Solved

Need help removing a SMTP relay.

Posted on 2010-08-31
7
485 Views
Last Modified: 2013-11-22
Hi all,
I have a terrible spam bot I can't seem to find.  In TCP View, I've found PID 732 (services.exe) is rife with smtp connections but I ony see EventLog and PlugandPlay when I look at it via tasklist /svc.  Antimalware Bytes comes up with nothing as does Prevx, Vipre  or Trend.  Also, system restore is missing from Computer properties.  I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in windows firewall, but I'd rather a real solution.  Any help would be most appreciated.
Thanks
Jon

BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
0
Comment
Question by:BeechTree
7 Comments
 
LVL 14

Expert Comment

by:svgmuc
Comment Utility
You can check your open ports with a tool like this:

http://www.nirsoft.net/utils/cports.html
0
 
LVL 4

Expert Comment

by:Zupreme
Comment Utility
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
0
 
LVL 22

Expert Comment

by:optoma
Comment Utility
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

If still having issue run Combofix and post log here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

>If they still dont run, redownload them but rename them prior to saving them
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:BeechTree
Comment Utility
Every smtp connection to a foreign address is PID 732 - services.exe.  
0
 

Author Comment

by:BeechTree
Comment Utility
Most of the connections are Established.  Some are closed and some are Wait.  Since I can't even identify the infection, I beginning to consider a nuke and pave.  I need to have the ws back in place in the morning.  User was off today so I had some play time.
0
 
LVL 22

Expert Comment

by:optoma
Comment Utility
Try those scanners if you have time. Shouldn't take more than half hour to run all :)
0
 

Accepted Solution

by:
BeechTree earned 0 total points
Comment Utility
Well,
I'm going to flatten it.  Nothing has worked so far.  I am able to find a few entries in HKLM that are hidden from the Windows API, but I can't get to them or find the associated files.  Time to push the button.  Thanks to all of you.
Jon
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title. Examples: XP Antispyware 2012 XP Antivirus 2012 XP Security 2012   XP Home Sec…
There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now