BeechTree

Need help removing a SMTP relay.

Hi all,
I have a terrible spam bot I can't seem to find. In TCP View, I've found PID 732 (services.exe) is rife with SMTP connections, but I only see EventLog and PlugandPlay when I look at it via tasklist /svc. Antimalware Bytes comes up with nothing, as does Prevx, Vipre or Trend. Also, system restore is missing from Computer properties. I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in Windows Firewall, but I'd rather have a real solution. Any help would be most appreciated.
Thanks
Jon

BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
svgmuc

You can check your open ports with a tool like this:

http://www.nirsoft.net/utils/cports.html
Zupreme
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

If you're still having the issue, run Combofix and post the log here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

>If they still don't run, redownload them but rename them prior to saving them
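The manual check described in this thread (netstat to find which PID owns the outbound SMTP sessions, then tasklist /svc to see which services that PID hosts) can be automated so the mismatch stands out. The script below is an added example and is not code from the thread or from any of the tools named in it. It assumes you have pasted the text of `netstat -ano` (the -o switch, which prints the owning PID, exists on XP) and `tasklist /svc` into the two sample strings; the sample output embedded here is constructed, with documentation-range addresses standing in for external mail servers and 192.168.1.2 standing in for the site's own Exchange server, which a mail client may legitimately talk to on port 25.

```python
"""Tally outbound SMTP (TCP/25) sessions per PID from `netstat -ano` output
and map each PID to the services it hosts from `tasklist /svc` output.

A process whose listed services have no business sending mail (for example
services.exe hosting only Eventlog and PlugPlay) but which holds many
ESTABLISHED sessions to outside hosts on port 25 is what this surfaces.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1045      203.0.113.20:25        ESTABLISHED     732
  TCP    192.168.1.10:1046      203.0.113.21:25        ESTABLISHED     732
  TCP    192.168.1.10:1047      198.51.100.5:25        TIME_WAIT       732
  TCP    192.168.1.10:1048      198.51.100.9:25        ESTABLISHED     732
  TCP    192.168.1.10:1102      192.168.1.2:25         ESTABLISHED     1588
  TCP    192.168.1.10:1203      203.0.113.44:443       ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output (not a real capture).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
services.exe                   732 Eventlog, PlugPlay
svchost.exe                    900 RpcSs
outlook.exe                   1588 N/A
"""

# Address ranges treated as "inside the network": sessions to these on port 25
# are normal for a mail client talking to the site's own mail server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def is_internal(host):
    """True for RFC1918/loopback/link-local hosts; False for anything else,
    including '*' or names that are not numeric addresses."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def smtp_by_pid(netstat_text, remote_port=25):
    """Return {pid: Counter(state -> count)} for TCP sessions whose foreign
    address is an external host on `remote_port`."""
    per_pid = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group("proto") != "TCP":
            continue
        host, _, port = m.group("remote").rpartition(":")
        if port != str(remote_port) or is_internal(host):
            continue
        state = m.group("state") or "UNKNOWN"
        per_pid.setdefault(int(m.group("pid")), Counter())[state] += 1
    return per_pid


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])}. Header and separator rows
    fail the regex (no numeric PID column) and are skipped; indented
    continuation rows extend the previous PID's service list."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last_pid is not None:
            procs[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_LINE.match(line.rstrip())
        if not m:
            continue
        svcs = m.group("services").strip()
        svc_list = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        last_pid = int(m.group("pid"))
        procs[last_pid] = (m.group("image"), svc_list)
    return procs


def flag_smtp_talkers(netstat_text, tasklist_text, min_connections=3):
    """Join the two views and report PIDs with at least `min_connections`
    external SMTP sessions, with the image name and hosted services."""
    conns, procs = smtp_by_pid(netstat_text), parse_tasklist_svc(tasklist_text)
    findings = []
    for pid, states in sorted(conns.items()):
        total = sum(states.values())
        if total < min_connections:
            continue
        image, svcs = procs.get(pid, ("<unknown>", []))
        findings.append({"pid": pid, "image": image, "services": svcs,
                         "total": total, "states": dict(states)})
    return findings


if __name__ == "__main__":
    for f in flag_smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}, services: {', '.join(f['services']) or 'none'}) "
              f"holds {f['total']} external SMTP sessions: {f['states']}")
```

Run it with real output by replacing the two sample strings with the saved text of `netstat -ano` and `tasklist /svc`. The report lists only PIDs talking to outside hosts on port 25, so a client sending through the local Exchange server does not appear, while a core system process holding several ESTABLISHED sessions to outside mail servers does.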
BeechTree
ASKER

Every SMTP connection to a foreign address is PID 732 - services.exe.
Most of the connections are Established. Some are closed and some are Wait. Since I can't even identify the infection, I'm beginning to consider a nuke and pave. I need to have the ws back in place in the morning. User was off today so I had some play time.
Try those scanners if you have time. Shouldn't take more than half an hour to run all :)
ASKER CERTIFIED SOLUTION
BeechTree