Solved

Need help removing a SMTP relay.

Posted on 2010-08-31
Last Modified: 2013-11-22
Hi all,
I have a terrible spam bot I can't seem to find.  In TCP View, I've found PID 732 (services.exe) is rife with smtp connections but I only see EventLog and PlugandPlay when I look at it via tasklist /svc.  Antimalware Bytes comes up with nothing as does Prevx, Vipre or Trend.  Also, system restore is missing from Computer properties.  I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in windows firewall, but I'd rather a real solution.  Any help would be most appreciated.
Thanks
Jon

BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
Question by:BeechTree
7 Comments
 
LVL 14

Expert Comment

by:svgmuc
ID: 33571365
You can check your open ports with a tool like this:

http://www.nirsoft.net/utils/cports.html
LVL 4

Expert Comment

by:Zupreme
ID: 33571490
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
LVL 22

Expert Comment

by:optoma
ID: 33571921
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

If you're still having the issue, run Combofix and post the log here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

>If they still don't run, redownload them but rename them prior to saving them
Author Comment

by:BeechTree
ID: 33571934
Every smtp connection to a foreign address is PID 732 - services.exe.  
Author Comment

by:BeechTree
ID: 33571951
Most of the connections are Established.  Some are closed and some are Wait.  Since I can't even identify the infection, I'm beginning to consider a nuke and pave.  I need to have the ws back in place in the morning.  User was off today so I had some play time.
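The symptom described above (a services.exe instance hosting only Eventlog/PlugPlay yet holding many outbound port-25 sessions) can be checked mechanically by correlating the netstat and tasklist output Zupreme and the author mention. This is an added example, not code from the thread; the `netstat -ano` / `tasklist /svc` text, the PIDs and the `192.168.` local prefix are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output on a Windows XP host (not from the thread).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.7:25         ESTABLISHED     732
  TCP    192.168.1.20:1046      198.51.100.9:25        ESTABLISHED     732
  TCP    192.168.1.20:1047      203.0.113.8:25         CLOSE_WAIT      732
  TCP    192.168.1.20:1050      192.0.2.10:25          ESTABLISHED     732
  TCP    192.168.1.20:1102      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:1200      192.168.1.5:25         ESTABLISHED     2216
"""

# Constructed sample of `tasklist /svc` for the same host.
TASKLIST_SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
services.exe                 732 Eventlog, PlugPlay
outlook.exe                 2216 N/A
"""

def parse_netstat(text):
    """Return (pid, remote_ip, remote_port, state) for every TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue                      # skips the header and UDP rows
        ip, port = parts[2].rsplit(":", 1)
        rows.append((int(parts[4]), ip, int(port), parts[3]))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, services hosted in that process)."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if m:                              # header/separator rows have no PID column
            procs[int(m.group(2))] = (m.group(1), m.group(3))
    return procs

def smtp_talkers(netstat_text, tasklist_text, local_prefix="192.168.", threshold=3):
    """PIDs holding >= threshold port-25 sessions to hosts outside the local range.
    Returns {pid: (image, services, connection_count)} so the hosting services are visible."""
    counts = defaultdict(int)
    for pid, ip, port, state in parse_netstat(netstat_text):
        if port == 25 and not ip.startswith(local_prefix):
            counts[pid] += 1
    procs = parse_tasklist(tasklist_text)
    return {pid: procs.get(pid, ("?", "?")) + (n,) for pid, n in counts.items() if n >= threshold}
```

On the sample this returns only PID 732 as services.exe hosting Eventlog and PlugPlay with four foreign SMTP sessions, while the mail client talking to the local Exchange host is ignored; neither of those two services has any reason to open outbound port 25, which is the same mismatch the author spotted by hand.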
LVL 22

Expert Comment

by:optoma
ID: 33571989
Try those scanners if you have time. Shouldn't take more than half an hour to run all :)

Accepted Solution

by:BeechTree (earned 0 total points)
ID: 33577358
Well,
I'm going to flatten it.  Nothing has worked so far.  I am able to find a few entries in HKLM that are hidden from the Windows API, but I can't get to them or find the associated files.  Time to push the button.  Thanks to all of you.
Jon