Need help removing a SMTP relay.

Hi all,
I have a terrible spam bot I can't seem to find. In TCP View, I've found PID 732 (services.exe) is rife with smtp connections but I only see EventLog and PlugandPlay when I look at it via tasklist /svc. Antimalware Bytes comes up with nothing as does Prevx, Vipre or Trend. Also, system restore is missing from Computer properties. I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in Windows Firewall, but I'd rather a real solution. Any help would be most appreciated.
Thanks
Jon

BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
BeechTree Asked:
 
BeechTree (Author) Commented:
Well,
I'm going to flatten it.  Nothing has worked so far.  I am able to find a few entries in HKLM that are hidden from the Windows API, but I can't get to them or find the associated files.  Time to push the button.  Thanks to all of you.
Jon
0
 
svgmuc Commented:
You can check your open ports with a tool like this:

http://www.nirsoft.net/utils/cports.html
0
 
Zupreme Commented:
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
0
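Added example, not part of the original thread: a small parser that tallies connections to remote port 25 per owning PID, the same check the posts above do by eye. It assumes the input is saved `netstat -ano` output (numeric addresses with PIDs, rather than `-b`); the sample rows are constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` output; addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.20:1045      198.51.100.7:25        ESTABLISHED     732
  TCP    192.168.1.20:1046      203.0.113.9:25         ESTABLISHED     732
  TCP    192.168.1.20:1047      192.0.2.44:25          TIME_WAIT       0
  TCP    192.168.1.20:1050      192.0.2.80:25          CLOSE_WAIT      732
  TCP    192.168.1.20:1051      192.168.1.2:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    716
"""

# TCP row: proto, local addr:port, foreign addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_connections(netstat_text, port=25):
    """Map owning PID -> {state: count} for TCP rows whose foreign port is `port`."""
    by_pid = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP or blank line
        _remote, rport, state, pid = m.groups()
        if int(rport) == port:
            by_pid[int(pid)][state] += 1
    return {pid: dict(states) for pid, states in by_pid.items()}

def suspects(netstat_text, port=25, threshold=2):
    """PIDs holding at least `threshold` connections to `port`, busiest first.

    PID 0 is skipped: Windows reports TIME_WAIT sockets under PID 0, so those
    rows no longer identify the process that opened them.
    """
    totals = {pid: sum(s.values()) for pid, s in
              smtp_connections(netstat_text, port).items() if pid != 0}
    hits = [(pid, n) for pid, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for pid, count in suspects(text):
        print(f"PID {pid}: {count} connections to port 25")
```

Any PID it reports can then be looked up with `tasklist /svc`, as in the original question.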
 
optoma Commented:
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

If still having issues, run Combofix and post the log here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

> If they still don't run, redownload them but rename them prior to saving them.
0
 
BeechTree (Author) Commented:
Every smtp connection to a foreign address is PID 732 - services.exe.  
0
 
BeechTree (Author) Commented:
Most of the connections are Established. Some are closed and some are Wait. Since I can't even identify the infection, I'm beginning to consider a nuke and pave. I need to have the ws back in place in the morning. User was off today so I had some play time.
0
 
optoma Commented:
Try those scanners if you have time. Shouldn't take more than half hour to run all :)
0
Question has a verified solution.