BeechTree
asked on
Need help removing a SMTP relay.
Hi all,
I have a terrible spam bot I can't seem to find. In TCP View, I've found PID 732 (services.exe) is rife with SMTP connections, but I only see EventLog and PlugandPlay when I look at it via tasklist /svc. Antimalware Bytes comes up with nothing, as does Prevx, Vipre or Trend. Also, system restore is missing from Computer properties. I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in Windows Firewall, but I'd rather have a real solution. Any help would be most appreciated.
Thanks
Jon
BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
If you're still having issues, run Combofix and post the log here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> If they still don't run, redownload them but rename them prior to saving them.
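A way to do the netstat/tasklist correlation described above offline, as an added example and not code posted in this thread: it parses constructed samples of `netstat -a -n -o` and `tasklist /svc` output and flags any PID holding several sockets to remote port 25, which is the pattern the asker saw on services.exe. It assumes the XP-era column layout shown in the samples.

```python
import re
from collections import Counter

# Constructed sample of "netstat -a -n -o" output (XP-era columns); not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:1044      203.0.113.10:25        ESTABLISHED     732
  TCP    192.168.1.50:1045      198.51.100.7:25        ESTABLISHED     732
  TCP    192.168.1.50:1046      203.0.113.22:25        TIME_WAIT       732
  TCP    192.168.1.50:1047      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.50:1050      198.51.100.9:25        ESTABLISHED     732
"""
# Constructed sample of "tasklist /svc" output for the same PIDs.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
services.exe                   732 Eventlog, PlugPlay
"""
TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")  # header/separator rows do not match

def parse_netstat(text):
    """One dict per TCP row; the PID column is what ties a socket to a process."""
    rows = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            host, port = remote.rsplit(":", 1)
            rows.append({"local": local, "remote_host": host, "remote_port": int(port),
                         "state": state, "pid": int(pid)})
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from tasklist /svc output."""
    return {int(m.group(2)): (m.group(1), m.group(3))
            for m in map(TASK_RE.match, text.splitlines()) if m}

def smtp_counts(rows, port=25):
    """Sockets to remote port 25 per PID; every TCP state counts, TIME_WAIT included."""
    return Counter(r["pid"] for r in rows if r["remote_port"] == port)

def report(netstat_text, tasklist_text, threshold=3):
    """PID -> (image, services, socket count) for PIDs holding >= threshold SMTP sockets."""
    procs = parse_tasklist(tasklist_text)
    return {pid: (*procs.get(pid, ("<unknown>", "?")), n)
            for pid, n in smtp_counts(parse_netstat(netstat_text)).items() if n >= threshold}
```

A mail client on a workstation normally holds one SMTP socket at a time, so a PID with several at once, especially a system process like services.exe, is what to investigate.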
ASKER
Every smtp connection to a foreign address is PID 732 - services.exe.
ASKER
Most of the connections are Established. Some are closed and some are Wait. Since I can't even identify the infection, I'm beginning to consider a nuke and pave. I need to have the ws back in place in the morning. User was off today, so I had some play time.
Try those scanners if you have time. Shouldn't take more than half an hour to run them all :)
ASKER CERTIFIED SOLUTION
http://www.nirsoft.net/utils/cports.html