Solved

How to detect and clean malware sending spam on Windows XP and 2003 server

Posted on 2011-03-12
Last Modified: 2012-06-22
A client has been disconnected by their ISP for sending spam.
They have 3 pcs running XP, and a 2003 server. The PCs are not in a domain. They don't use exchange. They use outlook for their email using the ISPs mail servers. They host their website on the 2003 server and that seems to be about the only server function they are really using. Their router is a DLink DSL-504T which is a basic ADSL 4 port router with only basic firewall.
The service provider says there is a huge amount of spam coming from their IP, and has disconnected their ADSL service.
A technician went to the site and used ComboFix and Malwarebytes to scan and clean each computer and has installed AVG also. The ISP then reconnected their ADSL but says spam was still coming from their IP and so has disconnected it again. That technician has now given up and the issue has been assigned to me.
The ISP is saying that if I ask them to reconnect the ADSL and more spam comes from the site they will disconnect again and not reconnect it.
I have scanned the PCs with the free version of Avast with a boot time scan and found a few more bits of malware, but that version wouldn't run on the server. Without an internet connection on-site I couldn't google the names of the programs found but my guess is that they were not the culprits.

So my questions are: what else can I use to scan and remove the offending malware, both workstations and server? Do I need to boot from another source to do so?
Is there anything I can do as far as blocking ports on a firewall to stop this spam from being sent? Is the firewall on a DLink DSL-504T adequate?
And most importantly, is there any way I can test and verify that it is fixed before getting the ADSL connection reinstated, so the ISP doesn't disconnect it yet again?
Question by: rgss

Accepted Solution by: younghv
ID: 35115880
If AVAST found something after an MBAM scan, then something was wrong with the way MBAM was used.

Download it again to your USB stick (rename it to xyz.exe) and download the update too.

Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:
http://data.mbamupdates.com/tools/mbam-rules.exe

When finished with MBAM, post the log that is generated and let us look at it for you.

**********
Make sure that the DLink admin account password is not still sitting on the 'Default' - it could be a case of a compromised router causing this.

I'll get a link that one of our other Experts provided for the fix on that.

Expert Comment by: younghv
ID: 35115893
This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit.

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/

Assisted Solution by: yarwell
ID: 35115903
netstat from a command line will show you established connections and similar tools are around for tracking down what process is using what port.

Do they have a static IP address ?


AVG and Kaspersky both do bootable live CD AV / rescue CDs - download the iso, burn to CD and boot into it to check the machines.

http://www.avg.com/us-en/avg-rescue-cd
http://support.kaspersky.com/viruses/rescuedisk

A software firewall such as Comodo or Outpost set into a strict mode requiring each process to be positively authorised would be a good place to start. I'm not that hands-on with the router you mention, though the manual is at ftp://files.dlink.com.au/Products/DSL-504T/Manuals/DSL-504T_Manual.pdf and on p36 you can see how to set up a rule to block outbound access on a particular port.

You should also check the sent items folders on your mail clients to see if they have been sent that way.

Author Comment by: rgss
ID: 35124607
Is there any particular port range I can block outbound traffic for that will stop the spam but allow the valid email to be sent?

Assisted Solution by: yarwell
ID: 35132065
It depends how the spam is being sent ! If it's using regular ports you're stuck. Netstat should give you a clue what's happening.

Do they have a static IP address ?

Author Comment by: rgss
ID: 35135685
I used netstat and also tcpview but I couldn't see any sign of the offending program. Will it show up as a connection if there is no internet connection?
They do have a static IP address.
Today: AVG Rescue CD boot disk scan, Malwarebytes, AVG rootkit scan, AVG full scan and Spybot Search & Destroy all found nothing, as well as not finding anything with netstat and TCPView. Does this mean that they are clean and can be reconnected to the ISP, or does it mean that the offending program is hiding very well?
Also, we ordered a Cisco 887 router to replace the old DLink router.

Expert Comment by: yarwell
ID: 35145167
If you had a running process trying to send out spam then yes it should show up even if only in the wait state. I assume the machine was connected to the LAN at the time.

Presumably you checked all the machines at the site ?

The DLink will allow you to block port 25, I would ask the ISP to reconnect you on a test basis and monitor what happens when the internet becomes available.

You should also ask them to supply the logs that show evidence of the problem, as there may be additional clues in there for example the name of the machine making the SMTP connection.
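The two yarwell comments above (netstat and a port-to-process tool will show what is trying to send, and a sender should still show up in the wait state even with the line down) can be turned into a repeatable check. The script below is an added example, not code from this thread or from any of the tools mentioned. It parses text captured with `netstat -ano` and `tasklist /fo csv /nh` (both present on XP Professional and Server 2003), joins the two on PID, and flags any TCP connection to an SMTP port (25, 465 or 587) whose remote host is not one of the ISP's relays. The sample output, PIDs, hostnames, IP addresses and the allow-list of relay addresses are all constructed for the example; only a mail client such as Outlook should ever talk to the relay, so anything else opening SMTP connections, especially many of them to different hosts and stuck in SYN_SENT, is the process to investigate.

```python
"""Flag SMTP connections in `netstat -ano` output and map them to the owning
process via `tasklist /fo csv /nh` output. Added example for the thread above;
all sample data below is constructed and the process names, PIDs and
addresses are hypothetical."""
import csv
import io
import re

SMTP_PORTS = {25, 465, 587}

# One TCP row of `netstat -ano`: proto, local, foreign, state, PID.
# UDP rows have no State column and are ignored, as are the header lines.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample of `netstat -ano` captured on a workstation (hypothetical).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1054      203.0.113.25:25        ESTABLISHED     1532
  TCP    192.168.1.10:1061      198.51.100.7:25        SYN_SENT        2280
  TCP    192.168.1.10:1062      198.51.100.9:25        SYN_SENT        2280
  TCP    192.168.1.10:1063      198.51.100.40:587      SYN_SENT        2280
  TCP    192.168.1.10:1070      192.0.2.80:80          ESTABLISHED     1120
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` from the same machine (hypothetical).
TASKLIST_SAMPLE = '''"svchost.exe","884","Console","0","4,520 K"
"OUTLOOK.EXE","1532","Console","0","38,112 K"
"svc_host.exe","2280","Console","0","2,048 K"
"iexplore.exe","1120","Console","0","20,004 K"
'''


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition also copes with [::1]:25."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return the TCP rows of netstat -ano as dicts (remote host/port, state, PID)."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        _local, remote, state, pid = m.groups()
        rhost, rport = split_endpoint(remote)
        conns.append({"remote_host": rhost, "remote_port": rport,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output (no header row)."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def find_smtp_senders(netstat_text, tasklist_text, isp_mail_servers=()):
    """Every TCP connection to an SMTP port, joined with its process name.

    A connection is 'suspicious' unless the remote host is one of the ISP's
    relays. The state is kept because, with the ADSL line down, a spam bot's
    attempts sit in SYN_SENT rather than ESTABLISHED, and still show up here."""
    names = parse_tasklist(tasklist_text)
    allowed = set(isp_mail_servers)
    found = []
    for c in parse_netstat(netstat_text):
        if c["remote_port"] not in SMTP_PORTS:
            continue
        found.append({**c,
                      "process": names.get(c["pid"], "<unknown>"),
                      "suspicious": c["remote_host"] not in allowed})
    return found


def suspicious_pids(netstat_text, tasklist_text, isp_mail_servers=()):
    """Map PID -> (process name, count of SMTP connections to non-relay hosts)."""
    counts = {}
    for c in find_smtp_senders(netstat_text, tasklist_text, isp_mail_servers):
        if c["suspicious"]:
            name, n = counts.get(c["pid"], (c["process"], 0))
            counts[c["pid"]] = (name, n + 1)
    return counts


if __name__ == "__main__":
    # 203.0.113.25 stands in for the ISP's SMTP relay (hypothetical address).
    report = suspicious_pids(NETSTAT_SAMPLE, TASKLIST_SAMPLE, ["203.0.113.25"])
    for pid, (name, n) in report.items():
        print(f"PID {pid} ({name}): {n} SMTP connection(s) to hosts other than the ISP relay")
```

In the field, capture `netstat -ano > netstat.txt` and `tasklist /fo csv /nh > tasks.txt` on each PC and the server while they are on the LAN, feed the files to `suspicious_pids`, and repeat at intervals after the ISP reconnects on a test basis: a process that appears there with connections to anything other than the relay is the one to remove, and its name is what to compare against the hostname or IP in the logs the ISP is asked to supply.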