Solved

How to detect and clean malware sending spam on Windows XP and 2003 server

Posted on 2011-03-12
7
762 Views
Last Modified: 2012-06-22
A client has been disconnected by their ISP for sending spam.
They have 3 pcs running XP, and a 2003 server. The PCs are not in a domain. They don't use exchange. They use outlook for their email using the ISPs mail servers. They host their website on the 2003 server and that seems to be about the only server function they are really using. Their router is a DLink DSL-504T which is a basic ADSL 4 port router with only basic firewall.
The service provider says there is a huge amount of spam coming from their IP, and has disconnected their ADSL service.
A technician went to the site and used combofix and malware bytes to scan and clean each computer and has installed AVG also. The ISP then reconnected their ADSL but says spam was still coming from their IP and so has disconnected it again. That technician has now given up and the issue has been assigned to me.
The ISP is saying that if I ask them to reconnect the ADSL and more spam comes from the site they will disconnect again and not reconnect it.
I have scanned the PCs with the free version of Avast with a boot time scan and found a few more bits of malware, but that version wouldn't run on the server. Without an internet connection on-site I couldn't google the names of the programs found but my guess is that they were not the culprits.

So my questions are: what else can I use to scan and remove the offending malware, both workstations and server? Do I need to boot from another source to do so?
Is there anything I can do as far as blocking ports on a firewall to stop this spam from being sent? Is the firewall on a Dlink dsl504t adequate?
And most importantly is there anyway I can test and verify that it is fixed before getting the ADSL connection reinstated so the ISP doesn't disconnect it yet again?
0
Comment
Question by:rgss
7 Comments
 
LVL 38

Accepted Solution

by:
younghv earned 167 total points
ID: 35115880
If AVAST found something after an MBAM scan, then something was wrong with the way MBAM was used.

Download it again to your USB stick (rename it to xyz.exe) and download the update too.

Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:
http://data.mbamupdates.com/tools/mbam-rules.exe

When finished with MBAM, post the log that is generated and let us look at it for you.

**********
Make sure that the DLink admin account password is not still sitting on the 'Default' - it could be a case of a compromised router causing this.

I'll get a link that one of our other Experts provided for the fix on that.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35115893
This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit.

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/ 
0
 
LVL 11

Assisted Solution

by:yarwell
yarwell earned 333 total points
ID: 35115903
netstat from a command line will show you established connections and similar tools are around for tracking down what process is using what port.

Do they have a static IP address ?


AVG and Kaspersky both do bootable live CD AV / rescue CDs - download the iso, burn to CD and boot into it to check the machines.

http://www.avg.com/us-en/avg-rescue-cd
http://support.kaspersky.com/viruses/rescuedisk

A software firewall such as Comodo or Outpost set into a strict mode requiring each process to be positively authorised would be a good place to start. I'm not that hands-on with the router you mention, though the manual is at ftp://files.dlink.com.au/Products/DSL-504T/Manuals/DSL-504T_Manual.pdf and on p36 you can see how to set up a rule to block outbound access on a particular port.

You should also check the sent items folders on your mail clients to see if they have been sent that way.
0
 
LVL 1

Author Comment

by:rgss
ID: 35124607
Is there any particular port range I can block outbound traffic for that will stop the spam but allow the valid email to be sent?
0
 
LVL 11

Assisted Solution

by:yarwell
yarwell earned 333 total points
ID: 35132065
It depends how the spam is being sent ! If it's using regular ports you're stuck. Netstat should give you a clue what's happening.

Do they have a static IP address ?
0
 
LVL 1

Author Comment

by:rgss
ID: 35135685
I used netstat and also tcpview but I couldn't see any sign of the offending program. Will it show up as a connection if there is no internet connection?
They do have a static IP address.
Today: AVG rescue boot disk scan, Malware bytes, AVG rootkit scan, AVG full scan and Spybot search and destroy all found nothing, as well as not finding anything with netstat and tcpview. Does this mean that they are clean and can be reconnected to the ISP or does it mean that the offending program is hiding very well?
Also, we ordered a Cisco 887 router to replace the old dlink router.
0
 
LVL 11

Expert Comment

by:yarwell
ID: 35145167
If you had a running process trying to send out spam then yes it should show up even if only in the wait state. I assume the machine was connected to the LAN at the time.

Presumably you checked all the machines at the site ?

The DLink will allow you to block port 25, I would ask the ISP to reconnect you on a test basis and monitor what happens when the internet becomes available.

You should also ask them to supply the logs that show evidence of the problem, as there may be additional clues in there for example the name of the machine making the SMTP connection.
0
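The two yarwell comments above (the netstat suggestion and the later note that a spam-sending process shows up even in the wait state, and that port 25 is what to watch) describe a manual check. As an added example that is not part of the original thread, the script below automates that check over saved `netstat -ano` and `tasklist` output from an XP/2003 box: it joins connections to mail ports (25, 465, 587) back to the owning process and flags any process that is not an expected mail client, or that is talking to an unusual number of distinct remote mail servers. With no uplink, as at this site, attempts sit in SYN_SENT, so those rows are counted too. The netstat and tasklist text, the process name `svchst32.exe` and the allow-list of mail clients are all constructed for the example.

```python
import re
from collections import defaultdict

# Ports a mail-sending process talks to: SMTP, SMTPS and submission.
MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP on these desktops (assumption: Outlook only).
KNOWN_MAIL_CLIENTS = {"outlook.exe"}
# A real client talks to one or two ISP relays; more distinct hosts looks like a bot.
MAX_LEGIT_HOSTS = 2

# Constructed `netstat -ano` output in Windows XP format (not from the client's site).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.5:25         SYN_SENT        1234
  TCP    192.168.1.10:1046      203.0.113.17:25        SYN_SENT        1234
  TCP    192.168.1.10:1047      198.51.100.8:25        SYN_SENT        1234
  TCP    192.168.1.10:1048      198.51.100.9:25        SYN_SENT        1234
  TCP    192.168.1.10:1049      198.51.100.9:25        SYN_SENT        1234
  TCP    192.168.1.10:1050      192.0.2.30:25          ESTABLISHED     2100
  TCP    192.168.1.10:1051      192.0.2.30:110         ESTABLISHED     2100
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output; svchst32.exe is a made-up name for the example.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    900 Console                    0      4,512 K
OUTLOOK.EXE                   2100 Console                    0     31,204 K
svchst32.exe                  1234 Console                    0      2,908 K
"""


def parse_netstat(text):
    """Yield (local, remote, state, pid) for each TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns; headers and UDP rows do not match.
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            yield local, remote, state, int(pid)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (image names may contain spaces)."""
    pid_to_image = {}
    pattern = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            pid_to_image[int(m.group(2))] = m.group(1)
    return pid_to_image


def split_host_port(addr):
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def find_smtp_talkers(netstat_text, tasklist_text):
    """Return one finding per process with connections (or attempts) to a mail port."""
    pid_to_image = parse_tasklist(tasklist_text)
    hosts_by_pid = defaultdict(set)
    states_by_pid = defaultdict(lambda: defaultdict(int))
    for local, remote, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING":
            continue
        host, port = split_host_port(remote)
        if port in MAIL_PORTS:
            hosts_by_pid[pid].add(host)
            states_by_pid[pid][state] += 1  # SYN_SENT rows count: no uplink is needed

    findings = []
    for pid in sorted(hosts_by_pid):
        image = pid_to_image.get(pid, "<unknown>")
        distinct = len(hosts_by_pid[pid])
        suspicious = image.lower() not in KNOWN_MAIL_CLIENTS or distinct > MAX_LEGIT_HOSTS
        findings.append({
            "pid": pid,
            "image": image,
            "distinct_hosts": distinct,
            "states": dict(states_by_pid[pid]),
            "suspicious": suspicious,
        })
    return findings


if __name__ == "__main__":
    for f in find_smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected"
        print(f"{flag:10} pid={f['pid']} {f['image']} hosts={f['distinct_hosts']} {f['states']}")
```

On a real machine, run `netstat -ano > netstat.txt` and `tasklist > tasklist.txt` on each PC and the server while they are on the LAN, then feed both files to `find_smtp_talkers`. A process that appears here but not in Task Manager, or one that keeps reappearing after a clean, is the one to chase; a clean report on every host is the evidence to show the ISP before asking for the test reconnect.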

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Unmanaged Switches for Optimized Network Speeds 7 70
Support licences 3 39
Receiving wifi on an underground station 22 169
SonicWall NSA 3600 HA Content Filtering 3 26
For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question