Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How to detect and clean malware sending spam on Windows XP and 2003 server

Posted on 2011-03-12
Medium Priority
Last Modified: 2012-06-22
A client has been disconnected by their ISP for sending spam.
They have 3 pcs running XP, and a 2003 server. The PCs are not in a domain. They don't use exchange. They use outlook for their email using the ISPs mail servers. They host their website on the 2003 server and that seems to be about the only server function they are really using. Their router is a DLink DSL-504T which is a basic ADSL 4 port router with only basic firewall.
The service provider says their is a huge amount of spam coming from their IP, and has disconnected their ADSL service.
A technician went to the site and used combofix and malware bytes to scan and clean each computer and has installed AVG also. The ISP the reconnected their ADSL but says spam was still coming from their IP and so has disconnected it again. That technician has now given up and the issue has been assigned to me.
The ISP is saying that if I ask them to reconnect the ADSL and more spam comes from the site they will disconnect again and not reconnect it.
I have scanned the PCs with the free version of Avast with a boot time scan and found a few more bits of malware, but that version wouldn't run on the server. Without an internet connection on-site I couldn't google the names of the programs found but my guess is that they were not the culprits.

So my questions are: what else can I use to scan and remove the offending malware, both workstations and server? Do I need to boot from another source to do so?
is there anything I can do as far as blocking ports on a firewall to stop this spam from being sent? Is the firewall on a Dlink dsl504t adequate?
And most importantly is there anyway I can test and verify that it is fixed before getting the ADSL connection reinstated so the ISP doesn't disconnect it yet again?
Question by:rgss
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 38

Accepted Solution

younghv earned 668 total points
ID: 35115880
If AVAST found something after an MBAM scan, then something was wrong with the way MBAM was used.

Download it again to your USB stick (rename it to xyz.exe) and download the update too.

Malwarebytes (MBAM) (
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:

When finished with MBAM, post the log that is generated and let us look at it for you.

Make sure that the DLink admin account password is not still sitting on the 'Default' - it could be a case of a compromised router causing this.

I'll get a link that one of our other Experts provided for the fix on that.
LVL 38

Expert Comment

ID: 35115893
This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit. 
LVL 11

Assisted Solution

yarwell earned 1332 total points
ID: 35115903
netstat from a command line will show you established connections and similar tools are around for tracking down what process is using what port.

Do they have a static IP address ?

AVG and Kaspersky both do bootable live CD AV / rescue CDs - download the iso, burn to CD and boot into it to check the machines.

A software firewall such as Comodo our Outpost set into a strict mode requiring each process to be positively authorised would be a good place to start, I'm not that hands-on with the router you mention though the manual is at and on p36 you can see how to set up a rule to block outbound access on a particular port.

You should also check the sent items folders on your mail clients to see if they have been sent that way.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Author Comment

ID: 35124607
Is there any particular port range I can block outbound traffic for that will stop the spam but allow the valid email to be sent?
LVL 11

Assisted Solution

yarwell earned 1332 total points
ID: 35132065
It depends how the spam is being sent ! If it's using regular ports you're stuck. Netstat should give you a clue what's happening.

Do they have a static IP address ?

Author Comment

ID: 35135685
I used netstat and also tcpview but I couldn't see any sign of the offending program. Will it show up as a connection if there is no internet connection?
They do have a static IP address.
Today: AVG rescue boot disk scan, Malware bytes, AVG rootkit scan, AVG full scan and Spybot search and destroy all found nothing, as well as not finding anythin with netstat and tcpview. Does this mean that they are clean and can be reconnected to the ISP or does it meaan that the offending program is hiding very well?
Also, we ordered a Cisco 887 router to replace the  old dlink router.
LVL 11

Expert Comment

ID: 35145167
If you had a running process trying to send out spam then yes it should show up even if only in the wait state. I assume the machine was connected to the LAN at the time.

Presumably you checked all the machines at the site ?

The DLink will allow you to block port 25, I would ask the ISP to reconnect you on a test basis and monitor what happens when the internet becomes available.

You should also ask them to supply the logs that show evidence of the problem, as there may be additional clues in there for example the name of the machine making the SMTP connection.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question