Solved

Virus on a pc

Posted on 2011-09-27
Last Modified: 2012-06-27
Hi There

I have a PC on my network which has been infected with the Cycbot virus. How do I detect which PC has the virus? It is causing my public IP to be blacklisted. Any help will be appreciated.

Thanks
0
Question by:junzcpt
11 Comments
 
LVL 11

Expert Comment

by:emilgas
ID: 36712346
Put Wireshark on your switch and mirror the uplink port to see what is being uploaded. I know I said this fast, assuming you know what the Wireshark application does and what switchport mirroring is.

Is it sending out spam? Is that how your IP is being blacklisted? If so, look to see which PC is using the SMTP protocol. Wireshark will help you pinpoint that.
0
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36712370
When you say blacklisted, are you talking about the SMTP service?

If it is, you can check your firewall log or sniff your network to determine which computer is sending spam.

You can check the computers too for the existence of the files below:
%Temp%\dwm.exe
%AppData%\Microsoft\svchost.exe
%AppData%\Microsoft\stor.cfg
%AppData%\Microsoft\windows\shell.exe
0
 
LVL 1

Expert Comment

by:DigitalBay
ID: 36713711
I recommend you assume that all of your computers are infected.

I further recommend that you disconnect your computers from the network and internet until you have followed the procedure found at http://www.bleepingcomputer.com/forums/topic354181.html.

===============================
ComputerTherapy.Biz
0
 

Author Comment

by:junzcpt
ID: 36715089
The public IP is being blacklisted due to the pc with the virus sending out spam.

How do I sniff the network? What tool can I use?
0
 
LVL 11

Expert Comment

by:emilgas
ID: 36717376
Did you look at my suggestion? How many computers are we talking about?
0
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36718252
As emilgas said, use Wireshark at a switch mirrored port or try checking your firewall/router logs... You can create a firewall rule to block SMTP traffic from workstations.
0
 

Author Comment

by:junzcpt
ID: 36813970
emilgas - I have downloaded Wireshark onto one of my servers but have no idea how to use it. What's the quickest way to get this going?
0
 
LVL 11

Accepted Solution

by: emilgas (earned 500 total points)
ID: 36817286
If I were you I would download and install it on a laptop or a desktop, because you will be connecting that PC to a specific port on a switch. That switch port will be mirrored with the uplink (the main port that all the connections go through).

When you mirror a port, what you are telling the switch to do is to send all the traffic that is being sent out of the uplink port to that special port too.

Now your laptop will be grabbing all the rest of the traffic that is going out. That's where Wireshark comes in. It sees and analyzes all that traffic.

This is where you come in. You have to sort and filter all that data and see which machine is sending out SMTP traffic.

If you have never used Wireshark or any other packet capture software then it can be confusing at first, but you will have to search on the internet for a quick tutorial or help with some screenshots on Wireshark. Trust me, it's not complicated (depending on your computer expertise), but the bottom line is that you need to do some homework on Wireshark.

Let me know if you need more specific directions.
0
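Putting AntonioAlmeida's firewall-log check and emilgas's "filter the mirrored traffic for the SMTP sender" advice together, here is an added example that is not from the thread: it parses constructed firewall connection-log lines (the log format and the mail server address 192.168.1.10 are assumptions) and ranks internal hosts opening outbound SMTP connections that are not the sanctioned mail server, so the spam-sending workstation stands out.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread).
# Assumed format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2011-09-27 10:01:02 ALLOW TCP 192.168.1.10:51200 -> 198.51.100.7:25
2011-09-27 10:01:05 ALLOW TCP 192.168.1.23:49152 -> 203.0.113.5:25
2011-09-27 10:01:05 ALLOW TCP 192.168.1.23:49153 -> 203.0.113.9:25
2011-09-27 10:01:06 ALLOW TCP 192.168.1.23:49154 -> 198.51.100.44:25
2011-09-27 10:01:06 ALLOW TCP 192.168.1.23:49155 -> 192.0.2.18:25
2011-09-27 10:01:07 ALLOW TCP 192.168.1.42:50001 -> 93.184.216.34:443
2011-09-27 10:01:08 ALLOW TCP 192.168.1.10:51201 -> 198.51.100.7:25
2011-09-27 10:01:09 ALLOW UDP 192.168.1.42:53444 -> 192.168.1.1:53
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
MAIL_SERVERS = {"192.168.1.10"}   # sanctioned outbound SMTP sender (assumed)
SMTP_PORTS = {25, 465, 587}


def smtp_talkers(log_text, mail_servers=MAIL_SERVERS):
    """Return [(src_ip, smtp_connections, distinct_destinations), ...] for
    internal hosts other than the mail server, most suspicious first.
    Same idea as the Wireshark display filter on the mirrored port:
        tcp.dstport == 25 && ip.src != 192.168.1.10
    """
    conns = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) not in SMTP_PORTS:
            continue
        if m["src"] in mail_servers:
            continue
        conns[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    # One workstation fanning out to many distinct mail hosts is the
    # spam-bot signature; rank by distinct destinations, then by volume.
    return sorted(((s, conns[s], len(dests[s])) for s in conns),
                  key=lambda r: (r[2], r[1]), reverse=True)


if __name__ == "__main__":
    for src, n, d in smtp_talkers(SAMPLE_LOG):
        print(f"{src}: {n} outbound SMTP connections to {d} distinct hosts")
```

Once the offending host is identified, the same log source confirms whether a "block SMTP from workstations" rule is working: the matching lines should switch from ALLOW to the firewall's deny action.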
 

Author Comment

by:junzcpt
ID: 36915294
Thanks emilgas, let me see how far I get.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37175663
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
