Virus on a pc

Hi There

I have a PC on my network which has been infected with the Cycbot virus. How do I detect which PC has the virus? It is causing my public IP to be blacklisted. Any help will be appreciated.

Thanks
junzcpt Asked:

emilgas Commented:
If I were you I would download and install it on a laptop or a desktop, because you will be connecting that PC to a specific port on a switch. That switch port will be mirrored with the uplink (the main port that all the connections go through).

When you mirror a port what you are telling the switch to do is to send all the traffic that is being sent out of the Uplink port to that special port too.

Now your laptop will be grabbing all the rest of the traffic that is going out. That's where Wireshark comes in. It sees and analyzes all that traffic.

This is where you come in. You have to sort and filter all that data and see which machine is sending out SMTP traffic.

If you have never used Wireshark or any other packet capture software then it can be confusing at first, but you will have to search the internet for a quick tutorial with some screenshots on Wireshark. Trust me, it's not complicated (depending on your computer expertise), but the bottom line is that you need to do some homework on Wireshark.

Let me know if you need more specific directions.
0
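The sorting and filtering step emilgas describes (find the LAN host that is opening outbound SMTP connections from the mirrored-port capture) can be scripted once the capture is exported as fields. The following is an added example, not code from the thread or from the Wireshark project: it takes a few constructed, tab-separated lines in the shape of a `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport` export of TCP SYN packets, and ranks LAN hosts by direct connection attempts to TCP/25 outside the LAN. The LAN range and the address of the legitimate mail relay are assumptions and would be replaced with the site's own values.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, not a real capture: one SYN per line as
# "<src>\t<dst>\t<dst port>", the shape of a tshark field export.
SAMPLE_EXPORT = """\
192.168.1.10\t192.168.1.5\t25
192.168.1.5\t203.0.113.7\t25
192.168.1.23\t198.51.100.4\t25
192.168.1.23\t198.51.100.9\t25
192.168.1.23\t203.0.113.55\t25
192.168.1.23\t203.0.113.56\t25
192.168.1.23\t192.0.2.14\t25
192.168.1.31\t93.184.216.34\t443
192.168.1.23\t93.184.216.34\t80
"""

LAN = ip_network("192.168.1.0/24")       # assumed local network
MAIL_SERVER = ip_address("192.168.1.5")  # assumed legitimate relay, allowed to talk SMTP out


def parse_export(text):
    """Turn the tab-separated export into (src, dst, dst_port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split("\t")
        rows.append((ip_address(src), ip_address(dst), int(port)))
    return rows


def smtp_senders(rows, lan=LAN, mail_server=MAIL_SERVER, threshold=3):
    """Rank LAN hosts by SYNs to TCP/25 sent directly to hosts outside the LAN.

    Workstations normally hand mail to the internal relay, so connections
    to the relay itself are ignored, as is the relay's own outbound traffic.
    Hosts with fewer than `threshold` attempts are dropped to limit noise.
    """
    counts = Counter()
    for src, dst, port in rows:
        if port != 25 or src not in lan or src == mail_server or dst in lan:
            continue
        counts[str(src)] += 1
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, attempts in smtp_senders(parse_export(SAMPLE_EXPORT)):
        print(f"{host}: {attempts} direct outbound SMTP connection attempts")
```

On real data, the same ranking is what the Wireshark display filter `tcp.dstport == 25` shows by eye; the script just makes the count per source explicit so the spamming host stands out even when many hosts legitimately talk to the internal relay.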
emilgas Commented:
Put Wireshark on your switch and mirror the uplink port to see what is being uploaded. I know I said this fast, assuming what the Wireshark application does and what switchport mirroring is.

Is it sending out spam? Is that how your IP is being blacklisted? If so, look to see which PC is using the SMTP protocol. Wireshark will help you pinpoint that.
0
AntonioAlmeida Commented:
When you say blacklisted, are you talking about the SMTP service?

If it is, you can check your firewall log or sniff your network to determine which computer is sending spam.

You can check the computers too for the existence of the files below:
%Temp%\dwm.exe
%AppData%\Microsoft\svchost.exe
%AppData%\Microsoft\stor.cfg
%AppData%\Microsoft\windows\shell.exe
0
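The host-side check AntonioAlmeida suggests (look for the four files under %Temp% and %AppData%) can be run the same way on every workstation. This is an added example, not code from the thread: it expands the `%VAR%` tokens against the environment of the profile being inspected and reports which of the listed paths exist. The `exists` callable is parameterised only so the logic can be exercised against a constructed file set; on a real machine it is the default `os.path.exists`.

```python
import os
import re

# The four paths quoted in the thread, kept verbatim.
INDICATOR_PATHS = [
    r"%Temp%\dwm.exe",
    r"%AppData%\Microsoft\svchost.exe",
    r"%AppData%\Microsoft\stor.cfg",
    r"%AppData%\Microsoft\windows\shell.exe",
]


def expand(path, env):
    """Replace %VAR% tokens using `env`, matching names case-insensitively as Windows does.

    Unknown tokens are left untouched rather than silently becoming an empty string,
    so a missing variable cannot turn the check into a lookup of the wrong file.
    """
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)),
                  path)


def check_indicators(env, exists=os.path.exists, paths=INDICATOR_PATHS):
    """Return the expanded indicator paths that exist for the given profile environment."""
    hits = []
    for raw in paths:
        full = expand(raw, env)
        if exists(full):
            hits.append(full)
    return hits


if __name__ == "__main__":
    # Checks the profile of the account running the script; a domain admin would
    # loop over each user profile directory and build the env mapping per profile.
    found = check_indicators(os.environ)
    if found:
        print("Indicator files present:")
        for path in found:
            print("  ", path)
    else:
        print("None of the listed indicator files found for this profile.")
```

Note that the genuine `dwm.exe` and `svchost.exe` live under the Windows system directory; the thread's point is that copies under a user's Temp or AppData tree are out of place, which is why the paths are checked as given rather than by file name alone.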
DigitalBay Commented:
I recommend you assume that all of your computers are infected.

I further recommend that you disconnect your computers from the network and internet until you have followed the procedure found at http://www.bleepingcomputer.com/forums/topic354181.html.

===============================
ComputerTherapy.Biz
0
junzcpt (Author) Commented:
The public IP is being blacklisted due to the PC with the virus sending out spam.

How do I sniff the network? What tool can I use?
0
emilgas Commented:
Did you look at my suggestion? How many computers are we talking about?
0
AntonioAlmeida Commented:
As emilgas said, use Wireshark at a switch mirrored port or try checking your firewall/router logs. You can create a firewall rule to block SMTP traffic from workstations.
0
junzcpt (Author) Commented:
emilgas - I have downloaded Wireshark on to one of my servers but have no idea how to use it. What's the quickest way to get this going?
0
junzcpt (Author) Commented:
Thanks emilgas, let me see how far I get.
0
Tolomir (Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0