Solved

Virus on a pc

Posted on 2011-09-27
Last Modified: 2012-06-27
Hi There

I have a PC on my network which has been infected with the Cycbot virus. How do I detect which PC has the virus? It is causing my public IP to be blacklisted. Any help will be appreciated.

Thanks
0
Question by:junzcpt
11 Comments
 
LVL 11

Expert Comment

by:emilgas
ID: 36712346
Put Wireshark on your switch and mirror the uplink port to see what is being uploaded. I know I said this fast, assuming you know what the Wireshark application does and what switchport mirroring is.

Is it sending out spam? Is that how your IP is being blacklisted? If so, look to see which PC is using the SMTP protocol. Wireshark will help you pinpoint that.
0
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36712370
When you say blacklisted, are you talking about the SMTP service?

If it is, you can check your firewall log or sniff your network to determine which computer is sending spam.

You can also check the computers for the existence of the files below:
%Temp%\dwm.exe
%AppData%\Microsoft\svchost.exe
%AppData%\Microsoft\stor.cfg
%AppData%\Microsoft\windows\shell.exe
0
 
LVL 1

Expert Comment

by:DigitalBay
ID: 36713711
I recommend you assume that all of your computers are infected.

I further recommend that you disconnect your computers from the network and internet until you have followed the procedure found at http://www.bleepingcomputer.com/forums/topic354181.html.

===============================
ComputerTherapy.Biz
0
Author Comment

by:junzcpt
ID: 36715089
The public IP is being blacklisted because the PC with the virus is sending out spam.

How do I sniff the network? What tool can I use?
0
 
LVL 11

Expert Comment

by:emilgas
ID: 36717376
Did you look at my suggestion? How many computers are we talking about?
0
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36718252
As emilgas said, use Wireshark at a switch mirrored port, or try checking your firewall/router logs. You can also create a firewall rule to block SMTP traffic from workstations.
0
 

Author Comment

by:junzcpt
ID: 36813970
emilgas - I have downloaded Wireshark onto one of my servers but have no idea how to use it. What's the quickest way to get this going?
0
 
LVL 11

Accepted Solution

by: emilgas (earned 2000 total points)
ID: 36817286
If I were you I would download and install it on a laptop or a desktop, because you will be connecting that PC to a specific port on a switch. That switch port will be mirrored with the uplink (the main port that all the connections go through).

When you mirror a port, what you are telling the switch to do is to send all the traffic that is being sent out of the uplink port to that special port too.

Now your laptop will be grabbing all the rest of the traffic that is going out. That's where Wireshark comes in: it sees and analyzes all that traffic.

This is where you come in. You have to sort and filter all that data and see which machine is sending out SMTP traffic.

If you have never used Wireshark or any other packet capture software then it can be confusing at first, but you will have to search on the internet for some quick tutorial or help with some screenshots on Wireshark. Trust me, it's not complicated (depending on your computer expertise), but the bottom line is that you need to do some homework on Wireshark.

Let me know if you need more specific directions.
0
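The accepted answer and AntonioAlmeida's comment both boil down to the same check: find the workstation that opens SMTP (tcp/25) connections to many outside hosts instead of submitting mail through the site's relay. The script below is an added example, not code from the thread; it runs that check over constructed firewall-style log lines (the log format, the relay address 192.168.1.5 and the private addresses are all assumptions) and also carries the equivalent Wireshark display filter for a mirrored-port capture.

```python
import re
from collections import defaultdict

# Constructed sample of firewall connection-log lines (not taken from the thread).
# Assumed format: "<date> <time> <action> TCP <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2011-09-27 09:01:12 ALLOW TCP 192.168.1.20:49152 -> 203.0.113.10:25
2011-09-27 09:01:13 ALLOW TCP 192.168.1.20:49153 -> 198.51.100.77:25
2011-09-27 09:01:13 ALLOW TCP 192.168.1.31:50211 -> 192.168.1.5:25
2011-09-27 09:01:14 ALLOW TCP 192.168.1.5:40001 -> 203.0.113.10:25
2011-09-27 09:01:15 ALLOW TCP 192.168.1.20:49154 -> 192.0.2.33:25
2011-09-27 09:01:16 ALLOW TCP 192.168.1.40:51000 -> 203.0.113.10:443
2011-09-27 09:01:17 ALLOW TCP 192.168.1.5:40002 -> 198.51.100.3:25
2011-09-27 09:01:18 ALLOW TCP 192.168.1.20:49155 -> 203.0.113.45:25
2011-09-27 09:01:19 ALLOW TCP 192.168.1.31:50212 -> 203.0.113.10:25
"""

LINE_RE = re.compile(
    r"TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Equivalent Wireshark display filter for the mirrored-port capture emilgas describes
# (assumes 192.168.1.5 is the legitimate mail relay, which is allowed to talk SMTP):
WIRESHARK_FILTER = "tcp.dstport == 25 && ip.src != 192.168.1.5 && ip.dst != 192.168.1.5"


def direct_smtp_destinations(log_text, mail_relay):
    """Map each source IP to the set of hosts it contacted on tcp/25, ignoring
    traffic to or from the relay (the one host expected to speak SMTP widely)."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if src == mail_relay or dst == mail_relay:
            continue
        dests[src].add(dst)
    return dests


def suspects(dests, threshold=3):
    """Rank hosts by distinct direct-SMTP peers. A workstation should normally
    have none, so anything at or above the threshold is the PC to pull offline."""
    ranked = sorted(dests.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(src, len(peers)) for src, peers in ranked if len(peers) >= threshold]
```

On the sample data only 192.168.1.20 fans out to several outside mail servers; a lower threshold would also surface 192.168.1.31, which made a single direct connection and is worth a second look but is not yet conclusive.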
 

Author Comment

by:junzcpt
ID: 36915294
Thanks emilgas, let me see how far I get.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37175663
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0