Solved

Virus on a pc

Posted on 2011-09-27
Last Modified: 2012-06-27
Hi There

I have a PC on my network which has been infected with the Cycbot virus. How do I detect which PC has the virus? It is causing my public IP to be blacklisted. Any help will be appreciated.

Thanks
Question by:junzcpt
11 Comments
 
LVL 11

Expert Comment

by:emilgas
ID: 36712346
Put Wireshark on your switch and mirror the uplink port to see what is being uploaded. I know I said this fast, assuming you know what the Wireshark application does and what switchport mirroring is.

Is it sending out spam? Is that how your IP is being blacklisted? If so, look to see which PC is using the SMTP protocol. Wireshark will help you pinpoint that.
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36712370
When you say blacklisted, are you talking about the SMTP service?

If it is, you can check your firewall log or sniff your network to determine which computer is sending SPAM.

You can check the computers too for the existence of the files below:
%Temp%\dwm.exe
%AppData%\Microsoft\svchost.exe
%AppData%\Microsoft\stor.cfg
%AppData%\Microsoft\windows\shell.exe
 
LVL 1

Expert Comment

by:DigitalBay
ID: 36713711
I recommend you assume that all of your computers are infected.

I further recommend that you disconnect your computers from the network and internet until you have followed the procedure found at http://www.bleepingcomputer.com/forums/topic354181.html.

===============================
ComputerTherapy.Biz
 

Author Comment

by:junzcpt
ID: 36715089
The public IP is being blacklisted due to the PC with the virus sending out spam.

How do I sniff the network? What tool can I use?
 
LVL 11

Expert Comment

by:emilgas
ID: 36717376
Did you look at my suggestion? How many computers are we talking about?
 
LVL 1

Expert Comment

by:AntonioAlmeida
ID: 36718252
As emilgas said, use Wireshark at a switch mirrored port or try checking your firewall/router logs... You can create a firewall rule to block SMTP traffic from workstations.
 

Author Comment

by:junzcpt
ID: 36813970
emilgas - I have downloaded Wireshark onto one of my servers but have no idea how to use it. What's the quickest way to get this going?
 
LVL 11

Accepted Solution

by: emilgas (earned 500 total points)
ID: 36817286
If I were you I would download and install it on a laptop or a desktop, because you will be connecting that PC to a specific port on a switch. That switch port will be mirrored with the uplink (the main port that all the connections go through).

When you mirror a port, what you are telling the switch to do is to send all the traffic that is being sent out of the uplink port to that special port too.

Now your laptop will be grabbing all the rest of the traffic that is going out. That's where Wireshark comes in. It sees and analyzes all that traffic.

This is where you come in. You have to sort and filter all that data and see which machine is sending out SMTP traffic.

If you have never used Wireshark or any other packet capture software then it can be confusing at first, but you will have to search on the internet for some quick tutorial or help with some screenshots on Wireshark. Trust me, it's not complicated (depending on your computer expertise), but the bottom line is that you need to do some homework on Wireshark.

Let me know if you need more specific directions.
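The triage emilgas describes (capture on a mirrored port, then filter for the machine sending SMTP) and the firewall-log route AntonioAlmeida suggests come down to the same question: which internal host, other than the real mail server, is opening TCP/25 connections to many external mail servers? The script below is an added example, not something posted in the thread, that answers it over a constructed firewall log. The log format, the LAN range 192.168.1.0/24, the mail server 192.168.1.5 and all addresses are assumptions made up for the example. In Wireshark the equivalent first step is the display filter `tcp.dstport == 25` followed by Statistics > Conversations to see which source has the most SMTP conversations.

```python
"""Rank internal hosts by outbound SMTP activity parsed from firewall log lines.

A spam bot's fingerprint is one workstation talking TCP/25 directly to many
external mail servers; legitimate mail should only leave via the known MTA.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (illustrative "ACTION PROTO src:port -> dst:port" format,
# not any particular firewall's). 192.168.1.5 is the legitimate mail server,
# 192.168.1.23 is a workstation, 192.168.1.40 only relays through the mail server.
SAMPLE_LOG = """\
2011-09-27 10:01:02 ALLOW TCP 192.168.1.5:51234 -> 74.125.0.1:25
2011-09-27 10:01:03 ALLOW TCP 192.168.1.23:1034 -> 65.55.0.1:25
2011-09-27 10:01:03 ALLOW TCP 192.168.1.23:1035 -> 67.195.0.1:25
2011-09-27 10:01:04 ALLOW TCP 192.168.1.23:1036 -> 98.139.0.1:25
2011-09-27 10:01:04 ALLOW TCP 192.168.1.23:1037 -> 64.12.0.1:25
2011-09-27 10:01:05 ALLOW TCP 192.168.1.40:2201 -> 192.168.1.5:25
2011-09-27 10:01:06 ALLOW TCP 192.168.1.40:2202 -> 93.184.216.34:80
2011-09-27 10:01:07 ALLOW TCP 192.168.1.23:1038 -> 65.55.0.1:25
2011-09-27 10:01:08 DENY  TCP 192.168.1.23:1039 -> 66.94.0.1:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_smtp_by_source(log_text, internal_net="192.168.1.0/24"):
    """Return {src_ip: set(external_dst_ips)} for TCP/25 connections leaving the LAN.

    Denied attempts are counted too: a blocked bot is still an infected host.
    """
    net = ip_network(internal_net)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in net and dst not in net:  # only LAN -> Internet mail traffic
            dests[rec["src"]].add(rec["dst"])
    return dests


def spam_suspects(log_text, mail_servers=("192.168.1.5",),
                  internal_net="192.168.1.0/24", min_dests=3):
    """List (src_ip, distinct_external_mta_count) for hosts other than the known
    mail servers that contacted at least min_dests distinct external MTAs,
    most suspicious first."""
    dests = outbound_smtp_by_source(log_text, internal_net)
    suspects = [(src, len(d)) for src, d in dests.items()
                if src not in mail_servers and len(d) >= min_dests]
    return sorted(suspects, key=lambda t: -t[1])


if __name__ == "__main__":
    for src, n in spam_suspects(SAMPLE_LOG):
        print(f"{src} opened SMTP sessions to {n} distinct external mail servers")
```

The distinct-destination count is a better signal than raw connection count: a busy but legitimate mail server talks to many MTAs too, which is why it is excluded by name, while a workstation should have no external SMTP destinations at all. Once the host is identified, the firewall rule AntonioAlmeida mentions (block TCP/25 from everything except the mail server) keeps the blacklisting from recurring while the machine is cleaned.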
 

Author Comment

by:junzcpt
ID: 36915294
Thanks emilgas, let me see how far I get.
 
LVL 27

Expert Comment

by:Tolomir
ID: 37175663
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.