Hidden Mass Mailing Help Needed!!

  • TheRic
    Veteran Member
    • Jun 2004
    • 1912
    • West Central Ohio
    • bt3100

    #1

    Hidden Mass Mailing Help Needed!!

    I know we have some computer experts out there, looking for some help / advice from them.

    Have a computer here that has some kind of mass mailing Worm / Trojan / Virus / Program / etc on it. Have been dealing with Symantec, but we have not been able to find it. At one point we thought it was gone, thought it was deleted with one of the programs even though nothing was said / flagged. We only thought this because we couldn't find it.

    The computer is a Windows XP SP 2, latest updates, but still IE 6.X. My computer is the same. In the evening the computer will show network traffic, not much but steady for several hours. Have found out from Spamcop that it is sending out mass mailings.

    Two examples:

    Subject: RE: Pfizer ID 5567574392160
    From: Doctor Brittney
    AND
    Subject: RE: Online MedHelp 841357274419
    From: Canadian Pharmacy

    The trouble started around April 4 (that we know of). After we thought it was fixed I put it back on line. Watched it for a couple of nights, nothing. Then last night it kicked in again.

    Have run the following programs in regular mode, safe mode, attached to my computer as drive "D" in regular and safe mode, with latest defs (if needed). None of these programs can find it.
    Symantec Anti Virus Corporate Edition 9.4, and 10.2 (10.1.1555?)
    Spybot
    Adaware
    Hijackthis
    Load Point Diagnostics
    Root Kit Revealer
    Ice Sword
    Process Monitor
    Base Line Analyzer

    You can post here, or PM me.

    Thanks for your help!!!
    Ric

    Plan for the worst, hope for the best!
  • DaveW
    Established Member
    • Jul 2004
    • 415
    • So Cal.

    #2
    Unfortunately, my recommendation would be to nuke the system and re-install XP etc. Not an answer most people like to hear, but the problem is that yes, you have something on your PC sending spam, but you have to wonder - how did it get there in the first place? If there was a backdoor put in your system, getting rid of the spam sending program wouldn't do any good since the bad guys could just come back in and put something else in its place...

    edit: If you don't want to nuke the system, you could always try an online virus scanner... for example, F-Secure

  • crokett
    The Full Monte
    • Jan 2003
    • 10627
    • Mebane, NC, USA.
    • Ryobi BT3000

    #3

    Right-click your task bar. Click Task Manager. Click Processes. Write down every process that is running. Google each one and you should find the trojan and information on how to deal with it. XP has some onboard restore utils if you created a backup pre-infection.
    David

    The chief cause of failure in this life is giving up what you want most for what you want at the moment.

  • DaveW
    Established Member
    • Jul 2004
    • 415
    • So Cal.

    #4

    Originally posted by crokett
    Right-click your task bar. Click Task Manager. Click Processes. Write down every process that is running. Google each one and you should find the trojan and information on how to deal with it. XP has some onboard restore utils if you created a backup pre-infection.

    The problem with this is that while it's a starting point, it may not work - we had a PC at work that had all processes checking out OK - it turned out to have a root kit that hid the spam-sending processes (similar to that Sony rootkit issue a while back).

  • sacherjj
    Senior Member
    • Dec 2005
    • 813
    • Indianapolis, IN, USA.
    • BT3100-1

    #5

    I've got to go with Dave on this one. Unless you are good enough to follow the trojan around as it jumps from innocent looking .exes in the system and fight it at a low level, it is almost impossible to get it totally clean. It looks like the system was compromised pretty severely. Backing up what you need to save and nuking it is quicker in the long run. I've written custom programs to track network I/O and follow this crap around to fix it and it took way too much work.
    Joe Sacher

  • whitecobra
    Established Member
    • Aug 2006
    • 180
    • 3 Miles from Disney in Orlando
    • BT3K with most accessories

    #6

    Two things come to mind.
    First off, I hate Symantec stuff, so if you have tried all else, choose another virus program.

    I prefer AVG.

    Second, I see you have "determined" from Spamcop that you are sending out emails. How did you determine that? If you answer by your email address or even your email SMTP port, you still have not determined that it is coming from your computer.

    MOST spam today is not from hijacked computers; it is from hijacked email servers, and they are at your ISP, not your PC.

    The spammer simply makes it LOOK like he is YOU.

    So the issue you need to find out is whether or not the email is ACTUALLY coming from your computer or LOOKING like it is coming from your computer.

    You can do that, but you need the "shipping info" which is included in all email trails. You need to have the trail analyzed to determine where the email stream is originating from.

    If it is your computer, AVG or another virus checker should be used (but I also agree sometimes a clean sweep and re-install is all that will fix it).

    If NOT, then have your ISP shut down the SMTP port you are using and/or install authorization locked to your static IP port (if you are using broadband).

    Hope this helps.

    Dr D
    Newest site to learn woodworking, DIY and Home Renovation.
    www.onlineshopclass.com built by woodworkers for woodworkers and supported by the industry so everyone wins

    If you are in the Orlando area contact me, let's get together and talk saw dust (or food or anything else you like except sports)

    My wife and I are National Food Judges so we CAN talk food with the best.

    Dr Dave
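The "shipping info" Dr D means is the chain of Received: headers that every mail relay prepends as a message passes through it. As an added example (not from this thread, and not any product's code), the Python below walks that chain from the recipient's end outward through relays you trust and reports the first host those relays did not vouch for, next to the domain the From: line claims. The sample message, the host names, the IP addresses (documentation ranges) and the trusted-relay list are all constructed assumptions standing in for your own mail server and your ISP's.

```python
"""Walk the Received: chain of a constructed spam sample to find where it
entered the mail system, as opposed to what the From: line claims.

Added example, not from the thread. The message, host names and IP addresses
(documentation ranges) are constructed; the names in TRUSTED_RELAYS stand in
for your own mail server and your ISP's relays."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample. Each relay prepends its own Received: line, so the top
# line is the hop nearest the recipient and the bottom one is the first relay
# that accepted the message from the sending machine.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby inbound.example.org with ESMTP id abc123; Thu, 12 Apr 2007 02:14:03 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx2.example.net with ESMTP; Thu, 12 Apr 2007 02:13:58 -0400
Received: from DOCTOR-PC (unknown [192.0.2.55])
\tby relay.isp.example with SMTP; Thu, 12 Apr 2007 02:13:51 -0400
From: Doctor Brittney <drbrittney@pharmacy.example.com>
To: victim@example.org
Subject: RE: Pfizer ID 5567574392160

Constructed body.
"""

# Constructed: the relays whose Received: lines we believe. Anything beneath
# the last trusted relay could have been typed in by the sender, so the walk
# stops at the first host that a trusted relay did not vouch for.
TRUSTED_RELAYS = frozenset({"inbound.example.org", "mx2.example.net", "relay.isp.example"})

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """One dict per Received: header, top (recipient side) first."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(header))  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue  # a relay wrote a layout we do not recognise; skip it
        ip = IP_RE.search(m.group("from_info") or "")
        hops.append({"from_host": m.group("from_host").lower(),
                     "from_ip": ip.group(1) if ip else None,
                     "by_host": m.group("by_host").lower()})
    return hops


def find_origin(raw, trusted_relays):
    """Walk from the recipient outward. The first 'from' host that is not one
    of our trusted relays is the origin as the last trusted relay saw it."""
    for hop in parse_received_chain(raw):
        if hop["by_host"] not in trusted_relays:
            return None  # this line was not written by a relay we trust
        if hop["from_host"] not in trusted_relays:
            return hop
    return None


def claimed_sender_domain(raw):
    """Domain in the From: line, which the sender controls completely."""
    msg = message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


if __name__ == "__main__":
    origin = find_origin(RAW_MESSAGE, TRUSTED_RELAYS)
    print("From: line claims", claimed_sender_domain(RAW_MESSAGE))
    print("entered the trusted relays from", origin["from_host"], origin["from_ip"])
```

With only your own server in the trusted set, the answer is the address of the ISP relay that handed the message to you; with the ISP's relays trusted as well, it is the address the ISP saw, which is what you compare with your own public address to decide whether the mail really left your network.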

  • dlminehart
    Veteran Member
    • Jul 2003
    • 1829
    • San Jose, CA, USA.

    #7

    You could get a Mac and be done with this whole hassle
    - David

    “Be yourself; everyone else is already taken.” -- Oscar Wilde

  • TheRic
    Veteran Member
    • Jun 2004
    • 1912
    • West Central Ohio
    • bt3100

    #8

    The computer is one here at work. I'm not going to start switching over 50 computers to Macs. Besides, about half the computers here are attached to equipment (controlling movement, analyzing, collecting data, etc) and I don't know of any that will work with a Mac.

    The computer belongs to a manager that has personnel info on it. Can't just nuke it. Besides, since I don't know what it is, and nothing can find it, I'm not 100% sure it won't get copied along with data files that I take off it.

    Since the computer is sending out SPAM, and only at certain times, it is probably controlled from outside. The same outside control could affect the new computer, or another. I would prefer to find out what is being done so I can stop it, and check other computers.

    The SPAM is being sent by its own SMTP engine; there is no traffic in the Exchange Logs. All the computers and servers sit behind a Cisco Firewall VPN. The firewall was put in several years ago by an outside company.
    I know this computer is sending out the spam, I have MRTG (traffic grapher) tracking every switch port.
    Ric

    Plan for the worst, hope for the best!

  • jking
    Senior Member
    • May 2003
    • 972
    • Des Moines, IA.
    • BT3100

    #9

    I'm not trying to hijack the thread, but, how do you prevent a situation like this in the first place? I've been considering switching from dial-up to DSL, but, one of my concerns is security.

  • williamr
    Forum Newbie
    • Dec 2006
    • 56
    • Mazatlan or Toronto
    • BT3000SX

    #10

    Originally posted by TheRic
    I know we have some computer experts out there, looking for some help / advice from them.

    Have a computer here that has some kind of mass mailing Worm / Trojan / Virus / Program / etc on it. Have been dealing with Symantec, but we have not been able to find it. At one point we thought it was gone, thought it was deleted with one of the programs even though nothing was said / flagged. We only thought this because we couldn't find it.

    Symantec Anti Virus Corporate Edition 9.4, and 10.2 (10.1.1555?)
    Spybot
    Adaware
    Hijackthis
    Load Point Diagnostics
    Root Kit Revealer
    Ice Sword
    Process Monitor
    Base Line Analyzer

    You can post here, or PM me.

    Thanks for your help!!!

    Panda Software...
    Try their online version. It often works where others don't.

    http://www.pandasoftware.com/

    http://www.pandasoftware.com/download/Software/

  • LarryG
    The Full Monte
    • May 2004
    • 6693
    • Off The Back
    • Powermatic PM2000, BT3100-1

    #11

    Originally posted by jking
    I'm not trying to hijack the thread, but, how do you prevent a situation like this in the first place? I've been considering switching from dial-up to DSL, but, one of my concerns is security.

    Logging on with a restricted User account, rather than the wide-open Administrator mode, will knock out about 99.44% of the risk. A restricted User cannot install new programs, alter critical system settings, or write to the registry.

    There are, however, some drawbacks. Automatic updates to Windows won't be possible, but you shouldn't be allowing those, anyway. Some anti-virus programs may not update their definitions automatically (the excellent, and free, Avast AV will). And you'll have to log on as an Administrator to install new programs and/or update existing ones.

    All of which is a bit of a hassle, admittedly -- but not nearly so big a hassle as what Ric is currently "enjoying."
    Larry

  • crokett
    The Full Monte
    • Jan 2003
    • 10627
    • Mebane, NC, USA.
    • Ryobi BT3000

    #12

    Originally posted by jking
    I'm not trying to hijack the thread, but, how do you prevent a situation like this in the first place? I've been considering switching from dial-up to DSL, but, one of my concerns is security.

    1. A good hardware-based router. IMO, Netgear is one of the better ones
    2. Keep your system updated with all available updates
    3. Virus/Trojan/etc scanner
    4. Software firewall to back up the router. A good one will log connection attempts. Review the logs.
    5. (and most important) Smart Internet use - don't open anything that arrives unsolicited from anyone - whether you know them or not. Don't go into the dark alleys. It took me a while and 2 system reinstalls to convince my wife not to do this. The 2nd time I just left the machine unusable for a few weeks until I 'got around' to fixing it for her.
    David

    The chief cause of failure in this life is giving up what you want most for what you want at the moment.

  • Kristofor
    Veteran Member
    • Jul 2004
    • 1331
    • Twin Cities, MN
    • Jet JTAS10 Cabinet Saw

    #13

    Originally posted by sacherjj
    I've got to go with Dave on this one.
    ...
    Backing up what you need to save and nuking it is quicker in the long run.

    I concur. Take off and nuke the entire site from orbit. It's the only way to be sure. You remember what happened when that advice was ignored...

    You might not be eaten by aliens, but I bet your ISP will decide you're not worth the hassle and drop you as a customer if you don't clean up the spambox

  • p8ntblr
    Senior Member
    • Jan 2007
    • 921
    • So Cal
    • Craftsman 22114

    #14

    Originally posted by jking
    I'm not trying to hijack the thread, but, how do you prevent a situation like this in the first place? I've been considering switching from dial-up to DSL, but, one of my concerns is security.

    Personally I think a lot of it is just using some internet sense, i.e. don't open any attachments, don't go to questionable sites, don't use p2p (peer to peer) programs (emule, kazaa, torrents, etc).

    Aside from that, using a restricted account as someone mentioned. Since only an admin account can install software, hackers won't be able to install their programs as well. I think this is a major reason Macs are safer (they're much more restricted on who/what can be installed).

    Firefox - Use Firefox instead of IE. It automatically does not allow scripts like IE does. And if you want to go to a site that you trust and is using scripts you can allow it for that site.

    Firewall - I suggest using a router firewall. They're as secure (if not more) than software and not as intrusive.

    Anti-Virus - My favorite is by far NOD32 by ESET. The least intrusive I've seen and offers the most protection.

    Btw, when I say intrusive I mean they won't slow your computer speed way down or ask you a million times if you would like to proceed.

    As for the OP's question, I concur that the only sure way to get rid of it is to reformat. If the virus embeds itself that deep in your system it's nearly impossible to get rid of it without also destroying the OS.
    -Paul

  • linear
    Senior Member
    • May 2004
    • 612
    • DeSoto, KS, USA.
    • Ryobi BT3100

    #15

    Originally posted by TheRic
    I would prefer to find out what is being done so I can stop it, and check other computers.

    TCPView will allow you to spot which process opens a TCP connection. It should help you a lot.

    TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.
    If you can add egress filtering to your firewall (or edge router) to block port 25 outbound except for the legit mail exchanger, that would help contain the damage while you clean up the mess.
    --Rob
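The connection-to-process check Rob describes, with the matching egress rule beside it, as an added example in Python that is not from this thread and not TCPView's or Windows' own code. It parses constructed output in the layout of `netstat -ano` (the XP command whose PID column TCPView presents more conveniently), flags every process talking to port 25 anywhere other than the site's own mail exchanger, and models the firewall policy that would stop those connections at the edge. The netstat text, the PID-to-name map and the mail exchanger address are constructed assumptions.

```python
"""Flag processes talking SMTP to anything but the site's own mail exchanger,
from netstat-style output, and model the matching egress rule.

Added example, not from the thread. The netstat text, the PID-to-name map and
the mail exchanger address below are constructed; on Windows XP 'netstat -ano'
prints the PID column that ties a connection back to a process."""

SMTP_PORT = 25
LEGIT_MX = "10.1.2.5"  # constructed: the one host allowed to send on port 25

# Constructed sample output in the layout of 'netstat -ano'.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.1.2.33:1039         10.1.2.5:25            ESTABLISHED     1524
  TCP    10.1.2.33:1043         203.0.113.25:25        ESTABLISHED     1388
  TCP    10.1.2.33:1044         198.51.100.9:25        SYN_SENT        1388
  TCP    10.1.2.33:1045         192.0.2.77:80          ESTABLISHED     1524
  UDP    10.1.2.33:137          *:*                                    4
"""

# Constructed: what 'tasklist' would show for those PIDs. The name alone
# proves nothing (a rootkit can hide or rename it); the connection is the fact.
PID_NAMES = {4: "System", 912: "svchost.exe", 1388: "updater.exe", 1524: "OUTLOOK.EXE"}


def split_endpoint(endpoint):
    """'203.0.113.25:25' -> ('203.0.113.25', 25); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP lines carry a State column, UDP lines do not; PID is always last.
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state, "pid": int(parts[-1])})
    return conns


def egress_allowed(src_host, dst_port, legit_mx=LEGIT_MX):
    """The edge policy: only the mail exchanger may open port 25 outbound;
    every other destination port is unaffected."""
    if dst_port != SMTP_PORT:
        return True
    return src_host == legit_mx


def find_rogue_smtp(conns, pid_names, legit_mx=LEGIT_MX):
    """Port-25 connections that bypass the legitimate mail exchanger, with the
    owning process name so the PID can be investigated on the host."""
    rogue = []
    for c in conns:
        if c["proto"] != "TCP" or c["remote_port"] != SMTP_PORT:
            continue
        if c["remote_host"] == legit_mx:
            continue  # a normal client talking to the site's own server
        rogue.append({"pid": c["pid"], "process": pid_names.get(c["pid"], "?"),
                      "remote": c["remote_host"], "state": c["state"]})
    return rogue


if __name__ == "__main__":
    for hit in find_rogue_smtp(parse_netstat(NETSTAT_OUTPUT), PID_NAMES):
        print(f"PID {hit['pid']} ({hit['process']}) -> {hit['remote']}:25 {hit['state']}")
```

Run against real output, the scan has to be repeated during the evening window Ric sees in MRTG, because a mailer that only wakes at certain times shows nothing the rest of the day; the egress rule, by contrast, holds whether or not the host has been found yet.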