On 11/28/2010 12:11 PM, Li'l Abner wrote:
> I have a Dell Windows XP SP3 here that has been spewing SPAM email. The
> owner has been warned by his ISP. I must be Googling for the wrong thing
> because all I can find about it is that it happens but no advice on what to
> do about it. There are detection tools to use on networks, routers, servers,
> etc. but nothing about the individual computer except for a couple of those
> "wipe it and start over" replies. I've done a full scan with MSE, MBAM,
> SAS, and ComboFix. MSE found nothing, MBAM found 18 MyWebSearch and 2
> Trojan Vundo, SAS found a bunch of tracking cookies, and ComboFix found
> nothing at all.
> For starters, how can I detect if the computer is still sending it?
> If it is, is it a virus or some kind of malware? What does it take to get
> rid of it?
>
Are you sure the machine was used to send the spam and not just that the
account credentials were stolen?
Easiest way to determine if it is still trying to send email would be to
put it behind a firewall that blocks traffic and watch the logs.
If that isn't possible you might be able to tell by using the following:
http://technet.microsoft.com/en-us/s.../bb897437.aspx
http://www.wireshark.org/download.html
If you have a real hub available you could install Wireshark on a
separate machine to monitor the traffic from the computer in question.
This would avoid the possibility that the infected machine has some
capability to hide what it is doing.
Another option is to remove the drive from the original machine and
slave it to a different box; it might be easiest to use a USB to IDE or SATA
adapter.
Could also try one or more of the bootable AV CDs:
http://www.avira.com/en/support-down...-rescue-system
A couple of other scanners I have had good results with:
http://live.sunbeltsoftware.com/
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
and
Multi_av, put together by Mr. Lipman:
http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
If the scanners find something I would upload the file(s) to VirusTotal.
The uploader can make this easy:
http://www.virustotal.com/advanced.html#uploader
Also the Malware Hash Registry might be able to help:
http://hash.cymru.com/
or the application:
http://www.team-cymru.org/Services/MHR/WinMHR/
Of course, before doing any type of cleanup, you should have a good
backup!!!!
Hope some of this helps.
John
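John's first suggestion, putting the box behind a firewall and watching the logs, as an added Python example that is not part of the original thread: it parses constructed iptables-style log lines (the line format, the host addresses and the threshold are all assumptions) and flags a host that opens SMTP connections to many distinct mail servers, which a normal mail client talking only to its ISP's relay would not do.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not from the original post).
# 192.168.1.50 stands in for the suspect XP box; 192.168.1.20 is a normal client.
SAMPLE_LOG = """\
Nov 28 12:15:01 gw kernel: FW-OUT SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=49152 DPT=25
Nov 28 12:15:01 gw kernel: FW-OUT SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP SPT=49153 DPT=25
Nov 28 12:15:02 gw kernel: FW-OUT SRC=192.168.1.50 DST=198.51.100.4 PROTO=TCP SPT=49154 DPT=25
Nov 28 12:15:02 gw kernel: FW-OUT SRC=192.168.1.50 DST=198.51.100.12 PROTO=TCP SPT=49155 DPT=25
Nov 28 12:15:03 gw kernel: FW-OUT SRC=192.168.1.50 DST=192.0.2.77 PROTO=TCP SPT=49156 DPT=25
Nov 28 12:15:03 gw kernel: FW-OUT SRC=192.168.1.50 DST=192.0.2.80 PROTO=TCP SPT=49157 DPT=25
Nov 28 12:15:04 gw kernel: FW-OUT SRC=192.168.1.20 DST=203.0.113.25 PROTO=TCP SPT=50001 DPT=587
Nov 28 12:15:05 gw kernel: FW-OUT SRC=192.168.1.20 DST=203.0.113.25 PROTO=TCP SPT=50002 DPT=587
Nov 28 12:15:06 gw kernel: FW-OUT SRC=192.168.1.50 DST=203.0.113.50 PROTO=TCP SPT=49158 DPT=80
this line is not a firewall record and is skipped
"""

MAIL_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dst, dport) for an outbound TCP record, or None if the line is not one."""
    f = dict(FIELD.findall(line))
    if any(k not in f for k in ("SRC", "DST", "PROTO", "DPT")) or f["PROTO"] != "TCP":
        return None
    return f["SRC"], f["DST"], int(f["DPT"])

def smtp_summary(log_text):
    """Per source host: number of outbound mail-port connections and the distinct servers contacted."""
    stats = defaultdict(lambda: {"attempts": 0, "servers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in MAIL_PORTS:
            continue                      # non-mail traffic and unparsable lines are ignored
        src, dst, _ = rec
        stats[src]["attempts"] += 1
        stats[src]["servers"].add(dst)
    return stats

def suspected_spammers(log_text, max_servers=3):
    """Hosts contacting more distinct mail servers than a normal client would (threshold is an assumed value)."""
    return sorted(src for src, s in smtp_summary(log_text).items() if len(s["servers"]) > max_servers)

if __name__ == "__main__":
    for src, s in smtp_summary(SAMPLE_LOG).items():
        print(f"{src}: {s['attempts']} mail connections to {len(s['servers'])} distinct servers")
    print("suspects:", suspected_spammers(SAMPLE_LOG))
```

A host that only ever talks to its ISP's relay on port 587 stays below the threshold; a machine fanning out direct port-25 connections to many destinations in a few seconds is the pattern the firewall log should show if the box is still sending.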