John Mason Jr <notvalid@cox.net.invalid> wrote in
news:icu7pg$5ir$1@news.eternal-september.org:
> On 11/28/2010 12:11 PM, Li'l Abner wrote:
>> I have a Dell Windows XP SP3 here that has been spewing SPAM email.
>> The owner has been warned by his ISP. I must be Googling for the
>> wrong thing because all I can find about it is that it happens but no
>> advice on what to do about it. There's detection tools to use on
>> networks, routers, servers, etc. but nothing about the individual
>> computer except for a couple of those "wipe it and start over"
>> replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE
>> found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
>> found a bunch of tracking cookies, and Combofix found nothing at all.
>> For starters, how can I detect if the computer is still sending it?
>> If it is, is it a virus or some kind of malware? What does it take to
>> get rid of it?
>>
>
> Are you sure the machine was used to send the spam and not just that
> the account credentials were stolen?
>
> Easiest way to determine if it is still trying to send email would be
> to put it behind a firewall that blocks traffic and watch the logs
>
> If that isn't possible you might be able to tell by using the
> following
>
> http://technet.microsoft.com/en-us/s.../bb897437.aspx
> http://www.wireshark.org/download.html
>
> If you have a real hub available you could install wireshark on a
> separate machine to monitor the traffic from the computer in question,
> this would avoid the possibility that the infected machine has some
> capability to hide what it is doing.
>
> Another option is to remove the drive from the original machine and
> slave it to a different box; this might be easiest. I use a USB to IDE
> or SATA adapter.
>
> Could also try one or more of the bootable AV CDs
>
> http://www.avira.com/en/support-down...-rescue-system
>
> A couple of other scanners I have had good results with
>
> http://live.sunbeltsoftware.com/
> http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
> and
> Multi_av put together by Mr Lipman
> http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
>
> If the scanners find something I would upload the file(s) to
> VirusTotal. The uploader can make this easy:
> http://www.virustotal.com/advanced.html#uploader
>
> Also the Malware Hash Registry might be able to help
>
> http://hash.cymru.com/
> or the application
> http://www.team-cymru.org/Services/MHR/WinMHR/
>
> Of course before doing any type of cleanup, you should have a good
> backup!!!!
His 80 GB drive had 78 GB of stuff on it. I cloned it to a 250 GB drive
before I did anything else! So I still have everything on the old drive.
I appreciate your reply. I read VanguardLH's reply and replied to it in
detail before I saw Dave's, Dustin's and your reply. I will keep all your
replies in mind for future reference if I need it.
Your replies all had one thing in common. And that's the fact that the
mail may not be coming from this machine at all.
--
--- Everybody has a right to my opinion. ---
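The "put it behind a firewall that blocks traffic and watch the logs" advice quoted above can be turned into a simple check. This is an added example, not code from the thread: it assumes a constructed key=value outbound-connection log format (not any particular firewall's) and flags a host that opens connections to many distinct mail servers, which is what a spam bot does and a normal mail client, which talks only to its provider's server, does not.

```python
"""Flag likely spam bots from firewall logs of outbound connections.

Added example; log format and sample lines are constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log: 192.168.1.37 fans out to several mail servers,
# 192.168.1.20 only talks to a single (its provider's) mail server.
SAMPLE_LOG = """\
2010-11-28T12:00:01 src=192.168.1.20 dst=10.0.0.5 dport=443 action=allow
2010-11-28T12:00:02 src=192.168.1.37 dst=203.0.113.10 dport=25 action=block
2010-11-28T12:00:02 src=192.168.1.37 dst=203.0.113.11 dport=25 action=block
2010-11-28T12:00:03 src=192.168.1.37 dst=198.51.100.7 dport=25 action=block
2010-11-28T12:00:03 src=192.168.1.20 dst=192.0.2.25 dport=25 action=allow
2010-11-28T12:00:04 src=192.168.1.37 dst=198.51.100.8 dport=25 action=block
2010-11-28T12:00:05 src=192.168.1.37 dst=203.0.113.12 dport=587 action=block
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission


def parse_log(text):
    """Yield (src, dst, dport) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def mail_destinations(text):
    """Map each source host to the set of distinct mail servers it contacted."""
    dests = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport in MAIL_PORTS:
            dests[src].add(dst)
    return dests


def suspect_hosts(text, threshold=3):
    """Return hosts that contacted at least `threshold` distinct mail servers."""
    return sorted(h for h, d in mail_destinations(text).items() if len(d) >= threshold)


if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_LOG))  # ['192.168.1.37']
```

Blocked or allowed does not matter for the check; a host that keeps trying to reach many mail exchangers directly is the thing to look at, which is exactly what the firewall-and-logs approach is meant to reveal.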