Can't stop a Zombie EMailer

Can't stop a Zombie EMailer
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Antivirus Discussions    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Can't stop a Zombie EMailer =?Utf-8?B?SlA=?= 08-29-2007
Posted by =?Utf-8?B?SlA=?= on August 29, 2007, 4:10 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I am assuming I am on the right Group.
I have discovered a Zombie Emailer running on XP Home.
It is sending enough email to bring down the LAN. Using CurrPorts
(cports.exe) I can watch it connect to an IP address on port 80 (probably
picking up the day's email) then connect to another IP Address (close to the
first one) on Port 25.

After a few seconds, all hell breaks loose, and the computer starts spewing
email at a great rate...stopped by pulling the Network cable.
I have watched this, in CurrPorts, and in Process Explorer from
Sysinternals, and it appears to be running from Services.exe PID 688, but
from where after that is the real question.
I have used 3 different Virus Scanners, and 2 different Rootkit finders.
Nothing.

I further checked it with HiJackThis, and with Autoruns. Seems that it is
not something that normally shows up as an "evil doer". I am not sure if
they have hijacked a service, or just what.
Any suggestions.

Posted by Paul Zak on August 29, 2007, 4:23 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
What software was used? Have you tried Trojan Remover, Spybot, AVG &
AVG-AS, as well as AVG-RK? Also try superantispyware . . .


> I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80 (probably
> picking up the day's email) then connect to another IP Address (close to
the
> first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts
spewing
> email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688, but
> from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit finders.
> Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that it is
> not something that normally shows up as an "evil doer". I am not sure if
> they have hijacked a service, or just what.
> Any suggestions.



Posted by Milo \(MSPSS\) on August 29, 2007, 4:49 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Block the said ports from the firewall as an option

>I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80 (probably
> picking up the day's email) then connect to another IP Address (close to
> the
> first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts
> spewing
> email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688, but
> from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit finders.
> Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that it is
> not something that normally shows up as an "evil doer". I am not sure if
> they have hijacked a service, or just what.
> Any suggestions.


Posted by Dustin Cook on August 30, 2007, 5:36 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> Block the said ports from the firewall as an option

Doesn't remove the problem, just keeps it from talking on the internet.
Better to clean the box, imho.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################

Posted by Milo \(MSPSS\) on August 31, 2007, 8:15 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Actually thats the first step cut off the bits/data supporting the code from
within... then after such the system would be stable enough and (non
replicating since the source has been block ).

And for further identification use a proper tool for the removal or so I
would recommend to call Microsoft Security US/CANADA ( 866 727 2338 ) for
added asssistance

>
>> Block the said ports from the firewall as an option
>
> Doesn't remove the problem, just keeps it from talking on the internet.
> Better to clean the box, imho.
>
>
> --
> ####################################################
> Dustin Cook
> Author of BugHunter - MalWare Removal Tool - v2.2c
> Email: bughunter.dustin@gmail.com
> Web..: http://bughunter.it-mate.co.uk
> Pad..: http://bughunter.it-mate.co.uk/pad.xml
> ####################################################


Similar ThreadsPosted
Stop error March 13, 2006, 3:59 am
how do i stop theese popups September 9, 2005, 2:59 am
Univers.exe and dingping.exe services won't stop August 6, 2005, 3:52 pm
W32.Sober-how do I stop getting infected emails? December 5, 2005, 5:39 pm
STOP what you’re doing - It doesn’t work! 900D July 28, 2006, 7:10 pm
Stop baby eating in CHINA January 29, 2008, 10:35 am
Stop Error 0x8e Mult. Machines July 11, 2005, 9:31 pm

The site map in XML format XML site map

Contact Us | Privacy Policy