SMTP Spam bot.


2 replies to this topic

#1 zlyles

zlyles

  • Members
  • 7 posts

Posted 27 July 2009 - 12:53 PM

I have a user at my company who recently started getting Symantec spam responses from target mail servers. Very soon after we were put on a block list. We set up a monitor for SMTP traffic on the firewall, and found her computer was sending thousands of spam messages out nonstop.

So far I have tried the following in an attempt to locate the source of the problem and eliminate it:

Symantec Endpoint Protection: full system scan
Trend Housecall: full scan
Kaspersky online scan: full scan
Malwarebytes: full scan
Combofix
SDfix
Microsoft RootkitRevealer
F-Secure BlackLight

All scans returned clean with no infections found.

At this point, I resorted to using netstat to track the services, which found Services.exe sending out thousands of SMTP messages.

Next, I removed the hard drive from the computer and dropped it in another machine and proceeded to rescan the hard drive, which still came back with no results.

I did a search for all files modified in the past day, and ran across the file C:\WINDOWS\system32\drivers\246a374.sys which seemed like an odd name.

So I renamed the file to 246a374-test.sys, dropped the hard drive back in the original PC, fired it up, and no spam.
I rename the file back to its original name, restart the computer, and bam, out flows the spam.
So now starts the mission to find what is using 246a374.sys.
A quick search of the Windows registry comes back with the following entries:

HKLM\SYSTEM\ControlSet001\Services\246a374
HKLM\SYSTEM\ControlSet002\Services\246a374

Clicking on either folder results in the following message:

Error Opening Key
Cannot open 246a374: Error while opening key.

At this point we are just trying to track down the roots of this virus: what is calling 246a374.sys.

Anybody have ideas for getting into that registry key, or tracking down other files related to the virus?

Thanks for the help,

Zak
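A defender-side triage script, added here as an example and not taken from the thread: it lists kernel drivers under system32\drivers modified in the last day, reports whether each file carries a valid Authenticode signature, and checks whether the matching Services registry key can be opened, which is the symptom Zak describes (a key that is visible but refuses to open). It assumes an elevated PowerShell session on the affected system; the `$Days` and `$DriverDir` parameters are my own, and a kernel-mode rootkit that hides its key outright will not show up in the enumeration.

```powershell
# Added triage script (not from the original post): list kernel drivers
# modified in the last N days and report whether each one's Services key
# can be opened. A visible key that refuses to open, as in the thread, is
# a lead worth investigating further.
param(
    [int]$Days = 1,                                        # assumed parameter
    [string]$DriverDir = "$env:SystemRoot\System32\drivers" # assumed parameter
)

$cutoff   = (Get-Date).AddDays(-$Days)
$services = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
# GetSubKeyNames() lists names without opening each key, so locked keys still appear
$subKeys  = $services.GetSubKeyNames()

Get-ChildItem -Path $DriverDir -Filter *.sys -File |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $name   = $_.BaseName
        $status = 'no matching service key'
        if ($subKeys -contains $name) {
            try {
                # OpenSubKey throws SecurityException when the key's ACL denies access
                $key    = $services.OpenSubKey($name)
                $status = 'readable; ImagePath=' + $key.GetValue('ImagePath')
                $key.Close()
            } catch [System.Security.SecurityException] {
                $status = 'KEY EXISTS BUT CANNOT BE OPENED'
            }
        }
        [pscustomobject]@{
            Driver        = $_.Name
            LastWriteTime = $_.LastWriteTime
            Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            ServiceKey    = $status
        }
    } | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

$services.Close()
```

Run it as `.\Find-SuspectDrivers.ps1 -Days 1` (the script name is a placeholder); an unsigned driver with a recent timestamp and a key that cannot be opened is the combination to pull for further analysis, before renaming anything.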


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 July 2009 - 01:16 PM

Hello zlyles and :thumbsup: to Bleepingcomputer!

I suggest you start a thread in Am I infected? What do I do? stating all your symptoms, any steps you have already taken in an attempt to solve the problem, and any other details you can provide that may prove useful. Someone should be able to help you there!

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 zlyles

zlyles
  • Topic Starter

  • Members
  • 7 posts

Posted 27 July 2009 - 02:46 PM

Done, thanks.
