Posted 27 July 2009 - 12:53 PM
I have a user at my company who recently started getting Symantec spam responses from target mail servers. Very soon after we were put on a block list. We set up a monitor for SMTP traffic on the firewall, and found her computer was sending thousands of spam messages out nonstop.
So far I have tried the following in an attempt to locate the source of the problem and eliminate it:
Symantec Endpoint Protection: full system scan
Trend Housecall: full scan
Kaspersky online scan: full scan
Malwarebytes: full scan
All scans returned clean with no infections found.
At this point, I resorted to using netstat to track the services, which found Services.exe sending out thousands of SMTP messages.
Next, I removed the hard drive from the computer and dropped it in another machine and proceeded to rescan the hard drive, which still came back with no results.
I did a search for all files modified in the past day, and ran across the file C:\WINDOWS\system32\drivers\246a374.sys which seemed like an odd name.
So I renamed the file to 246a374-test.sys, dropped the hard drive back in the original PC, fired it up, and no spam.
I rename the file back to its original name, restart the computer, and bam, out flows the spam.
So now starts the mission to find what is using 246a374.sys.
A quick search of the Windows registry comes back with the following entries:
Clicking on either folder results in the following message:
Error Opening Key
Cannot open 246a374: Error while opening key.
At this point we are just trying to track down the roots of this virus, i.e. what is calling 246a374.sys.
Anybody have ideas for getting into that registry key, or tracking down other files related to the virus?
Thanks for the help,
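One way to automate the hunt described in the post (recently modified driver files, their signature status, and which service entries reference them), as an added example that is not the original poster's code. It assumes an elevated PowerShell session on the suspect machine; the `$Days`, `$DriverDir` and `$ServicesKey` parameters are the example's own, and only `246a374.sys` comes from the post.

```powershell
# Added example: list kernel drivers modified in the last $Days days with their
# Authenticode status, then find service keys whose ImagePath names each one.
# Assumes an elevated session; point $DriverDir/$ServicesKey at a mounted
# offline drive/hive to inspect the disk from another machine, as the post did.
param(
    [int]$Days = 1,
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Recently modified .sys files and whether they carry a valid signature.
$recent = Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name                      # e.g. 246a374.sys in the post
            Modified  = $_.LastWriteTime
            SigStatus = $sig.Status                  # 'Valid' for signed vendor drivers
            Signer    = $sig.SignerCertificate.Subject
        }
    }
$recent | Sort-Object Modified -Descending | Format-Table -AutoSize

# 2. For each recent driver, find the service entry that loads it.
foreach ($drv in $recent) {
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction Stop
        } catch {
            # The post's symptom: a key that refuses to open. Report it instead of
            # skipping silently, since an unreadable service key is itself a lead.
            Write-Warning "Cannot open $($_.PSChildName): $($_.Exception.Message)"
            return
        }
        if ($props.ImagePath -and $props.ImagePath -like "*$($drv.Name)*") {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Driver    = $drv.Name
                ImagePath = $props.ImagePath
                Start     = $props.Start    # 0=boot 1=system 2=auto 3=manual 4=disabled
            }
        }
    }
}
```

Drivers that are unsigned, freshly modified, and loaded by a service key that cannot be opened are the ones to pull from the offline disk for analysis.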