Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IP address keeps being relisted on the CBL


  • Please log in to reply
4 replies to this topic

#1 Audryb

Audryb

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 12 August 2010 - 01:11 PM

I work at a small company (4 people) and a month or so ago we started having trouble with our e-mail being blocked. Some of the bounce messages directed us to spamhaus.com and we found that our IP was listed in the CBL. Repeated scanning of all computers with MalwareBytes and NOD32 found various threats on all the computers. We "fixed" the threats and delisted the IP address. Since then we keep getting relisted every few days.

We have a server and four other computers that are used by the four people who work here. We have a static IP address. I read a little on the CBL page about NAT but I don't really understand it. I think there must be something on one of the computers that we aren't finding with the MalwareBytes, but I don't know how to find it or what to do about it. Any help would be greatly appreciated.

Thank you.

BC AdBot (Login to Remove)

 


#2 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 12 August 2010 - 01:18 PM

You can use Wireshark to determine which computer is spamming. Once you've found the compromised pc, run ComboFix on it.

#3 Audryb

Audryb
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 12 August 2010 - 01:38 PM

Thank you. Is Wireshark something I need to run on all the computers individually? I'm looking at their website now.

#4 Stor-A11

Stor-A11

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:03:49 AM

Posted 12 August 2010 - 03:29 PM

Thank you. Is Wireshark something I need to run on all the computers individually? I'm looking at their website now.


You only need to run wireshark on 1 computer.

#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:49 AM

Posted 15 August 2010 - 04:37 AM

Please be aware of the following.

ComboFix (CF for short) is intended by its creator to be "used under the guidance and supervision of an expert", NOT for personal, unsupervised use. Please read Combofix's Disclaimer. When CF is run without trained assistance, it can no longer be considered a "safe" tool. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You may find this topic to be informative - ComboFix usage, Questions, Help? - Look here

Additionally, please see the following topic regarding malware assistance here at Bleeping Computer. How do I get help? Who is helping me?

***************************************************

Let's not use ComboFix for now. I'd like to get a rootkit scan.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


~Blade


In your next reply, please include the following:
GMER log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users