For a few days now I have noticed hiccups in my internet connection. Monitoring packets, I saw that even when no programs were open there was internet activity.
Using TCPView from Sysinternals, I discovered a lot of connections on the SMTP port, and a few on the HTTP and HTTPS ports.
I started PeerBlock, and it blocked many servers from spreading.
The situation looked similar to other times.
I downloaded the latest version of ComboFix and placed it on my desktop. Then:
- I turned off my PC
- I turned it on and chose to run in Safe Mode
- I started ComboFix in Safe Mode (no network support)
ComboFix found and deleted some files. Then ComboFix restarted my PC in normal mode and finished its job.
I checked the connections, and they looked ok. There was no activity.
After 10 minutes, unfortunately, the strange activity started again. Many connections on the SMTP port.
I also tried looking into the processes (with Process Explorer from Sysinternals): there are many svchost instances, but they look normal.
What tools can I use to intercept and possibly destroy this virus?
I have Windows 7, 32-bit.
Thanks in advance.
+++ Update: I have stemmed the problem by adding a rule in the Windows firewall. The virus tries to make a connection on port 443 (HTTPS) to the remote address 77.67.10.x, then (on success) it downloads something and starts to spam a lot of emails (that is, it creates a lot of connections to many servers through port 25).
So, for now, I have added a rule to deny access from/to IP 126.96.36.199/24 and it works: the internet is now accessible and doesn't hiccup. Besides, as an extreme solution, I have added a rule to block port 25.
But the virus is still on my PC... so I ask for your help to get rid of it.
Edited by Zak McKracken, 15 August 2010 - 05:28 PM.
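A defender-side check for the pattern described in the update above (one process holding many outbound port-25 connections), added here as an example and not part of the original post. It assumes the standard English `netstat -ano` output format, an arbitrary threshold of five connections, and the built-in `tasklist` tool for mapping a svchost PID to the services it hosts:

```powershell
# Added example: flag processes with many outbound TCP connections to port 25,
# the spam-bot pattern seen in TCPView. Written for PowerShell 2.0 (Windows 7).
$threshold = 5   # assumption: five or more port-25 connections is suspicious

# Keep only TCP rows; columns are Proto, Local Address, Foreign Address, State, PID
$lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
$entries = foreach ($line in $lines) {
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -lt 5) { continue }
    $remote = $fields[2]
    $remotePort = $remote.Substring($remote.LastIndexOf(':') + 1)
    New-Object PSObject -Property @{
        Remote     = $remote
        RemotePort = $remotePort
        State      = $fields[3]
        PID        = [int]$fields[4]
    }
}

# Group connections to remote port 25 by owning PID and keep the heavy ones
$suspects = $entries |
    Where-Object { $_.RemotePort -eq '25' -and $_.State -ne 'LISTENING' } |
    Group-Object PID |
    Where-Object { $_.Count -ge $threshold }

foreach ($group in $suspects) {
    $proc = Get-Process -Id $group.Name -ErrorAction SilentlyContinue
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '<path unavailable>' }
    "PID {0} ({1}) has {2} connections to remote port 25" -f $group.Name, $path, $group.Count
    # Distinct remote hosts, to show whether this is a real mail client or a spam run
    $group.Group | Select-Object -ExpandProperty Remote | Sort-Object -Unique
    # A svchost.exe PID hosts several services; list them so the odd one can be spotted
    tasklist /svc /fi "PID eq $($group.Name)"
}

# Containment the poster applied, expressed as a built-in firewall rule (admin prompt):
# netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block protocol=TCP remoteport=25
```

Run it from an elevated prompt so `Get-Process` can read the paths of processes owned by other accounts; a legitimate mail client talks to one or two servers, whereas a spam bot fans out to many distinct remote hosts.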