my server has been zombi-fied ***HELP***

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by snarfsmojo, Apr 7, 2005.

  1. snarfsmojo

    snarfsmojo Private E-2

    OK, I'll give you all the low-down...

    One of my clients calls me up saying "our internet is slow". I go over and check it out, and lo and behold, their DSL is running at about 20-25 kb/s (that's b, not B :() so I call up SBC and yell at them. They test the lines and the lines are fine. I think it's a bad NIC (on the server; thought it might be spewing out bad traffic), I switch out the NIC, and it's working fine! For 16 hours... After 16 hours the problem came back, then I thought to use Netmon to take a look at the traffic. After a little filtering, I realized that my server was having a completely bizarre amount of outgoing traffic on port 25. *UGH* So I think we have narrowed it down to the fact that their server has been turned into an open relay of some sort for spammers :( The problem is, I've run every scan I can think of (they have corporate Symantec, I used that, HouseCall, SpySweeper, Ad-Aware, a^2, HijackThis, etc. etc.) and they all come up with pretty much nothing. Is there any way to tell what process is creating what network traffic? Is it possible that a program could have altered Exchange in a way to make it spew out all kinds of spammy email? Are there best practices for getting your computer un-zombi-fied? Keep in mind that this is a server... and every second of downtime hurts :( I'm thinking formatting the drive might be the only cure... I DON'T want to do that...
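The "which process owns the port 25 traffic" question above can be answered on Windows XP/Server 2003 and later by joining `netstat -ano` (which prints the owning PID) with `tasklist`. The script below is an added example, not from the thread or any tool it mentions; it parses constructed sample output of both commands, counts outbound SMTP connections per process, and flags any process not in an assumed allowlist of legitimate SMTP senders (here only Exchange's inetinfo.exe).

```python
"""Triage helper: name the processes holding outbound SMTP (port 25) connections.

Feed it the saved text of `netstat -ano` and `tasklist` from the affected host.
The two samples below are constructed for this example.
"""
import re
from collections import Counter

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:1043      203.0.113.7:25         SYN_SENT        1876
  TCP    192.168.1.10:1044      198.51.100.22:25       ESTABLISHED     1876
  TCP    192.168.1.10:1045      203.0.113.9:25         ESTABLISHED     1876
  TCP    192.168.1.10:1050      198.51.100.5:25        ESTABLISHED     1204
  TCP    192.168.1.10:139       192.168.1.22:1067      ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0       216 K
inetinfo.exe                1204 Console                 0    12,544 K
netmon.exe                  1876 Console                 0     3,120 K
"""

# Assumed allowlist: on Exchange 2000/2003 the SMTP service runs inside inetinfo.exe.
EXPECTED_SMTP_PROCS = {"inetinfo.exe"}

def parse_netstat(text):
    """Return (pid, remote_ip, remote_port, state) for each TCP line carrying a PID."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            rows.append((int(m.group(5)), m.group(2), int(m.group(3)), m.group(4)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist's fixed-column output."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s", line)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def smtp_senders(netstat_text, tasklist_text, expected=EXPECTED_SMTP_PROCS):
    """List (image, pid, outbound_port25_count, suspicious), busiest process first."""
    names = parse_tasklist(tasklist_text)
    per_pid = Counter(pid for pid, _ip, port, state in parse_netstat(netstat_text)
                      if port == 25 and state != "LISTENING")
    return [(names.get(pid, "<unknown>"), pid, n, names.get(pid, "").lower() not in expected)
            for pid, n in per_pid.most_common()]
```

The image name alone will not distinguish the C:\WINNT\netmon.exe the thread later mentions from the legitimate C:\WINNT\system32\netmon.exe, so check the full path of any flagged PID before acting on it.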
     
  2. snarfsmojo

    snarfsmojo Private E-2

    I have also just gone through the steps in Microsoft's article "How to block open relaying"
    http://support.microsoft.com/?id=324958#3
    and found that our Exchange server doesn't have an open relay. So now I'm really stumped :( Any help would be extremely appreciated. :(
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's rule out malware as a possibility.


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. snarfsmojo

    snarfsmojo Private E-2

    Here is my log file... hope it can help
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Well, the good news is that you're spyware free. However, you are not virus free. You have what's called the Mimail mass-mailing WORM.

    Let's get this off, shall we?

    First:
    Download the following removal tool:
    Second:
    Please run these online virus scans and post your results.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan
     
  6. snarfsmojo

    snarfsmojo Private E-2

    you are getting a big kiss if this works! ;)

    Just to let you know, I already ran all those online scans (that is why I am pulling my hair out) but we are in the process of using the Symantec tool to remove Mimail and then I will run those 4 online scanners and let you know!!! :) This might turn out to be a Good Friday after all! :-D
     
  7. snarfsmojo

    snarfsmojo Private E-2

    Sorry, looks like no big kiss for you :(

    I am attaching the log that the tool you linked to created. As you can see it didn't scan any of the email inboxes.

    I am restarting the server and rerunning the tool right now.
     
  8. snarfsmojo

    snarfsmojo Private E-2

    Once again, after booting into safe mode, the tool came up with nothing. I then restarted the server in safe mode with networking and am going to run all 4 of those online scans... :( Stuff like this makes me a sad snarfy

    PS- What in my HijackThis log made you think it was Mimail? Just to satisfy my own curiosity... I'm always learning ;)
     
  9. Simonss

    Simonss Private E-2

    Have you tried running the McAfee Stinger tool?

    I was in a similar position to you a while ago with a PC on my network sending out spam on port 25.

    I couldn't find anything with AVG, Ad-Aware, Spybot S&D etc. etc. and was told by my ISP to try McAfee Stinger

    http://vil.nai.com/vil/stinger/

    Hope it's of some help,

    good luck
     
  10. snarfsmojo

    snarfsmojo Private E-2

    I am currently scanning with Stinger... I'll let you all know how it goes.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    netmon.exe

    C:\WINNT\netmon.exe

    See if this file exists!
     
  12. snarfsmojo

    snarfsmojo Private E-2

    Um... sorry, but that file is a legitimate Windows file. It is used to monitor network traffic.

    If it were in the %windows% folder (i.e. WINNT) that would be evidence of Mimail.M, but the one in the system32 folder is legit. :(
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post one last HJT log.
     
  14. snarfsmojo

    snarfsmojo Private E-2

    There is no c:\winnt\netmon.exe
    There is only a c:\winnt\system32\netmon.exe

    I believe we are on the right track with a mass-mailing worm that uses its own SMTP engine, buuuuuut.... I can't for the life of me figure out which one it might be... and there are A LOT of 'em :( My freakin' client is gonna get blacklisted :(
     
  15. snarfsmojo

    snarfsmojo Private E-2

    Here is a HijackThis log from 5:15pm on 4-8-05
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the entry below:

    O23 - Service: Windows Internet Name Service (WINS) (WINS) - Unknown owner - C:\WINNT\System32\wins.exe (file missing)

    Your HJT log is clean; let's do one more thing.

    Please download "StartDreck", from here: http://www.niksoft.at/php/dl.php?f=startdreck.zip

    Unzip to its own folder and start the program.
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  17. snarfsmojo

    snarfsmojo Private E-2

    Stinger came up with nothing.

    Here is my StartDreck log from 4-8-05 6pm
    Thanks again :)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

