  1. #1
    New Lounger
    I was wondering if you guys can help with this.

    I got an e-mail from RoadRunner saying that spam is coming from my IP address. So, I ran the following on the 5 computers on my network:
    Avast Antivirus
    Spybot S&D
    Adaware
    SuperAntispyware
    ComboFix (RR's suggestion)

    After about a week, I get another e-mail from RR telling me that I'm still spamming and they are going to discontinue my service if I don't fix it. Their option is nuclear - re-format and re-install Windows.

    Anyone have an idea on how to fix this?

    At least, any ideas on figuring out which PC is infected to narrow down the hunt?

    I'm using a Belkin Wireless G router and use Win XP and Win 7. I also have 2 iphones and a Tivo going through that network.
    When I look at the connected devices, I recognize them all, so I don't think anyone's hijacked my router.

    TIA

  2. #2
    Super Moderator satrow's Avatar
    Did RR not give you the outgoing Port number? Or suggest that they could block Port 25 to block the spam?


    I'd set the router to block all port 25 (SMTP) Outbound traffic first, that should stop the spam being sent.

    Use 1 PC to scan/rescan the router logs looking for any blocked traffic until you get a positive result. The outgoing IP address will give you the machine responsible.
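
    A worked illustration of the log-scan step above (an added example, not code from the thread or from any poster): with outbound TCP/25 dropped at the router, parse the drop log and rank LAN sources by how many distinct mail servers they tried to reach. The log line format and all addresses are constructed for the example; a real router log will need its own regex.

```python
import re
from collections import Counter

# Constructed sample router log lines (not from the thread). The format is
# modelled on a typical SOHO firewall "DROP" line; 192.168.2.x is the LAN.
SAMPLE_LOG = """\
Jan 12 10:02:11 router kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.2.14 DST=203.0.113.25 PROTO=TCP SPT=49152 DPT=25
Jan 12 10:02:12 router kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.2.10 DST=198.51.100.7 PROTO=TCP SPT=50123 DPT=443
Jan 12 10:02:13 router kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.2.14 DST=203.0.113.26 PROTO=TCP SPT=49153 DPT=25
Jan 12 10:02:15 router kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.2.10 DST=198.51.100.30 PROTO=TCP SPT=50200 DPT=25
Jan 12 10:02:20 router kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.2.14 DST=203.0.113.40 PROTO=TCP SPT=49160 DPT=25
Jan 12 10:02:21 router kernel: DROP IN=br0 OUT=ppp0 SRC=192.168.2.22 DST=203.0.113.41 PROTO=UDP SPT=5353 DPT=53
"""

# Pull action, source, destination, protocol and destination port from a line.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\b.*?\bSRC=(?P<src>[\d.]+)\b.*?\bDST=(?P<dst>[\d.]+)\b"
    r".*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dpt>\d+)"
)

def smtp_attempts(log_text, port=25):
    """Count blocked outbound TCP/<port> attempts per LAN source.
    Returns (Counter of src -> attempts, dict of src -> set of distinct dst)."""
    by_src = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "DROP":
            continue
        if m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        by_src[m["src"]] += 1
        dests.setdefault(m["src"], set()).add(m["dst"])
    return by_src, dests

def likely_spammer(log_text, port=25, min_attempts=2, min_distinct_dests=2):
    """Rank sources that fan out to many different mail servers. A normal mail
    client talks to one ISP relay; a spam bot connects to many MX hosts."""
    by_src, dests = smtp_attempts(log_text, port)
    return [s for s, n in by_src.most_common()
            if n >= min_attempts and len(dests[s]) >= min_distinct_dests]

if __name__ == "__main__":
    counts, dests = smtp_attempts(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} blocked port-25 attempts to {len(dests[src])} distinct hosts")
    print("suspects:", likely_spammer(SAMPLE_LOG))
```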

  3. #3
    5 Star Lounger
    Try scanning all machines with MBAM

    http://www.malwarebytes.org/mbam.php

    It may not find everything but it would be a pretty smart infection that could hide itself completely. Also manually run Windows Update on each machine and see if any of them redirect or block it.

    If the above two tests are inconclusive, I am going to point you to a very powerful and techy tool called GFI LANguard.

    http://www.gfi.com/lannetscan

    The trial version works for up to 5 IP addresses, so you may have to turn off some of your less suspected devices such as printers, etc., so you do not have more than that. You might also have to do the scan in two phases, with half the computers on one time and the other half on the next scan.

    This tool runs on a single machine and scans the whole network. It will look at open ports and services by IP address and will find things that are running below the Windows level (like rootkits) that have services open.

  4. #4
    5 Star Lounger
    Quote Originally Posted by Andy Rowlands View Post
    Did RR not give you the outgoing Port number? Or suggest that they could block Port 25 to block the spam?


    I'd set the router to block all port 25 (SMTP) Outbound traffic first, that should stop the spam being sent.

    Use 1 PC to scan/rescan the router logs looking for any blocked traffic until you get a positive result. The outgoing IP address will give you the machine responsible.
    This will also work but ALL OUTGOING EMAIL WILL BE BLOCKED while this block is in place. You did not give your Belkin model number, but by looking at the Belkin manuals that are posted on the web, it looks like the Belkin logs are minimal or nonexistent.....

  5. #5
    Super Moderator satrow's Avatar
    Quote Originally Posted by mercyh View Post
    This will also work but ALL OUTGOING EMAIL WILL BE BLOCKED while this block is in place. You did not give your Belkin model number, but by looking at the Belkin manuals that are posted on the web, it looks like the Belkin logs are minimal or nonexistent.....
    That's the idea, for testing purposes. Anyway, it doesn't stop anyone using Webmail.

    If the Belkin <spit> router doesn't give any logging options, check the System/Application logs of the PCs for related errors during the block period.

    I have no idea how to check the iPhones or TIVO, other than by the first method.

    There are great but techie tools from Sysinternals and Nirsoft that would allow you to sniff this out, but they need to be installed per PC, and some Nirsoft tools are 'PUPs' according to many antivirus vendors and could themselves be blocked!

  6. #6
    WS Lounge VIP
    You can load Wireshark on each PC and watch the traffic - this is a last resort, I'd unplug things first, it's easier.

    cheers, Paul

  7. #7
    New Lounger
    All great stuff guys, thanks!

    Let me put some of this into play and see what I can find out.

  8. #8
    Super Moderator jscher2000's Avatar
    If scans don't find anything, you might have a rootkit. There are specialized scanners for rootkits.

  9. #9
    Plutonium Lounger Medico's Avatar
    Quote Originally Posted by jscher2000 View Post
    If scans don't find anything, you might have a rootkit. There are specialized scanners for rootkits.
    Gizmo Richards suggests Sophos Anti-Rootkit as a great choice for this. I have not tried this, as I have never had a rootkit infection, but Gizmo is well respected as a source of great apps.

    Note: Sophos does require registration to acquire its free download.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted