[itdiscuss] virus - unauthorized email sending

Dayron Daugherty ddaugherty at precept.org
Thu May 15 10:31:10 EDT 2008


I've seen most of the major AV packages miss trojans that would then download all sorts of mischief.
I second what Paul said on Windows Defender. It works well.
I've also used Jason's recommended Hijackthis as well as Trend Micro's Housecall.

With those 3 tools you should find the issue.

-----Original Message-----
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Jason Hand
Sent: Wednesday, May 14, 2008 9:17 PM
To: 'IT Discussion Forum'
Subject: Re: [itdiscuss] virus - unauthorized email sending

I would use Hijackthis and see what it finds and use Sysinternals Autoruns and Process Explorer to see what is set to load at startup and what is currently running.

Sometimes a virus or trojan can hide itself from A/V software very well. That's when an outside program running from the Internet as a Java Applet might have more success scanning. Housecall is one of the best for this:
http://housecall.trendmicro.com/

-----------------------------------

Article you might find helpful in this situation:

1.3 Find Out if Your PC is Part of a Botnet

It is estimated that more than 50 million PCs around the world are now silently controlled by spammers and criminal gangs. These "zombie" PCs, as they are called, are just normal PCs owned by Moms and Pops that have been taken over by malware secretly downloaded onto the PCs using web exploits, infected emails and more.

These zombies are organized in vast networks called botnets, with each botnet owned and controlled remotely by different criminal groups. The most common use of botnets is sending spam.

Most zombie owners don't even know their PC is under the control of someone else. That's where this program from Trend Micro is useful:

"RUBotted is a free program that monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer."

http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

------------------------------

Here is also some info from a newsletter I got today, oddly enough dealing with just this topic:

(a) First, upload the installation file of the program you installed to Jotti.org [1] for a free scan. Jotti will then run it through more than a dozen malware scanners and let you know if there is a problem.

If Jotti determines that your file is clean, it doesn't mean that there is no infection. It simply means that it's unlikely there is an infection, and that, folks, is a very comforting finding.

(b) Download and run the free Panda Rootkit detector [2]. Again, a clean scan is not a 100% guarantee of no infection, but should add greatly to your confidence. Panda doesn't run on Vista, so Vista users should use the BlackLight [3] anti-rootkit scanner instead.

(c) Finally, download HijackThis from this page [4], and follow the instructions on the same page which tell you how to create a log that you can paste to web forums.

There are several forums where you can post. You can find two here [5], [6] and many more by doing a Google search on "Post HiJackThis log". Tell the forum helpers you have already done a Jotti scan and a rootkit scan, and let them know what the results of these scans were.

The folks in the forum will then let you know if you have a problem. If you do, they will also be able to tell you how you can get rid of it permanently. And it won't cost you a cent.

Now in most cases you will find that nothing shows up with Jotti, the rootkit scan or HiJackThis. That's good news. OK, you have spent some of your time chasing a false lead, but that's a lot better than having an infected PC and doing nothing about it.

[1] http://virusscan.jotti.org/
[2] http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
[3] http://www.antirootkit.com/software/F-Secure-BlackLight-Beta.htm
[4] http://www.whatthetech.com/hijackthis/
[5] http://www.techsupportforum.com/security-center/hijackthis-log-help/
[6] http://forum.piriform.com/index.php?showforum=12

Hope it helps,
Jason

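Jason's advice above is to look at what is currently running and what is set to load at startup, and to tie that back to the symptom Dave reported (a PC sending mail it should not). The following script is an added triage example, not code from this thread or from any of the tools mentioned in it. It assumes a Windows machine with PowerShell 2.0 or later and netstat.exe, run from an elevated prompt so the owning PID is visible for every connection. It maps each established TCP connection to an SMTP port (25, 465, 587) to the process that owns it, and then lists the classic Run/RunOnce autostart entries that Autoruns would show under its Logon tab.

```powershell
# Added triage example, not code from this thread. Assumes Windows with
# PowerShell 2.0+ and netstat.exe; run from an elevated prompt.

# Ports a process sending mail would normally talk to: SMTP, SMTPS, submission.
$script:SmtpPorts = @(25, 465, 587)

function Get-SmtpConnection {
    # Parse "netstat -ano" and return one object per TCP connection whose
    # remote port is an SMTP port, joined to the process that owns it.
    netstat -ano | ForEach-Object {
        $fields = $_.Trim() -split '\s+'
        # Expected TCP row: Proto  LocalAddress  ForeignAddress  State  PID
        if ($fields.Count -ge 5 -and $fields[0] -eq 'TCP') {
            $remote = $fields[2]
            # The last ':'-separated element is the port for both 1.2.3.4:25 and [::1]:25.
            $remotePort = [int](($remote -split ':')[-1])
            if ($script:SmtpPorts -contains $remotePort) {
                $procId = [int]$fields[4]
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name = '<exited>'
                $path = $null
                if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
                New-Object PSObject -Property @{
                    Pid         = $procId
                    ProcessName = $name
                    Path        = $path
                    Remote      = $remote
                    State       = $fields[3]
                }
            }
        }
    }
}

function Get-RunKeyEntry {
    # List the Run/RunOnce autostart entries for the machine and the current
    # user, so an unfamiliar command line stands out next to the known ones.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider's own PSPath/PSParentPath/... properties.
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

'== Processes with connections to SMTP ports =='
Get-SmtpConnection | Format-Table Pid, ProcessName, Remote, State, Path -AutoSize

'== Autostart entries (Run / RunOnce) =='
Get-RunKeyEntry | Format-Table Key, Name, Command -AutoSize
```

A mail client talking to the organisation's own mail server on port 25 is the expected result. The pattern that matches Dave's symptom is an executable you do not recognise, often under a temp or user-profile path, holding connections to many different remote hosts on port 25, and the same path showing up in a Run key. Jason's caveat still applies: a rootkit that hides from the A/V scanner can hide its process and connections from netstat on the same host, which is why a scan from outside the machine (Housecall, or the boot-time anti-rootkit scanners in the newsletter) is the cross-check.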

-----Original Message-----
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org]
On Behalf Of Stone, Dave
Sent: Wednesday, May 14, 2008 5:35 PM
To: IT Discussion Forum
Subject: [itdiscuss] virus - unauthorized email sending

I have a PC that is sending out unauthorized email messages. I know this because they are being caught by Symantec's email scanning tool and filling up my user's screen with alert messages.

When I run a full virus scan using Symantec AV, it picks up no "threats." I also ran Adaware 2007 which also picked up nothing other than a few tracking cookies. My next step is to scan with AVG.

Have any of you encountered this problem? What did you do to solve it? Until now, I've been pleased with Symantec's protection...wondering now how this made it through.

Thanks,

Dave Stone
___________________
Information Technology Administrator
Bethel Church
Richland, WA
http://www.bethel-church.org

Voice: (509) 628-0150 Fax: (509) 628-8651 dave.stone at bethel-church.org
Blog: http://www.churchitadmin.com


_______________________________________________
it discuss mailing list: discuss at itdiscuss.org
Mailing List: http://itdiscuss.org/discuss
Web Discussion Board: http://itdiscuss.org/discuss-forum
Wiki: http://itdiscuss.org/wiki
Internet Relay Chat: irc://irc.freenode.net/citrt
