Spam virus Outlook

My mate is having problems with a suspected Trojan infection which is sending spam from his work.

Once it begins, it gets his IP blocked on the CBL (Composite Blocking List) and is listed as being infected with a spam virus.

All machines have been scanned with malware and spyware destroyers, but the problem still persists. It seems to hit every couple of weeks.

Has anyone got any advice on how to tackle this problem?

Thanks in advance guys!

Edit some info:

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at '64.27.3.4' (may be missing) on IP address 80, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).
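The CBL notice above only identifies the public IP, so behind a NAT the first job is working out which internal machine is actually making the port-80 connections to the listed C&C address and which one is pumping out mail. The script below is an added example, not from the thread or from CBL: it triages a constructed sample of edge-firewall log lines (the `src=`/`dst=`/`dport=` format is hypothetical; adapt the regex to whatever the router or firewall really logs) and reports hosts that contacted the quoted C&C endpoint and hosts opening direct outbound SMTP connections instead of going through the site's mail relay.

```python
"""Triage which LAN host behind a NAT is responsible for a CBL listing.

Added example, not code from the thread or from CBL. Assumes (hypothetically)
that the edge firewall logs outbound connections as
    <timestamp> src=<lan ip> dst=<remote ip> dport=<port>
and uses the C&C address and port quoted in the CBL notice above.
"""
import re
from collections import Counter

CNC_ADDR = "64.27.3.4"   # C&C address quoted in the CBL notice in the thread
CNC_PORT = 80            # port named in the same notice

# Constructed sample log lines (not real traffic). 192.168.1.34 talks to the
# C&C twice and opens several direct tcp/25 connections; the others look normal.
SAMPLE_LOG = """\
2012-09-17T08:01:12 src=192.168.1.21 dst=93.184.216.34 dport=443
2012-09-17T08:01:15 src=192.168.1.34 dst=64.27.3.4 dport=80
2012-09-17T08:01:16 src=192.168.1.34 dst=198.51.100.7 dport=25
2012-09-17T08:01:17 src=192.168.1.34 dst=203.0.113.9 dport=25
2012-09-17T08:01:18 src=192.168.1.34 dst=198.51.100.99 dport=25
2012-09-17T08:02:01 src=192.168.1.21 dst=192.0.2.10 dport=25
2012-09-17T08:02:30 src=192.168.1.34 dst=64.27.3.4 dport=80
2012-09-17T08:03:00 src=192.168.1.50 dst=93.184.216.34 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts.
    Lines that do not match are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
            })
    return events


def hosts_contacting_cnc(events, cnc_addr=CNC_ADDR, cnc_port=CNC_PORT):
    """Map of internal source -> number of connections to the C&C endpoint."""
    counts = Counter(
        e["src"] for e in events
        if e["dst"] == cnc_addr and e["dport"] == cnc_port
    )
    return dict(counts)


def direct_smtp_senders(events, mail_relay=None, threshold=3):
    """Hosts with at least `threshold` outbound tcp/25 connections to anything
    other than the approved relay. Workstations normally hand mail to the
    relay, so direct delivery to many remote MXs is the spambot signature
    that gets a NAT address listed on the CBL."""
    per_host = Counter()
    for e in events:
        if e["dport"] == 25 and e["dst"] != mail_relay:
            per_host[e["src"]] += 1
    return {host: n for host, n in per_host.items() if n >= threshold}


def triage(text, mail_relay=None):
    """Run both checks over raw log text and return the suspects."""
    events = parse_log(text)
    return {
        "cnc_contacts": hosts_contacting_cnc(events),
        "smtp_senders": direct_smtp_senders(events, mail_relay),
    }


if __name__ == "__main__":
    # 192.0.2.10 plays the role of the site's legitimate mail relay here.
    result = triage(SAMPLE_LOG, mail_relay="192.0.2.10")
    for host, n in result["cnc_contacts"].items():
        print(f"{host}: {n} connection(s) to C&C {CNC_ADDR}:{CNC_PORT}")
    for host, n in result["smtp_senders"].items():
        print(f"{host}: {n} direct outbound SMTP connection(s)")
```

Whichever host both checks point at is the one to take off the network first; the SMTP check is also worth keeping as a standing rule on the firewall (only the relay may initiate tcp/25 outbound), since blocking direct port-25 from workstations stops the CBL listing even before the infection is fully cleaned.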
If you suspect an MBR infection, then just doing a fixmbr (I think this would require the OS disc) should get rid of most of the problem, leaving the rest to the anti-virus.

If that doesn't work then a format and reinstall would probably be the next option, but if you want to use the sledgehammer approach (or you just want to be sure) then just scrap that hard drive and put a new one in.
 
How many machines?

If feasible, use https://support.kaspersky.com/viruses/rescuedisk on all the machines.

How are the machines being patched? Malware removal is useless if the door is left wide-open.

I don't think a format and re-install is an available option, otherwise that would have been my first option haha.

It would be around 8 machines. I am heading down Monday to do a full system scan with TDSSKiller, Spybot Search & Destroy etc. From what I have been reading it's mostly a registry infection; if it means going through and deleting entries one by one, it will have to be done :eek:
I second doing an offline scan.

With regards to formatting not being an option... do they want it fixing or not? Mangling the registry by hand isn't exactly foolproof. Anyway, have fun dealing with that one.

If the problem has a history of reoccurring without explanation, especially on multiple computers, I would be suspicious of the domain administrator or any other privileged accounts as well. It might not necessarily be the host reinfecting itself.
 
http://www.bleepingcomputer.com/download/hitmanpro/

Use this. Create a boot flash drive with the kickstart option and boot from that to clean the system.

http://www.bleepingcomputer.com/download/combofix/

Then run ComboFix.

http://www.malwarebytes.org/products/mbar/

Lastly run MBAR.

Once the system is clean, make sure to remove any system restore points and then create a fresh new one if you need to.


Thanks, really appreciate the opinions.

I never even knew Malwarebytes had released an anti-rootkit program, cheers!