possible zombie ?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

On one particular WinXP,sp2 machine that has been running poorly there are
dozens (hundreds?) of suspicious and unexplained smtp syn_send, established,
and time out connections showing on a Netstat command whenever the PC is
connected to the Internet. A first guess is that this machine has been
compromised (the Guest account was also suspiciously enabled) and is now a
Zombie or part of a Botnet. But every Spyware and AV scan we have ran does
not show any malware - even when run in Safe Mode (eg MS Windows Defender,
SpyBot, AdAware 2007, various online scans, etc...). The easy answer would
be to reinstall Windows XP, but ideally we would like to be better able to
identify and remove such threats w/o having to do a complete reinstall since
many of the supported machines are in remote locations. Are there any other
tools, utilities, or processes we can use to identify and remove the malware
so that this machine is not a Zombie anymore ? TIA ...
 
From: "E-Double" <[email protected]>

| On one particular WinXP,sp2 machine that has been running poorly there are
| dozens (hundreds?) of suspicious and unexplained smtp syn_send, established,
| and time out connections showing on a Netstat command whenever the PC is
| connected to the Internet. A first guess is that this machine has been
| compromised (the Guest account was also suspiciously enabled) and is now a
| Zombie or part of a Botnet. But every Spyware and AV scan we have ran does
| not show any malware - even when run in Safe Mode (eg MS Windows Defender,
| SpyBot, AdAware 2007, various online scans, etc...). The easy answer would
| be to reinstall Windows XP, but ideally we would like to be better able to
| identify and remove such threats w/o having to do a complete reinstall since
| many of the supported machines are in remote locations. Are there any other
| tools, utilities, or processes we can use to identify and remove the malware
| so that this machine is not a Zombie anymore ? TIA ...


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Back
Top