Infection not detected

Discussion in 'ESET NOD32 Antivirus' started by Niko, Apr 24, 2008.

Thread Status:
Not open for further replies.
  1. Niko

    Niko Registered Member

    Joined:
    Apr 8, 2004
    Posts:
    23
    Location:
    France
    Hello,

    I have a PC (Win XP SP2) which is sending spam. I can see this by reading the firewall logs.


    04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49361 Dst_ip_port: 216.176.128.38:25 Action: drop
    04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49362 Dst_ip_port: 64.129.67.76:25 Action: drop
    04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49363 Dst_ip_port: 69.69.103.6:25 Action: drop

    NOD32 v3 doesn't detect anything.

    I can't see anything by using netstat -a -b -o or with utilities like TCPView (SysInternals).

    The CPU activity is normal (more than 95 % idle).

    tasklist /SVC doesn't show anything strange.

    Sophos Anti-Rootkit has found 2 hidden files in c:\windows\system32\drivers, grange48.sys and Obao33.sys, but I can't catch those files to send them to Eset because I can't find them, even if I set up Windows to show hidden files or if I try to see them with the DOS dir /AH command.

    If I kill all the processes, leaving only the unkillable Windows processes, the spam flow is not stopped.

    I suppose that the spam-sending process is hidden in a device driver or directly in the TCP/IP layer.

    What can I do to identify which files are involved, so I can submit them to Eset?

    Thanks in advance

    Niko
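The firewall lines quoted above already contain the evidence that matters: a workstation (10.0.0.23) opening TCP connections to port 25 on many different outside hosts within the same second, which is how a spam bot behaves (an ordinary mail client only ever talks to its one configured relay). The script below is an added example written for this thread, not code from the original post or from ESET; it parses lines in exactly the format quoted, counts per-source SMTP egress attempts and distinct destination mail servers, and reports the hosts that fan out past a threshold. The 10.0.0.5 relay line, the port-80 line and the "link up" line in the sample are constructed to exercise the filtering; the three drop lines are the ones from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Field layout of the firewall syslog lines quoted in the thread:
# date time facility host ... Protocol: X Src_ip_port: a:b Dst_ip_port: c:d Action: e
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) .*?"
    r"Protocol: (?P<proto>\w+) "
    r"Src_ip_port: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"Dst_ip_port: (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"Action: (?P<action>\w+)"
)


@dataclass
class FwEvent:
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Optional[FwEvent]:
    """Parse one firewall log line; return None for lines that do not match the layout."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    return FwEvent(
        timestamp=f"{m['date']} {m['time']}",
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        action=m["action"].lower(),
    )


def smtp_egress_report(lines: Iterable[str], min_distinct_dst: int = 3) -> Dict[str, dict]:
    """Per internal source host, count TCP/25 connection attempts and distinct
    destination mail servers. Hosts reaching at least `min_distinct_dst` different
    MTAs are reported: a legitimate client uses one relay, a bot delivers directly
    to many recipients' mail servers."""
    stats = defaultdict(lambda: {"attempts": 0, "dropped": 0, "dsts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.proto != "TCP" or ev.dport != 25:
            continue
        s = stats[ev.src]
        s["attempts"] += 1
        s["dsts"].add(ev.dst)
        if ev.action == "drop":
            s["dropped"] += 1
    return {
        src: {"attempts": s["attempts"], "dropped": s["dropped"], "distinct_dst": len(s["dsts"])}
        for src, s in stats.items()
        if len(s["dsts"]) >= min_distinct_dst
    }


# Sample input: the three lines quoted in the post, plus constructed lines for a
# legitimate mail relay (10.0.0.5, a single destination), a web request from the
# suspect host, and an unrelated syslog line that the parser must ignore.
SAMPLE_LOG = [
    "04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49361 Dst_ip_port: 216.176.128.38:25 Action: drop",
    "04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49362 Dst_ip_port: 64.129.67.76:25 Action: drop",
    "04-23-2008 18:18:52 Auth.Warning 10.0.0.138 SysUpTime: 02:15:16 10.0.0.138 FIREWALL Hook: forward Rule Id: 1 Protocol: TCP Src_ip_port: 10.0.0.23:49363 Dst_ip_port: 69.69.103.6:25 Action: drop",
    # constructed: the site's real mail relay talking to one upstream MTA
    "04-23-2008 18:19:01 Auth.Warning 10.0.0.138 SysUpTime: 02:15:25 10.0.0.138 FIREWALL Hook: forward Rule Id: 2 Protocol: TCP Src_ip_port: 10.0.0.5:40001 Dst_ip_port: 192.0.2.10:25 Action: accept",
    # constructed: ordinary web traffic from the suspect host, not SMTP
    "04-23-2008 18:19:03 Auth.Warning 10.0.0.138 SysUpTime: 02:15:27 10.0.0.138 FIREWALL Hook: forward Rule Id: 2 Protocol: TCP Src_ip_port: 10.0.0.23:49400 Dst_ip_port: 192.0.2.20:80 Action: accept",
    # constructed: a line without connection fields, must parse to None
    "04-23-2008 18:19:05 Auth.Info 10.0.0.138 SysUpTime: 02:15:29 10.0.0.138 FIREWALL link up",
]

if __name__ == "__main__":
    for host, info in smtp_egress_report(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} SMTP attempts to {info['distinct_dst']} MTAs, "
              f"{info['dropped']} dropped")
```

Run against a full day of router logs this gives the list of internal hosts to pull off the network and image, independent of whatever the rootkit hides from netstat or tasklist on the host itself; the firewall sees the traffic even when the infected machine does not show it.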
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If possible, boot from a clean drive. In that case, the files should be visible and accessible. Also please send a log from ESET SysInspector to support[at]eset.com with this thread's URL enclosed.
     
  3. Niko

    Niko Registered Member

    Joined:
    Apr 8, 2004
    Posts:
    23
    Location:
    France
    ESET SysInspector doesn't find those files. I suppose that they don't exist yet.

    It does not show anything abnormal, but the spam flow is not stopped.

    If needed, I can send the SysInspector log file.

    Thanks

    Niko
     
  4. awsomaha

    awsomaha Registered Member

    Joined:
    Apr 26, 2005
    Posts:
    18
    Location:
    Nebraska
    Have you tried going into the Recovery Console and seeing if you see them that way? Rootkits are usually hidden from even the OS, hence why you can't find them after showing hidden files. Did you try a BartPE boot (read about it here)? It uses a CD to boot and doesn't depend on the OS. I'm not very experienced with rootkits, so I'm going to follow this thread to get any good info :D
     