System Process (PID 8) creates mail
- From: wkrueger@xxxxxxxxx
- Date: 3 Apr 2006 15:30:05 -0700
Windows 2000 Pc with SP4.
We had a problem where one of our external IP addresses was being
blocked due to spam coming from it. It was not the mail server address
(which is NAT'd through the firewall), but rather a user's station.
This user has no email app, nor a reason to send SMTP mail. I threw
about 6 tools at it (spybot, adaware, pestscan, installed Norton AV
corp, Norton Spyware, Trend micro AV) and found about 4 viruses and 6
pieces of spyware-malware.
I do not think I can just stop the hunt and format the PC, as the apps
on the box are tricky and expensive to reset - due to proprietary
vendor installs.
I put TCPview on the machine and saw that every 5 minutes, the System
process (PID was 8) was generating email to external addresses. The
ports it was using were somewhat random (1151, 1160, 1241, 1242, 1148)
and the external addresses changed every so often. I was able to block
email from this machine, so the effect has stopped.
That is my tale of woe, now my questions (may be dumb):
Is there an executable that is behind SYSTEM? I do not see an .exe with
that name. Is it a kernel type of app? Is there a way to compare dates
of the 'file' to something from the Windows 2000?
I am concerned that there is still a bug that could somehow reactivate
if the user does something dumb again. The machine is still trying its
mail send, but I am blocking it. Is there a better tool to track the
app that is trying to talk to the outside world? What other ways can
clean the machine?
.
- Follow-Ups:
- Re: System Process (PID 8) creates mail
- From: Steven L Umbach
- Re: System Process (PID 8) creates mail
- Prev by Date: Re: CA generating private keys
- Next by Date: Re: CA Certificates
- Previous by thread: CA generating private keys
- Next by thread: Re: System Process (PID 8) creates mail
- Index(es):
Relevant Pages
|
