SBS is part of a BOTNET which I can't clean.

  • Question

  • Hi


    Running SBS 2003 with Avast antivirus and GFI Essentials and Security. All clients (3 Vista SP1 and 1 XP SP2) run the AVG suite, Defender etc. It is behind a DSL router with DMZ and running ISA Server.


    I have also run the Malicious Software Removal Tool on all machines, but am still getting listed on CBL and others, and am still acting as a NAT for a spam robot / botnet / Trojan.


    Any ideas how I can stop this? Nearly all my sent mail is getting blocked as the IP is blacklisted.





    Monday, April 28, 2008 9:06 AM

All replies

  • Clive,



    I'm assuming that you have updated all your AV software and run a full scan. If that does not work, try an offline scan. Here is a paper from Microsoft on how to create an AV boot CD: http://www.microsoft.com/downloads/details.aspx?FamilyID=6cd853ce-f349-4a18-a14f-c99b64adfbea&displaylang=en

    To avoid getting reinfected... make sure your systems are fully patched... not just Microsoft patches.


    To be honest, the best solution would be to rebuild your environment (beware of infected backups if you do). If this is not possible, try the above tips.


    When you are done, contact the administrators of the CBL list and ask them to remove you.


    Hope this will give you some ideas.


    Good Luck!




    Monday, April 28, 2008 1:31 PM
  • Thanks for the reply, which will help. I have since found out that one PC running XP is not installing MS updates automatically. I run WSUS and have approved all the updates, but this machine does not seem to pick up on the fact that updates are waiting to be installed. WSUS is reporting connectivity with the XP machine each day, so the server can see it OK. So I decided to remove it from WSUS and get it to update directly from MS, but the PC still says you can't do this as it is controlled by the server!! I don't want to rebuild this PC if possible, but this is the likeliest source of the issue as it has 148 updates waiting for it.


    Any idea why the XP machine is not prompting the user to download and install updates when they are approved on the WSUS server?




    Clive... Closing in, I hope.

    Tuesday, April 29, 2008 10:39 PM
  • Clive,


    I would run "gpresult" from cmd and make sure it gets your WSUS policy.

    You can also download the "clientdiag.exe" WSUS client diagnostics tool and run it on the client. It will try to verify the settings and try to connect to your WSUS.

    Since this computer might be the source of your trouble... after you have fully patched it, update the AV software and run a full scan. You can also download rootkit detection tools like RootkitRevealer from Sysinternals (Microsoft).


    ...and, just to let you know, my foremost recommendation is that you rebuild that PC :-)


    Good Luck



    Wednesday, April 30, 2008 8:01 AM
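As an added illustration of the "check the WSUS policy from cmd" advice above (this is example code, not from the thread or from Microsoft's clientdiag tool), the batch file below reports the WSUS policy values the client is actually applying, compares the WUServer URL against the one you expect, shows the Automatic Updates service state, and forces a fresh detection cycle. The server URL is a placeholder you must replace; the registry paths, gpresult switches and wuauclt switches are the documented ones for XP/Vista-era clients.

```batch
@echo off
rem Added example (not from the thread): verify what WSUS policy an XP/Vista
rem client really has and kick off a new detection against the WSUS server.
rem PLACEHOLDER: set this to the URL your WSUS server actually uses.
setlocal
set "EXPECTED_WU=http://your-wsus-server:8530"
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

echo === Computer GPOs applied and WindowsUpdate settings they push ===
rem /v prints each GPO name and the registry keys it sets; we keep only the relevant lines
gpresult /scope computer /v | findstr /i /c:"GPO:" /c:"WindowsUpdate"

echo.
echo === WSUS policy values present in the registry ===
for %%K in (WUServer WUStatusServer TargetGroupEnabled TargetGroup) do (
  reg query "%POL%" /v %%K 2>nul | findstr /i "%%K" || echo %%K : NOT SET
)
for %%K in (UseWUServer NoAutoUpdate AUOptions DetectionFrequency) do (
  reg query "%POL%\AU" /v %%K 2>nul | findstr /i "%%K" || echo AU\%%K : NOT SET
)

echo.
echo === Does the client point at the expected server? ===
set "ACTUAL_WU="
rem reg query prints:  WUServer  REG_SZ  http://...  so the URL is token 3
for /f "tokens=3" %%A in ('reg query "%POL%" /v WUServer 2^>nul ^| findstr /i "WUServer"') do set "ACTUAL_WU=%%A"
if /i "%ACTUAL_WU%"=="%EXPECTED_WU%" (
  echo OK: client uses %ACTUAL_WU%
) else (
  echo WARNING: WUServer is "%ACTUAL_WU%" but expected "%EXPECTED_WU%"
  echo          ^(policy not applied, wrong GPO, or client is not a WSUS client^)
)

echo.
echo === Automatic Updates service state ===
sc query wuauserv | findstr /i "STATE"

echo.
echo === Forcing a new detection cycle against WSUS ===
rem /resetauthorization clears the client-side targeting cookie, /detectnow starts detection
wuauclt /resetauthorization /detectnow
echo Now watch %windir%\WindowsUpdate.log for the WUServer URL and any error codes.
endlocal
```

Run it in an elevated cmd on the suspect XP client; a "NOT SET" for WUServer or UseWUServer, or a WUServer mismatch, means the WSUS policy is not reaching that machine, which is exactly what gpresult should then confirm.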