Few days ago I had problems with the sites I am playing. The reason of the problems was a vulnerability in the Firefox not in Windows so it was a little bit harder to find and understand.
So, Thunderbird was so kind to allow download of a malware. It is added by the W32/Zotob-I worm. This infection, when started, it connects to a remote IRC server where it waits for commands to execute. I installed the TCP view from sysinternals.com and I have take a look at what is happening. My infection script start to open a lot of ports and listen to be connected to remote attacks. In one of this session, a ftp connection was up and some passwords was stolen. From here to have the sites modified was piece of cake.
To clean this issues I installed TCPView ( sysinternals ) which is a useful tool to see what connections are in use on the computer.
After I have installed Hijack This from TrendMicro.com to see what processes are starting at Windows boot. In the same time TrendMicro’s tool is able to clean the suspect entries and give explanations about every program started by the system.
The worst thing in all this adventure is that a site I am maintaining for a friend was down few times and this, you can imagine, is not a good vote for my expertise. Bellow is an example on how it looks the screen for this job in action.
Good Luck and safe websites 🙂
SERVICES.EXE:712 TCP 192.168.2.2:2028 188.8.131.52:25 ESTABLISHED
SERVICES.EXE:712 TCP 192.168.2.2:2030 184.108.40.206:25 ESTABLISHED
SERVICES.EXE:712 TCP 192.168.2.2:2035 220.127.116.11:25 LAST_ACK
SERVICES.EXE:712 TCP 192.168.2.2:1830 18.104.22.168:25 FIN_WAIT2
SERVICES.EXE:712 TCP 192.168.2.2:2012 22.214.171.124:25 LAST_ACK
[System Process]:0 TCP 192.168.2.2:1996 126.96.36.199:25 TIME_WAIT