Very Insightful Person
Message 131 of 164

Re: Spamhaus ip blocked

Well, this definitely confirms that it's the PC that is spamming.

Netstat -b might help us find the program, I'm thinking. @bromham what do you think?

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Very Insightful Person
Message 132 of 164

Re: Spamhaus ip blocked


@apcyberax wrote:
no need to talk to Dell. Windows 10 system restore is easy

Access Settings. Click the Start Menu and select the gear icon () to open up the Settings window. ...
Update & Security. Under Settings, click Update & Security to continue.
Choose Recovery Options. Click the Recovery tab and select "Get started" under Reset this PC. ...
Save or Remove Files. ...
Reset Your Computer.

I may be being a bit dim here, but if the hard disk is wiped clean then there won't be a Start Menu to access, will there, until an operating system is reinstalled onto the PC?

_________________________________________________________
Graham
I am a VM customer. There are no guarantees that my advice will work.

Very Insightful Person
Message 133 of 164

Re: Spamhaus ip blocked

You don't need to wipe the drive; Windows can do it and restore the OS. No need to wipe the drive.

bromham
Fibre optic
Message 134 of 164

Re: Spamhaus ip blocked


@Graham_A wrote:

@apcyberax wrote:
no need to talk to Dell. Windows 10 system restore is easy

I may be being a bit dim here, but if the hard disk is wiped clean then there won't be a Start Menu to access, will there, until an operating system is reinstalled onto the PC?


I don't know what the built-in Windows reset mechanism does, so I'm not qualified to comment on whether using it is sufficient. I gather it erases and formats the Windows partitions but I don't know what it does with other partitions (which could contain malware) and I don't know where it sources the "factory default" version of Windows. Is it taken from a hidden partition, in which case it could have been compromised, or is it downloaded? I'm not a Windows person so I defer to others.

Regardless, my choice would be to boot up from a Linux USB stick, wipe the hard disk in its entirety and then re-install.

Very Insightful Person
Message 135 of 164

Re: Spamhaus ip blocked

netstat -p TCP -o

-p TCP filters so it only displays TCP connections; -o shows the PID of the application making the connection. -b doesn't always manage to get the name properly, so get the process ID and then check it with Task Manager. Look for the :25 addresses in the Foreign Address column; the last column should display the matching PID.

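The check described in the post above (find the :25 entries in the Foreign Address column of `netstat -p TCP -o`, then map the PID to a process) as an added, runnable example; this is not code from the thread or from Virgin Media. It parses a constructed sample of Windows `netstat -o` output and a constructed sample of `tasklist /FO CSV /NH` output (the command-line equivalent of looking the PID up in Task Manager), both embedded inline so it runs offline. It also goes slightly beyond the post: the `ports` parameter lets you widen the search to the 587 submission port, and rows with PID 0 (TIME_WAIT sockets that no process owns any more) are skipped because there is nothing to look up for them.

```python
import csv
import io

# Constructed sample of `netstat -p TCP -o` output as it looks on Windows
# (not captured from the thread; addresses are from documentation ranges).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:49712     203.0.113.5:25         ESTABLISHED     4212
  TCP    192.168.0.10:49713     203.0.113.9:25         SYN_SENT        4212
  TCP    192.168.0.10:49800     198.51.100.20:443      ESTABLISHED     1888
  TCP    192.168.0.10:49801     203.0.113.44:25        TIME_WAIT       0
  TCP    192.168.0.10:49802     203.0.113.50:587       ESTABLISHED     4212
"""

# Constructed sample of `tasklist /FO CSV /NH` output, used here instead of
# Task Manager to map a PID back to an image name.
SAMPLE_TASKLIST = (
    '"svchost.exe","1888","Services","0","12,340 K"\n'
    '"updater_helper.exe","4212","Console","1","8,204 K"\n'
    '"System Idle Process","0","Services","0","8 K"\n'
)


def parse_netstat(text):
    """Return one dict per TCP row of `netstat -o` output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns: Proto, Local, Foreign, State, PID.
        if len(parts) != 5 or parts[0] not in ("TCP", "TCPv6"):
            continue
        proto, local, foreign, state, pid = parts
        # rsplit on the last ':' works for both 203.0.113.5:25 and [2001:db8::1]:25.
        host, port = foreign.rsplit(":", 1)
        rows.append({
            "proto": proto,
            "local": local,
            "foreign_host": host,
            "foreign_port": int(port),
            "state": state,
            "pid": int(pid),
        })
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def find_smtp_senders(netstat_text, tasklist_text, ports=(25,)):
    """
    Group connections whose foreign port is in `ports` by the owning PID.
    PID 0 rows (TIME_WAIT sockets no longer owned by any process) are skipped,
    since there is no process to check for them.
    """
    names = parse_tasklist_csv(tasklist_text)
    suspects = {}
    for row in parse_netstat(netstat_text):
        if row["foreign_port"] not in ports or row["pid"] == 0:
            continue
        entry = suspects.setdefault(
            row["pid"], {"name": names.get(row["pid"], "<unknown>"), "peers": []}
        )
        entry["peers"].append(f'{row["foreign_host"]}:{row["foreign_port"]}')
    return suspects


if __name__ == "__main__":
    for pid, info in find_smtp_senders(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"PID {pid} ({info['name']}) -> {', '.join(info['peers'])}")
```

On a real machine, save the two command outputs to files and feed them in; `netstat -b` needs an elevated prompt to resolve names, which is one reason the PID route in the post is the more reliable one. A process that owns several connections to port 25 on different hosts, as in the sample, is the pattern a mail bot produces.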
bromham
Fibre optic
Message 136 of 164

Re: Spamhaus ip blocked


@ravenstar68 wrote:

Netstat -b might help us find the program, I'm thinking. @bromham what do you think?


Yes, it might well do so.  But what then?  Killing the process probably won't stop it restarting.  Deleting its executable may not stop it from re-appearing.

I'm not really in favour of encouraging mfcphil to leave this PC connected to the Internet for a moment longer than necessary.  It's causing a serious nuisance and needs to be taken down.

Very Insightful Person
Message 137 of 164

Re: Spamhaus ip blocked

 


@bromham wrote:

@Graham_A wrote:

snip....

I don't know what the built-in Windows reset mechanism does, so I'm not qualified to comment on whether using it is sufficient. I gather it erases and formats the Windows partitions but I don't know what it does with other partitions (which could contain malware) and I don't know where it sources the "factory default" version of Windows. Is it taken from a hidden partition, in which case it could have been compromised, or is it downloaded? I'm not a Windows person so I defer to others.

...snip


Assuming there is one, then Windows' reset mechanism does indeed use a factory installed 'hidden' partition. It will wipe the existing one and then replace it with a fresh Windows 10 install. And, indeed, there is no guarantee that this might not have been compromised.

However, the point is how far do you want to go? Low level format, degauss the disk with a big magnet (doesn't actually work as well as you think it might, by the way); short of replacing the disk you can never be completely sure - and even then there are categories of malware which hide in the motherboard BIOS chips. Assuming that the PC is the source of the port 25 traffic, I'm slightly concerned that nothing has shown up on any of the scans which @mfcphil has done with various AV packages - these mail bots aren't usually that sophisticated.

John

Very Insightful Person
Message 138 of 164

Re: Spamhaus ip blocked

@jem101

Wireshark does a packet capture at the interface level, so looking at the packets passing over the ethernet we see a source address of 192.168.0.10 for outgoing packets and a destination address of 192.168.0.10 for incoming packets.

The reason I asked if the hotspot was definitely off was there are only two ways those packets can appear:

  1. Traffic generated on the PC itself.
  2. Traffic passing through and being forwarded on to the Hotspot interface

Remember that the hotspot essentially turns the PC into a NAT router whereby traffic coming from the hotspot devices is forwarded to the ethernet with the source IP being changed, in the same manner that the Hub 3 handles traffic passing through it.

We can only take @mfcphil at face value when he says the Hotspot is definitely off - but based on his answer - and both the previous and current captures, the PC has to be the source of the traffic.

But yes it is bothering me that he can't find any malware.  Personally I'd love to get my hands on his PC and have a good look at what's going on 😉  Wishful thinking though.

Tim

mfcphil
Up to speed
Message 139 of 164

Re: Spamhaus ip blocked

[Three images attached: 1.jpg, 2.jpg, 3.jpg]

Image 1 shows the virus checkers I've used.
Image 2 shows the hotspot switched off.
Image 3 shows the ethernet capture from TCP port 25.

mfcphil
Up to speed
Message 140 of 164

Re: Spamhaus ip blocked

John, this is why I'm so puzzled - surely someone from these big companies can identify and destroy a spambot?