Hi,
One of my customers recently was blacklisted on CBL for sending spam.
On further investigation, it turned out that a user who had remote desktop access to the server had had their password hacked.
There were two installations that appeared to be spam mailers: ASM (ThInstall) and another install called ok_-_copy, which has a bunch of nasties in it, SQL Server, IMAP, MySQL, FTP dictionaries etc.
I removed them into a safe, compressed folder, but I am still getting blacklisted. None of the antivirus or anti-malware tools have found anything on the server. Trend Micro, Kaspersky, etc. (we have run Trend Micro)
And Spybot and Malwarebytes haven't found anything.
The network runs a proxy server, and is blocking ports 25 and 587. I am about to block POP (110) as well, in case the infection is on another PC in the network.
I don't know who to send the details of this "new" infection to?
On that note, I don't know how to stop my blasted server from sending out spam!?!?! Any hints?
I have run OTL and checked all the files and programs, and can't see anything out of the ordinary.
thanks!
Truby
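Since the proxy is already denying outbound 25 and 587, its deny log is the quickest way to tell whether the spam is coming from this server or from another PC on the LAN. The script below is an added example, not from the original post or any product: it assumes a constructed one-line-per-connection log format (timestamp, verdict, src:port -> dst:port), counts SMTP-port attempts per internal source, and flags hosts fanning out to many distinct mail servers, which is the usual signature of a spam bot rather than a legitimate mail relay.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of proxy/firewall log lines; the format is an assumption
# for this example, not the output of any particular product.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DENY 192.168.1.20:49152 -> 203.0.113.5:25
2024-01-01T10:00:01 DENY 192.168.1.20:49153 -> 203.0.113.9:25
2024-01-01T10:00:02 ALLOW 192.168.1.31:50001 -> 198.51.100.2:443
2024-01-01T10:00:02 DENY 192.168.1.20:49154 -> 203.0.113.17:587
2024-01-01T10:00:03 DENY 192.168.1.44:51000 -> 203.0.113.5:25
2024-01-01T10:00:03 DENY 192.168.1.20:49155 -> 203.0.113.21:25
2024-01-01T10:00:04 ALLOW 192.168.1.20:49156 -> 198.51.100.8:80
"""

SMTP_PORTS = {25, 465, 587}
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def smtp_senders(log_text):
    """Return {src_ip: (attempt_count, distinct_destinations)} for every
    internal host that tried to reach an SMTP port, whatever the verdict."""
    attempts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in SMTP_PORTS:
            continue
        attempts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in attempts.items()}

def suspects(log_text, min_attempts=3):
    """Hosts with repeated SMTP attempts to several distinct mail servers are
    the ones to isolate and image; a legitimate relay talks to very few."""
    return sorted(ip for ip, (n, d) in smtp_senders(log_text).items()
                  if n >= min_attempts and d >= 2)

if __name__ == "__main__":
    for ip, (n, d) in sorted(smtp_senders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} SMTP attempts to {d} distinct hosts")
    print("suspects:", suspects(SAMPLE_LOG))
```

If the only source that shows up is the server itself, the remaining foothold is on that box (re-check scheduled tasks, services and RDP accounts); if another workstation appears, the blacklisting will continue until that machine is cleaned too.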