Problem resolving likley infected machine

asked 2020-10-05 16:01:33 +0000

gjmart gravatar image

Any suggestions to help with a likely infected machine short of re-formatting the disk. Wireshark capture on tcp port 25 still shows that SMTP and TCP packets – indicating spam. This is after cleaning machine with Malwarebytes, F-secure, windows defender and ESET internet security. TP Link wireless adapter also uninstalled and resetted.

edit retag flag offensive close merge delete


Wireshark is unlikely to help apart from confirming the suspected malware traffic exists or not. Note that depending on what email clients are on the machine, SMTP traffic could be expected. To see what processes are using port 25 try a tool such as the SysInternals ProcMon. Use of ProcMon is off-topic for this site.

grahamb gravatar imagegrahamb ( 2020-10-05 16:21:58 +0000 )edit

Hello gjmart,

Like grahamb pointed out Wireshark will only tell you if you still have suspect software. The thing is that you need is to figure out what process on each system is sending out the traffic. ProcMon is indeed a good tool but I also recommend you to have a look at SysInternals sysmon. It will give you good logs. After you have a couple of hours of logs have a look for what applications/scripts opened the ports and investigate those.

Grahamb is right in the fact the use of these tool is of topic but we don't want you to be stuck so if you need a site that can help you further, let us know.

Kire gravatar imageKire ( 2020-10-07 07:06:22 +0000 )edit