I have a small 5 user network running 1 w2003 server and 5 xp clients. Our server somehow was infected with a virus/malware that was sending spam using its own smtp engine. I blocked port 25 on our router to stop the spam but the infection had screwed up my system in several ways. I rebuilt the system and it has been up for a couple of weeks and the virus is back. I can only see it using TCP view. This time it is not sending by smtp but seems to have infected my dns.exe file and is sending using UDP ports (below is a sample from the TCP view log). I have run several virus and malware scanners that only pick up tracking cookies from time to time. I need help finding the infection and getting rid of it for good. Your help on how to find it is appreciated.
dfssvc.exe:1436 UDP server:1096 *:*
dns.exe:1500 TCP server:2002 localhost:ldap ESTABLISHED
dns.exe:1500 TCP server:1030 server:0 LISTENING
dns.exe:1500 TCP server:domain server:0 LISTENING
dns.exe:1500 UDP server:62982 *:*
dns.exe:1500 UDP server:54244 *:*
dns.exe:1500 UDP server:51931 *:*
dns.exe:1500 UDP server:60669 *:*
dns.exe:1500 UDP server:57585 *:*
dns.exe:1500 UDP server:50646 *:*
dns.exe:1500 UDP server:60155 *:*
dns.exe:1500 UDP server:53987 *:*
dns.exe:1500 UDP server:53472 *:*
dns.exe:1500 UDP server:64780 *:*
dns.exe:1500 UDP server:49360 *:*
dns.exe:1500 UDP server:56813 *:*
dns.exe:1500 UDP server:61182 *:*
dns.exe:1500 UDP server:52701 *:*
dns.exe:1500 UDP server:50645 *:*
dns.exe:1500 UDP server:64008 *:*
dns.exe:1500 UDP server:57840 *:*
dns.exe:1500 UDP server:62209 *:*
dns.exe:1500 UDP server:53471 *:*
dns.exe:1500 UDP server:55527 *:*
HELP!!!