
Need Help Determining What Is Causing Lots Of Outbound Smtp Connections From Pc


  • Please log in to reply
6 replies to this topic

#1 djab90

djab90

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 24 January 2008 - 11:40 PM

Hi

I have a PC (XP SP2) on which I am trying to figure out what is causing a ton of outbound SMTP connections. This is not an SMTP server and has no software I am aware of that should be doing all of this mailing.

I ran netstat on it and it shows this:
(abbreviated)
TCP pc-tennessee:4151 mailscanner.asc.edu:smtp TIME_WAIT 0
TCP pc-tennessee:4152 smtp1.laposte.net:smtp TIME_WAIT 0
TCP pc-tennessee:4157 dedusmg02.henkel.com:smtp TIME_WAIT 0
TCP pc-tennessee:4158 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4159 mx1.indiatimes.com:smtp TIME_WAIT 0
TCP pc-tennessee:4161 mx.uol.com.br:smtp TIME_WAIT 0
TCP pc-tennessee:4163 simbirskktv-gw.transtelecom.net:smtp TIME_WAIT 0
TCP pc-tennessee:4167 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4169 ns1.smartlogic.nl:smtp TIME_WAIT 0
TCP pc-tennessee:4173 202.66.151.137:smtp TIME_WAIT 0
TCP pc-tennessee:4174 203.131.74.2:smtp TIME_WAIT 0
TCP pc-tennessee:4179 smtp.zipmail.com.br:smtp TIME_WAIT 0
TCP pc-tennessee:4180 smtp1.mithi.com:smtp TIME_WAIT 0
TCP pc-tennessee:4181 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4182 mailguard.md.com.my:smtp TIME_WAIT 0
TCP pc-tennessee:4189 phoenix.pearlmail.com:smtp TIME_WAIT 0
TCP pc-tennessee:4194 smtp10.poczta.interia.pl:smtp TIME_WAIT 0
TCP pc-tennessee:4197 mta28.mail.vip.ogk.yahoo.co.jp:smtp TIME_WAIT 0
TCP pc-tennessee:4202 mail2.laiki.com:smtp TIME_WAIT 0
TCP pc-tennessee:4203 gelen.posta.deu.edu.tr:smtp TIME_WAIT 0
TCP pc-tennessee:4204 mail5.hsphere.cc:smtp TIME_WAIT 0
TCP pc-tennessee:4205 unknown.carohosting.net:smtp TIME_WAIT 0
TCP pc-tennessee:4207 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4208 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4209 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4217 hqmtabh2.ms.com:smtp TIME_WAIT 0
TCP pc-tennessee:4218 smtp.itanets.com:smtp TIME_WAIT 0
TCP pc-tennessee:4220 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4222 mta14.grp.scd.yahoo.com:smtp TIME_WAIT 0
TCP pc-tennessee:4224 mxs.mail.ru:smtp TIME_WAIT 0
TCP pc-tennessee:4226 mx1.seznam.cz:smtp TIME_WAIT 0
TCP pc-tennessee:4227 mx0.gmx.net:smtp TIME_WAIT 0
TCP pc-tennessee:4230 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4232 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4236 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4237 smtp.zipmail.com.br:smtp TIME_WAIT 0
TCP pc-tennessee:4239 nsures.com:smtp TIME_WAIT 0
TCP pc-tennessee:4243 h85-34.iline.cz:smtp TIME_WAIT 0
TCP pc-tennessee:4244 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4247 p3presmtp01-v01.prod.phx3.secureserver.net:smtp TIME_WAIT
TCP pc-tennessee:4249 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4252 mx03.t-online.de:smtp TIME_WAIT 0
TCP pc-tennessee:4253 scc-mailrelay.att.net:smtp TIME_WAIT 0
TCP pc-tennessee:4259 mc.mx.aol.com:smtp TIME_WAIT 0
TCP pc-tennessee:4261 nsures.com:smtp TIME_WAIT 0
TCP pc-tennessee:4262 avs3.arnes.si:smtp TIME_WAIT 0
TCP pc-tennessee:4263 smtp.une.net.co:smtp TIME_WAIT 0
TCP pc-tennessee:4267 mailhub.ihlas.net.tr:smtp TIME_WAIT 0
TCP pc-tennessee:4268 bzq-82-80-248-48.dcenter.bezeqint.net:smtp TIME_WAIT
TCP pc-tennessee:4269 vzr1-27.hostican.com:smtp TIME_WAIT 0
TCP pc-tennessee:4270 xasax-corp.demarc.cogentco.com:smtp TIME_WAIT 0
TCP pc-tennessee:4280 barracuda.advertising.com:smtp TIME_WAIT 0
TCP pc-tennessee:4285 smtp.tin.it:smtp TIME_WAIT 0
TCP pc-tennessee:4287 207.159.120.164:smtp TIME_WAIT 0


I have run full Kaspersky, HijackThis, and Spybot (new version) scans and they all come up clean.

Please help

Dave J.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:18 PM

Posted 25 January 2008 - 12:48 PM

Are you sure those are OUTbound connections and not INbound?

How do you know that your computer is mailing stuff out?

Some of those sites in your list look like advertising sites, things you would find on a website; I have those blocked on my computer. Others look like your AV mail scanning programs. Many of them I have no clue.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 djab90

djab90
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 27 January 2008 - 09:00 PM

Hi

Thanks for the reply. I have verified these as being outbound with a graphical netstat utility. Also, firewall logs show this one PC generating a ton of outbound SMTP communications. I believe it has been hijacked for spam purposes but I don't know how to go about diagnosing it. Any help would be appreciated.
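The firewall-log check mentioned above, worked through as an added example (this is not code from the thread or from any of the tools it names). It builds a timeline of outbound SMTP connections from one host out of a Windows Firewall log, so the first-seen time can be lined up against other evidence such as when an unknown service appeared. Assumptions: the log has the `#Fields:` header Windows Firewall writes to pfirewall.log (the parser takes its column names from that header rather than hard-coding positions), "log successful connections" was enabled so OPEN entries exist, and the sample lines, the local address `192.0.2.10` and the per-minute threshold are all constructed for the example.

```python
"""
Added example, not from the original thread: time-line the outbound SMTP
activity of one host from a Windows firewall log, so the first-seen time
can be lined up against other evidence (a service install, a download).

The parser takes column names from the file's own "#Fields:" header, as
Windows Firewall writes it in pfirewall.log. The log lines below are
constructed for this example using RFC 5737 documentation addresses.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-01-24 22:55:10 OPEN TCP 192.0.2.10 203.0.113.80 3001 80 - - - - - - - - -
2008-01-24 23:40:01 OPEN TCP 192.0.2.10 198.51.100.5 4151 25 - - - - - - - - -
2008-01-24 23:40:02 OPEN TCP 192.0.2.10 198.51.100.17 4152 25 - - - - - - - - -
2008-01-24 23:40:02 OPEN TCP 192.0.2.10 198.51.100.23 4157 25 - - - - - - - - -
2008-01-24 23:40:03 OPEN TCP 192.0.2.10 198.51.100.5 4158 25 - - - - - - - - -
2008-01-24 23:40:04 OPEN TCP 192.0.2.10 198.51.100.41 4159 25 - - - - - - - - -
2008-01-24 23:40:05 OPEN TCP 192.0.2.10 198.51.100.9 4161 25 - - - - - - - - -
2008-01-24 23:41:11 OPEN TCP 192.0.2.10 198.51.100.66 4163 25 - - - - - - - - -
2008-01-24 23:41:12 OPEN TCP 192.0.2.10 198.51.100.5 4167 25 - - - - - - - - -
2008-01-24 23:41:15 DROP TCP 203.0.113.9 192.0.2.10 44012 25 48 S 1 0 64240 - - - -
2008-01-24 23:41:20 OPEN TCP 192.0.2.20 198.51.100.99 1550 25 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # torn or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def outbound_smtp(records, local_ip):
    """Successful (OPEN) TCP connections from local_ip to port 25 or 587.
    DROP lines and connections *to* local_ip are inbound noise here."""
    for r in records:
        if (r["action"] == "OPEN" and r["protocol"] == "TCP"
                and r["src-ip"] == local_ip and r["dst-port"] in ("25", "587")):
            yield r


def smtp_timeline(text, local_ip, per_minute_threshold=5):
    """Per-minute counts, distinct destinations, first/last seen, and the
    minutes whose rate meets the threshold (burst windows)."""
    per_minute = defaultdict(int)
    destinations = set()
    first = last = None
    for r in outbound_smtp(parse_firewall_log(text), local_ip):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        per_minute[ts.replace(second=0)] += 1
        destinations.add(r["dst-ip"])
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    bursts = sorted(m for m, n in per_minute.items() if n >= per_minute_threshold)
    return {"first_seen": first, "last_seen": last,
            "connections": sum(per_minute.values()),
            "distinct_destinations": len(destinations),
            "burst_minutes": bursts}


if __name__ == "__main__":
    result = smtp_timeline(SAMPLE_FIREWALL_LOG, "192.0.2.10")
    print("first outbound SMTP:", result["first_seen"])
    print("last outbound SMTP: ", result["last_seen"])
    print("%d connections to %d distinct mail hosts"
          % (result["connections"], result["distinct_destinations"]))
    print("burst minutes:", [m.strftime("%H:%M") for m in result["burst_minutes"]])
```

Point it at the real pfirewall.log and the PC's own address; a workstation with no mail client should show no OPEN entries to port 25 at all, and one that fans out to many distinct destinations within a minute is acting as a sending mail server. The `first_seen` value is the one to compare against file and service creation times when looking for what installed the sender.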

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:18 PM

Posted 27 January 2008 - 09:18 PM

Hello djab90,

Okay, one of the first things I would do as a precaution is to completely disconnect the computer from the internet; manually unplug the connection. Any programs you might need to install to disinfect the computer, download to a thumb drive or disk on a different computer, then install them from there.

What security software do you have on your system? Have you noticed any other issues besides the listings in the firewall?

I would suggest scanning with SuperAntiSpyware in safe mode.

Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply. Let us know how about any changes to your computer. If for some reason you couldn't get it to work, tell us that too.

By the way, welcome to BC :flowers: I forgot to say that in my first post.

Orange Blossom :thumbsup:

#5 djab90

djab90
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 31 January 2008 - 01:27 AM

Hi

I ran that tool and it found a few cookies and that is it. I am running Trend client/server security suite on the PC. For whatever reason it is no longer displaying the outbound SMTP connections. I will continue to watch over the next day or so to see if it returns. It did have an odd Service Control Manager failure on a service called clean1306b-1606; I had to sc delete that service. Not sure what that was or why it is failing now. It said the file was not found. Perhaps related to what was causing the issue. Thanks for your help.

Dave

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:18 PM

Posted 31 January 2008 - 02:12 AM

Hello djab90,

I'm glad the outbound stuff has stopped. Nice find about that service and getting rid of it. I couldn't find anything about it on google, so I suspect that was your culprit alright. Perhaps one of our malware experts might know more about that particular strange service.

Now, what does concern me is that we don't know what PUT that service there or just what information it was sending out. I would suggest as a precaution to change all passwords and if you do any financial transactions on your computer to alert them to the possibility of identity theft and perhaps to close the existing accounts and open new ones. I know it's a hassle, but I'd prefer to err on the side of caution.

Just a thought: does your firewall have the option of blocking all internet traffic? That is a trick to employ while you work to isolate and get rid of something that is sending out stuff that shouldn't be sent.

Orange Blossom :thumbsup:

#7 aco_pa

aco_pa

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 10 April 2008 - 12:12 AM

Just to add my two cents for future users: the "netstat -b" command will display your same list of open connections and give the executable responsible for each connection. This is a great way to track down the app responsible for a problem like this.
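An added example, not part of the original thread, that puts the first post's listing and the `netstat -b` suggestion above together. Two things in that listing are worth reading off before any tool runs: the remote hosts (mc.mx.aol.com, mx1.indiatimes.com, mxs.mail.ru and so on) are the mail exchangers of unrelated domains, reached on port 25 from ephemeral local ports, which is a workstation behaving as a sending mail server rather than a mail client talking to its one submission server; and the trailing `0` on every row is the PID column of `netstat -o`, zero because every socket shown is in TIME_WAIT and a TIME_WAIT socket no longer belongs to any process. `netstat -b` on that same snapshot would therefore attribute nothing; it has to be run repeatedly (for example `netstat -b -o 5`, which redisplays every five seconds) to catch rows while they are SYN_SENT or ESTABLISHED. The script below parses `netstat -o` rows with the bracketed executable lines `netstat -b` adds, classifies direction, groups outbound mail connections by owner, and flags owners fanning out to many distinct mail hosts. The dump is constructed for the example: the remote hosts come from the thread's listing, the process names (`suspect.exe`, `outlook.exe`, `mailsvc.exe`, `firefox.exe`), PIDs and the inbound `10.0.0.5` peer are hypothetical.

```python
"""
Added example, not part of the original thread: triage a Windows netstat dump
for direct-to-MX spam-bot behaviour and attribute connections to processes.

Input shape: rows as printed by `netstat -o` (Proto, Local, Foreign, State,
PID), each optionally followed by the bracketed executable line that
`netstat -b` adds. The dump below is constructed for this example: remote
hosts are taken from the thread's listing, process names and PIDs are
hypothetical.
"""
import re
from collections import defaultdict

# netstat without -n prints service names from the services file, so the
# mail ports may appear either as names or as numbers.
MAIL_PORTS = {"smtp", "25", "submission", "587"}

ROW_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address            State        PID
  TCP    pc-tennessee:4151      mailscanner.asc.edu:smtp   TIME_WAIT    0
  TCP    pc-tennessee:4152      smtp1.laposte.net:smtp     TIME_WAIT    0
  TCP    pc-tennessee:4158      mc.mx.aol.com:smtp         TIME_WAIT    0
  TCP    pc-tennessee:4159      mx1.indiatimes.com:smtp    TIME_WAIT    0
  TCP    pc-tennessee:4161      mx.uol.com.br:smtp         TIME_WAIT    0
  TCP    pc-tennessee:4167      mc.mx.aol.com:smtp         TIME_WAIT    0
  TCP    pc-tennessee:4173      202.66.151.137:smtp        TIME_WAIT    0
  TCP    pc-tennessee:4224      mxs.mail.ru:smtp           TIME_WAIT    0
  TCP    pc-tennessee:4227      mx0.gmx.net:smtp           TIME_WAIT    0
  TCP    pc-tennessee:4252      mx03.t-online.de:smtp      TIME_WAIT    0
  TCP    pc-tennessee:4301      mx1.seznam.cz:smtp         SYN_SENT     1820
  [suspect.exe]
  TCP    pc-tennessee:4302      scc-mailrelay.att.net:smtp ESTABLISHED  1820
  [suspect.exe]
  TCP    pc-tennessee:4290      mail.example.net:smtp      ESTABLISHED  944
  [outlook.exe]
  TCP    pc-tennessee:smtp      10.0.0.5:3344              ESTABLISHED  1208
  [mailsvc.exe]
  TCP    pc-tennessee:4310      www.example.com:http       ESTABLISHED  2044
  [firefox.exe]
"""


def parse_netstat(text):
    """Parse netstat rows into dicts; a following [program.exe] line
    (netstat -b) is attached to the connection row that precedes it."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lhost, lport, rhost, rport, state, pid = m.groups()
            rows.append({"lhost": lhost, "lport": lport, "rhost": rhost,
                         "rport": rport, "state": state,
                         "pid": int(pid) if pid is not None else None,
                         "proc": None})
            continue
        p = PROC_RE.match(line)
        if p and rows:
            rows[-1]["proc"] = p.group(1)
    return rows


def direction(row):
    """Outbound if the *remote* side is a mail port (we are the client),
    inbound if *our* side is (something is contacting a local mail service)."""
    if row["rport"] in MAIL_PORTS:
        return "outbound"
    if row["lport"] in MAIL_PORTS:
        return "inbound"
    return "other"


def owner_of(row):
    """Executable from -b, else the PID from -o. TIME_WAIT sockets belong to
    no process any more and show PID 0, so a single snapshot cannot
    attribute them; re-run netstat to catch the socket while it is live."""
    if row["proc"]:
        return row["proc"]
    if row["pid"]:
        return "pid %d" % row["pid"]
    return "unattributed"


def mail_summary(rows):
    """Outbound mail connections grouped by owner: count and distinct hosts."""
    summary = defaultdict(lambda: {"connections": 0, "hosts": set()})
    for r in rows:
        if direction(r) == "outbound":
            entry = summary[owner_of(r)]
            entry["connections"] += 1
            entry["hosts"].add(r["rhost"])
    return dict(summary)


def flag_direct_to_mx(rows, min_hosts=5):
    """A mail client talks to one or two submission servers; an owner fanning
    out to many distinct remote mail hosts is delivering direct-to-MX, the
    spam-bot signature. Returns the owners at or over the threshold."""
    summary = mail_summary(rows)
    return sorted(o for o, e in summary.items() if len(e["hosts"]) >= min_hosts)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for owner, e in sorted(mail_summary(rows).items()):
        print("%-14s %3d outbound mail connections to %2d distinct hosts"
              % (owner, e["connections"], len(e["hosts"])))
    print("direct-to-MX suspects:", flag_direct_to_mx(rows))
```

Feed it the output of `netstat -b -o` captured a few times in a row (redirect each run to a file and concatenate them). Anything that lands in the `unattributed` bucket is the TIME_WAIT residue; the owners you can act on are the ones that appear with a name or PID while the connection is still open, which is why the repeated capture matters more than any single listing.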



