Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My computer is connecting to hundreds of SMTP servers


  • Please log in to reply
1 reply to this topic

#1 djpeanut

djpeanut

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 25 October 2008 - 09:21 AM

Hi,

I seem to have contracted some kind of malware which is using my internet connection (56k dialup is slow enough as it is) to send spam through SMTP servers all over the world.

I have updated and run my antivirus software repeatedly (AVG Free 8) in safe mode as well as in normal mode. Nothing shows up.

I have checked out the running processes using Process Explorer and have also run HijackThis. Neither shows up anything immediately obvious as the problem.

A selection from running netstat -abv at the command line:

TCP	narin-21a6f9670:1256   mail.siol.net:smtp	 LAST_ACK		552
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
[services.exe]

TCP	narin-21a6f9670:1422   mx2.cyso.net:smtp	  LAST_ACK		552
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
[services.exe]

TCP	narin-21a6f9670:1444   smtp-in.orange.fr:smtp  LAST_ACK		552
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
[services.exe]

TCP	narin-21a6f9670:1456   hrndva-smtpin01.mail.rr.com:smtp  LAST_ACK
552
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
[services.exe]

TCP	narin-21a6f9670:1077   relay2.suez.easynet.fr:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1093   email.utc.com.kw:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1099   server66.appriver.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1113   xenia3-in2.renault.fr:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1117   mx.tech.numericable.fr:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1122   EB.slavi.fr:smtp	   TIME_WAIT	   0
TCP	narin-21a6f9670:1128   host-64-46-169-60.leasenet.net:smtp  TIME_WAIT
   0
TCP	narin-21a6f9670:1147   ns1.siteground190.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1170   mu-in-f114.google.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1179   mx.peterstar.ru:smtp   TIME_WAIT	   0
TCP	narin-21a6f9670:1180   lax-mail.mailroute.net:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1182   mail-in-myway.roc2.bluetie.com:smtp  TIME_WAIT
   0
TCP	narin-21a6f9670:1192   61.131.62.98:smtp	  TIME_WAIT	   0
TCP	narin-21a6f9670:1194   mail1.eircom.net:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1195   207.108.181.68:smtp	TIME_WAIT	   0
TCP	narin-21a6f9670:1198   smtpin-3001.bay.webtv.net:smtp  TIME_WAIT

TCP	narin-21a6f9670:1204   mail-in.freeserve.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1205   mail.flaxweiler.lu:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1209   mcdobs.vwh.net:smtp	TIME_WAIT	   0
TCP	narin-21a6f9670:1222   64.78.224.102:smtp	 TIME_WAIT	   0
TCP	narin-21a6f9670:1244   mx.libertysurf.net:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1245   fr-end-07.iptelecom.net.ua:smtp  TIME_WAIT

TCP	narin-21a6f9670:1249   Eurydice.crdp.ac-caen.fr:smtp  TIME_WAIT	   0

TCP	narin-21a6f9670:1252   mail.hesperange.lu:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1255   mail-in-myway.roc2.bluetie.com:smtp  TIME_WAIT
   0
TCP	narin-21a6f9670:1261   mail.global.frontbridge.com:smtp  TIME_WAIT
0
TCP	narin-21a6f9670:1279   xmail.wiley.com:smtp   TIME_WAIT	   0
TCP	narin-21a6f9670:1302   weld-uae.com:smtp	  TIME_WAIT	   0
TCP	narin-21a6f9670:1309   mail02.gameloft.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1314   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1315   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1316   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1317   s3.amazonaws.com:http  TIME_WAIT	   0
TCP	narin-21a6f9670:1318   s3.amazonaws.com:http  TIME_WAIT	   0
TCP	narin-21a6f9670:1322   s3.amazonaws.com:http  TIME_WAIT	   0
TCP	narin-21a6f9670:1324   smtp2.hmg.inpg.fr:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1325   mailfilter2.igr.nl:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1331   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1334   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1341   mail54.messagelabs.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1353   server56.appriver.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1356   email.bureauveritas.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1361   mail.global.frontbridge.com:smtp  TIME_WAIT
0
TCP	narin-21a6f9670:1362   roughedge.com:smtp	 TIME_WAIT	   0
TCP	narin-21a6f9670:1363   mail2.technolink.lu:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1366   ofca.vn.cz:smtp		TIME_WAIT	   0
TCP	narin-21a6f9670:1370   cluster-b.mailcontrol.com:smtp  TIME_WAIT

TCP	narin-21a6f9670:1373   p3presmtp01-v01.prod.phx3.secureserver.net:smtp
IME_WAIT	   0
TCP	narin-21a6f9670:1375   alldownunder.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1378   alldownunder.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1380   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1381   216.180.243.138:http   TIME_WAIT	   0
TCP	narin-21a6f9670:1384   relay2.fastweb.it:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1387   gfi.vitamail.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1394   server25.appriver.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1405   mail16.messagelabs.com:smtp  TIME_WAIT	   0
TCP	narin-21a6f9670:1406   dns3.tkte.com:smtp	 TIME_WAIT	   0
TCP	narin-21a6f9670:1426   mx1.unitz.ca:smtp	  TIME_WAIT	   0
TCP	narin-21a6f9670:4942   www.bleepingcomputer.com:http  TIME_WAIT	   0

TCP	narin-21a6f9670:4949   mx2.yandex.ru:smtp	 TIME_WAIT	   0

You get the idea. This begins to happen a few seconds after I connect to the internet.

Any idea where I should start in identifying and removing this annoyingly stubborn and impossible to locate malware?

Thanks in advance!

BC AdBot (Login to Remove)

 


m

#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:09 PM

Posted 25 October 2008 - 11:38 AM

Hi djpeanut and welcome to BleepingComputer :thumbsup:

Since you are on dialup, you might consider these downloads at your library, or on a friends computer that has high speed, and then transfer to your computer via flash drive.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users