Win 2003 continuous smtp connections

Posted 05 July 2010 - 12:53 AM


I am running Windows Server 2003 Enterprise Edition on an HP laptop (Compaq 6720s). It had been running quite well without any noticeable problem, despite having a direct internet connection through my LAN, for months. For a few days, however, there has been continuous net activity for quite a long time. The net remains ON when I switch on the system after a few days and establishes numerous smtp connections to different addresses.

I checked through NETSTAT, and found process 912 making the connections: TASKLIST says it is SERVICES.EXE:

services.exe 912 Console 0 21,748 K

I mostly use Mozilla Firefox version 3.6.6 for browsing. However, I also have and sometimes use Internet Explorer version 7.0.5730.13.

I am pasting an incomplete netstat log, because the connections to different smtp hosts would continually go on and I had to press ^C to break it. I am also providing a HijackThis log.

I have tried DDS Tool, but it is designed for Windows 2003.

I ran GMER. It starts and gives the following warning:
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system ?

I clicked [YES]. It ran for a while and suddenly brought a Windows BLUE SCREEN (of death), with no real information, just telling me that some program was about to damage the system and the system had been shut down to prevent the damage.

I rebooted the system and ran GMER again. This time I pressed [NO] when it asked whether to perform a full scan or not, to view the window underneath the message box:

In the main window it shows in RED colour:
Service (***hidden***) [BOOT] xdliym

Please help me bring my system back to normal.


Active Connections

Proto Local Address Foreign Address State PID
TCP perlp:epmap perlp:0 LISTENING 1188
TCP perlp:mlitzer perlp:0 LISTENING 4
TCP perlp:1028 perlp:0 LISTENING 924
TCP perlp:5152 perlp:0 LISTENING 1920
TCP perlp:5152 perlp:6756 CLOSE_WAIT 1920
TCP perlp:5606 perlp:5607 ESTABLISHED 3100
TCP perlp:5607 perlp:5606 ESTABLISHED 3100
TCP perlp:5610 perlp:5611 ESTABLISHED 3100
TCP perlp:5611 perlp:5610 ESTABLISHED 3100
TCP perlp:netbios-ssn perlp:0 LISTENING 4
TCP perlp:5411 rr.pmtpa.wikimedia.org:http ESTABLISHED 912
TCP perlp:5412 m12-91.163.com:smtp CLOSE_WAIT 912
TCP perlp:5418 mail.aaahoosier.com:smtp CLOSE_WAIT 912
TCP perlp:5423 mail.drummondco.com:smtp CLOSE_WAIT 912
TCP perlp:5432 smtp632.redcondor.net:smtp CLOSE_WAIT 912
TCP perlp:5434 server.a77a.com:smtp CLOSE_WAIT 912
TCP perlp:5439 s5a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5442 port-212-202-112-67.static.qsc.de:smtp CLOSE_WAIT 912
TCP perlp:5444 eforwardct.name-services.com:smtp CLOSE_WAIT 912
TCP perlp:5445 CLOSE_WAIT 912
TCP perlp:5452 CLOSE_WAIT 912
TCP perlp:5454 s6b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5458 mx2.incresearch.com:smtp ESTABLISHED 912
TCP perlp:5460 CLOSE_WAIT 912
TCP perlp:5463 host-194-149-228-14.gazeta.pl:smtp CLOSE_WAIT 912
TCP perlp:5467 lmx1.aig.com:smtp ESTABLISHED 912
TCP perlp:5479 mail.allnet.de:smtp CLOSE_WAIT 912
TCP perlp:5481 ns605.ovh.net:smtp ESTABLISHED 912
TCP perlp:5486 mx6.tm1.org:smtp CLOSE_WAIT 912
TCP perlp:5488 mx6.tm1.org:smtp CLOSE_WAIT 912
TCP perlp:5489 mailans.ans.com.au:smtp CLOSE_WAIT 912
TCP perlp:5491 publicms1.mail2world.com:smtp CLOSE_WAIT 912
TCP perlp:5495 mail-in2.anz.com:smtp CLOSE_WAIT 912
TCP perlp:5507 dsl-210-15-236-148-static.VIC.netspace.net.au:smtp CLOSE_WAIT 912
TCP perlp:5517 h-85-24-156-72.NA.cust.bahnhof.se:smtp CLOSE_WAIT 912
TCP perlp:5529 s6b1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5530 cpanel71.gzo.com:smtp CLOSE_WAIT 912
TCP perlp:5531 mail.avemaria.edu:smtp CLOSE_WAIT 912
TCP perlp:5537 armax.medias.rdsnet.ro:smtp ESTABLISHED 912
TCP perlp:5541 200-71-151-243.static.telcel.net.ve:smtp CLOSE_WAIT 912
TCP perlp:5543 72.b2.1243.static.theplanet.com:smtp CLOSE_WAIT 912
TCP perlp:5552 addr23.addr.com:smtp ESTABLISHED 912
TCP perlp:5553 s7b1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5555 mx2.bcsul.com.br:smtp CLOSE_WAIT 912
TCP perlp:5557 usmail02.bd.com:smtp CLOSE_WAIT 912
TCP perlp:5562 mail.cdwcu.com:smtp CLOSE_WAIT 912
TCP perlp:5569 dns.bestrsv.com:smtp ESTABLISHED 912
TCP perlp:5573 mel2.securecloud.com:smtp CLOSE_WAIT 912
TCP perlp:5577 cluster-j.mailcontrol.com:smtp CLOSE_WAIT 912
TCP perlp:5580 d10-155-65-63.abhsia.telus.net:smtp CLOSE_WAIT 912
TCP perlp:5581 bw-in-f27.1e100.net:smtp CLOSE_WAIT 912
TCP perlp:5583 mxs.mail.ru:smtp CLOSE_WAIT 912
TCP perlp:5603 mel4.securecloud.com:smtp CLOSE_WAIT 912
TCP perlp:5617 s8a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5619 m12-91.163.com:smtp CLOSE_WAIT 912
TCP perlp:5622 mx03.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5629 s7a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5630 s7a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5636 exmta.mopera.net:smtp CLOSE_WAIT 912
TCP perlp:5644 p2.nsm.ctmail.com:smtp CLOSE_WAIT 912
TCP perlp:5654 CLOSE_WAIT 912
TCP perlp:5655 mx01.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5660 spamfilter-11.visi.com:smtp CLOSE_WAIT 912
TCP perlp:5667 telnet.netfront.net:smtp ESTABLISHED 912
TCP perlp:5668 ms14.ucs.fsu.edu:smtp ESTABLISHED 912
TCP perlp:5685 email2-vip.ups.com:smtp CLOSE_WAIT 912
TCP perlp:5693 mta21.hk.alibaba.com:smtp CLOSE_WAIT 912
TCP perlp:5701 s7b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5704 mx6.tm1.org:smtp CLOSE_WAIT 912
TCP perlp:5705 mx6.tm1.org:smtp CLOSE_WAIT 912
TCP perlp:5708 s7b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5709 mx.amtelecom.net:smtp CLOSE_WAIT 912
TCP perlp:5722 cas1.aplaceformom.com:smtp CLOSE_WAIT 912
TCP perlp:5742 mx03.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5748 eforwardct3.name-services.com:smtp CLOSE_WAIT 912
TCP perlp:5750 zebedee.astrium.eads.net:smtp ESTABLISHED 912
TCP perlp:5751 60-250-182-246.HINET-IP.hinet.net:smtp CLOSE_WAIT 912
TCP perlp:5756 c-68-32-53-160.hsd1.nj.comcast.net:smtp ESTABLISHED 912
TCP perlp:5760 exmta.mopera.net:smtp CLOSE_WAIT 912
TCP perlp:5764 mx03.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5774 s7b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5775 s6b1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5785 lbd.spamh.com:smtp CLOSE_WAIT 912
TCP perlp:5794 riosena7.ba.gov.br:smtp CLOSE_WAIT 912
TCP perlp:5798 txemail2.bankofamerica.com:smtp ESTABLISHED 912
TCP perlp:5801 eforwardct.name-services.com:smtp CLOSE_WAIT 912
TCP perlp:5803 mail.baumanns-wiehager.de:smtp CLOSE_WAIT 912
TCP perlp:5807 mailrelay.bcr.fi.cr:smtp CLOSE_WAIT 912
TCP perlp:5815 host.pspdns.com:smtp CLOSE_WAIT 912
TCP perlp:5816 lbd.spamh.com:smtp CLOSE_WAIT 912
TCP perlp:5822 tmail07.tbccorp.com:smtp ESTABLISHED 912
TCP perlp:5823 p2.nsm.ctmail.com:smtp CLOSE_WAIT 912
TCP perlp:5829 s8a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5831 m12-91.163.com:smtp CLOSE_WAIT 912
TCP perlp:5834 moti.aafes.com:smtp CLOSE_WAIT 912
TCP perlp:5836 s7a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5839 mx03.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5840 mx03.mx-server.net:smtp CLOSE_WAIT 912
TCP perlp:5841 mail.peru.edu:smtp ESTABLISHED 912
TCP perlp:5856 ww-in-f27.1e100.net:smtp CLOSE_WAIT 912
TCP perlp:5857 exmta.mopera.net:smtp CLOSE_WAIT 912
TCP perlp:5861 p2.nsm.ctmail.com:smtp CLOSE_WAIT 912
TCP perlp:5866 s6a2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5867 CLOSE_WAIT 912
TCP perlp:5868 WPPOP01:smtp CLOSE_WAIT 912
TCP perlp:5872 spamfilter-8.visi.com:smtp CLOSE_WAIT 912
TCP perlp:5877 s75-155-5-246.ab.hsia.telus.net:smtp CLOSE_WAIT 912
TCP perlp:5879 s5a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5880 smtp.skitours.com:smtp CLOSE_WAIT 912
TCP perlp:5881 mx1.acessa.com:smtp CLOSE_WAIT 912
TCP perlp:5885 mail1.americangeneralfinancialservices.com:smtp ESTABLISHED 912
TCP perlp:5895 s5a2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5900 mx1.free.fr:smtp CLOSE_WAIT 912
TCP perlp:5902 mail.alpamail.org:smtp CLOSE_WAIT 912
TCP perlp:5911 mail.saxonmtg.com:smtp CLOSE_WAIT 912
TCP perlp:5915 caraguatatuba.prolan.com.br:smtp CLOSE_WAIT 912
TCP perlp:5932 s7b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5939 notes.aptec.ae:smtp CLOSE_WAIT 912
TCP perlp:5942 ns2.arh.org:smtp ESTABLISHED 912
TCP perlp:5950 s9b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5955 exmta.mopera.net:smtp CLOSE_WAIT 912
TCP perlp:5971 p2.nsm.ctmail.com:smtp CLOSE_WAIT 912
TCP perlp:5974 vmx1.spamcop.net:smtp CLOSE_WAIT 912
TCP perlp:5977 s5b2.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:5985 eforwardct.name-services.com:smtp CLOSE_WAIT 912
TCP perlp:5988 eforwardct.name-services.com:smtp CLOSE_WAIT 912
TCP perlp:5990 mxa14.expurgate.net:smtp CLOSE_WAIT 912
TCP perlp:6010 bestwebhost.com:smtp CLOSE_WAIT 912
TCP perlp:6012 gw3.security.comendo.com:smtp CLOSE_WAIT 912
TCP perlp:6014 gw-in-f27.1e100.net:smtp CLOSE_WAIT 912
TCP perlp:6020 p4-7040.uk2net.com:smtp CLOSE_WAIT 912
TCP perlp:6021 tmail07.tbccorp.com:smtp ESTABLISHED 912
TCP perlp:6023 ww-in-f27.1e100.net:smtp CLOSE_WAIT 912
TCP perlp:6024 n11648155137.netvigator.com:smtp CLOSE_WAIT 912
TCP perlp:6026 CLOSE_WAIT 912
TCP perlp:6027 biwave.com:smtp ESTABLISHED 912
TCP perlp:6030 mail.blitzlee.com:smtp CLOSE_WAIT 912
TCP perlp:6033 s5a1.psmtp.com:smtp CLOSE_WAIT 912
TCP perlp:6064 CLOSE_WAIT 912

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:37:42 AM, on 7/5/2010
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O15 - ESC Trusted Zone: http://www.google.com.pk
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://avserver:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.com/download/PDMSInstaller.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.com/download/urduplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BDD6A00-54E3-40AA-9138-628CC823B5F9}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BDD6A00-54E3-40AA-9138-628CC823B5F9}: NameServer =
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

End of file - 4885 bytes

Hope I get a reply soon.


Arshad Parvez
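The pattern in the netstat output above (one PID holding dozens of connections to distinct remote hosts on the smtp port) is what a defender would look for when triaging a suspected spam bot. The following is an added example, not part of the original post: it parses "netstat -ano"-style lines in the same column layout as the log above and flags any PID talking to more distinct SMTP hosts than a threshold. The sample lines, hostnames and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of "netstat -ano" on Windows 2003,
# mirroring the log in the post (hostnames are placeholders, not from the log).
# The "perlp:5445 CLOSE_WAIT 912" line reproduces a row whose foreign-address
# column was lost, as happens in the pasted log; it must not crash the parser.
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State PID
TCP perlp:epmap perlp:0 LISTENING 1188
TCP perlp:5411 www.example.org:http ESTABLISHED 912
TCP perlp:5412 mx1.example.com:smtp CLOSE_WAIT 912
TCP perlp:5418 mail.example.net:smtp CLOSE_WAIT 912
TCP perlp:5423 mx2.example.com:smtp ESTABLISHED 912
TCP perlp:5445 CLOSE_WAIT 912
TCP perlp:5460 smtp.example.edu:smtp CLOSE_WAIT 912
TCP perlp:5500 mail.myisp.example:smtp ESTABLISHED 3100
"""

# proto, local addr, foreign addr, state, pid; header and truncated rows fail to match
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; skip headers and malformed rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state, int(pid)))
    return rows


def smtp_peers_by_pid(rows):
    """Map PID -> set of distinct remote hosts it has connections to on the smtp port."""
    peers = defaultdict(set)
    for _proto, _local, foreign, state, pid in rows:
        host, _, port = foreign.rpartition(":")
        if port in ("smtp", "25") and state != "LISTENING":
            peers[pid].add(host)
    return peers


def flag_mass_mailers(rows, threshold=3):
    """Return {pid: distinct_smtp_hosts} for PIDs at or above the threshold.
    A mail client talks to one or two relays; many distinct MX hosts from a single
    PID (here a process masquerading under services.exe) is the spam-bot signature."""
    return {pid: len(hosts) for pid, hosts in smtp_peers_by_pid(rows).items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    print(flag_mass_mailers(parse_netstat(SAMPLE_NETSTAT)))  # {912: 4}
```

On a live host the same function can be fed the output of "netstat -ano" directly; a hit on a PID that TASKLIST attributes to a system process, as in this case, is the cue to collect rootkit scanner output rather than trust the process name.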

Posted 07 July 2010 - 12:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Posted 10 July 2010 - 06:47 AM

Still with me?

Posted 13 July 2010 - 11:22 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

