Re: PC Connecting to 100s of SMTPs even with active firewall

From: Gerald Vogt (vogt_at_spamcop.net)
Date: 02/15/05


Date: Tue, 15 Feb 2005 11:55:48 +0900

Dan Sheridan wrote:
> When I do this... it brings up 100s of smtps... saying established
> connection, time wait or close wait or fin wait or syn sent.

You most likely run a spam relay. I would not reconnect your computer to
the internet if I were you. Else your ISP will become very angry with
you and will disconnect you very soon. (But I guess he has already
noticed and is flooded with spam reports/complaints).

> I believe i must be infected with some kind of virus or malware -
> however AVG or Spybot does not detect anything...

This just means that your computer is pretty well infested. In that
case, my advice would be to reboot the computer from a clean Windows CD
and reinstall the whole system. This is the only way to be 100% on the
safe side. Some local professional could help, too, as cleaning your
computer is a difficult and error-prone process. Once you have a malware
there is usually other malware quick to come, exploiting other malware's
backdoors. All the software available to "clean" and all the nice
step-by-step descriptions usually only work with the average, well-known
infections. But malware writers are quick to adjust and creative in new
ways to run undetected. A local professional hand thus can be much more
effective than going through a simple list if you are not an expert...

> I have noticed a file called r.exe on the main system drive, I'm not
> sure what this is doing... if I delete it, it will reappear... 5 mins
> later...

In a command prompt, do netstat -a -o to see the PIDs in the last
column of the connections to the SMTPs. Use tasklist to list all the
processes and look out for the one with the PIDs from the netstat. The
name of the executable gives you a hint.

Gerald
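The netstat/tasklist correlation Gerald describes is easy to do by hand for a few connections but tedious for hundreds. The script below is an added example, not part of the original post: it parses saved `netstat -a -o` and `tasklist` output in the layout Windows XP prints, keeps only connections to remote port 25, and groups them by owning process. Both input blobs are constructed samples (the addresses are documentation ranges, and `r.exe` with PID 1788 is used only because the thread mentions that file name); the function names are this example's own.

```python
"""Correlate SMTP connections from `netstat -a -o` with `tasklist` output.

Added triage helper for the thread above. Save the two command outputs to
files on the suspect machine, or paste them in as below, and run the script
on any host with Python 3. Both samples here are constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -a -o` (Windows XP layout).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.5:1041       203.0.113.10:25        ESTABLISHED     1788
  TCP    192.168.1.5:1042       198.51.100.7:25        SYN_SENT        1788
  TCP    192.168.1.5:1043       203.0.113.44:25        TIME_WAIT       0
  TCP    192.168.1.5:1050       192.0.2.9:80           ESTABLISHED     1412
  TCP    192.168.1.5:1051       198.51.100.22:25       CLOSE_WAIT      1788
"""

# Constructed sample of `tasklist`; the r.exe entry is hypothetical.
TASKLIST_OUTPUT = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  920 Console                 0      4,104 K
iexplore.exe                1412 Console                 0     21,332 K
r.exe                       1788 Console                 0      3,020 K
"""

NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
# Image names may contain spaces ("System Idle Process"), so match lazily
# and anchor on the fixed PID / session / memory columns at the end.
TASKLIST_LINE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP line: local, remote_host, remote_port, state, pid."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank and UDP lines are skipped
        host, _, port = m.group("remote").rpartition(":")  # also handles [::1]:25
        conns.append({
            "local": m.group("local"),
            "remote_host": host,
            "remote_port": int(port),
            "state": m.group("state"),
            "pid": int(m.group("pid")),
        })
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs


def smtp_talkers(netstat_text, tasklist_text, port=25):
    """Group connections to `port` by owning PID and name the executable.

    PID 0 is skipped: Windows reports it for sockets whose owner has already
    closed them (typically TIME_WAIT), so it points at nothing useful.
    """
    procs = parse_tasklist(tasklist_text)
    by_pid = defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c["remote_port"] == port and c["pid"] != 0:
            by_pid[c["pid"]].append(c)
    report = {}
    for pid, conns in by_pid.items():
        report[pid] = {
            "image": procs.get(pid, "<not in tasklist>"),
            "connections": len(conns),
            "states": sorted({c["state"] for c in conns}),
            "remote_hosts": sorted({c["remote_host"] for c in conns}),
        }
    return report


if __name__ == "__main__":
    for pid, info in sorted(smtp_talkers(NETSTAT_OUTPUT, TASKLIST_OUTPUT).items()):
        print(f"PID {pid} ({info['image']}): {info['connections']} SMTP connections, "
              f"states {info['states']}, hosts {info['remote_hosts']}")
```

On a machine in the state the original poster describes, the process that tops this report is the one to look at; a name like `r.exe` that tasklist shows owning every outbound port-25 socket is the hint Gerald refers to. Run the two commands and save their output before disconnecting the machine, since the sockets disappear once the process is killed or the cable is pulled.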
