PC Connecting to 100s of SMTPs even with active firewall

Hi,

When I start up my computer I notice that there is a lot of traffic going over my internet connection, even though I am not doing anything on the internet.

I was told to run a program from the command line called netstat.

When I do this... it brings up 100s of SMTPs... saying established, time wait, close wait, fin wait or syn sent.

I believe I must be infected with some kind of virus or malware - however AVG or Spybot does not detect anything...

I have noticed a file called r.exe on the main system drive, I'm not sure what this is doing... if I delete it, it will reappear... 5 mins later...

Any thoughts?

Reply to
Dan Sheridan

Since the OP hasn't posted what Operating System he's running I just wanted to add that if he's running a 9x/ME system there's no "o" switch in netstat and it won't show PIDs; neither will TCPView. :o/

Reply to
dak

Get friendly with your favourite S/E.

Reply to
William Tasso

Hi All,

Thanks for all this info - this has really helped me to get a heads up on things... I think it's time for the dreaded reinstall. I have also found some other processes running... about 5 instances of svchost.exe, which I have heard can be virus related, and also 2x wrapper.exe and 2x java.exe!

I blocked smtp port 25 on my router at home... so hopefully that should not annoy the isp too much!

Thanks again!

Dan ;)

Reply to
Dan Sheridan

snipped-for-privacy@gmail.com (Dan Sheridan) wrote in news: snipped-for-privacy@posting.google.com:

Duane :)

Reply to
Duane Arnold

You most likely run a spam relay. I would not reconnect your computer to the internet if I were you. Else your ISP will become very angry with you and will disconnect you very soon. (But I guess he has already noticed and is flooded with spam reports/complaints).

This just means that your computer is pretty well infested. In that case, my advice would be to reboot the computer from a clean Windows CD and reinstall the whole system. This is the only way to be 100% on the safe side. Some local professional could help, too, as cleaning your computer is a difficult and error-prone process. Once you have malware there is usually other malware quick to come, exploiting the other malware's backdoors. All the software available to "clean" and all the nice step-by-step descriptions usually only work with the average, well-known infections. But malware writers are quick to adjust and creative in new ways to run undetected. A local professional hand thus can be much more effective than going through a simple list if you are not an expert...

In a command prompt, do netstat -a -o to see the PIDs in the last column of the connections to the SMTPs. Use tasklist to list all the processes and look out for the ones with the PIDs from the netstat. The name of the executable gives you a hint.

Gerald

Reply to
Gerald Vogt
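One way to automate the PID matching Gerald describes, as an added example that is not from this thread: a Python script that reads saved `netstat -a -o` and `tasklist` output (the samples below are constructed, assuming the Windows XP column layout) and counts connections to remote port 25 per process, so a single executable holding dozens of SMTP sessions stands out.

```python
import re
from collections import Counter

# Constructed sample of `netstat -a -o` output (Windows XP column layout).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.5:1054       203.0.113.10:25        SYN_SENT        1812
  TCP    192.168.1.5:1055       203.0.113.11:25        ESTABLISHED     1812
  TCP    192.168.1.5:1056       198.51.100.7:25        TIME_WAIT       0
  TCP    192.168.1.5:1057       198.51.100.8:25        FIN_WAIT_1      1812
  TCP    192.168.1.5:1060       192.0.2.44:80          ESTABLISHED     2200
  TCP    192.168.1.5:1061       203.0.113.12:25        CLOSE_WAIT      1812
"""

# Constructed sample of `tasklist` output for the same machine.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                   1032 Console                    0      4,852 K
r.exe                         1812 Console                    0      3,120 K
iexplore.exe                  2200 Console                    0     18,400 K
"""

# TCP rows only: local, foreign, state, PID (UDP rows have no state column).
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# Image name may contain spaces, so match the fixed tail of each row.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """Yield (foreign_host, foreign_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            host, port = m.group(2).rsplit(":", 1)  # rsplit keeps IPv6 intact
            yield host, int(port), m.group(3), int(m.group(4))

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names

def smtp_talkers(netstat_text, tasklist_text, port=25):
    """List (pid, image, count) of connections to remote `port`, busiest first."""
    counts = Counter(pid for _, fport, _, pid in parse_netstat(netstat_text) if fport == port)
    names = parse_tasklist(tasklist_text)
    return [(pid, names.get(pid, "?"), n) for pid, n in counts.most_common()]
```

TIME_WAIT sockets are reported under PID 0 because the owning process has already closed them, so they count against the idle process rather than the culprit.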

To follow up on that and make clear how urgent it is:

You posted from 217.43.125.249 aka host217-43-125-249.range217-43.btcentralplus.com

I don't know your ISP's policy regarding the assignment of IP addresses, but that IP address is listed in various blacklists, e.g. (link omitted).

See also (link omitted), which reports an extreme increase of email traffic from that IP during the last day (9408%), probably while you were writing your article. Certainly, if your ISP uses DHCP and shuffles the IP address each time you connect, this may be coincidental. But after what you wrote I would assume that these blacklistings are due to your computer...

Gerald

Reply to
Gerald Vogt

Only 5? I have more ;-).

tasklist /svc should tell you what services are running in which process.

Good idea...

Gerald

Reply to
Gerald Vogt
