Question

Unwanted SMTP connections from services.exe slowing internet connection

Asked by: RobDeBob

Using the command prompt and netstat I have determined that about half of my traffic at any given moment is smtp connections from services.exe. Spybot, Adaware, and AVG can't find anything, so I suspect a rootkit is involved. How do I stop this, and where can I start?

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    ROBDEBOB:3268          mg.mx.aol.com:smtp     SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3269          dimail3.emirates.net.ae:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3270          mxl144v13.mxlogic.net:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3271          mx.uniserve.ca:smtp    SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3272          smtppool2.skynet.be:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3273          *.s8b1.psmtp.com:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3274          mta-v1.mail.vip.in2.yahoo.com:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3275          mx3.vip.sina.com:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3276          mail.global.frontbridge.com:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3277          9.mx.freenet.de:smtp   SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:1641          localhost:1642         ESTABLISHED     1800
  [firefox.exe]

  TCP    ROBDEBOB:1642          localhost:1641         ESTABLISHED     1800
  [firefox.exe]

  TCP    ROBDEBOB:1643          localhost:1644         ESTABLISHED     1800
  [firefox.exe]

  TCP    ROBDEBOB:1644          localhost:1643         ESTABLISHED     1800
  [firefox.exe]

  TCP    ROBDEBOB:2643          by1msg2245418.gateway.edge.messenger.live.com:1863  ESTABLISHED     768
  [MsnMsgr.Exe]

  TCP    ROBDEBOB:4131          cds24.sea.llnw.net:http  CLOSE_WAIT      2696
  [Steam.exe]
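The netstat listing above is the indicator the whole thread turns on: a core system process opening SMTP connections to many unrelated mail exchangers, which is a spam engine, not a user sending mail. As an added example (not code from the thread), the Python script below parses this two-line `netstat -b` layout and flags any process that is not a known mail client yet has outbound SMTP attempts to several distinct hosts. The sample listing is constructed from the rows above plus invented thunderbird.exe rows; the mail-client allow-list and the host threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Windows XP `netstat -b` layout (connection row,
# then the owning image in brackets). The services.exe and firefox.exe rows
# mirror the question; the thunderbird.exe rows are invented for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    ROBDEBOB:3268          mg.mx.aol.com:smtp     SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3269          dimail3.emirates.net.ae:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3270          mxl144v13.mxlogic.net:smtp  SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:3271          mx.uniserve.ca:smtp    SYN_SENT        872
  [services.exe]

  TCP    ROBDEBOB:1641          localhost:1642         ESTABLISHED     1800
  [firefox.exe]

  TCP    ROBDEBOB:5001          smtp.example.net:smtp  ESTABLISHED     1900
  [thunderbird.exe]

  TCP    ROBDEBOB:5002          mail.example.org:smtp  SYN_SENT        1900
  [thunderbird.exe]

  TCP    ROBDEBOB:5003          mx.example.com:25      SYN_SENT        1900
  [thunderbird.exe]
"""

# One TCP connection row: local, foreign, state, pid.
CONN_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
# The "[image.exe]" line that netstat -b prints under a row.
IMAGE_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")

# Assumed allow-list of processes expected to speak SMTP on a desktop.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "msimn.exe", "avgemc.exe"}
# SYN_SENT is an unanswered attempt; both states are outbound activity.
OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED"}
# Assumed threshold: a user's client talks to one or two servers, a spam engine to many.
MIN_DISTINCT_HOSTS = 3


def parse_netstat(text):
    """Return one dict per TCP row. 'image' comes from the bracketed line
    that follows the row and stays None if netstat was run without -b."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["image"] = None
            rows.append(row)
            continue
        m = IMAGE_RE.match(line)
        if m and rows and rows[-1]["image"] is None:
            rows[-1]["image"] = m.group("image")
    return rows


def split_host_port(addr):
    """'mx.uniserve.ca:smtp' -> ('mx.uniserve.ca', 'smtp')."""
    host, _, port = addr.rpartition(":")
    return host, port


def find_smtp_senders(text):
    """Group outbound SMTP rows by PID; return {pid: summary} for each
    process that is not a known mail client yet talks to many hosts."""
    per_pid = defaultdict(lambda: {"image": None, "hosts": set(), "rows": 0})
    for row in parse_netstat(text):
        host, port = split_host_port(row["remote"])
        if port not in ("smtp", "25") or row["state"] not in OUTBOUND_STATES:
            continue
        entry = per_pid[row["pid"]]
        entry["image"] = entry["image"] or row["image"]
        entry["hosts"].add(host)
        entry["rows"] += 1
    flagged = {}
    for pid, entry in per_pid.items():
        if (entry["image"] or "").lower() in MAIL_CLIENTS:
            continue
        if len(entry["hosts"]) >= MIN_DISTINCT_HOSTS:
            flagged[pid] = {"image": entry["image"],
                            "distinct_hosts": len(entry["hosts"]),
                            "connections": entry["rows"]}
    return flagged


if __name__ == "__main__":
    for pid, info in find_smtp_senders(SAMPLE_NETSTAT).items():
        print(f"PID {pid} ({info['image']}): {info['connections']} outbound SMTP "
              f"connections to {info['distinct_hosts']} distinct hosts")
```

On the sample this reports only PID 872 (services.exe); the invented thunderbird.exe rows are skipped by the allow-list even though they also reach three hosts.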



                                  

Asked On: 2007-12-09 at 10:41:50 (ID 23011744)
Tags: smtp, connections
Topics: Anti-Virus, Simple Mail Transfer Protocol (SMTP), Networking Security Vulnerabilities
Participating Experts: 2
Points: 500
Comments: 20


Answers

by: freymish, posted on 2007-12-09 at 13:18:28, ID: 20438219

Check here http://www.pcsupportadvisor.com/rootkits.htm for rootkit detectors. They list several.

by: jared_luker, posted on 2007-12-09 at 13:22:43, ID: 20438232

It's not a long-term fix, but you could use a personal firewall, or maybe even the Windows firewall, to block port 25 so that you can at least stop being their little relay buddy.

Try RootkitRevealer (formerly a Sysinternals product and now a MS product):

http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

by: RobDeBob, posted on 2007-12-09 at 19:07:35, ID: 20439279

Jared, this is all I gleaned from RootkitRevealer:

HKU\S-1-5-21-1606980848-2111687655-725345543-1004\Software\Adobe\MediaBrowser\MRU\Photoshop\ApplicationPath      12/6/2007 12:23 AM      81 bytes      Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1606980848-2111687655-725345543-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*      9/27/2007 6:08 PM      0 bytes      Key name contains embedded nulls (*)
HKU\S-1-5-21-1606980848-2111687655-725345543-1004\Software\Valve\Steam\Steam.exe\UpTimeMostRecent      12/9/2007 6:46 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC*      2/18/2007 5:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      2/18/2007 5:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg      2/25/2007 3:03 PM      0 bytes      Access is denied.
HKLM\SYSTEM\ControlSet001\Services\xpdx      11/22/2007 5:40 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdx      11/22/2007 5:40 PM      0 bytes      Hidden from Windows API.

I'm not sure if that helps. I know I need to find the file(s) involved in sending the smtp packets. It does say they originated from services.exe, which I cannot terminate because it is a "critical process." Isn't "services.exe" just a mask for whatever is causing trouble to hide behind?

by: jared_luker, posted on 2007-12-09 at 19:29:42, ID: 20439369

It's hard to say. Malware can use legit files to do its evil bidding.

Have you used HiJackThis at all?

You can download it from here:

http://www.hijackthis.de/

Run it and save a log file.  Then copy and paste the text file into the place provided.  Check out the results and check any nasty entries.

You can also paste your log into the analyzer here for a second opinion

http://hjt.networktechs.com/

by: jared_luker, posted on 2007-12-09 at 19:35:50, ID: 20439397

You can also use Process Explorer to look and see the location of services.exe that has been executed and is running.

If it's anywhere other than c:\windows\system32 then it's not the legit one.

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

by: RobDeBob, posted on 2007-12-09 at 20:15:11, ID: 20439514

With Process Explorer I confirmed that services.exe is running from C:\WINDOWS\system32\.  I see a bunch of svchost.exe processes in the services.exe process tree. The rest can be identified as legitimate. Could these be causing the problem?

Here is my HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:10:17 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\RobDeBob\My Documents\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\NETGEAR\WPNT511\wpnt511.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\RobDeBob\My Documents\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\RobDeBob\My Documents\My Music\JetAudio\JetAudio.exe
C:\Program Files\Media Player Classic\mplayerc.exe
C:\Documents and Settings\RobDeBob\My Documents\Mozilla Firefox\firefox.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\RobDeBob\My Documents\mIRC\mirc.exe
C:\Documents and Settings\RobDeBob\Desktop\RootkitRevealer.exe
C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\Process Explorer\procexp.exe
C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3535E605-3F5F-4BDC-83F7-178B05599444} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\RobDeBob\MYDOCU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {700571DE-6297-4DF1-A8D7-3E7F17C1027A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WPNT511] C:\Program Files\NETGEAR\WPNT511\wpnt511.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AAWTray] C:\Documents and Settings\RobDeBob\My Documents\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\RobDeBob\MYDOCU~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\RobDeBob\MYDOCU~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\RobDeBob\MYDOCU~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171862869402
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171862850980
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BA6DED1-0C23-4015-8FA5-C714FE6E5CF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{637EF5AA-CEAF-470F-8544-6C086E38BD46}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BA6DED1-0C23-4015-8FA5-C714FE6E5CF1}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtuuvvu - vtuuvvu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Documents and Settings\RobDeBob\My Documents\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\Sony Vegas\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Documents and Settings\RobDeBob\My Documents\Other Stuff\Sony Vegas\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XBPCT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RobDeBob\LOCALS~1\Temp\XBPCT.exe

It seems there are a good deal of red entries from the analyzer you referred me to. I'll see if fixing them does anything.

by: jared_luker, posted on 2007-12-09 at 20:19:00, ID: 20439526

Yea... those unknown BHOs are trouble!

You should get it cleaned up and switch to Firefox! :)

by: RobDeBob, posted on 2007-12-09 at 20:33:15, ID: 20439568

I have used Mozilla Firefox for years now. I also had the programs you linked me to, but the analyzer was helpful. Fixing the red entries did nothing to stop the smtp communications, though I still need to restart. Any more suggestions? Thanks for your help.

by: jared_luker, posted on 2007-12-09 at 20:38:36, ID: 20439584

The last time I got an infestation that I could not identify, I just got another hard drive and re-installed Windows. It's not worth the time or effort to fight these things when you can be up and running faster by just reinstalling fresh.

That way you have the old hard drive in case there is something that you need to retrieve.

I just don't think it's worth the time to "maybe" get it cleaned.

by: RobDeBob, posted on 2007-12-09 at 20:59:58, ID: 20439647

I have too many programs and data to back up to make it worth starting anew without simply ghosting, which defeats the purpose, especially since this is a minor problem that doesn't even warrant action of that magnitude. The main qualm I have is that my ping in online games is higher than I would like, but otherwise my browser and other applications work fine. All I need to do is find the source of the problem and fix it. I was hoping someone here would be able to help me with that since I'm not as learned or experienced.

by: jared_luker, posted on 2007-12-10 at 07:28:51, ID: 20442222

How does it look after using HijackThis to fix the red items and rebooting?

by: RobDeBob, posted on 2007-12-10 at 15:10:55, ID: 20446134

Still plenty of smtp traffic, but all but two of the red entries are gone:

"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item.

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)"

by: RobDeBob, posted on 2007-12-10 at 15:14:21, ID: 20446156

I might add that these are recurring entries that don't seem to want to go away. I can't imagine they're the source of the problem, but you're the expert.

by: jared_luker, posted on 2007-12-10 at 20:35:52, ID: 20447325

You could try Panda's ActiveScan.

http://www.pandasecurity.com/homeusers/solutions/activescan/ (must use IE)

by: RobDeBob, posted on 2007-12-11 at 06:58:14, ID: 20449709

It looks like ActiveScan did the trick, but I still need to get rid of everything it detected:

Incident                                          Status            Location
Spyware:Spyware/Virtumonde                        Not disinfected   C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0JKLM56P\fill[1]
Spyware:Cookie/Com.com                            Not disinfected   C:\Documents and Settings\RobDeBob\Application Data\Mozilla\Firefox\Profiles\tjd1vstb.default\cookies.txt[.com.com/]
Spyware:Cookie/Adrevolver                         Not disinfected   C:\Documents and Settings\RobDeBob\Cookies\robdebob@adrevolver[1].txt
Spyware:Cookie/Atlas DMT                          Not disinfected   C:\Documents and Settings\RobDeBob\Cookies\robdebob@atdmt[1].txt
Spyware:Cookie/Atlas DMT                          Not disinfected   C:\Documents and Settings\RobDeBob\Cookies\robdebob@atdmt[2].txt
Spyware:Cookie/Adrevolver                         Not disinfected   C:\Documents and Settings\RobDeBob\Cookies\robdebob@media.adrevolver[3].txt
Virus:Generic Malware                             Disinfected       C:\Documents and Settings\RobDeBob\My Documents\GameSpy Arcade\Services\_common\PortraitLoader.dll
Potentially unwanted tool:Application/Processor   Not disinfected   C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor   Not disinfected   C:\VundoFix Backups\SDFix.exe[SDFix\apps\Process.exe]
Spyware:Spyware/Virtumonde                        Not disinfected   C:\VundoFix Backups\ssqnljj.dll.bad
Potentially unwanted tool:Application/Processor   Not disinfected   C:\VundoFix Backups\VirtumundoBeGone.exe
Virus:Trj/Lzx32.J                                 Disinfected       C:\WINDOWS\system32\xpdx.sys

by: jared_luker, posted on 2007-12-11 at 07:05:18, ID: 20449757

Sweet... knowing what you are dealing with is the best start.

Try booting up in safe mode and deleting all of those virus files. Then search the registry for references to the offenders and delete them.

Hopefully that will be enough to break its back. Often they have some kind of file somewhere else that gets loaded at boot up that will re-infect, but we'll cross our fingers in your case.

by: RobDeBob, posted on 2007-12-11 at 21:14:17, ID: 20455214

I did exactly as you said, and here are my new scans:

Hijack this (red entries):

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: XBPCT - Unknown owner - C:\DOCUME~1\RobDeBob\LOCALS~1\Temp\XBPCT.exe (file missing)

ActiveScan:

Spyware:Cookie/FastClick                          Not disinfected   C:\Documents and Settings\RobDeBob\Cookies\robdebob@fastclick[2].txt
Virus:Trj/Lzx32.J                                 Disinfected       C:\WINDOWS\system32\xpdx.sys

It looks like ctfmon.exe keeps coming back, as well as xpdx.sys, the trojan (I had trouble deleting this). As I said, AVG, Spybot S&D, and Adaware don't detect any threats. When I rebooted, I ran a netstat -b which to my surprise showed no smtp connections from services.exe. However, they started to appear on a second test a minute or so later. Any chance of quickly ending this, now that we have an idea of the problem, once and for all?

by: RobDeBob, posted on 2007-12-24 at 21:22:36, ID: 31413771

ActiveScan determined xpdx.sys as the culprit, but I had to search around for a program that could vanquish it and whatever other files were propagating its existence. Luckily ComboFix did exactly the trick. Absolutely no problems afterward, and it helped me clean up my PC in the process. Thanks for your help, Jared.

by: RobDeBob, posted on 2007-12-25 at 20:38:53, ID: 20528348

For anyone that views this question in the future: Do everything I did here, but also try running ComboFix.exe, a removal tool. It did wonders for my PC, eliminating the problem in its entirety. Highly recommended.

by: jared_luker, posted on 2007-12-26 at 07:44:35, ID: 20529490

Good advice... thanks.
