Question

Post scanning on port 25

Asked by: zehren

I have a window 2003 standard server run exchange 2003. I believe I have virus or malware on this server because we are getting a TON of port 25 connections. I do not believe I have an open relay because I've gone through the open relay solutions on this site. Here's the out put from hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:55 PM, on 10/16/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\WINNT\system32\serverappliance\appmgr.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\cisvc.exe
D:\Program Files\GFI\ContentSecurity\MiddleLayer\ContentSecurity.ML.SVC.Attendant.exe
C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\serverappliance\elementmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\GFI\MailEssentials\msecatt.exe
C:\Program Files\GFI\MailEssentials\MiddleLayer\contentsecurity.as.attendant.exe
C:\Program Files\GFI\MailEssentials\mestrxsvc.exe
C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe
C:\iFtpSvc\iFtpSvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\iNtfySvc\intfysvc.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\rcsvcmon.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\serverappliance\srvcsurg.exe
C:\Program Files\SUPERMICRO\SDIII\NTService.exe
C:\WINNT\system32\SD3Service.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\TIMESYNC.EXE
C:\WINNT\System32\wins.exe
C:\WINNT\system32\WinVNC.exe
C:\Program Files\SUPERMICRO\SDIII\Xitami\xisrv32.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\GFI\MailEssentials\pop2exch.exe
D:\Exchsrvr\bin\exmgmt.exe
D:\Exchsrvr\bin\mad.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Adaptec\SMBE\notify.exe
D:\Program Files\GFI\ContentSecurity\MailSecurity\GFIScanM.exe
C:\Program Files\GFI\MailEssentials\listserv.exe
D:\Program Files\GFI\ContentSecurity\MailSecurity\MiddleLayer\ContentSecurity.ML.SVC.Attendant.exe
D:\Exchsrvr\bin\store.exe
D:\Exchsrvr\bin\emsmta.exe
C:\WINNT\system32\rsmsink.exe
D:\Program Files\GFI\ContentSecurity\contentsecurity.autoupdate.ausvc.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\G-VGA.exe
C:\Program Files\Print Audit Inc\Print Audit 5\Data\pa5clcfg.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Symmetricom\SymmTime\GeTTime.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\GFI\MailEssentials\gfimntr.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINNT\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\WINNT\system32\G-VGA.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PA5 Comm Config] C:\Program Files\Print Audit Inc\Print Audit 5\Data\pa5clcfg.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\..\RunOnce: [PBEUninstAgent] cmd /C "del /F/Q C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\1\Set???.tmp C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\1\IEC???.tmp C:\WINNT\system32\APCSnmp.dll | rmdir /S/Q "C:\Program Files\InstallShield Installation Information\{BCE9F441-9027-4911-82E0-5FB28057897D}""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1202660629-1644491937-839522115-1021\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'brianh')
O4 - HKUS\S-1-5-21-1801674531-1275210071-682003330-2225\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'BESAdmin')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Supero Doctor III Client.lnk = C:\Program Files\SUPERMICRO\SDIII\SuperoDoctor.exe
O4 - Global Startup: SymmTime.lnk = C:\Program Files\Symmetricom\SymmTime\GeTTime.exe
O15 - ESC Trusted Zone: http://download.avgfree.com
O15 - ESC Trusted Zone: http://kbase.gfi.com
O15 - ESC Trusted Zone: http://software.gfi.com
O15 - ESC Trusted Zone: http://support.gfi.com
O15 - ESC Trusted Zone: http://www.gfi.com
O15 - ESC Trusted Zone: http://www.googleadservices.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.vailsrv02
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://vailsrv02.zerhen.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zehren.com
O17 - HKLM\Software\..\Telephony: DomainName = zehren.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CCD2298-C54B-4D31-9B6B-482F49FCF139}: NameServer = 192.168.1.3,192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{B09C258D-BDCF-494A-9DA2-48ACB3A036CC}: Domain = zehren.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B09C258D-BDCF-494A-9DA2-48ACB3A036CC}: NameServer = 192.168.1.8,192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zehren.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = zehren.com,santabarbara.zehren.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = zehren.com,santabarbara.zehren.com
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: AdaptecStorageManagerAgent - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Database Consistency Service - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\DBConsistency.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - C:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited  - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited  - c:\centenn.ial\audit\xferwan.exe
O23 - Service: GFI Content Security Attendant Service (csecmlhost) -   - D:\Program Files\GFI\ContentSecurity\MiddleLayer\ContentSecurity.ML.SVC.Attendant.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: GFI MailEssentials Legacy Attendant Service - GFI Software Ltd. - C:\Program Files\GFI\MailEssentials\msecatt.exe
O23 - Service: GFI POP2Exchange - GFI Software Ltd. - C:\Program Files\GFI\MailEssentials\pop2exch.exe
O23 - Service: GFI MailEssentials Managed Attendant Service (gfiasmlhost) - GFI Software Ltd - C:\Program Files\GFI\MailEssentials\MiddleLayer\contentsecurity.as.attendant.exe
O23 - Service: GFI MailEssentials Enterprise Transfer Service (GFIMETRXSVC) - GFI - C:\Program Files\GFI\MailEssentials\mestrxsvc.exe
O23 - Service: GFI MailSecurity Scan Engine (GFIScanM) - Unknown owner - D:\Program Files\GFI\ContentSecurity\MailSecurity\GFIScanM.exe
O23 - Service: GFI ReportCenter 3.5 (GFI_ReportCenter35) - GFI Software Ltd. - C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: Ipswitch Notification Server (inotifysvr) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA.  - C:\iNtfySvc\intfysvc.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: GFI List Server (listserv) - GFI Software Ltd - C:\Program Files\GFI\MailEssentials\listserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: GFI Content Security Auto-Updater Service (msecavupdate) -   - D:\Program Files\GFI\ContentSecurity\contentsecurity.autoupdate.ausvc.exe
O23 - Service: GFI MailSecurity Attendant Service (msecmlhost) -   - D:\Program Files\GFI\ContentSecurity\MailSecurity\MiddleLayer\ContentSecurity.ML.SVC.Attendant.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Print Audit 5 Client Communicator (PA5ClientCommunicator) - PJLM Software Inc. - C:\Program Files\Print Audit Inc\Print Audit 5\Data\pa5clcom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SuperMicro Health Assistant - Unknown owner - C:\Program Files\SUPERMICRO\SDIII\NTService.exe
O23 - Service: Supero SD3Service Daemon - Unknown owner - C:\WINNT\system32\SD3Service.exe
O23 - Service: Time Synchronization (TimeSync) - Franz Krainer - C:\WINNT\System32\TIMESYNC.EXE
O23 - Service: TridiaVNC Server (winvnc) - Tridia Corporation - C:\WINNT\system32\WinVNC.exe
O23 - Service: Xitami Web Server (Xitami) - Unknown owner - C:\Program Files\SUPERMICRO\SDIII\Xitami\xisrv32.exe
 
--
End of file - 15050 bytes

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-10-16 at 12:17:38ID24819179
Tags

server 2003

,

Virus

,

network

Topics

HijackThis Software

,

Networking Security Vulnerabilities

Participating Experts
2
Points
250
Comments
11

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. malware
    When opeining IE browser, i keep getting little boxes in different parts of the web page say "page cannot be displayed. i noticed that the little boxes are linked to http://eee.jopenqc.com. I can't get rid of the boxes...please help...i ran spyware and malware detector ...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: MikeHolcombPosted on 2009-10-16 at 12:24:19ID: 25592489

Would it be possible to provide a sample of the SMTP connections you are seeing?  This would help give us a better idea of what truly is going on.

One thing to consider, especially if you haven't looked at your SMTP connections previously, is that a lot of hosts on the Internet are scanning for SMTP servers and automatically attempting to send spam which might make your stats appear high when it reality this is what we have to deal with when a mail server is connected directly to the Internet unfortunately.

Hope this helps...

Mike

 

by: zehrenPosted on 2009-10-16 at 12:43:41ID: 25592661

I will also have about 5 to 25 smtp connection at any given time

 

by: zehrenPosted on 2009-10-16 at 13:48:54ID: 25593202

This is not any where near the max I've see... I've recieved over 1100 emails in a 6 hour period. I have 10 to 15 mailboxes.

 

by: zehrenPosted on 2009-10-16 at 13:48:55ID: 25593204

This is not any where near the max I've see... I've recieved over 1100 emails in a 6 hour period. I have 10 to 15 mailboxes.

 

by: MesthaPosted on 2009-10-16 at 14:33:29ID: 25593540

Spammers are constantly connecting to servers and probing them. They don't always close the connection correctly.

Do you have recipient filtering enabled?
If not then I would enable it. http://www.amset.info/exchange/filter-unknown.asp
Enable tarpit as well.

I very much doubt if you have anything on the server, this is just standard spammer's behaviour.

Simon.

 

by: zehrenPosted on 2009-10-16 at 14:50:54ID: 25593648

Yes, the SMTP is not my number concern. The scanning coming from my server is. Yes & yes to the filter / Tarpit. So I'm not sure if there is something running that is using me a port 25 scanner?

 

by: MesthaPosted on 2009-10-16 at 17:29:52ID: 25594299

It isn't really clear what you are seeing.
A trojan or similar on the server is NOT going to scan itself.
If something got on to a workstation, it is not going to scan your server.

Trojans want to keep out of sight. They send email directly, not through another host.

If your server was compromised then you would know, as the queues would be fully of junk.
These things don't get on to the server on their own, so unless someone has been stupid and browsed from the server, then it is unlikely there is something on there.

Nothing you have posted so far make me believe this is anything other than the standard attacks that any SMTP server gets when exposed to the Internet and that Exchange can fend off.

Simon.

 

by: zehrenPosted on 2009-10-22 at 12:23:58ID: 25637973

Well, sorry not getting back...
I understand about the SMTP connection thing.
As for the Funky Junk. I do have a ton postmaster reply stuff from all the bogus emails which we really have not had in a long time. Like say a year. also on the router I'm seeing a lot of port 53 request to a non DNS server. That is you I've added the Highjackthis log. Something is bogging down the network. Here is a some of the port 53 request.

snip...
udp : BLAH 2948    192.168.1.2:2948      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2952    192.168.1.2:2952      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2955    192.168.1.2:2955      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2959    192.168.1.2:2959      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2964    192.168.1.2:2964      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2969    192.168.1.2:2969      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2973    192.168.1.2:2973      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2976    192.168.1.2:2976      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2980    192.168.1.2:2980      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2985    192.168.1.2:2985      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2990    192.168.1.2:2990      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2994    192.168.1.2:2994      205.171.14.195:53     205.171.14.195:53
udp : BLAH 2997    192.168.1.2:2997      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3001    192.168.1.2:3001      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3006    192.168.1.2:3006      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3011    192.168.1.2:3011      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3015    192.168.1.2:3015      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3018    192.168.1.2:3018      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3022    192.168.1.2:3022      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3026    192.168.1.2:3026      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3029    192.168.1.2:3029      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3048    192.168.1.2:3048      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3061    192.168.1.2:3061      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3071    192.168.1.2:3071      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3075    192.168.1.2:3075      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3078    192.168.1.2:3078      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3082    192.168.1.2:3082      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3087    192.168.1.2:3087      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3092    192.168.1.2:3092      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3096    192.168.1.2:3096      205.171.14.195:53     205.171.14.195:53
udp : BLAH 3099    192.168.1.2:3099      205.171.14.195:53     205.171.14.195:53
snip...
not sure if this question need to be move to a different Zone for a better chance at solution.

 

by: zehrenPosted on 2009-10-22 at 14:11:33ID: 25639086

webpages load very slow on the entire network. Some browsers will not load certain pages like MSN.com

 

by: zehrenPosted on 2009-10-22 at 14:14:12ID: 25639110

by IP address or Url. Strange.

 

by: zehrenPosted on 2009-10-26 at 13:45:21ID: 25666674

I have no idea if these are related issues, but I've open a new question to help resolve my inability to access experts-exchanges website on any work workstations. here is the new question.
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24845137.html
This makes it hard to solve this question as I can no longer access my #1 resource for solutions.
HELP!!
;-0

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...