[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Need help removing a SMTP relay.

Posted on 2010-08-31
Medium Priority
Last Modified: 2013-11-22
Hi all,
I have a terrible spam bot I can't seem to find.  In TCP View, I've found PID 732 (services.exe) is rife with smtp connections but I ony see EventLog and PlugandPlay when I look at it via tasklist /svc.  Antimalware Bytes comes up with nothing as does Prevx, Vipre  or Trend.  Also, system restore is missing from Computer properties.  I'm going to try running Stinger, but I haven't had any luck with that in years. I can always block port 25 in windows firewall, but I'd rather a real solution.  Any help would be most appreciated.

BTW - It's an XP SP3 workstation on a SBS 2003 domain. (removed from right now ;-)
Question by:BeechTree
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 14

Expert Comment

ID: 33571365
You can check your open ports with a tool like this:


Expert Comment

ID: 33571490
Open a command prompt and type "netstat -b -a" to display all open ports and the executable associated with them.
LVL 22

Expert Comment

ID: 33571921
Run TdssKiller and Hitmanpro.

If still having issue run Combofix and post log here

>If they still dont run, redownload them but rename them prior to saving them
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.


Author Comment

ID: 33571934
Every smtp connection to a foreign address is PID 732 - services.exe.  

Author Comment

ID: 33571951
Most of the connections are Established.  Some are closed and some are Wait.  Since I can't even identify the infection, I beginning to consider a nuke and pave.  I need to have the ws back in place in the morning.  User was off today so I had some play time.
LVL 22

Expert Comment

ID: 33571989
Try those scanners if you have time. Shouldn't take more than half hour to run all :)

Accepted Solution

BeechTree earned 0 total points
ID: 33577358
I'm going to flatten it.  Nothing has worked so far.  I am able to find a few entries in HKLM that are hidden from the Windows API, but I can't get to them or find the associated files.  Time to push the button.  Thanks to all of you.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most PC repair technicians (if not all) always start their cleanup process by emptying the temp folders before running any removal tools. It makes sense because temp folders are common places for malware installers to lurk and removing all the junk …
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question