smtpsvc trying to connect to suspicious ip address "SMTP could not connect"

As part of our monthly disaster test, I restored our SBS 2003 server onto a duplicate server in my attic.

The test worked fine, except I noticed some warnings in the event log.  
Now, most of the warnings are to be expected.  For instance, my attic backup server cannot really function as a domain server because the production server is elsewhere.


But, there was one event id that had a very strange IP address.
Actually 2 suspicious event IDs repeat about every 100 minutes.  There is no system failure so normal forums like eventid.net are not being very helpful, so I need some advice.

first event

source: smtpsvc
eventid: 2013
SMTP could not connect to any DNS server.

That is strange, because my attic server is connected to the internet using Time Warner Road Runner, and most things work fine.

second event

source: smtpsvc
eventid: 2012
SMTP could not connect to the DNS server 19.169.16.2.  The protocol used was 'UDP'. It may be down or inaccessible.



nslookup shows the following
nslookup 19.169.16.2
Server:  dns-cac-lb-01.rr.com
Address:  209.18.47.61
DNS request timed out.
    timeout was 2 seconds.
*** Request to dns-cac-lb-01.rr.com timed-out



A whois on the IP address says the technical contact is dnsadmin@ford.com, with whom we have absolutely no ties. Also, a whois on ford.com shows a technical contact of dnsmgr@ford.com. Note the slight difference in names.


A regedit search reveals controlset001 has a tcp interface
5d3e2539 49b5 4559 8f26 539BDFA7BE44 with NameServer value 19.169.16.2

I went to the production server and did not find any SMTPSVC events, so I think this may simply be some weirdness associated with using Road Runner in my attic.  In particular, the rr.com server address shown from nslookup.

But, the weird IP address still bothers me.

Does anybody have advice? Am I wasting my time worrying about this?
rberkeConsultantAsked:
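The registry value the question found (a per-interface NameServer under Tcpip\Parameters\Interfaces) is the same place DNS-changing malware plants a rogue resolver, so it is worth checking systematically rather than by a manual regedit search. The script below is an added example, not from the thread or from any of the tools it mentions; it enumerates every interface's static and DHCP-assigned DNS servers from the registry and flags any that are not on an allow-list. The allow-list value is a placeholder taken from the thread's own production setting; replace it with your real resolvers.

```powershell
# Added example: audit the DNS servers Windows has stored in the registry.
# Run from an elevated PowerShell prompt on the server being checked.
# ASSUMPTION: the allow-list is a placeholder; fill in your own DNS servers.
$ExpectedDns = @('192.168.16.2')

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ifaces = Join-Path $params 'Interfaces'

# Collect (scope, source, address) triples from the global and per-interface keys.
$findings = @()

# Global NameServer applies to all interfaces when set.
$global = (Get-ItemProperty -Path $params).NameServer
if (-not [string]::IsNullOrWhiteSpace($global)) {
    foreach ($addr in ($global -split '[ ,]+' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{ Scope = 'GLOBAL'; Source = 'NameServer'
                                         DnsServer = $addr; Expected = ($ExpectedDns -contains $addr) }
    }
}

# Per-interface: NameServer holds static entries, DhcpNameServer holds DHCP-assigned ones.
foreach ($iface in Get-ChildItem -Path $ifaces) {
    $props = Get-ItemProperty -Path $iface.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$name
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # Values are space- or comma-separated address lists.
        foreach ($addr in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{ Scope = $iface.PSChildName; Source = $name
                                             DnsServer = $addr; Expected = ($ExpectedDns -contains $addr) }
        }
    }
}

$findings | Format-Table -AutoSize

$unexpected = $findings | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ("Unexpected DNS server(s): " + (($unexpected.DnsServer | Sort-Object -Unique) -join ', '))
    # Check ownership (whois) and the change history before deleting anything;
    # in this thread the odd value turned out to be a manual typo, not malware.
} else {
    Write-Host 'All configured DNS servers are on the allow-list.'
}
```

Comparing the output from the restored copy against the production server, as the asker eventually did by hand, shows immediately whether a stray resolver came from the backup image or from the machine it was restored on.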

younghvCommented:
Just to check for rogue processes that might be running, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

************

I am trying to get confirmation on using RogueKiller on a Server OS and will post back when I hear from the developer.

If it is a go, the link is here:
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

younghvCommented:
Forgot to say - run TDSSKiller - then monitor for a repeat of the event.
rberkeConsultantAuthor Commented:
ran tdsskiller. It said it found nothing.

Ran rogue killer.  it found 700 errors but only would kill 100 unless I paid money.

Of course, most of those errors are not really errors - just innocent activex components etc.

So, I deleted internet history cache etc and reran it hoping to catch another 100.

A second call did NOT delete another 100, in fact, even though it went through the same scan program and ran for two minutes it found 700 and said it would kill 100.  Sounds like it is not really working on my server.

But, it has been two hours now and no further logs.


So, one of the two programs or my own cleanup seems to have fixed something.

I am going to restore the computer one more time so that the problem is back, then try simply deleting cache and program files.  That will take the rest of the day; I will post my results.



younghvCommented:
rberke,
Glad you're making progress - but to clarify:

"RogueKiller" is an entirely free program - no fees of any kind, no matter what it finds.
I am in daily contact with the developer and he is only trying to get exposure for his application. You can 'donate' (PayPal) if you like it, but it is completely free.

I have never heard of Kaspersky charging for TDSSKiller either.

Please check and let me know for sure which program is asking for money...it actually sounds like you have some kind of 'scareware' running on there.

Both CCleaner and Malwarebytes are good for Server OS's, so take a look at this one and give them a try:
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

When finished with MBAM, post the log that is generated and let us look at it for you.
rberkeConsultantAuthor Commented:
Both products were free.
Thanks to your last comment, I did not have to try another restore.

Instead, I repeated the download and discovered that I had accidentally clicked the wrong link when downloading rogue killer and got aro 2011 from sammsoft.com (I had to ignore the French language download page; luckily, the program ran in English).

I downloaded and ran a scan with the correct rogue killer and it produced a short report (20 lines).

Sure enough, it caught two registry entries with 19.169.16.2.

I next ran a delete and it said 19.169.16.2 not removed run dnsfix.

I next ran dns fix and it replaced nameserver with blank. So, that fixed my attic backup computer.  

I then ran it on the production machine and it DID NOT FIND ANY SUCH ADDRESS !!!!
I used regedit on production server and discovered nameserver parameter was 192.168.16.2 which is the servers local network NIC IP address.

So, where the heck did 19.168.16.2 come from? I rebooted the attic machine. Before login I got a message that one service was disabled. The system event log showed that it was the Microsoft Exchange Information Store.  We have Exchange installed but we are not really using it.

So, now I am really confused. WHERE THE HECK DID THIS IP ADDRESS COME FROM.  I am going to restore attic from the same backup I used before, only this time it will NOT be connected to any network.  (The last restore occurred while the attic server was connected to Time Warner.)  I will post results.
rberkeConsultantAuthor Commented:
The comment about ignoring French applied to rogue killer, not aro 2011. Sorry, I typed it in the wrong place.
younghvCommented:
That French stuff threw me too (for RogueKiller). I swap email with the developer every day and his English is better than mine (not saying much), but so far he is resisting my requests for an English language Forum/Help Page.

It is a brand new product that looks promising - time will tell.

I'll keep monitoring this for any updates.
rberkeConsultantAuthor Commented:
Well, that's another 2 hours of my life I will never get back.

Sorry to have wasted your time, but it turns out I typed that stupid address myself ! ! !

If you want to see how I got egg on my face, read on. Otherwise, here are your points.


I did not mention it previously, but 3 days ago I was troubleshooting a problem. Every time I tried to change the INTERNET NIC tcp/ip settings, the NCPA.CPL > Internet Protocol Properties dialog froze and would not respond.

I tried a bunch of things to fix it like repair and disable. Before doing a reboot, I decided to see if the LOCAL NIC had the same problem.  I typed in some random characters, 19.169 and clicked apply. It didn't freeze so I rebooted the machine and the rest is history. It was a two second test on a machine that was going to be rebuilt for other purposes in two days, so my inattention was understandable.

We all do stupid things from time to time, and I guess I was due for one.
TigzyCommented:
Hello

but so far he is resisting my requests for an English language Forum/Help Page.

Here's the English page ;)
http://www.geekstogo.com/forum/files/file/413-roguekiller/
TigzyCommented:
I downloaded and ran scan with the correct rogue killer and it produced a short report (20 lines)

Even if it's too late, do you still have the report?
I'll explain the lines if you need.
rberkeConsultantAuthor Commented:
I do not have the old report, but if I remember correctly, it was entirely English, and easily understood.

The English vs French confusion came only during the download from the website.  It is good that there is now an English page.

No need for further action, but thanks anyhow.
younghvCommented:
Hey Tigzy - thanks for checking in.
Good to see you posting here.