Something's trying to send e-mails from my PC

Unfocused

When I disable my Norton firewall, after some time I get loads of notifications that Norton is scanning an e-mail that I'm sending (the usual check whenever I send an e-mail), followed by an error like "unknown recipient", "mail server rejected" etc. The problem is, I'm not sending any e-mails myself at the time, and those windows come up, it seems, without end (I think I got to over a hundred before I terminated the e-mail check process). Looks like something is trying to send some junk using my PC.

Screenie (that's after I already closed a bunch of windows, before I thought of terminating the whole process; rearranged the windows so you could see at least some of the messages)

Sure, I could keep the firewall on, but sometimes the other PC in my house has trouble connecting to the net via this one, even though I set Norton to let it through, so sometimes I have to disable it.

Anyway, I don't want any unnecessary activity, be it in the background or with those annoying windows popping up, and would like to get rid of this shit. Anyone else had such a problem? I checked for spyware with a few applications and they didn't find anything. I guess I'll run a complete system scan during the night, but I'd like to hear your suggestions first, as to which antivirus app you would recommend to scan for stuff like that, or maybe there's a way to stop it otherwise?
 
You probably got hit with something that installed a spam bot.
If your antivirus doesn't catch it, you may just have to format, or just scour your open processes for the bot.
 
My old PC was hit with a Blaster virus that caused NT Authority shutdowns; it still does. But I don't care, I have the new laptop PC, it's ALL MIGHTY, ALL HAIL ITS AWESOME POWER!!!!!!!!!! I can play Half-Life and install something at the same time :E :E :E :E viruses are bad
 
My old PC was hit with a Blaster virus that caused NT Authority shutdowns; it still does. But I don't care, I have the new laptop PC, it's ALL MIGHTY, ALL HAIL ITS AWESOME POWER!!!!!!!!!! I can play Half-Life and install something at the same time :E :E :E :E viruses are bad

Very helpful, thx :angel:
 
My connection is really slow now. I have a 512kbit connection, I checked the speed with YourSpeed and got 409kbit/s, however it certainly feels slower. When I try to view something on YouTube, for example, it takes about 20-50kbits of bandwidth. Pings look normal somehow. I'm thinking it might be those e-mails slowing stuff down, trying to get sent. This is what netstat gave me after I visited google.com and then went to this thread. The "gadugadu" process is an internet messenger BTW.


Protokół Adres lokalny Obcy adres Stan
TCP unfocuse-sj5vad:1949 64.233.187.99:http USTANOWIONO
TCP unfocuse-sj5vad:1951 fk-in-f99.google.com:http USTANOWIONO
TCP unfocuse-sj5vad:1953 fk-in-f99.google.com:http USTANOWIONO
TCP unfocuse-sj5vad:1996 rev-85.232.233.10.gadu-gadu.pl:http CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1998 m2.gadugadu.pl:https USTANOWIONO
TCP unfocuse-sj5vad:2013 www.halflife2.net:http CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:2015 www.halflife2.net:http USTANOWIONO
TCP unfocuse-sj5vad:2024 fk-in-f147.google.com:http USTANOWIONO
TCP unfocuse-sj5vad:2025 www.halflife2.net:http USTANOWIONO
TCP unfocuse-sj5vad:2026 www.halflife2.net:http USTANOWIONO
TCP unfocuse-sj5vad:2029 www.halflife2.net:http USTANOWIONO
TCP unfocuse-sj5vad:2030 www.halflife2.net:http USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:1940 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1942 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1944 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1948 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:1950 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:1952 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:1954 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1956 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1958 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1959 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1961 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1965 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1966 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1967 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1975 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1978 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1980 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1982 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1983 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1985 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1986 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1987 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1994 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:1999 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:2001 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:2003 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:2005 OCZEKIWANIE_FIN__2
TCP unfocuse-sj5vad:1025 localhost:2008 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1025 localhost:2010 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:2017 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:2018 OCZEKIWANIE_FIN__2
TCP unfocuse-sj5vad:1025 localhost:2019 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:2020 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:2021 OCZEKIWANIE_FIN__2
TCP unfocuse-sj5vad:1025 localhost:2022 USTANOWIONO
TCP unfocuse-sj5vad:1025 localhost:2023 USTANOWIONO
TCP unfocuse-sj5vad:1938 localhost:1939 USTANOWIONO
TCP unfocuse-sj5vad:1939 localhost:1938 USTANOWIONO
TCP unfocuse-sj5vad:1946 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1948 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:1950 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:1952 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:1964 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1972 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1974 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1984 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:1995 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:2005 localhost:1025 OCZEKIWANIE_ZAMKN
TCP unfocuse-sj5vad:2007 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:2010 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:2011 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:2012 localhost:1025 CZAS_OCZEKIWANIA
TCP unfocuse-sj5vad:2017 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:2018 localhost:1025 OCZEKIWANIE_ZAMKN
TCP unfocuse-sj5vad:2019 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:2020 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:2021 localhost:1025 OCZEKIWANIE_ZAMKN
TCP unfocuse-sj5vad:2022 localhost:1025 USTANOWIONO
TCP unfocuse-sj5vad:2023 localhost:1025 USTANOWIONO


Looks like a lot of localhosts, eh? A tad bit too many IMHO.

Talk to me people. ;) How can I manually close these connections (as a temporary "fix" perhaps)?
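A way to read a dump like the one above without counting rows by hand, as an added example that is not part of the original thread: it parses the Polish-locale netstat column layout (Protokół / Adres lokalny / Obcy adres / Stan), maps the localized state names to their English equivalents (the mapping for the four states seen in the post is inferred from context; LISTENING is an assumption), and summarises which remote endpoint and which local port most connections converge on. The sample lines are constructed, with invented hosts and ports.

```python
from collections import Counter

# Localized (Polish) netstat state names -> English. The four seen in the post are
# mapped from context (FIN_WAIT_2 pairs with CLOSE_WAIT); LISTENING is an assumption.
STATE_MAP = {
    "USTANOWIONO": "ESTABLISHED",
    "CZAS_OCZEKIWANIA": "TIME_WAIT",
    "OCZEKIWANIE_FIN__2": "FIN_WAIT_2",
    "OCZEKIWANIE_ZAMKN": "CLOSE_WAIT",
    "NASŁUCHIWANIE": "LISTENING",
}

# Constructed sample in the same column layout as the post; hosts and ports are invented.
SAMPLE = """\
Protokół Adres lokalny Obcy adres Stan
TCP mypc:1501 www.example.com:http USTANOWIONO
TCP mypc:1025 localhost:1500 CZAS_OCZEKIWANIA
TCP mypc:1025 localhost:1502 CZAS_OCZEKIWANIA
TCP mypc:1025 localhost:1504 USTANOWIONO
TCP mypc:1500 localhost:1025 CZAS_OCZEKIWANIA
TCP mypc:1502 localhost:1025 CZAS_OCZEKIWANIA
TCP mypc:1504 localhost:1025 USTANOWIONO
TCP mypc:1600 mail.example.net:smtp USTANOWIONO
"""

def parse_netstat(text):
    """Return (proto, local_host, local_port, remote_host, remote_port, state) per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header line or something that is not a connection row
        proto, local, remote, state = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append((proto, lhost, lport, rhost, rport, STATE_MAP.get(state, state)))
    return rows

def summarize(rows):
    """Count by remote endpoint and state; spot loopback fan-in and non-local SMTP peers.
    Many loopback peers converging on one local port (1025 in the post) is typical of a
    local proxy relaying short-lived connections; outbound SMTP to non-loopback hosts
    is where a machine sending mail on its own would show up."""
    by_remote = Counter((r[3], r[4]) for r in rows)
    by_state = Counter(r[5] for r in rows)
    loopback_fanin = Counter(r[2] for r in rows if r[3] == "localhost")
    smtp_peers = sorted({r[3] for r in rows if r[4] in ("smtp", "25") and r[3] != "localhost"})
    return {"by_remote": by_remote, "by_state": by_state,
            "loopback_fanin": loopback_fanin, "smtp_peers": smtp_peers}
```

Run it on a saved `netstat -a` dump instead of SAMPLE and the remote endpoints that are neither localhost nor the sites you just visited are the ones to look at.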
 
Download hijackthis, make a log, and post it here.
 
Hm, connection speed seems fine now, maybe it was some ISP error after all. Still lots of localhosts, though, and that can't be a good thing even if it doesn't have a significant impact atm.

Download hijackthis, make a log, and post it here.

I use this program regularly and haven't noticed any changes in the log when I checked it after I realised I had a problem. Here it is anyway:

Logfile of HijackThis v1.99.1
Scan saved at 16:06:43, on 2006-12-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
E:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Watch.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Antyad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMONTRAY] E:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEF0721-5900-44A8-9FA9-8CBD7EE0A3B8}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - E:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - E:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe



"Wanadoo" stuff is an application provided by my ISP that I'm using to access the net, btw.
 
C:\WINDOWS\system32\CTSvcCDA.EXE - Never seen that before

And what's Gadu-Gadu?

I'd suggest using NOD32

Saves a lot of resources and does a better job than Norton in my opinion. As far as I know, it lacks a real firewall, but NOD32 monitors what comes in and out of your computer, so it pretty much does the same thing if you ask me.
 
C:\WINDOWS\system32\CTSvcCDA.EXE - Never seen that before

And what's Gadu-Gadu?

I'd suggest using NOD32

Saves a lot of resources and does a better job than Norton in my opinion. As far as I know, it lacks a real firewall, but NOD32 monitors what comes in and out of your computer, so it pretty much does the same thing if you ask me.

Gadu-Gadu is an internet messenger.

As for CTSvcCDA.exe:

ctsvccda.exe: this process was authored by Creative Labs, and is usually installed alongside Sound Blaster card drivers or some Creative Labs applications. It helps Windows manage the CD-ROM on Windows 9x and Me systems; however, it has no use on faster CD-ROM drives.
 
Run RootkitRevealer, but disconnect from the internet and turn all your security software off first.
 