
Security on my pc

smpt connection established all the time!


Birdman

3:33 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hello,

I hope someone can clue me in here. I have been getting a lot of blank and not-deliverable (virus) bounced emails in one of my web accounts.

I just found out about the DOS command, "netstat". There is one line that looks fishy to me. When I shut down my cable modem and all browsers, I still have this one established connection:

TCP username:1920 xxx.xxx.xx.xxx:smpt ESTABLISHED

This has me worried. Any insight would be appreciated!

Birdman

3:35 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, I've been having a problem retrieving my mail from the server lately. The error is always "too many connections". I am using Opera mail on 6.04.

Receptional Andy

3:47 pm on Jun 11, 2003 (gmt 0)



Hmm, does look a bit suspicious. Does the IP address give any clue - i.e. is it your ISP's mail server, or some other address? (I'm guessing that smpt was a typo for smtp)

>>I have been getting a lot of blank and not-deliverable (virus) bounced emails in one of my web accounts.

This is not necessarily anything to do with you - nearly all viruses spoof the reply-to address, usually with addresses that have been harvested from web pages or infected hard drives.

The only (relevant?) thing I can dig up on port 1920 is that it's used for a 'bounce server', although I don't really know what that is. It isn't a port that is used by any common TCP services I am aware of.

Suffice to say that this connection should not be open on your machine except if you call an application that uses it.

Do you have any suspicious applications or services running?

Mike12345

3:55 pm on Jun 11, 2003 (gmt 0)

10+ Year Member



Check your system is clean using Ad-aware for any kind of malware stuff that may be keeping the connection open.

If you have the IP, try googling that IP address for mentions in any forums to indicate what it might be and, if necessary, how to get rid of it.

Do you have any progs running in the background that might be using it?

Birdman

4:06 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi,

Thanks for the quick replies!

The IP lookup shows:

Asia Pacific Network Information Centre

Googling the IP brings no useful info. :(

I will check Ad Aware now. I don't see any odd programs running. Thanks!

Receptional Andy

4:11 pm on Jun 11, 2003 (gmt 0)



These types of problems can be tricky to track down, and if it is trojan related, chances are AdAware or any spyware tool won't find it.

My advice is, use a personal firewall (like Kerio) and block this connection when prompted. This should also tell you which program is requesting the connection.

If you find this causes problems with legitimate software, then re-enable it. Otherwise, you will at least have stopped the problem from continuing.

Mike12345

4:14 pm on Jun 11, 2003 (gmt 0)

10+ Year Member



IMO the IP sounds a bit spoofy; if you go to the Asia Pacific Network Information Centre and then run netstat it brings up nori.apnic.net.

Go with the firewall like Receptional Andy says.

universalis

5:50 pm on Jun 11, 2003 (gmt 0)

10+ Year Member



It sounds horribly like you've got a trojan horse in there, possibly acting as a spam gateway. You definitely need to get a good firewall (I use Norton Internet Security 2003) and block this connection off completely. You also need to do a full system scan with your antivirus. You may also want to contact your ISP - if it does prove to be a trojan, and your system has been quietly spamming millions of mailboxes for the last few weeks, you need to get them on your side before they terminate your contract, probably with extreme prejudice!

Let's hope I'm wrong on this... If anything really suspicious turns up, back up all your data files and do a reformat/reinstall of everything from scratch (you don't want to get any work done this week anyway, do you?!).

Birdman

7:05 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



universalis, I think you are right. After installing Kerio firewall, I'm now seeing a lot of connection attempts like this:

'WINKCL.EXE' from your computer wants to connect to ***mail2.*****.net [***.**.**.208], port 25

One of the IPs actually resolved, to some mail page from Hong Kong!

I can't find a drop of info on WINKCL.EXE.

drbrain

7:53 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is an *outbound* connection to port 25, *not* an inbound connection to port 1920. Please read the netstat headers more closely; the order is: protocol, local, foreign, state.

Most firewalls will tell you which program opened the outbound connection.

Birdman

8:06 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't really follow, drbrain. I am very green when it comes to my OS, so please bear with me. The firewall I just downloaded is warning me every time my system tries to open an outbound connection. I received about twenty in a row and they all looked suspicious. And it is this WINKCL.EXE every time. I have searched high and low for WINKCL.EXE, to no avail.

The other thing bothering me is, every time I try to check all my accounts (only 6) at once with Opera Mail, I get that "too many connections from your ip" error. The connection total is usually over 70.

I'm clueless and do appreciate everyone's feedback.

universalis

8:30 pm on Jun 11, 2003 (gmt 0)

10+ Year Member



The firewall is showing that your machine is trying to send out email via the mail server listed (mail2.?.net). Question time: are you saying that you can't find winkcl.exe when you do a search on your machine? Are you looking for hidden/system files as well? Is winkcl.exe running as a service? What version of Windows are you running? What mailserver do you use for your own email?

Assuming the outbound connections are happening when you have no programs open, then you have a serious problem. Disconnect, phone your ISP, backup data and prepare to reinstall.

Birdman

8:49 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for replying.

>>are you saying that you can't find winkcl.exe when you do a search on your machine?

No, it's definitely on my system in "c:\windows\system".

I was trying to get some info on its history and function.

>>Is winkcl.exe running as a service?

Not exactly sure how I verify that, but I don't see it with ctrl-alt-del.

>>What version of Windows are you running?

win98

>>What mailserver do you use for your own email?

Opera

>>backup data and prepare to reinstall.

I hope not :(

drbrain

8:50 pm on Jun 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was only pointing out which way the connection was flowing. For example, on my machine my active connections are:
TCP myhost:2329 localhost:2330 ESTABLISHED
TCP myhost:2330 localhost:2329 ESTABLISHED
TCP myhost:2083 serverA:1049 ESTABLISHED
TCP myhost:2084 serverB:netbios-ssn ESTABLISHED
TCP myhost:2129 serverA:1070 ESTABLISHED
TCP myhost:2491 serverC:8080 ESTABLISHED
TCP myhost:2471 serverC:8080 ESTABLISHED
TCP myhost:4307 serverD:ftp CLOSE_WAIT

These are all outbound connections to various servers, and no server(s) running currently on my machine have been attached to from another machine. My machine picks a port on my end which it uses to connect to some server on a remote host. The way you display your snips of netstat shows that something on your machine is connecting out, and your firewall says that whatever it is is named 'winkcl.exe'.

I agree with most everybody else here that winkcl.exe is some kind of trojan/virus on your machine. I believe programs can cloak their names in the Windows world. It may be started under some different name and is just hidden. As universalis suggests, it may be time to back up, format and reinstall.
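The column-reading rule drbrain describes (protocol, local, foreign, state) can be applied mechanically. The following is an added example for this thread, not code from any poster: it parses Windows-style netstat lines, resolves the service names netstat prints (smtp, ftp, netbios-ssn) to port numbers, and flags established connections whose foreign side is port 25, the shape of the traffic WINKCL.EXE was generating. The SERVICE_PORTS table is an assumed subset and the sample output is constructed.

```python
"""Parse netstat output and flag outbound SMTP sessions (illustrative code)."""
import re
from dataclasses import dataclass

# Names Windows netstat prints instead of well-known port numbers (assumed subset)
SERVICE_PORTS = {"smtp": 25, "ftp": 21, "netbios-ssn": 139, "pop3": 110, "http": 80}

# Proto  Local Address  Foreign Address  State  (IPv4 / hostnames only, no IPv6 colons)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str

def port_number(token):
    """Map a service name or numeric string to a port; None if unknown (e.g. a typo)."""
    t = token.lower()
    if t in SERVICE_PORTS:
        return SERVICE_PORTS[t]
    return int(t) if t.isdigit() else None

def parse_netstat(text):
    """Return a Conn per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lh, lp, rh, rp, state = m.groups()
            conns.append(Conn(proto, lh, port_number(lp), rh, port_number(rp), state))
    return conns

def is_outbound(c):
    # Local column comes first: an ephemeral local port talking to a well-known
    # foreign port is the usual shape of a connection this machine initiated
    return c.local_port is not None and c.remote_port is not None \
        and c.local_port >= 1024 and c.remote_port < 1024

def suspicious_smtp(conns):
    """Established sessions to a foreign port 25 that no mail client is expected to hold."""
    return [c for c in conns if c.remote_port == 25 and c.state == "ESTABLISHED"]

SAMPLE = """Active Connections

  Proto  Local Address     Foreign Address        State
  TCP    myhost:2329       localhost:2330         ESTABLISHED
  TCP    myhost:2084       serverB:netbios-ssn    ESTABLISHED
  TCP    myhost:4307       serverD:ftp            CLOSE_WAIT
  TCP    myhost:1920       203.0.113.7:smtp       ESTABLISHED
  TCP    myhost:1931       203.0.113.9:25         ESTABLISHED
"""  # constructed, modelled on the snippets quoted in this thread
```

Run it over real `netstat` output on the box in question; the loopback pair (2329/2330) is deliberately not counted as outbound because neither side is a well-known port.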

kwngian

2:08 am on Jun 12, 2003 (gmt 0)

10+ Year Member




WIN?.EXE
^^^random characters

This is a virus - Klez or something.