Detection

NetFlow monitoring alerted us to an unusually high rate of outgoing SMTP traffic from an internal host at IP 66.28.172.174.

Inbound tcp/53306 connections

PID        0   66.28.172.174:53306   66.232.17.46:1278    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:1410    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:3091    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:3747    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:4654    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:4835    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:4841    TIME_WAIT
PID        0   66.28.172.174:53306   66.232.17.46:4979    TIME_WAIT
PID        0   66.28.172.174:53306   69.56.208.182:1150    TIME_WAIT
TCP table:
PID     2988      0.0.0.0:53306       LISTENING   C:\WINDOWS\system\Msm32.exe

The malware is loaded at startup through an IE Browser Helper Object (BHO)

IE Browser Helper Objects:
	{1E1B2879-88FF-11D2-8D96-000000000004}
	= 'MSM32 Class'(HTMLEdit.SSocks32.1), "C:\WINDOWS\system\SSocks32.dll"

Msm32 is a SOCKS and HTTP proxy server. An open proxy on this host accounts for the outbound SMTP volume: the inbound tcp/53306 connections from 66.232.17.46 and 69.56.208.182 are external clients relaying mail through it.
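The two detection steps in this write-up (the NetFlow fan-out that triggered the alert, and the listener check that tied the traffic to Msm32.exe) can be scripted. The following is an added example, not code from the original report. It assumes flow records exported one per line as "src_ip,src_port,dst_ip,dst_port,proto", a netstat-style TCP table in the same column layout as shown above, and a fan-out threshold of 10 distinct SMTP peers; the sample flows and table are constructed (destination addresses are from the 203.0.113.0/24 documentation range).

```python
"""Flag internal hosts with abnormal outbound SMTP fan-out and unexpected listeners.

Added example, not the incident report's own tooling. Input formats and the
fan-out threshold are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample flows: the host from the report reaching many distinct
# mail servers on tcp/25, plus one web flow and a second host with normal volume.
SAMPLE_FLOWS = "\n".join(
    [f"66.28.172.174,{40000 + i},203.0.113.{i},25,tcp" for i in range(1, 41)]
    + ["66.28.172.174,1044,203.0.113.200,80,tcp",
       "10.0.0.7,1033,203.0.113.10,25,tcp",   # one ordinary mail connection
       "10.0.0.7,1034,203.0.113.10,25,tcp"]
)

# Assumed internal address space (the report treats 66.28.172.174 as internal).
INTERNAL_NETS = [ipaddress.ip_network("66.28.172.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, sport, dst, dport, proto = parts
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def smtp_fanout(flows, nets=INTERNAL_NETS):
    """Count distinct external tcp/25 destinations per internal source."""
    dests = defaultdict(set)
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] == 25
                and is_internal(f["src"], nets) and not is_internal(f["dst"], nets)):
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items()}


def flag_smtp_senders(flows, threshold=10, nets=INTERNAL_NETS):
    """Hosts talking to more than `threshold` distinct SMTP peers.
    Only designated mail relays should do this; anything else is a lead."""
    return sorted((src, n) for src, n in smtp_fanout(flows, nets).items() if n > threshold)


# Constructed netstat-style table in the same layout as the report's "TCP table".
SAMPLE_TCP_TABLE = """
PID     2988      0.0.0.0:53306       LISTENING   C:\\WINDOWS\\system\\Msm32.exe
PID     4         0.0.0.0:445         LISTENING   System
PID     1120      0.0.0.0:135         LISTENING   C:\\WINDOWS\\system32\\svchost.exe
"""

LISTEN_RE = re.compile(r"^PID\s+(\d+)\s+(\S+):(\d+)\s+LISTENING\s+(.+?)\s*$")


def parse_listeners(text):
    """Return (pid, local_ip, port, image) for every LISTENING line."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return out


def unexpected_listeners(text, expected_ports=frozenset({135, 139, 445})):
    """Listeners outside a port baseline, or whose image lives in
    C:\\WINDOWS\\system (a directory rarely used by legitimate services)."""
    hits = []
    for pid, ip, port, image in parse_listeners(text):
        odd_port = port not in expected_ports
        odd_path = image.lower().startswith("c:\\windows\\system\\")
        if odd_port or odd_path:
            reasons = [r for r, v in (("port", odd_port), ("path", odd_path)) if v]
            hits.append({"pid": pid, "port": port, "image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(flag_smtp_senders(parse_flows(SAMPLE_FLOWS)))
    for hit in unexpected_listeners(SAMPLE_TCP_TABLE):
        print(hit)
```

Run on the constructed data, the first check reports 66.28.172.174 with 40 distinct SMTP peers, and the second singles out PID 2988 on tcp/53306 for both its port and its image path, which is the same chain of evidence the report follows by hand. The port baseline and the path heuristic are deliberately simple; in practice both come from a per-host build inventory rather than a fixed set.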