From: MoiMoi on 27 Aug 2006 11:26

In article <1156665707.186021.44340(a)i42g2000cwa.googlegroups.com>, dennispublic(a)hotmail.com says...
>
> MoiMoi wrote:
>
> > > How can I further investigate what's triggering this behaviour?
> > =======
> > It's not email, just update check and download.
> > Look in AVG update manager, you can see that it checks at
> > update.grisoft.cz
>
> It's not AVG's site it's contacting, and I'm talking about the Email
> scanner, not the update manager.
>
> Tonight it randomly tried to connect to an IP in North America (cox).
> Does anyone out there have any ideas why the AVG Email scanner is being
> triggered and talking to this IP address? My system must be sending an
> email, right?
>
> --------------sysgate firewall log below---------------------
>
> File Version : 7.1.0.400
> File Description : AVG E-Mail Scanner (avgemc.exe)
> File Path : C:\Program Files\AVG Free\avgemc.exe
> Process ID : 0x6B8 (Heximal) 1720 (Decimal)
>
> Connection origin : local initiated
> Protocol : TCP
> Local Address : 192.168.0.101
> Local Port : 2042
> Remote Name : ip24-255-115-60.dc.dc.cox.net
> Remote Address : 24.255.115.60
> Remote Port : 110 (POP3 - Post Office Protocol - Version 3)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination: 00-0d-88-c4-79-b7
> Source: 00-13-d4-b8-4c-03
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 128
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0x734c (Correct)
> Source: 192.168.0.101
> Destination: 24.255.115.60

=================

Ah, okay...

192.168.0.101: this is your router? Or broadband modem/router?
Is Cox your ISP? Or does Cox "own" your ISP?
What's sysgate firewall? You typed this in; should it be "sygate"?
Do you have an email program set to check for new mail at regular intervals?

Port 2042 is generally TCP and/or UDP ISIS, which are internet protocols. I'd guess, if Cox is involved in your internet accesses somewhere, and your emailer is not set to auto check for mail, that this might be a DNS server update check, although I admit I didn't know POP protocol is used for that. I'm sure someone here will know more about this part than I do.

MM
From: dennispublic on 28 Aug 2006 13:33

> Ah, okay...
>
> 192.168.0.101: this is your router? Or broadband modem/router?
> Is Cox your ISP? Or does Cox "own" your ISP?

My ISP is "Rogers", in Canada. As far as I know it is unrelated to Cox.

> Do you have an email program set to check for new mail at regular
> intervals?

No... that is why this is all so concerning...

> might be a DNS server update check

I really doubt it... anyone else have any theories?
From: dennispublic on 28 Aug 2006 17:28

More clues!!! This time I made AVG do a log. If anyone can explain what is on here it would be appreciated. How do I find out what "process 2620" is?

----------avg email log----------------------
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Connection from process 2620
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Connection from 127.0.0.1:3712
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Will connect to 24.255.115.60:110
28.8.2006 17:21:25.750 [1f8] AutoPOP3(10110): Client connected
28.8.2006 17:21:25.750 [1f8] OpenInternet = 0
28.8.2006 17:21:25.750 [1f8] AddTrayIcon()
28.8.2006 17:21:46.750 [1f8] AutoPOP3(10110): Cannot connect to ip24-255-115-60.dc.dc.cox.net:110
28.8.2006 17:21:46.750 [1f8] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
28.8.2006 17:21:46.781 [1f8] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
28.8.2006 17:21:46.781 [1f8] CloseInternet = 1
28.8.2006 17:21:46.781 [1f8] RemoveTrayIcon()
28.8.2006 17:21:46.781 [1f8] AutoPOP3(10110): Client disconnected
------------------------------------------------------------
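As an added example that is not part of the thread (my code, not AVG's or Sygate's), here is a small Python parser for the AVG E-Mail Scanner log quoted above. The point it makes visible is that the firewall entry in the earlier post names the proxy (avgemc.exe, PID 1720, the hex/decimal pair in the "Process ID" field), while the AVG log's "Connection from process 2620" line names the program that actually asked the local POP3 proxy to fetch mail, which is the PID worth looking up. The log line layout, the "(Heximal) ... (Decimal)" field format and the allow-list of known mail servers are assumptions taken from the quoted lines only; the sample input is copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed input: the AVG E-Mail Scanner log lines quoted in the post above.
AVG_LOG = """\
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Connection from process 2620
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Connection from 127.0.0.1:3712
28.8.2006 17:21:25.750 [a8] AutoPOP3(10110): Will connect to 24.255.115.60:110
28.8.2006 17:21:25.750 [1f8] AutoPOP3(10110): Client connected
28.8.2006 17:21:25.750 [1f8] OpenInternet = 0
28.8.2006 17:21:25.750 [1f8] AddTrayIcon()
28.8.2006 17:21:46.750 [1f8] AutoPOP3(10110): Cannot connect to ip24-255-115-60.dc.dc.cox.net:110
28.8.2006 17:21:46.750 [1f8] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
28.8.2006 17:21:46.781 [1f8] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
28.8.2006 17:21:46.781 [1f8] CloseInternet = 1
28.8.2006 17:21:46.781 [1f8] RemoveTrayIcon()
28.8.2006 17:21:46.781 [1f8] AutoPOP3(10110): Client disconnected
"""

# Line layout assumed from the sample: "<date> <time> [<thread hex>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[0-9a-f]+)\] (?P<msg>.*)$")
PROXY_RE = re.compile(r"^AutoPOP3\((?P<port>\d+)\): (?P<text>.*)$")
PID_RE = re.compile(r"^Connection from process (\d+)$")
CLIENT_RE = re.compile(r"^Connection from (\d+(?:\.\d+){3}):(\d+)$")
TARGET_RE = re.compile(r"^Will connect to ([^:\s]+):(\d+)$")
FAIL_RE = re.compile(r"^Cannot connect to ([^:\s]+):(\d+)$")
WSA_RE = re.compile(r"\((\d{5})\)\s*$")  # trailing Winsock error code, e.g. (10060)


@dataclass
class ProxySession:
    """One client connection through the AVG POP3 proxy."""
    started: str
    proxy_port: int
    client_pid: Optional[int] = None     # process that talked to the local proxy
    client_addr: Optional[str] = None    # its loopback source, e.g. 127.0.0.1:3712
    target: Optional[str] = None         # real mail server the proxy tried to reach
    failed_host: Optional[str] = None    # name AVG reported in the failure line
    winsock_error: Optional[int] = None  # 10060 = connection timed out
    ended: Optional[str] = None


def parse_avg_log(text: str) -> List[ProxySession]:
    """Group AutoPOP3 lines into sessions, one per 'Connection from process' line."""
    sessions: List[ProxySession] = []
    cur: Optional[ProxySession] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        p = PROXY_RE.match(m["msg"])
        if not p:
            continue  # OpenInternet / tray-icon lines carry no connection data
        ts, body = m["ts"], p["text"]
        pm = PID_RE.match(body)
        if pm:
            cur = ProxySession(started=ts, proxy_port=int(p["port"]), client_pid=int(pm[1]))
            sessions.append(cur)
            continue
        if cur is None:
            continue
        cm, tm, fm = CLIENT_RE.match(body), TARGET_RE.match(body), FAIL_RE.match(body)
        if cm:
            cur.client_addr = f"{cm[1]}:{cm[2]}"
        elif tm:
            cur.target = f"{tm[1]}:{tm[2]}"
        elif fm:
            cur.failed_host = fm[1]
        elif body.startswith("Connect:"):
            wm = WSA_RE.search(body)
            if wm:
                cur.winsock_error = int(wm[1])
        elif body == "Client disconnected":
            cur.ended = ts
    return sessions


def parse_sygate_pid(field: str) -> int:
    """Parse a 'Process ID : 0x6B8 (Heximal) 1720 (Decimal)' field (format assumed
    from the firewall log in the thread) and check the two spellings agree."""
    m = re.search(r"0x([0-9A-Fa-f]+) \(Heximal\) (\d+) \(Decimal\)", field)
    if not m:
        raise ValueError("unrecognised Process ID field")
    hex_pid, dec_pid = int(m[1], 16), int(m[2])
    if hex_pid != dec_pid:
        raise ValueError(f"hex {hex_pid} and decimal {dec_pid} disagree")
    return dec_pid


def originating_pids(sessions: List[ProxySession], known_servers: Set[str]) -> List[Tuple[int, str]]:
    """(pid, target) for sessions aimed at a server outside the allow-list: these are
    the client PIDs to look up with tasklist or Process Explorer, not the proxy's PID."""
    return [(s.client_pid, s.target) for s in sessions
            if s.target and s.target.rsplit(":", 1)[0] not in known_servers]


if __name__ == "__main__":
    known = {"pop.example.net"}  # constructed allow-list of the user's real mail servers
    found = parse_avg_log(AVG_LOG)
    for s in found:
        print(f"{s.started}: pid {s.client_pid} via {s.client_addr} -> {s.target} "
              f"(winsock {s.winsock_error}, ended {s.ended})")
    print("firewall PID:", parse_sygate_pid("Process ID : 0x6B8 (Heximal) 1720 (Decimal)"))
    print("PIDs to identify:", originating_pids(found, known))
```

Run as-is it reports one session: PID 2620, via 127.0.0.1:3712, to 24.255.115.60:110, timed out with Winsock 10060, against firewall PID 1720 for the proxy itself. Feeding it a longer AVG log would list every client PID that asked the proxy to reach a server not on the allow-list.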
From: David W. Hodgins on 28 Aug 2006 18:44

On Mon, 28 Aug 2006 17:28:17 -0400, <dennispublic(a)hotmail.com> wrote:
> More clues!!! This time I made AVG do a log.

Get tcpview, and process explorer from http://www.sysinternals.com
What does "netstat -a" show?

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
From: dennispublic on 29 Aug 2006 13:47

> Get tcpview, and process explorer from http://www.sysinternals.com

Hmmm thanks, great link, looks like this might help me. I'll let you know what I find when I can catch it in the act again!