From: dennispublic on 30 Aug 2006 12:57

To recap: my AVG email scanner keeps contacting a strange IP address, when I am not running any email programs on this computer. There is no reason for -any- POP3 activity to be going on.

So today the AVG Email Scanner went off again, and here's a clip of the warning:

File Version : 7.1.0.400
File Description : AVG E-Mail Scanner (avgemc.exe)
File Path : C:\Program Files\AVG Free\avgemc.exe
Process ID : 0x784 (Heximal) 1924 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.0.101
Local Port : 2221
Remote Name : ip24-255-115-60.dc.dc.cox.net
Remote Address : 24.255.115.60
Remote Port : 110 (POP3 - Post Office Protocol - Version 3)

.....so I quickly launched the tcpview utility from sysinternals, and I jumped to a dos prompt and did a netstat -a

I found nothing... neither utility showed any reference to this cox IP address, and there was no reference to port 110 or 2221.

I've been using AVG for years on multiple systems and I've never seen this bizarre behaviour before. I even did a few checks for rootkits, found nothing. I'm stumped, and annoyed....
From: MoiMoi on 6 Sep 2006 21:30

In article <1156957047.243157.101990(a)m73g2000cwd.googlegroups.com>, dennispublic(a)hotmail.com says...
> To recap: my AVG email scanner keeps contacting a strange IP address,
> when I am not running any email programs on this computer. There is no
> reason for -any- POP3 activity to be going on.
>
> So today the AVG Email Scanner went off again, and here's a clip of the
> warning:
>
> File Version : 7.1.0.400
> File Description : AVG E-Mail Scanner (avgemc.exe)
> File Path : C:\Program Files\AVG Free\avgemc.exe
> Process ID : 0x784 (Heximal) 1924 (Decimal)
>
> Connection origin : local initiated
> Protocol : TCP
> Local Address : 192.168.0.101
> Local Port : 2221
> Remote Name : ip24-255-115-60.dc.dc.cox.net
> Remote Address : 24.255.115.60
> Remote Port : 110 (POP3 - Post Office Protocol - Version 3)
>
> ....so I quickly launched the tcpview utility from sysinternals, and I
> jumped to a dos prompt and did a netstat -a
>
> I found nothing... neither utility showed any reference to this cox IP
> address, and there was no reference to port 110 or 2221.
>
> I've been using AVG for years on multiple systems and I've never seen
> this bizarre behaviour before. I even did a few checks for rootkits,
> found nothing. I'm stumped, and annoyed....

Well, anything new?
Ever find out anything?
Guess you've run several spyware checkers?
Maybe the multi AV thing that David Lipman always mentions?

MM
From: dennispublic on 20 Sep 2006 13:47

MoiMoi wrote:
> In article <1156957047.243157.101990(a)m73g2000cwd.googlegroups.com>,
> dennispublic(a)hotmail.com says...
> > To recap: my AVG email scanner keeps contacting a strange IP address,
> > when I am not running any email programs on this computer. There is no
> > reason for -any- POP3 activity to be going on.
> >
> > So today the AVG Email Scanner went off again, and here's a clip of the
> > warning:
> >
> > File Version : 7.1.0.400
> > File Description : AVG E-Mail Scanner (avgemc.exe)
> > File Path : C:\Program Files\AVG Free\avgemc.exe
> > Process ID : 0x784 (Heximal) 1924 (Decimal)
> >
> > Connection origin : local initiated
> > Protocol : TCP
> > Local Address : 192.168.0.101
> > Local Port : 2221
> > Remote Name : ip24-255-115-60.dc.dc.cox.net
> > Remote Address : 24.255.115.60
> > Remote Port : 110 (POP3 - Post Office Protocol - Version 3)
> >
> > ....so I quickly launched the tcpview utility from sysinternals, and I
> > jumped to a dos prompt and did a netstat -a
> >
> > I found nothing... neither utility showed any reference to this cox IP
> > address, and there was no reference to port 110 or 2221.
> >
> > I've been using AVG for years on multiple systems and I've never seen
> > this bizarre behaviour before. I even did a few checks for rootkits,
> > found nothing. I'm stumped, and annoyed....
>
> Well, anything new?
> Ever find out anything?
> Guess you've run several spyware checkers?
> Maybe the multi AV thing that David Lipman always mentions?
>
> MM

After many weeks, I have determined that it is being caused by uTorrent, the program I use for file sharing via torrents.

For some reason people are trying to make POP connections with my computer, as evidenced in the AVG email log (process #3920 is uTorrent):

18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from process 3920
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from 127.0.0.1:3995
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Will connect to 85.182.69.225:110
18.9.2006 14:58:50.859 [cb0] AutoPOP3(10110): Client connected

Based on the info I have, I've concluded it is someone out there trying to connect to my uTorrent client using the POP protocol, and this (or my computer responding to this) is triggering the AVG email scanner.

My first theory (wild guess) is that it's being caused by someone using a different kind of torrent downloading program (new? rare? perhaps hacked or poorly coded?) that is sending POP packets, perhaps somehow related to mixing newsgroup file sharing with torrent file sharing.

My second theory (another wild guess) is that someone has used an email port to run their torrent program on, and it is somehow conflicting with email / POP.

Any thoughts?
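The AutoPOP3 lines quoted above show the AVG scanner acting as a local proxy: a process connects to it over loopback, and the proxy then dials the remote host on port 110 on that process's behalf, which is why a torrent client can show up in an email scanner's log. The following is an added example, not code from this thread or from AVG, that groups such log lines by proxy thread id and flags proxied POP3 sessions that originate from a process not on a short allow-list of mail clients; the sample log lines and the PID-to-image-name table are constructed for illustration (on a real machine the names would come from tasklist or Task Manager), and the allow-list is an assumption.

```python
import re
# Line shapes modelled on the AutoPOP3 entries quoted in the thread.
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<thr>[0-9a-f]+)\] AutoPOP3\(\d+\): (?P<msg>.*)$")
PROC_RE = re.compile(r"Connection from process (\d+)$")
FROM_RE = re.compile(r"Connection from (\d+(?:\.\d+){3}:\d+)$")
TO_RE = re.compile(r"Will connect to (\d+(?:\.\d+){3}:\d+)$")

def parse_sessions(log_text: str) -> dict:
    """Group AutoPOP3 lines by proxy thread id: {thr: {"pid", "source", "target"}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["thr"], {"pid": None, "source": None, "target": None})
        msg = m["msg"]
        if (p := PROC_RE.match(msg)):
            s["pid"] = int(p.group(1))          # local process that hit the loopback proxy
        elif (f := FROM_RE.match(msg)):
            s["source"] = f.group(1)            # its loopback endpoint, e.g. 127.0.0.1:3995
        elif (t := TO_RE.match(msg)):
            s["target"] = t.group(1)            # remote host:110 the proxy dials for it
    return sessions
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "msimn.exe"}  # assumed allow-list

def flag_unexpected(sessions: dict, pid_names: dict) -> list:
    """Return (pid, image name, target) for proxied POP3 sessions not from a mail client."""
    findings = []
    for s in sessions.values():
        if s["pid"] is None or s["target"] is None:
            continue                            # e.g. a bare "Client connected" thread
        name = pid_names.get(s["pid"], "unknown")
        if name.lower() not in MAIL_CLIENTS:
            findings.append((s["pid"], name, s["target"]))
    return findings
# Constructed sample: one legitimate mail fetch, then the uTorrent case from the thread.
SAMPLE_LOG = """\
18.9.2006 14:50:01.100 [a1b] AutoPOP3(10110): Connection from process 1234
18.9.2006 14:50:01.100 [a1b] AutoPOP3(10110): Connection from 127.0.0.1:3901
18.9.2006 14:50:01.100 [a1b] AutoPOP3(10110): Will connect to 192.0.2.10:110
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from process 3920
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from 127.0.0.1:3995
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Will connect to 85.182.69.225:110
18.9.2006 14:58:50.859 [cb0] AutoPOP3(10110): Client connected
"""
PID_NAMES = {1234: "outlook.exe", 3920: "utorrent.exe"}  # constructed, as from tasklist
if __name__ == "__main__":
    for pid, name, target in flag_unexpected(parse_sessions(SAMPLE_LOG), PID_NAMES):
        print(f"non-mail process {name} (pid {pid}) proxied to {target}")
```

A session whose thread id only ever logs "Client connected" carries no process or target and is skipped rather than reported, so the check stays quiet on incomplete log fragments.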
From: MoiMoi on 22 Sep 2006 21:50
In article <1158774788.141427.192880(a)d34g2000cwd.googlegroups.com>, dennispublic(a)hotmail.com says...
......
> Yes for anyone who is curious, or has this problem in the future, I
> think it's been confirmed.. it is related to torrents and improper port
> settings that some people are using.

Thanks for the update... I *was* curious, since you seemed to have a clean system, virus/spyware wise.

MM