From: dennispublic on
To recap: my avg email scanner keeps contacting a strange IP address,
when I am not running any email programs on this computer. There is no
reason for -any- POP3 activity to be going on.

So today the AVG Email Scanner went off again, and here's a clip of the
warning:

File Version : 7.1.0.400
File Description : AVG E-Mail Scanner (avgemc.exe)
File Path : C:\Program Files\AVG Free\avgemc.exe
Process ID : 0x784 (Heximal) 1924 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.0.101
Local Port : 2221
Remote Name : ip24-255-115-60.dc.dc.cox.net
Remote Address : 24.255.115.60
Remote Port : 110 (POP3 - Post Office Protocol - Version 3)

.....so I quickly launched the tcpview utility from sysinternals, and I
jumped to a dos prompt and did a netstat -a

I found nothing... neither utility showed any reference to this cox ip
address, and there was no reference to port 110 or 2221.

I've been using AVG for years on multiple systems and I've never seen
this bizarre behaviour before. I even did a few checks for rootkits,
found nothing. I'm stumped, and annoyed....

From: MoiMoi on
In article <1156957047.243157.101990(a)m73g2000cwd.googlegroups.com>,
dennispublic(a)hotmail.com says...
> To recap: my avg email scanner keeps contacting a strange IP address,
> when I am not running any email programs on this computer. There is no
> reason for -any- POP3 activity to be going on.
>
> So today the AVG Email Scanner went off again, and here's a clip of the
> warning:
>
> File Version : 7.1.0.400
> File Description : AVG E-Mail Scanner (avgemc.exe)
> File Path : C:\Program Files\AVG Free\avgemc.exe
> Process ID : 0x784 (Heximal) 1924 (Decimal)
>
> Connection origin : local initiated
> Protocol : TCP
> Local Address : 192.168.0.101
> Local Port : 2221
> Remote Name : ip24-255-115-60.dc.dc.cox.net
> Remote Address : 24.255.115.60
> Remote Port : 110 (POP3 - Post Office Protocol - Version 3)
>
> ....so I quickly launched the tcpview utility from sysinternals, and I
> jumped to a dos prompt and did a netstat -a
>
> I found nothing... neither utility showed any reference to this cox ip
> address, and there was no reference to port 110 or 2221.
>
> I've been using AVG for years on multiple systems and I've never seen
> this bizarre behaviour before. I even did a few checks for rootkits,
> found nothing. I'm stumped, and annoyed....

Well, anything new?
Ever find out anything?
Guess you've run several spyware checkers?
Maybe the multi AV thing that David Lipman always mentions?

MM
From: dennispublic on

MoiMoi wrote:
> In article <1156957047.243157.101990(a)m73g2000cwd.googlegroups.com>,
> dennispublic(a)hotmail.com says...
> > To recap: my avg email scanner keeps contacting a strange IP address,
> > when I am not running any email programs on this computer. There is no
> > reason for -any- POP3 activity to be going on.
> >
> > So today the AVG Email Scanner went off again, and here's a clip of the
> > warning:
> >
> > File Version : 7.1.0.400
> > File Description : AVG E-Mail Scanner (avgemc.exe)
> > File Path : C:\Program Files\AVG Free\avgemc.exe
> > Process ID : 0x784 (Heximal) 1924 (Decimal)
> >
> > Connection origin : local initiated
> > Protocol : TCP
> > Local Address : 192.168.0.101
> > Local Port : 2221
> > Remote Name : ip24-255-115-60.dc.dc.cox.net
> > Remote Address : 24.255.115.60
> > Remote Port : 110 (POP3 - Post Office Protocol - Version 3)
> >
> > ....so I quickly launched the tcpview utility from sysinternals, and I
> > jumped to a dos prompt and did a netstat -a
> >
> > I found nothing... neither utility showed any reference to this cox ip
> > address, and there was no reference to port 110 or 2221.
> >
> > I've been using AVG for years on multiple systems and I've never seen
> > this bizarre behaviour before. I even did a few checks for rootkits,
> > found nothing. I'm stumped, and annoyed....
>
> Well, anything new?
> Ever find out anything?
> Guess you've run several spyware checkers?
> Maybe the multi AV thing that David Lipman always mentions?
>
> MM

After many weeks, I have determined that it is being caused by
uTorrent, the program I use for file sharing via torrents. For some
reason people are trying to make POP connections with my computer as
evidenced in the AVG email log (process #3920 is utorrent):

18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from process 3920
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from 127.0.0.1:3995
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Will connect to 85.182.69.225:110
18.9.2006 14:58:50.859 [cb0] AutoPOP3(10110): Client connected
Based on the info I have, I've concluded it is someone out there trying
to connect to my utorrent client using the POP protocol, and this (or
my computer responding to this) is triggering the AVG email scanner.

My first theory (wild guess) is that it's being caused by someone using
a different kind of torrent downloading program (new? rare? perhaps
hacked or poorly coded?) that is sending pop packets, perhaps somehow
related to mixing newsgroup file sharing with torrent filesharing.

My second theory (another wild guess) is that someone has used an email
port to run their torrent program on, and it is somehow conflicting
with email / pop.

Any Thoughts?
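
Added example (not part of the original posts, and not AVG's code): a Python parser that groups AVG e-mail scanner log lines of the shape quoted in the post above into one record per intercepted connection, then lists port-110 connections that came from processes other than known mail clients. The line format is assumed from that excerpt; PID 2044, the address 192.0.2.10 and the whole second session are constructed sample data.

```python
import re
from datetime import datetime

# Line shape assumed from the log excerpt in the post:
#   D.M.YYYY HH:MM:SS.mmm [thread] AutoPOP3(listen_port): message
LINE = re.compile(r"^(\d{1,2}\.\d{1,2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
                  r"\[([0-9a-f]+)\] AutoPOP3\((\d+)\): (.*)$")
PID = re.compile(r"^Connection from process (\d+)$")
SRC = re.compile(r"^Connection from (\d+\.\d+\.\d+\.\d+):(\d+)$")
DST = re.compile(r"^Will connect to (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_sessions(text):
    """Group log lines into one record per intercepted connection."""
    sessions, open_by_thread = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        stamp, thread, _port, msg = m.groups()
        if (p := PID.match(msg)):
            # A "Connection from process" line starts a new record on its thread.
            cur = {"time": datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S.%f"),
                   "pid": int(p.group(1)), "src": None, "dst": None}
            open_by_thread[thread] = cur
            sessions.append(cur)
        elif thread in open_by_thread:
            cur = open_by_thread[thread]
            if (s := SRC.match(msg)):
                cur["src"] = (s.group(1), int(s.group(2)))
            elif (d := DST.match(msg)):
                cur["dst"] = (d.group(1), int(d.group(2)))
    return sessions

def unexpected_pop3(sessions, mail_pids):
    """Sessions to remote port 110 whose originating PID is not a mail client."""
    return [s for s in sessions
            if s["dst"] and s["dst"][1] == 110 and s["pid"] not in mail_pids]

# First four lines are from the post; the last three are constructed.
SAMPLE = """\
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from process 3920
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Connection from 127.0.0.1:3995
18.9.2006 14:58:50.859 [70c] AutoPOP3(10110): Will connect to 85.182.69.225:110
18.9.2006 14:58:50.859 [cb0] AutoPOP3(10110): Client connected
18.9.2006 15:02:11.104 [71a] AutoPOP3(10110): Connection from process 2044
18.9.2006 15:02:11.104 [71a] AutoPOP3(10110): Connection from 127.0.0.1:4001
18.9.2006 15:02:11.105 [71a] AutoPOP3(10110): Will connect to 192.0.2.10:110
"""

if __name__ == "__main__":
    for s in unexpected_pop3(parse_sessions(SAMPLE), mail_pids={2044}):
        print(s["time"], "pid", s["pid"], "->", "%s:%d" % s["dst"])
```

The PIDs passed as `mail_pids` have to be resolved to process names at the time of the log entry (for example with tcpview or Task Manager), since Windows reuses process IDs.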

From: MoiMoi on
In article <1158774788.141427.192880(a)d34g2000cwd.googlegroups.com>,
dennispublic(a)hotmail.com says...

......

> Yes for anyone who is curious, or has this problem in the future, I
> think it's been confirmed.. it is related to torrents and improper port
> settings that some people are using.

Thanks for the update...I *was* curious, since you seemed to have a
clean system, virus/spyware wise.

MM