
Possible virus?



Sometimes AVG will pop up something like this:

[screenshot attachment: virus2qr.jpg]

The thing is I never send emails, and I never send emails to that address.

This has been going on for a long time, and it happens maybe once a week.

This time it stayed up there for about 1 min doing the same thing.

I use the latest AVG, and the latest Ad-Aware. I've noticed this popping up for about a year, and I've never known what it was doing as I don't send email through a POP3 thingy (just Gmail and Hotmail etc.).

Only thing I did different today was disable firewall on router, then about 2 min later made the cable cord go from my computer straight into the high speed box instead of going to the router, then to the high speed box.

Popped up again about 10 min later. Same thing.


Don't disable the firewall. Blueyonder is the cable company I use to connect to the internet here in England, and as far as I am aware they are not international, so you shouldn't have any links with them.

Does AVG log the programs it is scanning emails for/from ?

Also, I don't think Gmail or Hotmail would cause a scan if you are using webmail, or are you using Outlook or Outlook Express to send/receive? If you are using a local client (Outlook/Express) then it might. What I want to say is, if you are NOT, then set firewall to internet access to AVG on port 25.

That should stop emails going out. If AVG does scan outgoing legitimate emails from Outlook/Express... well, then you need to start scanning quicker :).

Get Sysinternals Process Explorer... or is it Winternals? Google it. That will probably be helpful in finding out what is running on your comp. Sorry I can't be more helpful, but it is fast approaching 4:00am... time to sleep, me thinks. Might be back tomorrow; if not, I am sure some other helpful soul will be.

And remember, virtually NEVER is turning off the firewall the right answer. If you have to, reconfigure it.


This doesn't occur when I send any emails. I don't use Outlook or any email client.

AVG log from today:

7.1.2006 14:28:15 AutoPOP3(10110): Connection from process 1288
7.1.2006 14:28:15 AutoPOP3(10110): Connection from 127.0.0.1:4416
7.1.2006 14:28:15 AutoPOP3(10110): Client connected
7.1.2006 14:28:20 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
7.1.2006 14:28:20 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
7.1.2006 14:28:20 AutoPOP3(10110): Client disconnected
7.1.2006 20:57:19 AutoPOP3(10110): Connection from process 3352
7.1.2006 20:57:19 AutoPOP3(10110): Connection from 127.0.0.1:2348
7.1.2006 20:57:19 AutoPOP3(10110): Client connected
7.1.2006 21:00:23 AutoPOP3(10110): Cannot connect to 82-33-10-129.cable.ubr14.newt.blueyonder.co.uk:110
7.1.2006 21:00:23 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
7.1.2006 21:00:23 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
7.1.2006 21:00:23 AutoPOP3(10110): Client disconnected
7.1.2006 21:15:21 AutoPOP3(10110): Connection from process 3352
7.1.2006 21:15:21 AutoPOP3(10110): Connection from 127.0.0.1:3339
7.1.2006 21:15:21 AutoPOP3(10110): Client connected
7.1.2006 21:15:44 AutoPOP3(10110): Cannot connect to 82-33-10-129.cable.ubr14.newt.blueyonder.co.uk:110
7.1.2006 21:15:44 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
7.1.2006 21:15:44 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
7.1.2006 21:15:44 AutoPOP3(10110): Client disconnected

Attached is the complete log since June 2005, with instances that are similar to above.

Search for:  AutoPOP3(10110)

EDIT:

Interestingly, a Google search found others with this problem, and it seems they didn't really find solutions.

http://www.google.ca/search?hl=en&q=avg+autopop3&btnG=Google+Search&meta=

[attachment archived by Gobalopper]


And remember, virtually NEVER is turning off the firewall the right answer. If you have to, reconfigure it.

Tell that to your Cisco instructor ;)

Disabling your firewall or other software of that nature is actually one of the first things you do to troubleshoot any errors. Right after you have taken the computer off the network / internet and placed it in an environment you control, can monitor and know what is happening all the time. ;)

The AVG antivirus client installs a POP server of its own in order to scan the email you get for viruses (it does the same trick for outgoing mail). Your logs show a connection to port 110, which, just as the warning indicates, means you are trying to retrieve an email from that address.

Maybe you have a program installed with a default email client still active, something like that.

Note that you also have an outgoing POP connection to wifi.zno.skynet.cz in your logfile, a server claiming to be the email server for oknet.cz. The first host does seem to be active at this time, although filtering / blocking all incoming connections.


Tell that to your Cisco instructor ;)

Disabling your firewall or other software of that nature is actually one of the first things you do to troubleshoot any errors. Right after you have taken the computer off the network / internet and placed it in an environment you control, can monitor and know what is happening all the time. ;)

I don't get what you mean about telling that to my Cisco instructor. ???

And I don't think somehow Andrew is in the situation where he is troubleshooting errors. If there is a possible infiltration, he needs to stop it, not see what happens when he disables his firewall ('cos nothing has stopped working). Yes, if he couldn't play a game or his updates for something didn't work, yeah, check the firewall.

Unknown emails being sent? Disable firewall to troubleshoot? ???


I don't get what you mean about telling that to my Cisco instructor. ???

If you follow Cisco courses, in this case Troubleshooting Cisco routers and networks, you learn (sometimes the hard way) that disabling the firewall / packet filters / ACL is one of the first things you do.

Unknown emails being sent? Disable firewall to troubleshoot? ???

My comment was not per se for this scenario. Just about troubleshooting and disabling firewalls.


Well, I've enabled the firewall on the router, and am running through the router again.

I think I had this problem more this summer when I was connected directly to a wireless box that went to a satellite which connects to high-speed internet.

I was just wondering why it popped up, as I wasn't sending/receiving any email.


I was just wondering why it popped up, as I wasn't sending/receiving any email.

It's receiving ;) And maybe you have a program with an email client configured by default in it.

You can try the program Erjin suggested to track which application is trying to send email, or make the connection to port 110.


If you follow Cisco courses, in this case Troubleshooting Cisco routers and networks, you learn (sometimes the hard way) that disabling the firewall / packet filters / ACL is one of the first things you do.

My comment was not per se for this scenario. Just about troubleshooting and disabling firewalls.

Ah, sorry, I thought you were talking specific to this scenario...

Yeah, if you need to see where the issue lies, maybe Emperor not connecting or anything else, you can test without the software firewall, or bypass the hardware firewall if need be...

then reconfigure it if you find it is where the fault lies.


Here is one following Cisco CCNP8 (Network Troubleshooting) :D

And of course first turn off any security, so you know it's not something that does some blocking here and there...

But in this context it's not actually going from the bottom up (layer 1, then layer 2, etc.). In this case it has to do with that AVG.


I would say the worst thing about this popup is that I have no control over making it go away. Once it pops up, I cannot make it go away until it is done doing whatever it is doing (then it disappears).

I guess the only way would be to disable the plugin. I'm guessing, doing such a thing would not be a big security risk?


If you ask me, trying to make that popup go away is the wrong way to deal with it. AVG probably is doing it because it does receive an outgoing connection to port 110. Finding that source is the solution, not keeping AVG from displaying it.

I guess the only way would be to disable the plugin. I'm guessing, doing such a thing would not be a big security risk?

The plugin is just for email. And as you mentioned before you don't use an email client. So no need for the plugin in the first place.


If you ask me, trying to make that popup go away is the wrong way to deal with it. AVG probably is doing it because it does receive an outgoing connection to port 110. Finding that source is the solution, not keeping AVG from displaying it.

Agreed. Cure the cause, not the symptoms.


Popped up again:

14.1.2006 04:25:20 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:25:20 AutoPOP3(10110): Connection from 127.0.0.1:3462
14.1.2006 04:25:20 AutoPOP3(10110): Client connected
14.1.2006 04:25:23 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:25:23 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 04:25:23 AutoPOP3(10110): Client disconnected
14.1.2006 04:45:12 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:45:12 AutoPOP3(10110): Connection from 127.0.0.1:1172
14.1.2006 04:45:12 AutoPOP3(10110): Client connected
14.1.2006 04:45:32 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:45:32 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
14.1.2006 04:45:32 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
14.1.2006 04:45:32 AutoPOP3(10110): Client disconnected
14.1.2006 07:59:55 AutoPOP3(10110): Connection from process 1088
14.1.2006 07:59:55 AutoPOP3(10110): Connection from 127.0.0.1:1911
14.1.2006 07:59:55 AutoPOP3(10110): Client connected
14.1.2006 07:59:56 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 07:59:56 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 07:59:56 AutoPOP3(10110): Client disconnected
14.1.2006 09:42:09 AutoPOP3(10110): Connection from process 1088
14.1.2006 09:42:09 AutoPOP3(10110): Connection from 127.0.0.1:2530
14.1.2006 09:42:09 AutoPOP3(10110): Client connected
14.1.2006 09:43:40 AutoPOP3(10110): Cannot connect to 203-59-203-22.dyn.iinet.net.au:110
14.1.2006 09:43:40 AutoPOP3(10110): Connect: The operation completed successfully. (0)
14.1.2006 09:43:40 AutoPOP3(10110): Client disconnected

The first connection probably did not connect as I was asleep so my firewall did not allow connection, but when I woke up allowed the second connection (I don't know why I decided to).

I just downloaded Sysinternals Process Explorer.

I'm not exactly sure how it will work or what to do. I don't notice any send/receive internet related options.


It tells you what processes are running, so we are going to need to find out what process is sending the email, or receiving, as the case may be.

It mentions the process number in the logs; match that to the process that the proggy you downloaded shows, and you may/should have your culprit.


Ok, the program shows all the processes and CPU usage, although I'm not sure how I am supposed to tell which one is receiving the email.

Do I need to keep the program running at all times to catch it when it happens?

Or if I notice the email scanner pops up, open the program and it should tell me.


Well the process ID number should be enough to catch the bugger.

I can't tell you exactly where to look for that in that program, as I can't run it (seems I am missing some important bits on my system :P XPLite !!!).

You can also get that info from Task Manager (Ctrl + Alt + Del) but perhaps with less "meaning". Go to the View menu, and Select Columns. Find the second one called PID (Process Identifier). Then look for the number which matches the process ID reported by AVG. In your logs it was the number 1088.

See which process that shows up as. If it's not an easy one to detect, as in you don't know what it is, where it is located, etc., then use Process Explorer to get you the path to the image/program. Now you should know exactly what is receiving emails.

You only need to run Process Explorer when you find you have had one of those warnings come up. Then start it up without logging off or shutting down, and odds are that unknown program will still be there with the same ID. Good luck !
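As an added example (not AVG's code, nor anything a poster here wrote), a small Python script that does the same PID-to-host matching over the AutoPOP3 log format quoted in this thread: it groups the log into per-process sessions, pulls out the upstream POP3 server and the Winsock error code, and joins the PID against a table you fill in from Task Manager / Process Explorer. The sample log and the PID table passed to name_processes are constructed for illustration; the server names in the sample are copied from the log posted above.

```python
import re

# Constructed sample in the format of the AVG AutoPOP3 log quoted in this thread.
SAMPLE_LOG = """\
14.1.2006 04:25:20 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:25:23 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:25:23 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 04:25:23 AutoPOP3(10110): Client disconnected
14.1.2006 09:42:09 AutoPOP3(10110): Connection from process 1088
14.1.2006 09:43:40 AutoPOP3(10110): Cannot connect to 203-59-203-22.dyn.iinet.net.au:110
14.1.2006 09:43:40 AutoPOP3(10110): Connect: The operation completed successfully. (0)
14.1.2006 09:43:40 AutoPOP3(10110): Client disconnected
"""

LINE_RE = re.compile(r"^(\S+ \S+) AutoPOP3\(\d+\): (.*)$")
PROC_RE = re.compile(r"Connection from process (\d+)")
HOST_RE = re.compile(r"Cannot connect to (\S+):(\d+)")
CODE_RE = re.compile(r"\((\d+)\)\s*$")  # trailing Winsock error code, e.g. (10061)

def parse_sessions(log_text):
    """One session per 'Connection from process' line: local PID, upstream server, outcome."""
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        p = PROC_RE.search(msg)
        if p:  # a new local client connected to the AVG proxy on 127.0.0.1
            sessions.append({"start": ts, "pid": int(p.group(1)),
                             "host": None, "port": None, "error": None})
        elif sessions:
            cur = sessions[-1]
            h = HOST_RE.search(msg)
            if h:  # the real POP3 server the client asked the proxy to reach
                cur["host"], cur["port"] = h.group(1), int(h.group(2))
            elif msg.startswith("Connect:"):
                c = CODE_RE.search(msg)
                cur["error"] = int(c.group(1)) if c else None
    return sessions

def name_processes(sessions, pid_table, known_servers=frozenset()):
    """Join with a PID -> image name table read while the process is still alive
    (PIDs are reused after a reboot) and flag servers that are not your own mail servers."""
    return [{"start": s["start"], "pid": s["pid"],
             "image": pid_table.get(s["pid"], "<unknown>"),
             "host": s["host"], "error": s["error"],
             "suspicious": s["host"] is not None and s["host"] not in known_servers}
            for s in sessions]
```

With no email client in use, known_servers stays empty and every session the proxy logs is worth a look; the image name is what Task Manager's PID column or Process Explorer shows for that PID.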


Ok, I now see the connection with

14.1.2006 07:59:55 AutoPOP3(10110): Connection from process 1088

and the PID in the program.

Currently no 1088 running, but I will look when the AVG email scanner pops up.

Thanks!

EDIT:

Seems Sygate Personal Firewall is also able to check the process #. That should make it easier to find, as Sygate is always running. Actually, Sygate should have a log...

Damn, the Sygate log file size was limited to 512kb, thus it is only showing today's log. I increased the log size to 2000kb.

Oddly, while playing around with the logs, Sygate crashed.


I got some popups again; after looking at the AVG log, it is now

21.1.2006 09:31:38 AutoPOP3(10110): Connection from process 2236

And using the process viewer this turns out to be from uTorrent.

So my guess is these are from torrent programs (and in the past).

Although this doesn't seem to explain what an email scanner would be doing while getting torrents through a torrent program.


Ah, right. I have my P2P proggy, eMule, trying to send emails. ZoneAlarm alerts me to this. I am not sure about this, as in why, or if they are indeed even emails, but perhaps this is related?

I also had this on eDonkey. Maybe an idea checking if Google shows anything up on this?

I don't really bother to block those communications, as I trust eMule. But blocking them doesn't seem to negatively impact it at all.

I only get the popups occasionally.


Well, that's what I thought, but surely AVG is more intelligent than to assume anything on port 110 is email; as you pointed out, it doesn't have to be. I know my NOD doesn't scan as email those things that use port 110 when ZoneAlarm does think it is email.
