Andrew Posted January 8, 2006

Sometimes AVG will pop up something like this:

[screenshot not included]

The thing is I never send emails, and I never send emails to that address. This has been going on for a long time, and it happens maybe once a week. This time it stayed up there for about 1 min doing the same thing.

I use the latest AVG, and the latest Ad-Aware. I've noticed this popping up for about a year, and I've never known what it was doing as I don't send email through a POP3 thingy (just Gmail and Hotmail etc.).

Only thing I did different today was disable the firewall on the router, then about 2 min later made the cable cord go from my computer straight into the high speed box instead of going to the router, then to the high speed box.

Popped up again about 10 min later. Same thing.
erjin999 Posted January 8, 2006

Don't disable the firewall. Blueyonder is the cable company I use to connect to the internet here in England, and as far as I am aware, they are not international, so you shouldn't have any links with them.

Does AVG log the programs it is scanning emails for/from?

Also, I don't think Gmail or Hotmail would cause a scan if you are using webmail, or are you using Outlook or Outlook Express to send/receive? If you are using a local client Outlook/Express then it might. What I want to say is if you are NOT, then set the firewall to block internet access to AVG on port 25. That should stop emails going out. If AVG does scan outgoing legitimate emails from Outlook/Express... well then you need to start scanning quicker :).

Get Sysinternals Process Explorer... or is it Winternals? Google it. That will probably be helpful in finding out what is running on your comp. Sorry I can't be more helpful but it is fast approaching 4:00am... time to sleep, me thinks. Might be back tomorrow, if not I am sure some other helpful soul will be.

And remember, virtually NEVER is turning off the firewall the right answer. If you have to, reconfigure it.
Andrew Posted January 8, 2006

This doesn't occur when I send any emails. I don't use Outlook or any email client.

AVG log from today:

7.1.2006 14:28:15 AutoPOP3(10110): Connection from process 1288
7.1.2006 14:28:15 AutoPOP3(10110): Connection from 127.0.0.1:4416
7.1.2006 14:28:15 AutoPOP3(10110): Client connected
7.1.2006 14:28:20 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
7.1.2006 14:28:20 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
7.1.2006 14:28:20 AutoPOP3(10110): Client disconnected
7.1.2006 20:57:19 AutoPOP3(10110): Connection from process 3352
7.1.2006 20:57:19 AutoPOP3(10110): Connection from 127.0.0.1:2348
7.1.2006 20:57:19 AutoPOP3(10110): Client connected
7.1.2006 21:00:23 AutoPOP3(10110): Cannot connect to 82-33-10-129.cable.ubr14.newt.blueyonder.co.uk:110
7.1.2006 21:00:23 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
7.1.2006 21:00:23 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
7.1.2006 21:00:23 AutoPOP3(10110): Client disconnected
7.1.2006 21:15:21 AutoPOP3(10110): Connection from process 3352
7.1.2006 21:15:21 AutoPOP3(10110): Connection from 127.0.0.1:3339
7.1.2006 21:15:21 AutoPOP3(10110): Client connected
7.1.2006 21:15:44 AutoPOP3(10110): Cannot connect to 82-33-10-129.cable.ubr14.newt.blueyonder.co.uk:110
7.1.2006 21:15:44 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
7.1.2006 21:15:44 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
7.1.2006 21:15:44 AutoPOP3(10110): Client disconnected

Attached is the complete log since June 2005, with instances that are similar to above. Search for: AutoPOP3(10110)

EDIT: Interestingly, a Google search found others with this problem, and it seems they didn't really find solutions.
http://www.google.ca/search?hl=en&q=avg+autopop3&btnG=Google+Search&meta=
gryphon Posted January 8, 2006

> And remember, virtually NEVER is turning off the firewall the right answer. If you have to, reconfigure it.

Tell that to your Cisco instructor ;) Disabling your firewall or other software of that nature is actually one of the first things you do to troubleshoot any errors. Right after you have taken the computer off the network / internet and placed it in an environment you control, can monitor and know what is happening all the time. ;)

The AVG antivirus client installs a POP server of its own in order to scan email you get for viruses (does the same trick for outgoing mail). Your logs show a connection to port 110, which, just as the warning indicates, means you are trying to retrieve an email from that address. Maybe you have a program installed with a default email client still active, something like that.

Note that you also have an outgoing POP connection to wifi.zno.skynet.cz in your logfile, a server claiming to be the email server for oknet.cz. The first host does seem to be active at this time, although filtering / blocking all incoming connections.
erjin999 Posted January 8, 2006

> Tell that to your Cisco instructor ;) Disabling your firewall or other software of that nature is actually one of the first things you do to troubleshoot any errors. Right after you have taken the computer off the network / internet and placed it in an environment you control, can monitor and know what is happening all the time. ;)

I don't get what you mean about telling that to my Cisco instructor. ???

And I don't think somehow Andrew is in the situation where he is troubleshooting errors. If there is a possible infiltration, he needs to stop it, not see what happens when he disables his firewall (cos nothing has stopped working). Yes, if he couldn't play a game or his updates for something didn't work, yeah, check the firewall.

Unknown emails being sent? Disable the firewall to troubleshoot? ???
gryphon Posted January 8, 2006

> I don't get what you mean about telling that to my Cisco instructor. ???

If you follow Cisco courses, in this case Troubleshooting Cisco Routers and Networks, you learn (sometimes the hard way) that disabling the firewall / packet filters / ACL is one of the first things you do.

> Unknown emails being sent? Disable the firewall to troubleshoot? ???

My comment was not per se for this scenario. Just about troubleshooting and disabling firewalls.
Andrew Posted January 9, 2006

Well, I've enabled the firewall on the router, and am running through the router again.

I think I had this problem more this summer when I was connected directly to a wireless box that went to a satellite which connects to high speed internet.

I was just wondering why it popped up, as I wasn't sending/receiving any email.
gryphon Posted January 9, 2006

> I was just wondering why it popped up, as I wasn't sending/receiving any email.

It's receiving ;) And maybe you have a program with an email client configured by default in it.

You can try the program Erjin suggested to track which application is trying to send email, or make the connection to port 110.
erjin999 Posted January 9, 2006

> If you follow Cisco courses, in this case Troubleshooting Cisco Routers and Networks, you learn (sometimes the hard way) that disabling the firewall / packet filters / ACL is one of the first things you do.
> My comment was not per se for this scenario. Just about troubleshooting and disabling firewalls.

Ah, sorry, I thought you were talking specific to this scenario...

Yeah, if you need to see where the issue lies, maybe Emperor not connecting or anything else, you can test without the software firewall, or bypass the hardware firewall if need be... then reconfigure it if you find it is where the fault lies.
Phoenix Posted January 11, 2006

Here is one following Cisco CCNP8 (Network Troubleshooting) :D And of course, first turn off any securities, so you know it's not something that does some blocking here and there...

But in this context it's not actually going from bottom up (layer 1, then layer 2, etc.); in this it has to do with that AVG.
erjin999 Posted January 12, 2006

yes
Andrew Posted January 12, 2006

I would say the worst thing about this popup is that I have no control of making it go away. Once it pops up, I can not make it go away until it is done doing whatever it is it is doing (then it disappears).

I guess the only way would be to disable the plugin. I'm guessing, doing such a thing would not be a big security risk?
gryphon Posted January 13, 2006

If you ask me, trying to make that popup go away is the wrong way to deal with it. AVG probably is doing it because it does receive an outgoing connection to port 110. Finding that source is the solution. Not keeping AVG from displaying it.

> I guess the only way would be to disable the plugin. I'm guessing, doing such a thing would not be a big security risk?

The plugin is just for email. And as you mentioned before you don't use an email client. So no need for the plugin in the first place.
erjin999 Posted January 13, 2006

> If you ask me, trying to make that popup go away is the wrong way to deal with it. AVG probably is doing it because it does receive an outgoing connection to port 110. Finding that source is the solution. Not keeping AVG from displaying it.

Agreed. Cure the cause, not the symptoms.
Andrew Posted January 14, 2006

Popped up again:

14.1.2006 04:25:20 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:25:20 AutoPOP3(10110): Connection from 127.0.0.1:3462
14.1.2006 04:25:20 AutoPOP3(10110): Client connected
14.1.2006 04:25:23 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:25:23 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 04:25:23 AutoPOP3(10110): Client disconnected
14.1.2006 04:45:12 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:45:12 AutoPOP3(10110): Connection from 127.0.0.1:1172
14.1.2006 04:45:12 AutoPOP3(10110): Client connected
14.1.2006 04:45:32 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:45:32 AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
14.1.2006 04:45:32 AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
14.1.2006 04:45:32 AutoPOP3(10110): Client disconnected
14.1.2006 07:59:55 AutoPOP3(10110): Connection from process 1088
14.1.2006 07:59:55 AutoPOP3(10110): Connection from 127.0.0.1:1911
14.1.2006 07:59:55 AutoPOP3(10110): Client connected
14.1.2006 07:59:56 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 07:59:56 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 07:59:56 AutoPOP3(10110): Client disconnected
14.1.2006 09:42:09 AutoPOP3(10110): Connection from process 1088
14.1.2006 09:42:09 AutoPOP3(10110): Connection from 127.0.0.1:2530
14.1.2006 09:42:09 AutoPOP3(10110): Client connected
14.1.2006 09:43:40 AutoPOP3(10110): Cannot connect to 203-59-203-22.dyn.iinet.net.au:110
14.1.2006 09:43:40 AutoPOP3(10110): Connect: The operation completed successfully. (0)
14.1.2006 09:43:40 AutoPOP3(10110): Client disconnected

The first connection probably did not connect as I was asleep, so my firewall did not allow the connection, but when I woke up I allowed the second connection (I don't know why I decided to).

I just downloaded Sysinternals Process Explorer. I'm not exactly sure how it will work or what to do. I don't notice any send/receive internet related options.
erjin999 Posted January 14, 2006

It tells you what processes are running, so we are going to need to find out what process is sending the email, or receiving, as the case may be.

It mentions the process number in the logs; match that to the process that the proggy you downloaded shows, and you may/should have your culprit.
Andrew Posted January 14, 2006

Ok, the program shows all the processes and CPU usage, although I'm not sure how I am supposed to tell which one is receiving the email.

Do I need to keep the program running at all times to catch it when it happens? Or if I notice the email scanner pops up, open the program and it should tell me?
erjin999 Posted January 15, 2006

Well the process ID number should be enough to catch the bugger. I can't tell you exactly where to look for that in that program, as I can't run it (seems I am missing some important bits on my system :P XPLite !!!).

You can also get that info from Task Manager (Ctrl + Alt + Del) but perhaps with less "meaning". Go to the View menu, and Select Columns. Find the second one called PID (Process Identifier). Then look for the number which matches the process ID reported by AVG. In your logs it was the number 1088. See which process that shows up as. If it's not an easy one to detect, as in you don't know what it is, where it is located, etc., then use Process Explorer to get you the path to the image/program. Now you should know exactly what is receiving emails.

You only need to run Process Explorer when you find you have had one of those warnings come up. Then start it up without logging off or shutting down, and odds are that unknown program will still be there with the same ID. Good luck!
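The matching step described above can be scripted on the log side. This added Python (not from the thread, and not part of AVG) parses AutoPOP3 lines in the layout Andrew pasted, groups them into one session per "Connection from process", and maps each local PID to the remote hosts it asked the AVG proxy to reach and the trailing Winsock result codes; the sample log is constructed from lines in this thread. The PID-to-image lookup itself still happens in Process Explorer or Task Manager as erjin999 describes.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the AutoPOP3 lines Andrew posted above.
SAMPLE_LOG = """\
14.1.2006 04:25:20 AutoPOP3(10110): Connection from process 1088
14.1.2006 04:25:20 AutoPOP3(10110): Connection from 127.0.0.1:3462
14.1.2006 04:25:20 AutoPOP3(10110): Client connected
14.1.2006 04:25:23 AutoPOP3(10110): Cannot connect to wifi.zno.skynet.cz:110
14.1.2006 04:25:23 AutoPOP3(10110): Connect: No connection could be made because the target machine actively refused it. (10061)
14.1.2006 04:25:23 AutoPOP3(10110): Client disconnected
14.1.2006 09:42:09 AutoPOP3(10110): Connection from process 1088
14.1.2006 09:42:09 AutoPOP3(10110): Connection from 127.0.0.1:2530
14.1.2006 09:42:09 AutoPOP3(10110): Client connected
14.1.2006 09:43:40 AutoPOP3(10110): Cannot connect to 203-59-203-22.dyn.iinet.net.au:110
14.1.2006 09:43:40 AutoPOP3(10110): Connect: The operation completed successfully. (0)
14.1.2006 09:43:40 AutoPOP3(10110): Client disconnected
"""

# One line looks like: "<date> <time> AutoPOP3(<proxy port>): <message>"
LINE_RE = re.compile(r"^(\S+ \S+) AutoPOP3\(\d+\): (.*)$")
PID_RE = re.compile(r"^Connection from process (\d+)$")
REMOTE_RE = re.compile(r"^Cannot connect to (\S+):(\d+)$")
CODE_RE = re.compile(r"^(Connect|Pop-C): .*\((\d+)\)$")  # trailing Winsock code

def parse_sessions(text):
    """Split the log into sessions; each starts at 'Connection from process <pid>'."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AutoPOP3 line
        stamp, msg = m.groups()
        if pm := PID_RE.match(msg):
            cur = {"start": stamp, "pid": int(pm.group(1)), "remote": None, "codes": []}
            sessions.append(cur)
        elif cur and (rm := REMOTE_RE.match(msg)):
            # Logged even when the connect later succeeds: the host:port requested
            cur["remote"] = (rm.group(1), int(rm.group(2)))
        elif cur and (cm := CODE_RE.match(msg)):
            cur["codes"].append(int(cm.group(2)))
    return sessions

def pid_report(sessions):
    """Per local PID: remote hosts requested, and whether any connect returned 0."""
    report = defaultdict(lambda: {"hosts": set(), "reached": False})
    for s in sessions:
        entry = report[s["pid"]]
        if s["remote"]:
            entry["hosts"].add(s["remote"][0])
        if 0 in s["codes"]:
            entry["reached"] = True  # traffic actually flowed to the remote host
    return dict(report)
```

A PID with "reached" set is the one worth looking up first, since only those sessions moved data past the proxy.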
Andrew Posted January 15, 2006

Ok, I now see the connection with

14.1.2006 07:59:55 AutoPOP3(10110): Connection from process 1088

and the PID in the program. Currently no 1088 running, but will look when the AVG email scanner pops up. Thanks!

EDIT: Seems Sygate Personal Firewall also is able to check the process #. That should make it easier to find, as Sygate is always running. Actually, Sygate should have a log...

Damn, the Sygate log file size was limited to 512kb, thus it is only showing today's log. I increased the log size to 2000kb. Oddly, while playing around with the logs, Sygate crashed.
Andrew Posted January 21, 2006

I got some popups again. After looking at the AVG log, it is now

21.1.2006 09:31:38 AutoPOP3(10110): Connection from process 2236

and using the process viewer this turns out to be from uTorrent. So my guess is these are from torrent programs (and in the past).

Although this doesn't seem to explain what an email scanner would be doing while getting torrents through a torrent program.
erjin999 Posted January 21, 2006

Ah, right. I have my P2P proggy, eMule, trying to send emails. ZoneAlarm alerts me to this. I am not sure about this, as in why or if they are indeed even emails, but perhaps this is related? I also had this on eDonkey. Maybe an idea checking if Google shows anything up on this?

I don't really bother to block those communications, as I trust eMule, but blocking them doesn't seem to negatively impact at all. I only get the popups occasionally.
Andrew Posted January 21, 2006

I use eMule as well. Google to the rescue!
gryphon Posted January 21, 2006

It doesn't really have to be email. It uses port 110, which is commonly the port for POP email. Although you can do basically whatever you want on that port.
erjin999 Posted January 21, 2006

Well, that's what I thought, but surely AVG is more intelligent than to assume anything on port 110 is email; as you pointed out, it doesn't have to be. I know my NOD doesn't scan as email those things that use port 110 when ZoneAlarm does think it is email.
gryphon Posted January 21, 2006

> but surely AVG is more intelligent than to assume anything on port 110 is email

Don't bet on it ;)

I remember both hosts the connection goes to are up and have filesharing ports open. (Portscanned them both last time.)