AVG scanning outgoing mail - Not sending any?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MC DUI, Oct 20, 2005.

  1. MC DUI

    MC DUI Private E-2

    Hello guys, just have a little problem and I was hoping you could give me some advice.

    Just FYI I have followed your basic tutorial on Spyware fixes and found nothing.
    My PC has been running with the following for about 2 months (updated programs every few days) -

    Windows XP with Service Pack 2
    Mozilla Firefox Browser (With noscript extension)
    AVG Antivirus
    Ad-Aware SE Personal with VX2 Plugin
    Spybot S&D
    Microsoft Antispyware
    Spyware Guard
    Spyware Blaster
    a-squared program

    Now in the last week or so AVG pop-ups have been coming up stating that it is scanning outgoing e-mail. I'm sending nothing, so I'm assuming I have some sort of nasty; I'm especially worried that it is a keylogger or something of that nature.
    I was unaware of the frequency of these contacts till I turned on the logging feature of AVG last night, checking the log this morning shows that this crap is attempting to connect around every 30 mins or so.

    Running all of my antivirus and antispyware programs listed above finds nothing; additionally I have run a couple of online scans including Pandascan and they have found nothing. Also I have run HijackThis and run the log through the online analysis and nothing looks suspicious.

    Currently I'm at work and so I cannot post a log of what is being sent but I found a person who had a similar problem and here is their AVG log -

    5.3.2005 15:44:27 [12c] AutoPOP3(10110): Connection from 127.0.0.1:2737
    5.3.2005 15:44:27 [c58] AutoPOP3(10110): Client connected
    5.3.2005 15:45:09 [c58] AutoPOP3(10110): Cannot connect to OL130-184.fibertel.com.ar:10111
    5.3.2005 15:45:09 [c58] AutoPOP3(10110): Connect: The operation completed successfully. (0)
    5.3.2005 15:45:09 [c58] AutoPOP3(10110): Client disconnected


    It's not exactly the same as mine but the company name FIBERTEL is exactly what my log says as well, but the IP is different.

    If you guys could possibly post some suggestions as to scanning options or any other solutions then I can try them out when I get home.
    I'll post my AVG log when I get home and attach a copy of my HijackThis log.

    Thanks in advance.
     
  2. MC DUI

    MC DUI Private E-2

    BUMP

    (sorry if bumping isn't condoned, just didn't want my post to die :( )
     
  3. MC DUI

    MC DUI Private E-2

    Has anybody got any suggestions for me?

    I have checked all my programs' updates and re-run all my spyware programs in normal and safe mode including -
    MS Antispyware
    Ad-Aware SE
    Spybot S&D
    a-squared
    AVG antivirus

    and they have all come back clean as a whistle.

    I have attached my HJT log, it looks clean though.

    Any suggestions would be much appreciated.
     


  4. MC DUI

    MC DUI Private E-2

    BTW here is a quick snippet of my AVG email scanning log from today -

    21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Connection from process 3424
    21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Connection from 127.0.0.1:1291
    21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Will connect to 201.235.46.5:110
    21.10.2005 17:26:43.148 [b2c] AutoPOP3(10110): Client connected
    21.10.2005 17:26:43.148 OpenInternet = 0
    21.10.2005 17:26:43.148 AddTrayIcon()
    21.10.2005 17:27:30.648 CloseInternet = 1
    21.10.2005 17:27:30.648 RemoveTrayIcon()
    21.10.2005 17:27:30.648 [b2c] AutoPOP3(10110): Cannot connect to 5-46-235-201.fibertel.com.ar:110
    21.10.2005 17:27:30.648 [b2c] AutoPOP3(10110): Connect: The operation completed successfully. (0)
    21.10.2005 17:27:30.648 [b2c] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
    21.10.2005 17:27:30.851 [b2c] AutoPOP3(10110): Client disconnected
    21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Connection from process 3424
    21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Connection from 127.0.0.1:3560
    21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Will connect to 201.235.46.5:110
    21.10.2005 17:46:03.835 [ec8] AutoPOP3(10110): Client connected
    21.10.2005 17:46:03.835 OpenInternet = 0
    21.10.2005 17:46:03.835 AddTrayIcon()
    21.10.2005 17:46:48.679 [ec8] AutoPOP3(10110): Cannot connect to 5-46-235-201.fibertel.com.ar:110
    21.10.2005 17:46:48.679 [ec8] AutoPOP3(10110): Connect: The operation completed successfully. (0)
    21.10.2005 17:46:48.679 [ec8] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
    21.10.2005 17:46:48.679 CloseInternet = 1
    21.10.2005 17:46:48.679 RemoveTrayIcon()
    21.10.2005 17:46:48.882 [ec8] AutoPOP3(10110): Client disconnected
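
An added example, not part of the original thread: a Python sketch that groups the AVG e-mail scanner log lines quoted above into proxy sessions, reporting which local process ID opened each connection, where it was headed, and how far apart the attempts were. The sample input is constructed from lines in the posted log; the parser assumes one session at a time, as in that log.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the AVG log lines quoted in the post above.
SAMPLE_LOG = """\
21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Connection from process 3424
21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Connection from 127.0.0.1:1291
21.10.2005 17:26:43.132 [e44] AutoPOP3(10110): Will connect to 201.235.46.5:110
21.10.2005 17:27:30.648 [b2c] AutoPOP3(10110): Cannot connect to 5-46-235-201.fibertel.com.ar:110
21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Connection from process 3424
21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Connection from 127.0.0.1:3560
21.10.2005 17:46:03.820 [e44] AutoPOP3(10110): Will connect to 201.235.46.5:110
21.10.2005 17:46:48.679 [ec8] AutoPOP3(10110): Cannot connect to 5-46-235-201.fibertel.com.ar:110
"""

# timestamp, optional "[thread]" tag, optional "Module(port):" prefix, then the message
LINE = re.compile(r"^(\d+\.\d+\.\d{4} \d+:\d+:\d+(?:\.\d+)?) (?:\[\w+\] )?(?:\w+\(\d+\): )?(.*)$")
PORTS = {25: "SMTP (sending)", 110: "POP3 (retrieval)", 143: "IMAP (retrieval)"}

def parse_ts(text):
    fmt = "%d.%m.%Y %H:%M:%S.%f" if "." in text.split(" ")[1] else "%d.%m.%Y %H:%M:%S"
    return datetime.strptime(text, fmt)

def summarize(log_text):
    """Group proxy sessions by (client PID, destination, port) and time the gaps."""
    sessions, pid = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if msg.startswith("Connection from process "):
            pid = int(msg.rsplit(" ", 1)[1])
        elif msg.startswith("Will connect to "):
            host, port = msg[len("Will connect to "):].rsplit(":", 1)
            sessions.append({"ts": ts, "pid": pid, "dest": host, "port": int(port), "failed": False})
            pid = None  # a PID line belongs to exactly one session
        elif msg.startswith("Cannot connect to ") and sessions:
            sessions[-1]["failed"] = True
    report = {}
    for s in sessions:
        entry = report.setdefault((s["pid"], s["dest"], s["port"]), {
            "attempts": 0, "failed": 0, "times": [], "protocol": PORTS.get(s["port"], "unknown")})
        entry["attempts"] += 1
        entry["failed"] += s["failed"]
        entry["times"].append(s["ts"])
    for e in report.values():
        times = e.pop("times")
        e["gaps_min"] = [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
    return report
```

Port 110 is POP3, so these entries record a local process trying to retrieve mail rather than send it, and the PID in the log can be matched to a process name in Task Manager with the PID column enabled.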
     
  5. MC DUI

    MC DUI Private E-2

    Sorry for the quadruple posting guys but I'm getting desperate, this thing is popping up ever more frequently and with me using my Netbanking yesterday and today I'm worried this may be some keylogging sh!te that could really funk me over. :(

    BTW if somebody could tell me how to edit my previous posts I'll stop the double, triple, & quadruple posting, cause damned if I can see where I can edit!

    Thanks in advance!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no visible malware in your HJT log.

    Is the below IP address your ISP:
    Code:
    210.15.254.240 = [ dns1.netspace.net.au ]
     
      inetnum:	  210.15.224.0 - 210.15.255.255
      netname:	   NETSPACE1-AP
      descr:		NetSpace 
      descr:		level 1 
      descr:		683 Burke Road 
      descr:		Camberwell 
      descr:		VIC 3124 
      country:	  AU 
      
    FiberTel may be some kind of emailing agent. See the below! Does anything look familiar:
    http://www.senderbase.org/search?page=domains&searchString=fibertel.com.ar&searchBy=domain
     
  7. MC DUI

    MC DUI Private E-2

    Yeah Netspace is my ISP, that's fine.

    Don't know anything about that fibertel stuff though, never heard of it.

    It's only been happening for around a month, and I'm not sending any e-mails so why would it be trying to make contact if it was my mailing agent?

    I've attached a picture of my Outlook account details, don't know if that helps?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe you should check with your ISP to see if they have anything to do with using FiberTel. It seems to be a company in Argentina that is used for sending email. I'm not sure why you would be seeing messages from AVG about it if you are not using email.

    I would suggest that you install a true bi-directional firewall to properly protect you. You are currently relying on only WinXP SP2 and its firewall is not adequate. See this: How to Protect yourself from malware!
     
