AVG email scan connection worry

Discussion in 'Hardware' started by bentura, Sep 13, 2005.

  1. bentura

    bentura Private E-2

    Hi,

    Hope this post is ok here and apologies up front for the length.

    I am using AVG Anti Virus at the moment and all has been fine until I noticed some pop-ups appearing on my screen yesterday saying that a connection was being attempted either to or from students.liberty.edu.

    I was a bit concerned as I can't see any reason why this connection would be made. I don't actually use the email scanner and haven't configured anything on it since installing.

    A ping result on students.liberty.edu produces the IP of 65.161.73.251, but the ping and a tracert time out.

    So, I decided to have a look at the emc.log file of AVG. I found this info on the attempted connection.

    10.9.2005 14:32:59 AVG for E-mail [7.0.338] started
    10.9.2005 14:33:02 Using AVG Kernel: 7.0.344 [267.10.21]
    10.9.2005 14:33:02 Config: C:\Documents and Settings\Benji\Application Data\AVG7\avgemc.cfg
    10.9.2005 14:33:04 Using Cyrus SASL 2.1.13
    10.9.2005 14:33:05 Starting the main loop
    10.9.2005 14:33:05 Redirector version 70004
    10.9.2005 14:33:05 [98c] AutoPOP3(10110): Starting server
    10.9.2005 14:33:05 Queue processing started
    10.9.2005 16:26:20 [98c] AutoPOP3(10110): Connection from process 4040
    10.9.2005 16:26:20 [98c] AutoPOP3(10110): Connection from 127.0.0.1:3586
    10.9.2005 16:26:21 [868] AutoPOP3(10110): Client connected
    10.9.2005 16:26:44 [868] AutoPOP3(10110): Cannot connect to students.liberty.edu:110
    10.9.2005 16:26:44 [868] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
    10.9.2005 16:26:44 [868] AutoPOP3(10110): Client disconnected

    This happens several times throughout the day and from different ports (I assume that's what they are).

    Whilst looking through the log file I found another address had done a similar thing.

    5.9.2005 23:02:11 [f0c] AutoPOP3(10110): Connection from process 2116
    5.9.2005 23:02:11 [f0c] AutoPOP3(10110): Connection from 127.0.0.1:4363
    5.9.2005 23:02:11 [6c4] AutoPOP3(10110): Client connected
    5.9.2005 23:02:55 [6c4] AutoPOP3(10110): Cannot connect to ha198.internetdsl.tpnet.pl:110
    5.9.2005 23:02:55 [6c4] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
    5.9.2005 23:02:55 [6c4] AutoPOP3(10110): Client disconnected
    5.9.2005 23:03:40 [f0c] AutoPOP3(10110): Connection from process 2116
    5.9.2005 23:03:40 [f0c] AutoPOP3(10110): Connection from 127.0.0.1:4422
    5.9.2005 23:03:40 [c7c] AutoPOP3(10110): Client connected
    5.9.2005 23:04:02 [c7c] AutoPOP3(10110): Cannot connect to ha198.internetdsl.tpnet.pl:110
    5.9.2005 23:04:02 [c7c] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
    5.9.2005 23:04:02 [c7c] AutoPOP3(10110): Pop-C: An existing connection was forcibly closed by the remote host. (10054)
    5.9.2005 23:04:02 [c7c] AutoPOP3(10110): Client disconnected

    Now this address ha198.internetdsl.tpnet.pl resolves to the IP 80.53.78.198 and does respond to a trace:

    Tracing route to ha198.internetdsl.tpnet.pl [80.53.78.198]
    over a maximum of 30 hops:

    1 10 ms 3 ms 3 ms 192.168.1.1
    2 14 ms 40 ms 10 ms 10.63.64.1
    3 15 ms 13 ms 11 ms gsr01-sm.blueyonder.co.uk [62.30.193.129]
    4 16 ms 15 ms 55 ms 172.18.14.58
    5 15 ms 14 ms 14 ms tele2-witt-pos.telewest.net [194.117.136.18]
    6 16 ms 13 ms 15 ms bcr1-so-2-0-0.Londonlnx.savvis.net [206.24.169.89]
    7 14 ms 16 ms 16 ms bcr2-so-0-0-0.Londonlnx.savvis.net [204.70.193.117]
    8 34 ms 17 ms 26 ms P4-0.LONBB3.London.opentransit.net [206.24.169.158]
    9 17 ms 40 ms 20 ms so-3-0-0-0.loncr2.London.opentransit.net [193.251.128.206]
    10 53 ms 30 ms 48 ms so-2-0-0-0.fftcr2.Frankfurt.opentransit.net [193.251.242.137]
    11 34 ms 57 ms 58 ms so-1-0-0-0.fftcr1.Frankfurt.opentransit.net [193.251.132.89]
    12 58 ms 60 ms 54 ms so-0-1-0-0.wrsbb1.Warsawa.opentransit.net [193.251.240.170]
    13 53 ms 69 ms 60 ms tpsa-2.GW.opentransit.net [193.251.248.58]
    14 72 ms 56 ms 70 ms ha197.internetdsl.tpnet.pl [80.53.78.197]
    15 79 ms 70 ms 78 ms ha198.internetdsl.tpnet.pl [80.53.78.198]

    Trace complete.


    What I really want to know is: am I in danger of being attacked? Is this someone trying to use the mail server connection in AVG to access my PC?

    I use BitTorrent and this ha198 address does look like one of the connections I see when running netstat, but why would it be trying to connect to my AVG?

    Also, are these two PCs on the same network?

    ha197.internetdsl.tpnet.pl [80.53.78.197]
    ha198.internetdsl.tpnet.pl [80.53.78.198]

    Also, sorry, are there any tools that would help me identify these people more in depth?


    Thank you for any help you may be able to provide and sorry again for the HUGE post.
     
  2. noshado

    noshado Private E-2

    Have the same thing here...!
    I use bitlord client.

    Yesterday AVG came up (and also does now while I'm typing this) with a message that it was connecting to students.liberty.edu (googling this pointed me to your message).

    I scanned my C: drive with AVG, nothing turned up. Scanned for spyware using HitmanPro, nothing turned up.

    So I installed Avast, scanned all my files with the thorough setting (took about 4 hrs), nothing turned up.

    But: looking through my firewall settings (ZoneAlarm), I noticed something that I didn't do myself. I had a setting called 'loopback attack' with IP 127.0.0.1 (looks familiar, eh?), set to the trusted zone.
    I deleted the entry of course, and also put the setting for the trusted zone back to high (it was set to medium).

    So I thought I was safe again, and now I'm running Avast, AVG, ZoneAlarm (and every possible XP update), and fixed a Firefox problem (see their website).

    It's definitely not just AVG, because Avast is also giving pop-up messages on students.liberty.edu!

    It must be something in bitlord that's doing it. My thoughts went in the direction of being used in a zombie network?

    Can someone confirm this? I've stopped bitlord, and the messages are gone...

    And as well, sorry for the long post!
    grtz, Noshado
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The problem may very well be BitLord.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    IN THE SPYWARE SPECIFIC FORUM
     
  4. bentura

    bentura Private E-2

    I think I may have pinpointed the problem to a trojan called W32/Clicker.PC

    Either this or some other annoyance installed a program called msie.exe (or it was maybe msei.exe). This was definitely a trojan and persisted in shutting down my firewall and Microsoft Anti Virus.

    It runs a service that tries to connect to the net called Microsoft Ansti. So when it pops up requesting net access you kind of see anti spyware and click accept; well, that's what I did, stupid I know.

    I downloaded a program called Autoruns. You boot into safe mode and run this and it deletes all corresponding elements of a .exe (the file, the reg settings and any other links to that file). This seemed to have fixed the problem. I am nice and clean now and have had no requests for the AVG email service.

    There are lots of bugs in the little programs that you can download from BitTorrent clients.

    Oh, it could also be the Rbot virus that installs the msie.exe. I think I had that as well.

    Just be sure to scan them all first.

    hope this helps.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    @ bentura

    You still might want to do the scans in the sticky I linked to in POST #3 of this thread. Then post a HijackThis log in a new thread in the Spyware Specific Forum. Make sure when you post that you state you have followed the directions in the Read Me First and I said to post a HJT log. Post the log as an attachment; DO NOT copy & paste the log into your post.
     
  6. DrakeTechno

    DrakeTechno Private E-2

    BitLord *is* the trojan.

    I found this post after installing BitLord and experiencing the same behavior immediately after. The first time, I downloaded it through one of the CNET sites (which redirects to the BitLord website on the backend). The download file was BitLord_1.0.exe (which installed as "version 1.1"). I caught quite a bit of odd behavior (the attempts to mail to students.liberty.edu, and a lot of port scanning... attaching to foreign web servers). I uninstalled it last night, and reinstalled a version through a direct link on the BitLord site (BitLord_1.01.exe, which also installed as "version 1.1"). I see the same sort of web server scanning (after tracking some of the IPs, many are servers that are still at a default install page, a couple have been the BBC's news site, etc.).

    So, my conclusion to this is that BitLord *is* the problem in this case, and perhaps should be added to the long list of sleazy freeware with secret payloads.
     
  7. DrakeTechno

    DrakeTechno Private E-2

    And for those wondering, I can say this with certainty since AVG records the process ID with the POP3 request, and the PID matches BitLord. Time to take apart BitLord and find out what he's emailing out...
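The PID correlation DrakeTechno describes can be automated: AVG's redirector logs the local PID on the listener thread and the remote target on a worker thread, so a triage script has to join the two. The following is an added example written for this thread, not code from the thread or from AVG; the log text is a constructed sample modelled on the emc.log excerpts quoted above, and the allow-list of legitimate mail servers is an assumption the caller supplies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the emc.log excerpts quoted in this thread.
SAMPLE_EMC_LOG = """\
10.9.2005 16:26:20 [98c] AutoPOP3(10110): Connection from process 4040
10.9.2005 16:26:20 [98c] AutoPOP3(10110): Connection from 127.0.0.1:3586
10.9.2005 16:26:21 [868] AutoPOP3(10110): Client connected
10.9.2005 16:26:44 [868] AutoPOP3(10110): Cannot connect to students.liberty.edu:110
10.9.2005 16:26:44 [868] AutoPOP3(10110): Client disconnected
5.9.2005 23:02:11 [f0c] AutoPOP3(10110): Connection from process 2116
5.9.2005 23:02:11 [f0c] AutoPOP3(10110): Connection from 127.0.0.1:4363
5.9.2005 23:02:11 [6c4] AutoPOP3(10110): Client connected
5.9.2005 23:02:55 [6c4] AutoPOP3(10110): Cannot connect to ha198.internetdsl.tpnet.pl:110
5.9.2005 23:03:40 [f0c] AutoPOP3(10110): Connection from process 2116
5.9.2005 23:03:40 [f0c] AutoPOP3(10110): Connection from 127.0.0.1:4422
5.9.2005 23:03:40 [c7c] AutoPOP3(10110): Client connected
5.9.2005 23:04:02 [c7c] AutoPOP3(10110): Cannot connect to ha198.internetdsl.tpnet.pl:110
"""

# date time [thread-id] AutoPOP3(port): message
LINE_RE = re.compile(r"^\S+ \S+ \[([0-9a-f]+)\] AutoPOP3\(\d+\): (.*)$")


def pop3_targets_by_pid(log_text):
    """Map each local PID to a Counter of remote host:port it asked the
    redirector to reach. The listener thread logs the PID, then a worker
    thread logs the target, so the pending PID is handed to the next worker
    that reports 'Client connected'."""
    pending_pid = None
    worker_pid = {}            # worker thread id -> originating PID
    targets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.groups()
        if (p := re.match(r"Connection from process (\d+)", msg)):
            pending_pid = int(p.group(1))
        elif msg == "Client connected" and pending_pid is not None:
            worker_pid[thread] = pending_pid
            pending_pid = None
        elif (t := re.match(r"Cannot connect to (\S+:\d+)", msg)):
            targets[worker_pid.get(thread, -1)][t.group(1)] += 1
    return dict(targets)


def unexpected_pids(targets, allowed_hosts):
    """PIDs that asked for a POP3 server outside the allow-list (assumed to
    hold the mail servers the user's own e-mail client is configured for)."""
    return sorted(pid for pid, hosts in targets.items()
                  if any(h.rsplit(":", 1)[0] not in allowed_hosts for h in hosts))
```

Any PID returned by `unexpected_pids` can then be matched against Task Manager or `tasklist` to name the process, which is the check that separates a misconfigured mail client from a program that has no business talking POP3.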
     
  8. bentura

    bentura Private E-2

    Ah cool. I will have a look at the sticky and post elsewhere if needed.

    As for the BitLord thing, I don't actually use that bit of software. I use BitTornado and have never had this problem until the other day. I still think it must be something I downloaded and installed that my virus and malware scanning software didn't pick up.
     
  9. sinsi

    sinsi Private E-2

    Just had the same thing happen to me, but I reckon I know why.
    I looked at the peers list in bitlord, and one IP address was

    62.209.230.66:110

    Isn't 110 the TCP port for POP3?
     
  10. sinsi

    sinsi Private E-2

    Oops... didn't realise the last post was in September 2005! :(
     
