This has been going on for quite some time. Here are my logs from AVG Free and a HijackThis scan.
I'm also running Azureus, and the process causing all the activity in my AVG log is javaw.exe. Sample...
22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Connection from process 468
22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:1672
22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Will connect to 80.195.137.46:110
22.11.2005 18:07:58.375 [a2c] AutoPOP3(10110): Client connected
22.11.2005 18:07:58.375 OpenInternet = 0
22.11.2005 18:07:58.375 AddTrayIcon()
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): Cannot connect to 80-195-137-46.cable.ubr05.uddi.blueyonder.co.uk:110
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): Connect: The operation completed successfully. (0)
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
22.11.2005 18:09:31.781 CloseInternet = 1
22.11.2005 18:09:31.781 RemoveTrayIcon()
22.11.2005 18:09:31.796 [a2c] AutoPOP3(10110): Client disconnected
I turned off Azureus and I didn't see anything. What could be causing this? By the way, I use Thunderbird right now, and when this is happening with the AutoPOP3 it's not even on. Kind of creepy. No antivirus, trojan, spyware or rootkit scanner has found anything but a tracking cookie and some false positives.
More log file...
18.11.2005 17:54:41 Starting the main loop
18.11.2005 17:54:41 Redirector version 70004
18.11.2005 17:54:41 [9e0] AutoPOP3(10110): Starting server
18.11.2005 17:54:41 [9e4] AutoSMTP(10025): Starting server
18.11.2005 17:54:41 Queue processing started
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from process 2056
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2418
18.11.2005 18:54:25 [f14] AutoPOP3(10110): Client connected
18.11.2005 1821 [f14] AutoPOP3(10110): Cannot connect to 3E6B67E5.rev.stofanet.dk:110
18.11.2005 1821 [f14] AutoPOP3(10110): Connect: The operation completed successfully. (0)
18.11.2005 1821 [f14] AutoPOP3(10110): Client disconnected
18.11.2005 23:31:14 [9e0] AutoPOP3(10110): Connection from process 2056
18.11.2005 23:31:14 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2652
18.11.2005 23:31:14 [4bc] AutoPOP3(10110): Client connected
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Cannot connect to 3E6B67E5.rev.stofanet.dk:110
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Connect: The operation completed successfully. (0)
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Client disconnected
19.11.2005 01:41:29 [9e4] AutoSMTP(10025): Connection from process 2056
19.11.2005 01:41:29 [9e4] AutoSMTP(10025): Connection from 127.0.0.1:4607
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client connected
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client closed connection
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client disconnected
19.11.2005 02:37:06 [9e4] AutoSMTP(10025): Connection from process 2056
19.11.2005 02:37:06 [9e4] AutoSMTP(10025): Connection from 127.0.0.1:1506
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client connected
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client closed connection
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client disconnected
19.11.2005 13:05:01 [9e0] AutoPOP3(10110): Connection from process 2056
19.11.2005 13:05:01 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2907
19.11.2005 13:05:01 [f3c] AutoPOP3(10110): Client connected
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Cannot connect to p54BD2CC2.dip0.t-ipconnect.de:110
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Client disconnected
Here is a fresh HijackThis Scan
Logfile of HijackThis v1.99.1
Scan saved at 8:59:23 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "F:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\avgemc.exe
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CTDVDDet] F:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\program files\activesync\WCESCOMM.EXE"
O4 - Startup: ATITool.lnk = F:\Program Files\ATI Tool\ATITool\ATITool.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\smc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
I've looked on the AVG Free forum and I see this activity in a number of threads. I've even seen one thread on this forum with some of the same activity in the logs.
Thanks for your help.
Last edited by Zevon; 25-11-2005 at 04:19 AM.
Reason: More Details in Title
Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Turns out I had some extra time. Here are both logs.
Logfile of HijackThis v1.99.1
Scan saved at 12:02:40 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Ewido found mostly cookies but did find a few bad guys.
Let's dig a little bit deeper but this may not be virus related.
Please download SilentRunners from here: http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.
* Download finditnt2000xp.zip
* Unzip the contents of finditnt2000xp.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy the entire contents of output.txt into your next post.
* DON'T delete/modify any files yet
Thanks for looking into this. Here is the latest AVG mail log. Every time I see this happen, it's like a new address for the connection.
25.11.2005 14:51:16.437 [8a8] AutoPOP3(10110): Starting server
25.11.2005 14:51:16.437 [8ac] AutoSMTP(10025): Starting server
25.11.2005 14:51:16.437 Queue processing started
25.11.2005 14:51:16.734 Online connection detected
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Connection from process 764
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Connection from 127.0.0.1:3383
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Will connect to 213.208.112.223:110
25.11.2005 16:24:08.453 [7dc] AutoPOP3(10110): Client connected
25.11.2005 16:24:08.453 OpenInternet = 0
25.11.2005 16:24:08.453 AddTrayIcon()
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): Cannot connect to ptrewin.gotadsl.co.uk:110
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
25.11.2005 16:24:30.500 CloseInternet = 1
25.11.2005 16:24:30.500 RemoveTrayIcon()
25.11.2005 16:24:30.734 [7dc] AutoPOP3(10110): Client disconnected
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Connection from process 764
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Connection from 127.0.0.1:3272
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Will connect to 213.208.112.223:110
25.11.2005 19:16:08.781 [b24] AutoPOP3(10110): Client connected
25.11.2005 19:16:08.781 OpenInternet = 0
25.11.2005 19:16:08.781 AddTrayIcon()
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): Cannot connect to ptrewin.gotadsl.co.uk:110
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
25.11.2005 19:16:29.750 CloseInternet = 1
25.11.2005 19:16:29.750 RemoveTrayIcon()
25.11.2005 19:16:29.968 [b24] AutoPOP3(10110): Client disconnected
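As an added example (not code from this thread, from AVG or from any of its posters), here is a small Python parser for the AVG e-mail proxy log format shown in the posts above. It groups the listener thread's "Connection from process N" / "Will connect to host:port" lines and the worker thread's "Cannot connect to" lines into per-connection sessions, records which local process opened each one and which mail server it tried to reach, and then flags destinations that are not in an allowlist of the mail servers the user actually configured. That is the check that turns "a new address every time" into something you can count per process. The sample log lines are constructed to match the format in the thread; process id 1234, mail.example.net and the allowlist are assumed values, not from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One AVG 7 e-mail proxy log line: "DD.MM.YYYY HH:MM:SS[.mmm] [thread] Service(port): message".
# Housekeeping lines without a [thread] field ("OpenInternet = 0", "AddTrayIcon()") are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}(?:\.\d{3})?) "
    r"\[(?P<tid>[0-9a-f]+)\] (?P<svc>Auto(?:POP3|SMTP))\((?P<lport>\d+)\): (?P<msg>.*)$"
)
PROCESS_RE = re.compile(r"^Connection from process (?P<pid>\d+)$")
TARGET_RE = re.compile(r"^Will connect to (?P<host>[^:]+):(?P<port>\d+)$")
FAIL_RE = re.compile(r"^Cannot connect to (?P<host>[^:]+):(?P<port>\d+)$")


@dataclass
class Session:
    started: str                        # timestamp of the "Connection from process" line
    service: str                        # AutoPOP3 or AutoSMTP
    pid: int                            # local process that connected to the proxy
    target: Optional[str] = None        # host from "Will connect to" (older logs lack this line)
    failed_host: Optional[str] = None   # reverse-DNS name from "Cannot connect to", if any

    @property
    def destination(self) -> Optional[str]:
        """Best available name for the remote mail server this session went after."""
        return self.target or self.failed_host


def parse_proxy_log(text: str) -> List[Session]:
    """Group proxy log lines into per-connection sessions.

    The listener thread logs "Connection from process N" and, in newer logs,
    "Will connect to host:port"; a worker thread then reports the outcome.
    Sessions do not overlap in these logs, so each "Connection from process"
    line opens a new session and the lines after it attach to that session.
    """
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        pm = PROCESS_RE.match(msg)
        if pm:
            current = Session(m.group("ts"), m.group("svc"), int(pm.group("pid")))
            sessions.append(current)
        elif current is not None:
            tm = TARGET_RE.match(msg)
            fm = FAIL_RE.match(msg)
            if tm:
                current.target = tm.group("host")
            elif fm:
                current.failed_host = fm.group("host")
    return sessions


def unexpected_destinations(sessions: List[Session], allowed: Set[str]) -> Dict[int, List[str]]:
    """Map each local process id to the mail servers it tried to reach that are
    not in the allowlist. List both the IP and the host name of each configured
    server, since "Will connect to" logs an IP and "Cannot connect to" a name."""
    hits: Dict[int, List[str]] = {}
    for s in sessions:
        dest = s.destination
        if dest is not None and dest not in allowed:
            hits.setdefault(s.pid, []).append(dest)
    return hits


# Constructed sample in the format of the logs posted in the thread. Process 1234 and
# mail.example.net are assumed values standing in for the user's real mail client and server.
SAMPLE_LOG = """\
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from process 2056
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2418
18.11.2005 18:54:25 [f14] AutoPOP3(10110): Client connected
18.11.2005 18:56:21 [f14] AutoPOP3(10110): Cannot connect to 3E6B67E5.rev.stofanet.dk:110
18.11.2005 18:56:21 [f14] AutoPOP3(10110): Client disconnected
19.11.2005 01:41:29 [9e4] AutoSMTP(10025): Connection from process 2056
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client closed connection
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Connection from process 764
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Will connect to 213.208.112.223:110
25.11.2005 16:24:08.453 OpenInternet = 0
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): Cannot connect to ptrewin.gotadsl.co.uk:110
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
25.11.2005 16:24:30.734 [7dc] AutoPOP3(10110): Client disconnected
25.11.2005 18:00:00.000 [8a8] AutoPOP3(10110): Connection from process 1234
25.11.2005 18:00:00.000 [8a8] AutoPOP3(10110): Will connect to mail.example.net:110
25.11.2005 18:00:05.000 [9ab] AutoPOP3(10110): Client disconnected
"""

# Assumed allowlist: the one server the user's mail client is actually configured to use.
ALLOWED_SERVERS = {"mail.example.net"}

if __name__ == "__main__":
    for pid, dests in unexpected_destinations(parse_proxy_log(SAMPLE_LOG), ALLOWED_SERVERS).items():
        print(f"process {pid} tried unexpected mail server(s): {', '.join(dests)}")
```

Run against the full AVG log with the real mail server's name and address in the allowlist, and the output lists every local process id that pointed the proxy at some other POP3 server; cross-checking those ids against Task Manager (or the "Connection from process" ids in the thread, which the poster tied to javaw.exe) tells you which program is doing it, which is the question this thread is trying to answer.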
These scans will take more than an hour to complete, so make sure you have time to let them run through. Save the Panda scan log and the BitDefender log and post them back here please with a new HijackThis log.