Problem with email, no idea ??

  1. #1
    Join Date
    Nov 2000
    Location
    strathclyde,scotland
    Posts
    10

    Problem with email, no idea ??

    I have copied my original query below. I was advised to submit a HijackThis log file to see if there is any hacking attempt on my PC. Thanks to Han for taking the time to reply, and thanks in advance for any help given.

    outgoing email mystery

    --------------------------------------------------------------------------------

    Hi there,
    looking for some advice on this.
    On two occasions today my antivirus software has popped up showing that it is scanning outgoing email. I am puzzled, as I am not sending any emails at the time it happened.
    The following message pops up

    auto pop3 connecting to c11rba 233 absamail.co.za

    This email address means nothing to me, so I am obviously concerned that something is trying to obtain info from my PC.

    Can anyone throw any light on this? As I stated, I do not have Outlook or anything running, and am doing nothing that should be sending an email.

    Thanks in advance for any help offered.

    Win XP Professional, Service Pack 2 installed, AVG Free Edition, Spybot and SpywareBlaster installed



    #2 Today, 10:36 PM
    HAN
    Virtual PC Surgeon! Join Date: Feb 2002
    Location: Indiana, USA
    Posts: 1,093

    Hmmmm... Absamail is related to a South African Banking site. Plus, a POP3 connection is an incoming email connection. Outbound is SMTP. So that is even more odd.

    You may want to start doing some checking into this thread at the Hijack This forum and try to figure out what is going on.

    Log file below.
    Logfile of HijackThis v1.99.1
    Scan saved at 23:38:48, on 09/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\RAM Idle\RAM_2K.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\DOCUME~1\Nigel\LOCALS~1\Temp\~e5.0001
    C:\DOCUME~1\Nigel\LOCALS~1\Temp\~e5.0001
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
    C:\Program Files\Ahead\nero\nero.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.javacoolsoftware.com/sbupdate.html
    O2 - BHO: (no name) - s - (no file)
    O2 - BHO: (no name) - SlimBho2.dll' - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: OrbiscomROTBho2 Class - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\system32\SlimBho2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [RAM Idle Pro] C:\Program Files\RAM Idle\RAM_2K.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  2. #2
    Join Date
    Nov 2000
    Location
    strathclyde,scotland
    Posts
    10

    an update

    New addition this morning.
    AVG reports a scan happening on POP3 connecting to telkomadsl.za

    Looked further into AVG and found the following log:

    12.10.2005 08:05:30 [e28] AutoPOP3(10110): Cannot connect to rrba-146-98-21.telkomadsl.co.za:110
    12.10.2005 08:05:30 [e28] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
    12.10.2005 08:05:30 [e28] AutoPOP3(10110): Client disconnected
    12.10.2005 08:06:38 [558] AutoPOP3(10110): Cannot connect to rrba-146-98-21.telkomadsl.co.za:110
    12.10.2005 08:06:38 [558] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
    12.10.2005 08:06:39 [558] AutoPOP3(10110): Client disconnected

    Can anyone throw any light on this?

  3. #3
    Join Date
    Nov 2000
    Location
    strathclyde,scotland
    Posts
    10

    panicking now

    Got the message about auto pop 3 connecting again.
    See the log I copied from the AVG antivirus email log below.
    13.10.2005 18:06:07 [1f8] AutoPOP3(10110): Connection from process 2492
    13.10.2005 18:06:07 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1159
    13.10.2005 18:06:08 [cd8] AutoPOP3(10110): Client connected
    13.10.2005 18:06:12 [1f8] AutoPOP3(10110): Connection from process 2492
    13.10.2005 18:06:12 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1166
    13.10.2005 18:06:12 [2bc] AutoPOP3(10110): Client connected
    13.10.2005 18:06:45 [1f8] AutoPOP3(10110): Connection from process 2492
    13.10.2005 18:06:45 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1218
    13.10.2005 18:06:45 [4b8] AutoPOP3(10110): Client connected
    13.10.2005 18:06:47 [1f8] AutoPOP3(10110): Connection from process 2492
    13.10.2005 18:06:47 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1224
    13.10.2005 18:06:47 [554] AutoPOP3(10110): Client connected

    I am starting to worry here, as I cannot understand how I can be getting a POP3 connection when I don't have Outlook open.
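
Added example, not part of any post in this thread and not AVG's own tooling: a Python parser for the AVG email scanner log lines quoted in posts #2 and #3, which pulls out the client process ID, the client address, the upstream POP3 hosts that could not be reached and the socket error codes. The field layout is inferred only from the quoted lines, and the names `parse` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines copied from the AVG log excerpts quoted in posts #2 and #3.
SAMPLE = """\
12.10.2005 08:05:30 [e28] AutoPOP3(10110): Cannot connect to rrba-146-98-21.telkomadsl.co.za:110
12.10.2005 08:05:30 [e28] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
12.10.2005 08:05:30 [e28] AutoPOP3(10110): Client disconnected
13.10.2005 18:06:07 [1f8] AutoPOP3(10110): Connection from process 2492
13.10.2005 18:06:07 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1159
13.10.2005 18:06:08 [cd8] AutoPOP3(10110): Client connected
13.10.2005 18:06:12 [1f8] AutoPOP3(10110): Connection from process 2492
13.10.2005 18:06:12 [1f8] AutoPOP3(10110): Connection from 127.0.0.1:1166
"""

# Assumed layout, inferred from the quoted lines: date, time, [hex tag], service(number): message
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}:\d{2}) \[([0-9a-f]+)\] (\w+)\((\d+)\): (.*)$")

def parse(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            date, clock, tag, service, _num, msg = m.groups()
            events.append({"when": f"{date} {clock}", "tag": tag, "service": service, "msg": msg})
    return events

def summarize(events):
    """Count client PIDs, client addresses, failed upstream hosts and socket error codes."""
    pids, upstream, errors, addrs = Counter(), Counter(), Counter(), set()
    for e in events:
        msg = e["msg"]
        if m := re.fullmatch(r"Connection from process (\d+)", msg):
            pids[int(m.group(1))] += 1      # local process talking to the scanner
        elif m := re.fullmatch(r"Connection from (\d+\.\d+\.\d+\.\d+):\d+", msg):
            addrs.add(m.group(1))           # 127.0.0.1 means the client is on this PC
        elif m := re.fullmatch(r"Cannot connect to (\S+):(\d+)", msg):
            upstream[(m.group(1), int(m.group(2)))] += 1   # host the scanner tried to reach
        elif m := re.search(r"\((\d+)\)$", msg):
            errors[int(m.group(1))] += 1    # 10060 is Winsock WSAETIMEDOUT
    return {"client_pids": dict(pids), "client_addrs": sorted(addrs),
            "upstream_failures": dict(upstream), "socket_errors": dict(errors)}

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

The process ID in the summary can be matched to an executable on the affected PC with `tasklist /FI "PID eq 2492"` while that process is still running.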
