Author Topic: Open Ports  (Read 18979 times)

0 Members and 1 Guest are viewing this topic.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Open Ports
« Reply #15 on: November 23, 2005, 01:15:16 PM »
Bullseye, in this case I would definitely run lspfix and/or hijackthis. I see several unknown open ports inside the WebShield process. WebShield does not open these ports, the only way how they can be opened inside webshield process is a dll loaded into in (e.g. LSP dll or some other hooking dll). However the same technique is used by some firewalls (eg. ZoneAlarm) - so this mere fact does not necessary mean it is something unwanted running on your pc. It might be interresting to know whose ports are these.

Lukas.

Bullseye

  • Guest
Re: Open Ports
« Reply #16 on: November 24, 2005, 01:25:20 AM »
Thanks guys,
I'll try lspfix and/or hijackthis and post my reports.

Alanrf: I don't think its any host file, I've just reformated the drive,
so unless when I start thunderbird up its dropping a host file in the system32
directory. but I'll check it out.

Bullseye

  • Guest
Re: Open Ports
« Reply #17 on: November 24, 2005, 01:49:37 AM »
Okay, heres my Hijackthis log,
I don't see any unfamiliar exe's running.

I did a google for Ispfix and couldn't find it,
have you got any links for it ?

cheers

Logfile of HijackThis v1.99.1
Scan saved at 10:42:49 AM, on 24/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
\Wyndorf\Duncs\software\anti virus software\hijackthis\New\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Open Ports
« Reply #18 on: November 24, 2005, 09:50:39 AM »
Okay, heres my Hijackthis log,
I don't see any unfamiliar exe's running.

Nor do I. Lspfix can be downloaded here:
http://www.cexx.org/lspfix.htm

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Open Ports
« Reply #19 on: November 24, 2005, 09:59:30 AM »
It seems that we have come no closer to determining the cause of Bullseye's unfortunate encounter with reverse.the.planet during the Thunderbird session.

Bullseye

  • Guest
Re: Open Ports
« Reply #20 on: November 24, 2005, 11:44:32 AM »

Well I uninstall Avast  and installed NOD32 Antivirus software
,scanned my drive and now its gone :)
No more reverse.the.plant.com.
I didn't quantine the bug, I deleted it so I don't know
what it was.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Open Ports
« Reply #21 on: November 24, 2005, 11:47:43 AM »
It seems that we have come no closer to determining the cause of Bullseye's unfortunate encounter with reverse.the.planet during the Thunderbird session.

true.

If just re-read the thread, if the small icon is avast's Mail Scanner's icon, we can determine who is connecting to it from the log.
Enable logging for Mail Scanner and post it here.

(to enable logging, edit the avast4.ini file, add the line "Log=20" (without quotes) to the section "[MailScanner]")
Eg.
[MailScanner]
Log=20

The log will then be created in the c:\program files\alwil software\avast4\data\log\ashmaisv.log

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Open Ports
« Reply #22 on: November 24, 2005, 11:49:24 AM »

Well I uninstall AvastĀ  and installed NOD32 Antivirus software
,scanned my drive and now its gone :)
No more reverse.the.plant.com.
I didn't quantine the bug, I deleted it so I don't know
what it was.


If it really was the icon from avast's mail scanner you have solved nothing - altought I must admit that the avast's Mail Scanner Icon is not obviously shown in NOD32. Anyway there are other ways how to HIDE THE ICON ;-)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Open Ports
« Reply #23 on: November 24, 2005, 11:49:52 AM »
Well I uninstall AvastĀ  and installed NOD32 Antivirus software
Just a curiosity, how much is NOD32 license right now?
The best things in life are free.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Open Ports
« Reply #24 on: November 24, 2005, 11:59:50 AM »
We're not here to criticize NOD32, it certainly has a good reputation. 

However, I hope that Bullseye might reconsider, come back and see if there is a way that we can help resolve this issue - and the logging proposed by Lukas is a great step (that I wish I had thought to propose earlier). 

That way Bullseye might clear up a problem and provide some help to others who could encounter the same issue. 

Bullseye

  • Guest
Re: Open Ports
« Reply #25 on: November 25, 2005, 12:50:42 AM »
Is this the log your after ?
You guys were right, I didn't realise it was avast email scanner bringing the icon
up in the system tray. So I reinstalled avast and its still there.
But when NOD32 did a complete disk scan it found some virus in my email.
I thought that it had got it.

11/25/05 09:43:14 0000068C:   Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C:   Build 4.6.731
11/25/05 09:43:14 0000068C:   Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C:   Using WinSock 2.0
11/25/05 09:43:15 0000068C:   AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   POP Start settings changed: 1
11/25/05 09:43:15 0000068C:   POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C:   POP RedirectPort: 110
11/25/05 09:43:15 0000068C:   SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C:   SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C:   IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C:   IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C:   IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C:   NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C:   NNTP RedirectPort: 119

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Open Ports
« Reply #26 on: November 25, 2005, 01:09:41 AM »
Is this the log your after ?
Did you add the line?

Log=20

into avast4.ini file?
it seems a poor log, without enough information.
The best things in life are free.

Bullseye

  • Guest
Re: Open Ports
« Reply #27 on: November 25, 2005, 02:47:08 AM »
Aaaah nup, I'll do that.
I wasn't sure were to do it.
I thought I was a check box.

edit:

I just looked at my ini file and it has logmaxsize=20.
Is that it ?
« Last Edit: November 25, 2005, 02:50:10 AM by Bullseye »

Bullseye

  • Guest
Re: Open Ports
« Reply #28 on: November 25, 2005, 02:55:02 AM »
Okay just checked out the avast4.ini thread and realised I had add it in the mail section
of the ini file.
Here's my new aswMaiSv log file. Hope this is it :)

11/25/05 09:43:14 0000068C:   Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C:   Build 4.6.731
11/25/05 09:43:14 0000068C:   Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C:   Using WinSock 2.0
11/25/05 09:43:15 0000068C:   AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   POP Start settings changed: 1
11/25/05 09:43:15 0000068C:   POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C:   POP RedirectPort: 110
11/25/05 09:43:15 0000068C:   SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C:   SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C:   IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C:   IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C:   IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C:   NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C:   NNTP RedirectPort: 119
11/25/05 11:52:07 0000068C:   Log settings changed 20(0x00000014)
11/25/05 11:52:21 00000884:   POP accept connection from: 127.0.0.1
11/25/05 11:52:21 00000884:   Connection handler: 0x00000A0C
11/25/05 11:52:21 00000A0C:   Ignored PIDs: 1588 1840
11/25/05 11:52:21 00000A0C:   Ignored Addresses: 192.168.1.3:119 127.0.0.1:119 192.168.1.3:143 127.0.0.1:143 192.168.1.3:25 127.0.0.1:25 192.168.1.3:110 127.0.0.1:110 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80
11/25/05 11:52:21 00000A0C:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
11/25/05 11:52:21 00000A0C:   --POP command REDIRECT 70.86.95.34:110 3200
11/25/05 11:52:21 00000A0C:   PATH: \Device\HarddiskVolume1\PROGRA~1\MOZILL~2\THUNDE~1.EXE
11/25/05 11:52:22 00000A0C:   Connected to POP server 70.86.95.34 110
11/25/05 11:52:22 00000A0C:   received 45(0x0000002D)
11/25/05 11:52:22 00000A0C:   <-POP  +OK POP3 devo [cppop 20.0] at [70.86.95.34]
11/25/05 11:52:22 00000A0C:   sent 45(0x0000002D)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   ->POP AUTH
11/25/05 11:52:22 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:22 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:22 00000A0C:   received 30(0x0000001E)
11/25/05 11:52:22 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:22 00000A0C:   <-POP  -ERR Command not implemented
11/25/05 11:52:22 00000A0C:   sent 30(0x0000001E)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   ->POP CAPA
11/25/05 11:52:22 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:22 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:23 00000A0C:   received 29(0x0000001D)
11/25/05 11:52:23 00000A0C:   received 51(0x00000033)
11/25/05 11:52:23 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:23 00000A0C:   <-POP +OK Capability list follows
TOP
USER
UIDL
XSENDER
IMPLEMENTATION cppop
.
11/25/05 11:52:23 00000A0C:   <-POP  +OK Capability list follows
11/25/05 11:52:23 00000A0C:   sent 29(0x0000001D)
11/25/05 11:52:23 00000A0C:   <-POP  TOP
11/25/05 11:52:23 00000A0C:   sent 5(0x00000005)
11/25/05 11:52:23 00000A0C:   <-POP  USER
11/25/05 11:52:23 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:23 00000A0C:   <-POP  UIDL
11/25/05 11:52:23 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:23 00000A0C:   <-POP  XSENDER
11/25/05 11:52:23 00000A0C:   sent 9(0x00000009)
11/25/05 11:52:23 00000A0C:   <-POP  IMPLEMENTATION cppop
11/25/05 11:52:23 00000A0C:   sent 22(0x00000016)
11/25/05 11:52:23 00000A0C:   <-POP  .
11/25/05 11:52:23 00000A0C:   sent 3(0x00000003)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   ->POP USER ...
11/25/05 11:52:23 00000A0C:   sent 35(0x00000023)
11/25/05 11:52:23 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 21(0x00000015)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK Need a password
11/25/05 11:52:24 00000A0C:   sent 21(0x00000015)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   ->POP PASS ...
11/25/05 11:52:24 00000A0C:   sent 16(0x00000010)
11/25/05 11:52:24 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 117(0x00000075)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK You have 0 messages totaling 557 octets from /home/shazz450/mail/shazzamstudios.com/wonderboy/inbox (full load)
11/25/05 11:52:24 00000A0C:   sent 117(0x00000075)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   ->POP STAT
11/25/05 11:52:24 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:24 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 9(0x00000009)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK 0 0
11/25/05 11:52:24 00000A0C:   sent 9(0x00000009)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   ->POP QUIT
11/25/05 11:52:25 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:25 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:25 00000A0C:   received 10(0x0000000A)
11/25/05 11:52:25 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:25 00000A0C:   <-POP  +OK Bye!
11/25/05 11:52:25 00000A0C:   sent 10(0x0000000A)
11/25/05 11:52:25 00000A0C:   connection closed 0(0x00000000)
11/25/05 11:52:25 00000A0C:   --POP  Finishing connection handler

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Open Ports
« Reply #29 on: November 25, 2005, 05:54:20 AM »
It would appear from this log that you just had a rather normal connection to a POP3 mail server, you were logged on successfully and there were no messages in the mailbox. 

There POP3 connection was to a mail server at IP address 70.86.95.34.

This IP addressed is owned by ThePlanet.com Internet Services, Inc.

The similarilty of  service name of ThePlanet.com and your original report of reverse.the.planet seems just a bit more than coincidental.

Going back to your original post:

Quote
When I click get mail the little thundbird logo pops up in the sytem tray
with the ip address reverse.the.planet.com and some ip number.
 

As I mentioned earlier there is no Thunderbird icon in the task bar.  The icon that does appear is the avast blue light and when you mouse over that icon you do not get an IP address you get the server name.   

So right now - I do not think we have seen any evidence that you did connect to reverse.the.planet unless you can help us with some more details.
 
« Last Edit: November 25, 2005, 06:08:38 AM by alanrf »