
Strange message

  • 24-01-2010 7:14pm
    #1
    Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭


    I don't know if I have posted this in the correct section, so mods, please feel free to move it.

    I use AVG Free, Windows Live Mail and Windows 7. With AVG Free, a little pop-up box comes up when it is syncing or checking to see if you have any mail. Normally it says it is connecting to my normal mail provider (as it should). However, I just noticed that it popped up and said 'connecting to rd.ists.pl'. I use O2 mobile broadband and am worried that maybe someone is trying to access (or has accessed) my internet connection, email, passwords or whatever.

    Any info or help would be great.

    Cheers,
    Mel.b


Comments

  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Anyone? Any ideas?


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    I don't think AVG has anything to do with that message. How does that message normally correspond to you checking your email (before it changed)?


  • Closed Accounts Posts: 1,710 ✭✭✭RoadKillTs


    Sounds like the pc might be sending out spam.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    Assuming you're Irish in Ireland, that does seem weird.

    I suggest you start using Sygate Personal Firewall; it'll show any traffic going out or in to your computer.
    Also scan the PC with MBAM and other AV software.
    Download and run a scan with HijackThis. You can post the log here afterwards and I'll take a look.
    At least after this we can probably rule out bad software.


  • Moderators, Science, Health & Environment Moderators Posts: 10,087 Mod ✭✭✭✭marco_polo


    They appear to be a legitimate Polish VoIP / ISP company, if that rings any bells. However, unless you know somebody who is Polish and has been using your laptop recently to check email, whatever is connecting to it may not be so legitimate.

    http://www.ists.pl/


  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Thanks for the info. No-one Polish would have access to my computer. I'll run through the steps listed by Magnus above and post the results.

    Mel.b


  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Magnus wrote: »
    Assuming you're Irish in Ireland, that does seem weird.

    I suggest you start using Sygate Personal Firewall; it'll show any traffic going out or in to your computer.
    Also scan the PC with MBAM and other AV software.
    Download and run a scan with HijackThis. You can post the log here afterwards and I'll take a look.
    At least after this we can probably rule out bad software.

    Thanks Magnus,

    I couldn't install the personal firewall as it said it wasn't compatible with Windows 7. Do you know of something similar that is?

    The scan with MBAM was clear...

    Internet Explorer 8.0.7600.16385
    25/01/2010 10:43:59 PM
    mbam-log-2010-01-25 (22-43-59).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 170722
    Time elapsed: 26 minute(s), 49 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    And this is the scan from HijackThis...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:20:50 PM, on 26/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\StikyNot.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\O2\O2 Broadband USB Modem\O2 Broadband\O2 Broadband.exe
    C:\Program Files\Windows Live\Mail\wlmail.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/heraldsun
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O13 - Gopher Prefix:
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{51F4C1A7-93CA-47CF-BE7F-544045E3486E}: NameServer = 62.40.32.33 8.8.8.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{51F4C1A7-93CA-47CF-BE7F-544045E3486E}: NameServer = 62.40.32.33 8.8.8.8
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    --
    End of file - 5287 bytes

    Any info would be great. I'll also change the password to my email account if that will help.

    Cheers,
    Mel.b


  • Moderators, Science, Health & Environment Moderators Posts: 10,087 Mod ✭✭✭✭marco_polo


    Try Comodo instead; it is very good and definitely works with Win 7. Just be sure to only install the firewall part, as you already have an antivirus program.

    http://www.comodo.com/home/download/download.php?prod=firewall


  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Cheers Marco Polo :) I've installed that software (and have a lot of learning to do with it!), but already it has come up with a message that said "System is a safe application. However you are about to receive a connection from another computer. If you are not sure what to do you should block this request."

    Obviously I blocked this request. It gave the IP address that was trying to access my computer. Is there any way to track this? Is it possible that this is what I was seeing coming up the other night in the AVG message?

    Thanks,
    Mel.b


  • Moderators, Science, Health & Environment Moderators Posts: 10,087 Mod ✭✭✭✭marco_polo


    mel.b wrote: »
    Cheers Marco Polo :) I've installed that software (and have a lot of learning to do with it!), but already it has come up with a message that said "System is a safe application. However you are about to receive a connection from another computer. If you are not sure what to do you should block this request."

    Obviously I blocked this request. It gave the IP address that was trying to access my computer. Is there any way to track this? Is it possible that this is what I was seeing coming up the other night in the AVG message?

    Thanks,
    Mel.b

    You said that it was Live Mail that caused the pop-up? It could be worth poking around in the mail settings of that program to see if anything has been changed (POP3/SMTP settings etc.); it looks like it may be trying to connect to another email server.

    Nothing is jumping out at me from the HijackThis log as suspicious. However, no harm in making sure that AVG and MWB are fully up to date, and doing another scan if not.


  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Thanks. I've had a look in the properties of the email account and everything seems the same.

    However since installing Comodo it now says there have been 11 intrusion attempts that have been blocked. Would this be pretty normal or not? I guess I'm just starting to get a little paranoid!

    Cheers,

    Mel.b


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    Run HijackThis again and this time tick these entries for removal:

    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe

    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

    It's adware - it's not bad per se, but you're better off without it.
    There doesn't seem to be anything evil on your PC, but there are several online virus scanners available:
    housecall.trendmicro.com
    www.bitdefender.com/scanner/online/free.html
    http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
    and more

    The "intrusion attempts" could be just someone scanning the network.
    If you get an IP you can just google it and see what you get in response.

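The triage in the replies above (tick the Ask toolbar entries for removal, confirm nothing else in the log looks off) as an added example that is not part of the thread: a small Python parser for HijackThis-style log lines, run over a constructed sample modelled on the log posted earlier. The watchlist of path fragments and the choice of O17 and O20 as sections that always merit a manual look are assumptions of this example.

```python
import re

# Constructed sample in HijackThis log format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{51F4C1A7-93CA-47CF-BE7F-544045E3486E}: NameServer = 62.40.32.33 8.8.8.8
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Each entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

# Hypothetical watchlist: path fragments of the Ask toolbar adware that the
# thread's advice is to tick for removal.
ADWARE_PATH_MARKERS = ("askbardis", "askbar.dll")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, ignoring header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries, markers=ADWARE_PATH_MARKERS):
    """Return (section, reason, body) for entries that need action or a manual look."""
    flagged = []
    for section, body in entries:
        low = body.lower()
        if any(marker in low for marker in markers):
            flagged.append((section, "matches adware watchlist; tick for removal", body))
        elif section == "O17" and "NameServer = " in body:
            # DNS servers decide where every hostname resolves, so confirm they are the ISP's.
            servers = body.split("NameServer = ", 1)[1].split()
            flagged.append((section, "verify DNS servers: " + ", ".join(servers), body))
        elif section == "O20":
            # AppInit_DLLs are loaded into every GUI process; confirm the DLL's vendor.
            flagged.append((section, "AppInit DLL loaded into every process; confirm vendor", body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```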

  • Registered Users, Registered Users 2 Posts: 3,130 ✭✭✭mel.b


    Thanks, I've removed those mentioned above. One (hopefully) final question is: when I search for an IP address, how can I tell if it's an address to be suspicious about?

    Cheers,
    mel.b

