Think i've been hijacked

Just had this pop up in the corner of my screen, the AVG email scanner. Which is odd as I only use webmail :confused:

hijacker.JPG


I'm thinking some sort of trojan or keylogger has snuck in (I'm not the only one who uses this computer! :p), and I get my dodgy porn from torrent sites, so it's not that.

Any ideas?

Cheers.
 
SB118 said:
I get my dodgy porn from torrent sites


As tempting as it may be please do not ask for porn links.



Disable System Restore, use the NOD32 trial and Windows Defender.

Run Spybot S&D, then Ad-Aware after.
 
Hmm, dunno if it's related or not, but my Windows has just thrown up the WGA icon in the task bar saying my copy is a fake. :confused:
 
SB118 said:
Hmm, dunno if it's related or not, but my Windows has just thrown up the WGA icon in the task bar saying my copy is a fake. :confused:

:p Well, you've either got an illegal copy of Windows or WGA (Windows Genuine Advantage) has detected a false positive and a call to Microsoft is needed to obtain a new product key.
 
Curiosityx said:
:p Well, you've either got an illegal copy of Windows or WGA (Windows Genuine Advantage) has detected a false positive and a call to Microsoft is needed to obtain a new product key.

14-month-old PB lappy, just about ready for the bin really. It's poor build quality :(

Ad-Aware found a handful of tracking cookies, Defender doesn't find anything. Just rebooting to finish installing NOD32.
 
Damn, I'm popular, just had a nose in my router logs..


2006.12.20 17:59:47 **UDP Flood to Host** 218.1.153.224, 31848->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:47 **UDP Flood to Host** 196.202.33.108, 23733->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:47 **UDP Flood to Host** 219.249.45.72, 65201->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:42 **UDP Flood to Host** 75.82.187.24, 2505->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:42 **UDP Flood to Host** 83.49.28.118, 12989->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:15 **UDP Flood to Host** 58.9.157.223, 16794->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:15 **UDP Flood to Host** 61.54.78.30, 20004->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:58:23 **UDP Flood to Host** 125.31.26.111, 9495->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:58:10 **UDP Flood to Host** 200.206.201.7, 61746->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:58:09 **UDP Flood to Host** 58.216.57.248, 16748->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:58:09 **UDP Flood to Host** 218.79.141.74, 8443->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:55:57 **UDP Flood to Host** 74.103.142.87, 60371->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:55:57 **UDP Flood to Host** 218.200.123.138, 1759->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:55:57 **UDP Flood to Host** 218.1.168.171, 19301->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:55:09 **UDP Flood to Host** 218.85.43.185, 20000->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:55:01 **UDP Flood to Host** 59.121.106.213, 18917->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:50 **UDP Flood to Host** 128.239.159.246, 16471->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:50 **UDP Flood to Host** 203.198.116.153, 34349->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:08 **UDP Flood to Host** 86.84.110.64, 61681->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:08 **UDP Flood to Host** 218.206.109.194, 25931->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:08 **UDP Flood to Host** 61.149.26.180, 22801->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:08 **UDP Flood to Host** 218.72.70.52, 18484->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:54:01 **UDP Flood to Host** 218.65.180.217, 9426->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:53:14 **UDP Flood to Host** 221.219.203.30, 23004->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:52:59 **UDP Flood to Host** 61.15.105.22, 8285->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:51:34 **UDP Flood to Host** 85.187.191.147, 21731->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:51:13 **UDP Flood to Host** 85.221.97.177, 63317->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:51:13 **UDP Flood to Host** 61.230.223.175, 415->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:51:13 **UDP Flood to Host** 84.75.209.103, 21168->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:51 **UDP Flood to Host** 85.89.162.45, 16350->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:49 **UDP Flood to Host** 58.136.96.231, 14338->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:45 **UDP Flood to Host** 210.24.109.100, 17960->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:45 **UDP Flood to Host** 61.134.127.58, 61927->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:45 **UDP Flood to Host** 83.179.207.64, 11600->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:45 **UDP Flood to Host** 219.78.150.239, 23520->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:43 **UDP Flood to Host** 203.204.89.26, 12929->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:43 **UDP Flood to Host** 91.139.144.155, 13471->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:50:31 **UDP Flood to Host** 61.64.149.175, 51253->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:31 **UDP Flood to Host** 222.141.242.171, 9711->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:29 **UDP Flood to Host** 88.22.164.245, 11371->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:29 **UDP Flood to Host** 195.210.225.55, 10756->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:29 **UDP Flood to Host** 83.255.6.16, 11030->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:24 **UDP Flood to Host** 200.150.56.20, 60239->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:49:24 **UDP Flood to Host** 83.52.92.142, 10178->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:51 **TCP FIN Scan** 192.168.1.2, 1300->> 67.19.161.130, 80 (from PVC1 Outbound)
2006.12.20 17:48:36 **UDP Flood to Host** 58.33.122.173, 11651->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:36 **UDP Flood to Host** 163.23.224.73, 16465->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:33 **UDP Flood to Host** 90.31.235.85, 26544->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:33 **UDP Flood to Host** 213.243.61.21, 10765->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:08 **UDP Flood to Host** 58.251.83.108, 10969->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:08 **UDP Flood to Host** 85.195.58.25, 26799->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:08 **UDP Flood to Host** 60.181.165.246, 25360->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:46:40 **UDP Flood to Host** 81.84.150.144, 16881->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:46:28 **UDP Flood to Host** 58.246.82.98, 36359->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:46:28 **UDP Flood to Host** 82.224.242.241, 13050->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:46:28 **UDP Flood to Host** 222.137.53.174, 14088->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:46:17 **UDP Flood to Host** 85.176.185.200, 22721->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:50 **UDP Flood to Host** 87.120.162.66, 8739->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:50 **UDP Flood to Host** 62.57.73.141, 29302->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:45 **SYN Flood to Host** 192.168.1.2, 1263->> 62.3.251.3, 80 (from PVC1 Outbound)
2006.12.20 17:45:28 **UDP Flood to Host** 194.8.195.53, 33777->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:23 **UDP Flood to Host** 219.114.8.136, 17940->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:08 **UDP Flood to Host** 222.183.92.23, 21958->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:45:04 **UDP Flood to Host** 202.178.155.225, 15181->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:41:50 **TCP FIN Scan** 192.168.1.2, 1153->> 195.92.248.7, 80 (from PVC1 Outbound)
2006.12.20 17:41:50 **TCP FIN Scan** 192.168.1.2, 1117->> 209.85.50.13, 80 (from PVC1 Outbound)
2006.12.20 17:41:50 **TCP FIN Scan** 192.168.1.2, 1126->> 213.84.203.196, 80 (from PVC1 Outbound)
2006.12.20 17:41:27 192.168.1.2 login success
2006.12.20 17:39:19 **UDP Flood to Host** 86.215.170.98, 12021->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:39:19 **UDP Flood to Host** 61.180.120.52, 63541->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:39:18 **UDP Flood to Host** 85.255.171.149, 58771->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:38:54 NTP Date/Time updated.
2003.01.01 00:01:45 If(PVC1) PPP connection ok !

Never knew so many people wanted to contact me :eek:
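The pattern worth checking in a log like the one above is whether the inbound "floods" all land on a single local UDP port from many different sources, which is what peers still trying to reach a P2P client that recently listened on that port look like to a router's flood heuristic. The script below is an added example, not something from this thread or the router vendor; it parses the router's log format and summarises alerts per direction, event and destination port over a small subset of the lines quoted above.

```python
import re
from collections import defaultdict

# Router log format exactly as quoted in the thread, e.g.
# "2006.12.20 17:59:47 **UDP Flood to Host** 218.1.153.224, 31848->> 88.109.217.92, 49469 (from PVC1 Inbound)"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<dir>Inbound|Outbound)\)$"
)

# A small subset of the lines posted in the thread (not the full dump).
SAMPLE_LOG = """\
2006.12.20 17:59:47 **UDP Flood to Host** 218.1.153.224, 31848->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:47 **UDP Flood to Host** 196.202.33.108, 23733->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:59:42 **UDP Flood to Host** 75.82.187.24, 2505->> 88.109.217.92, 49469 (from PVC1 Inbound)
2006.12.20 17:48:51 **TCP FIN Scan** 192.168.1.2, 1300->> 67.19.161.130, 80 (from PVC1 Outbound)
2006.12.20 17:45:45 **SYN Flood to Host** 192.168.1.2, 1263->> 62.3.251.3, 80 (from PVC1 Outbound)
2006.12.20 17:41:27 192.168.1.2 login success
2006.12.20 17:38:54 NTP Date/Time updated.
"""

def parse_alerts(text):
    """Return one dict per IDS alert line; informational lines (login, NTP) are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in text.splitlines()) if m]

def summarise(alerts):
    """Group alerts by (direction, event, destination port) and count distinct sources.

    Many distinct inbound sources all hitting ONE local UDP port is the fingerprint of
    peers still contacting a P2P client that recently listened there, not a targeted
    attack. Outbound alerts from the LAN host to port 80 are commonly ordinary web
    browsing that tripped the router's scan/flood heuristics.
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for a in alerts:
        g = groups[(a["dir"], a["event"], a["dport"])]
        g["count"] += 1
        g["sources"].add(a["src"])
    return {k: {"count": v["count"], "distinct_sources": len(v["sources"])}
            for k, v in groups.items()}

def likely_leftover_p2p(summary):
    """Local ports that got inbound UDP 'flood' alerts from more than one distinct source."""
    return sorted(port for (d, ev, port), v in summary.items()
                  if d == "Inbound" and ev.startswith("UDP") and v["distinct_sources"] > 1)

if __name__ == "__main__":
    s = summarise(parse_alerts(SAMPLE_LOG))
    for key, val in sorted(s.items()):
        print(key, val)
    print("ports consistent with leftover P2P peers:", likely_leftover_p2p(s))
```

Run it over the full log from the router's admin page to confirm that every inbound entry targets the same port and that the only outbound entries are from the LAN host to port 80.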
 
Are you running any p2p apps on a different port number, say "49469"? On another note, what do you hope to get out of this thread?!? You keep changing the subject.

PS: It's connectionless UDP traffic, possibly a port scan or p2p as mentioned.
 
Curiosityx said:
Are you running any p2p apps on a different port number, say "49469"? On another note, what do you hope to get out of this thread?!? You keep changing the subject.

PS: It's connectionless UDP traffic, possibly a port scan or p2p as mentioned.


I've not had any p2p running since about midday.

I'm not changing the subject, I'm just giving all the possible information I think might be useful. The WGA popup seems to have cured itself.

I'm trying to work out where this hidden email is springing from and if somebody is trying to get information out of my pc.

NOD32 found 0 threats.
 
But I don't have any POP3 email set up, I use Hotmail and Yahoo Mail, using the web interface.
 
Maybe some BT installer configured it for you? Check your Outlook Express (or whatever email client you have installed) to see if there is a profile already.
 
This message simply means that AVG is detecting outbound comms on POP3.

P2P sharing sometimes uses POP3 ports, as the peers are sometimes set up to use POP3 ports because the users are behind a firewall that allows POP3 traffic through.

It is almost certainly OK - unless you are not running P2P, in which case run all the spyware/trojan detectors you can find :eek:
 
SB118 said:
Just had this pop up in the corner of my screen, the AVG email scanner. Which is odd as I only use webmail :confused:

hijacker.JPG


I'm thinking some sort of trojan or keylogger has snuck in (I'm not the only one who uses this computer! :p), and I get my dodgy porn from torrent sites, so it's not that.

Any ideas?

Cheers.

Try disabling it in the AVG options menu, it shouldn't appear anymore...
 
Could try running Sysinternals TCPView to look at all the connections to and from your machine.

Might be worth running the Sophos Anti-Rootkit too (it's a free download on sophos.com).

Also, that IP is not a BT mail server, it's just a general BT IP range that would be given out to a punter:

http://whois.domaintools.com/81.155.35.122

It's also blacklisted ;)
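The two suggestions above (AVG flagging outbound POP3 comms, and using TCPView to see which process owns which connection) boil down to one check: which PID is talking to a mail port, and what else does that PID have open? The snippet below is an added example, not from this thread or from Sysinternals; it parses `netstat -ano` style output (a constructed sample in that shape, using the addresses quoted in the thread and made-up PIDs) and pulls out exactly that.

```python
import re

# Mail ports a webmail-only machine has no business talking to.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

# Constructed sample in the shape of `netstat -ano` on Windows XP. The PIDs and states are
# made up; the addresses are the ones quoted in this thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.2:1300       67.19.161.130:80       ESTABLISHED     2244
  TCP    192.168.1.2:1412       81.155.35.122:110      SYN_SENT        3108
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:49469          *:*                                    3108
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """One dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["rport"] = None if d["rport"] == "*" else int(d["rport"])
            d["lport"], d["pid"] = int(d["lport"]), int(d["pid"])
            rows.append(d)
    return rows

def mail_connections(rows):
    """TCP sockets whose remote port is a mail port: (pid, protocol name, remote IP, state)."""
    return [(r["pid"], MAIL_PORTS[r["rport"]], r["raddr"], r["state"])
            for r in rows if r["proto"] == "TCP" and r["rport"] in MAIL_PORTS]

def other_sockets_of(rows, pid):
    """Every socket the same PID owns. A POP3 talker that also holds a high UDP port looks
    like a P2P client; a POP3 talker with no mail client installed deserves a malware scan."""
    return [(r["proto"], r["lport"], r["raddr"], r["rport"]) for r in rows if r["pid"] == pid]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, proto, raddr, state in mail_connections(rows):
        print(f"PID {pid} -> {raddr} ({proto}, {state}); other sockets:", other_sockets_of(rows, pid))
```

Map the PID to a process name with `tasklist /fi "PID eq 3108"` (or the process column in TCPView) before deciding whether it is the torrent client or something that should not be there.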
 