Well, I uninstalled Avast and installed NOD32 Antivirus software,
scanned my drive and now it's gone.
No more reverse.the.plant.com.
I didn’t quarantine the bug, I deleted it so I don’t know
what it was.
true.
I just re-read the thread; if the small icon is avast’s Mail Scanner’s icon, we can determine who is connecting to it from the log.
Enable logging for Mail Scanner and post it here.
(to enable logging, edit the avast4.ini file, add the line “Log=20” (without quotes) to the section “[MailScanner]”)
Eg.
[MailScanner]
Log=20
The log will then be created in the c:\program files\alwil software\avast4\data\log\ashmaisv.log
If it really was the icon from avast’s mail scanner you have solved nothing - although I must admit that the avast’s Mail Scanner Icon is not obviously shown in NOD32. Anyway there are other ways how to HIDE THE ICON
Just a curiosity, how much is NOD32 license right now?
We’re not here to criticize NOD32, it certainly has a good reputation.
However, I hope that Bullseye might reconsider, come back and see if there is a way that we can help resolve this issue - and the logging proposed by Lukas is a great step (that I wish I had thought to propose earlier).
That way Bullseye might clear up a problem and provide some help to others who could encounter the same issue.
Is this the log you're after?
You guys were right, I didn’t realise it was avast email scanner bringing the icon
up in the system tray. So I reinstalled avast and it's still there.
But when NOD32 did a complete disk scan it found some virus in my email.
I thought that it had got it.
11/25/05 09:43:14 0000068C: Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C: Build 4.6.731
11/25/05 09:43:14 0000068C: Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C: Using WinSock 2.0
11/25/05 09:43:15 0000068C: AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C: IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C: POP Start settings changed: 1
11/25/05 09:43:15 0000068C: POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C: POP RedirectPort: 110
11/25/05 09:43:15 0000068C: SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C: SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C: SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C: IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C: IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C: IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C: NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C: NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C: NNTP RedirectPort: 119
Did you add the line?
Log=20
into avast4.ini file?
It seems a poor log, without enough information.
Aaaah nup, I’ll do that.
I wasn’t sure where to do it.
I thought it was a check box.
edit:
I just looked at my ini file and it has logmaxsize=20.
Is that it ?
Okay, just checked out the avast4.ini thread and realised I had to add it in the mail section
of the ini file.
Here’s my new aswMaiSv log file. Hope this is it
11/25/05 09:43:14 0000068C: Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C: Build 4.6.731
11/25/05 09:43:14 0000068C: Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C: Using WinSock 2.0
11/25/05 09:43:15 0000068C: AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C: IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C: POP Start settings changed: 1
11/25/05 09:43:15 0000068C: POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C: POP RedirectPort: 110
11/25/05 09:43:15 0000068C: SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C: SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C: SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C: IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C: IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C: IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C: NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C: NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C: NNTP RedirectPort: 119
11/25/05 11:52:07 0000068C: Log settings changed 20(0x00000014)
11/25/05 11:52:21 00000884: POP accept connection from: 127.0.0.1
11/25/05 11:52:21 00000884: Connection handler: 0x00000A0C
11/25/05 11:52:21 00000A0C: Ignored PIDs: 1588 1840
11/25/05 11:52:21 00000A0C: Ignored Addresses: 192.168.1.3:119 127.0.0.1:119 192.168.1.3:143 127.0.0.1:143 192.168.1.3:25 127.0.0.1:25 192.168.1.3:110 127.0.0.1:110 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80
11/25/05 11:52:21 00000A0C: Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
11/25/05 11:52:21 00000A0C: --POP command REDIRECT 70.86.95.34:110 3200
11/25/05 11:52:21 00000A0C: PATH: \Device\HarddiskVolume1\PROGRA~1\MOZILL~2\THUNDE~1.EXE
11/25/05 11:52:22 00000A0C: Connected to POP server 70.86.95.34 110
11/25/05 11:52:22 00000A0C: received 45(0x0000002D)
11/25/05 11:52:22 00000A0C: <-POP +OK POP3 devo [cppop 20.0] at [70.86.95.34]
11/25/05 11:52:22 00000A0C: sent 45(0x0000002D)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: ->POP AUTH
11/25/05 11:52:22 00000A0C: sent 6(0x00000006)
11/25/05 11:52:22 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:22 00000A0C: received 30(0x0000001E)
11/25/05 11:52:22 00000A0C: --POP ReadFromPop …
11/25/05 11:52:22 00000A0C: <-POP -ERR Command not implemented
11/25/05 11:52:22 00000A0C: sent 30(0x0000001E)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: received 1(0x00000001)
11/25/05 11:52:22 00000A0C: ->POP CAPA
11/25/05 11:52:22 00000A0C: sent 6(0x00000006)
11/25/05 11:52:22 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:23 00000A0C: received 29(0x0000001D)
11/25/05 11:52:23 00000A0C: received 51(0x00000033)
11/25/05 11:52:23 00000A0C: --POP ReadFromPop …
11/25/05 11:52:23 00000A0C: <-POP +OK Capability list follows
TOP
USER
UIDL
XSENDER
IMPLEMENTATION cppop
.
11/25/05 11:52:23 00000A0C: <-POP +OK Capability list follows
11/25/05 11:52:23 00000A0C: sent 29(0x0000001D)
11/25/05 11:52:23 00000A0C: <-POP TOP
11/25/05 11:52:23 00000A0C: sent 5(0x00000005)
11/25/05 11:52:23 00000A0C: <-POP USER
11/25/05 11:52:23 00000A0C: sent 6(0x00000006)
11/25/05 11:52:23 00000A0C: <-POP UIDL
11/25/05 11:52:23 00000A0C: sent 6(0x00000006)
11/25/05 11:52:23 00000A0C: <-POP XSENDER
11/25/05 11:52:23 00000A0C: sent 9(0x00000009)
11/25/05 11:52:23 00000A0C: <-POP IMPLEMENTATION cppop
11/25/05 11:52:23 00000A0C: sent 22(0x00000016)
11/25/05 11:52:23 00000A0C: <-POP .
11/25/05 11:52:23 00000A0C: sent 3(0x00000003)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: received 1(0x00000001)
11/25/05 11:52:23 00000A0C: ->POP USER …
11/25/05 11:52:23 00000A0C: sent 35(0x00000023)
11/25/05 11:52:23 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C: received 21(0x00000015)
11/25/05 11:52:24 00000A0C: --POP ReadFromPop …
11/25/05 11:52:24 00000A0C: <-POP +OK Need a password
11/25/05 11:52:24 00000A0C: sent 21(0x00000015)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: ->POP PASS …
11/25/05 11:52:24 00000A0C: sent 16(0x00000010)
11/25/05 11:52:24 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C: received 117(0x00000075)
11/25/05 11:52:24 00000A0C: --POP ReadFromPop …
11/25/05 11:52:24 00000A0C: <-POP +OK You have 0 messages totaling 557 octets from /home/shazz450/mail/shazzamstudios.com/wonderboy/inbox (full load)
11/25/05 11:52:24 00000A0C: sent 117(0x00000075)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: received 1(0x00000001)
11/25/05 11:52:24 00000A0C: ->POP STAT
11/25/05 11:52:24 00000A0C: sent 6(0x00000006)
11/25/05 11:52:24 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C: received 9(0x00000009)
11/25/05 11:52:24 00000A0C: --POP ReadFromPop …
11/25/05 11:52:24 00000A0C: <-POP +OK 0 0
11/25/05 11:52:24 00000A0C: sent 9(0x00000009)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: received 1(0x00000001)
11/25/05 11:52:25 00000A0C: ->POP QUIT
11/25/05 11:52:25 00000A0C: sent 6(0x00000006)
11/25/05 11:52:25 00000A0C: --POP Before ReadFromPop
11/25/05 11:52:25 00000A0C: received 10(0x0000000A)
11/25/05 11:52:25 00000A0C: --POP ReadFromPop …
11/25/05 11:52:25 00000A0C: <-POP +OK Bye!
11/25/05 11:52:25 00000A0C: sent 10(0x0000000A)
11/25/05 11:52:25 00000A0C: connection closed 0(0x00000000)
11/25/05 11:52:25 00000A0C: --POP Finishing connection handler
It would appear from this log that you just had a rather normal connection to a POP3 mail server, you were logged on successfully and there were no messages in the mailbox.
The POP3 connection was to a mail server at IP address 70.86.95.34.
This IP address is owned by ThePlanet.com Internet Services, Inc.
The similarity of the service name of ThePlanet.com and your original report of reverse.the.planet seems just a bit more than coincidental.
Going back to your original post:
When I click get mail the little Thunderbird logo pops up in the system tray with the ip address reverse.the.planet.com and some ip number.
As I mentioned earlier there is no Thunderbird icon in the task bar. The icon that does appear is the avast blue light and when you mouse over that icon you do not get an IP address you get the server name.
So right now - I do not think we have seen any evidence that you did connect to reverse.the.planet unless you can help us with some more details.
Thanks Alan,
How come my mail server is connecting to ThePlanet.com ?
My ISP is www.aanet.com.au, not ThePlanet.com?
This is getting weird
thanks for your help.
It is possible they have contracted out their mail service.
What is the server name (just the server name - do not mention userid) that you have set up for your mail in Thunderbird?
Bullseye,
I think that you have forgotten about the account you have set up in Thunderbird at shazzamstudios.com.
Their mail server mail.shazzamstudios.com has an IP address of 70.86.95.34 and is hosted at ThePlanet.com.
I think we might call this one closed.
My mail server is mail.aanet.com.au,
Is that what you're after?
cheers
edit:
Thanks Alan,
I’ve just emailed my webhosting company to find out
where/who my email server guys are.
cheers
Duncan, I don’t need that information any longer, please read my previous post in this thread.
Thanks,
Alan
Yep, I read your post,
I edited mine.
I think I understand.
Just so we are clear … this has nothing to do with your ISP aanet.com.au
This is entirely in the province of shazzamstudios.com and the hosting of their mail service at ThePlanet.com.
Yep we are talking about the same thing.
My web hosting company that hosts Shazzam studios
is Onsmart. They're the guys I emailed.
Thanks for all your help.
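As an added example (not part of the original thread and not avast code): a small Python parser for the Log=20 Mail Scanner format posted above that answers the question the thread worked through, namely which local program was proxied to which mail server. The sample lines are excerpted from the log in the thread; the function name `summarize` and the dictionary field names are assumptions of this example.

```python
import re

# Excerpt of the Mail Scanner log posted in the thread (Log=20 format).
SAMPLE_LOG = r"""11/25/05 11:52:21 00000884: POP accept connection from: 127.0.0.1
11/25/05 11:52:21 00000A0C: --POP command REDIRECT 70.86.95.34:110 3200
11/25/05 11:52:21 00000A0C: PATH: \Device\HarddiskVolume1\PROGRA~1\MOZILL~2\THUNDE~1.EXE
11/25/05 11:52:22 00000A0C: <-POP +OK POP3 devo [cppop 20.0] at [70.86.95.34]
11/25/05 11:52:22 00000A0C: ->POP AUTH
11/25/05 11:52:22 00000A0C: <-POP -ERR Command not implemented
11/25/05 11:52:23 00000A0C: ->POP USER …
11/25/05 11:52:24 00000A0C: ->POP PASS …
11/25/05 11:52:24 00000A0C: ->POP STAT
11/25/05 11:52:25 00000A0C: ->POP QUIT
"""

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ([0-9A-F]{8}): (.*)$")
REDIRECT = re.compile(r"^--(\w+) command REDIRECT (\d+\.\d+\.\d+\.\d+):(\d+)")

def summarize(log_text):
    """Group log lines by handler thread ID; return one dict per proxied connection."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (e.g. CAPA list items) carry no thread ID
        ts, tid, msg = m.groups()
        r = REDIRECT.match(msg)
        if r:  # a REDIRECT line opens a new proxied connection on this thread
            conns[tid] = {"start": ts, "proto": r.group(1), "server": r.group(2),
                          "port": int(r.group(3)), "client": None,
                          "banner": None, "commands": [], "errors": []}
            continue
        c = conns.get(tid)
        if c is None:
            continue  # service startup or listener thread, not a connection handler
        if msg.startswith("PATH: "):
            c["client"] = msg[6:].rsplit("\\", 1)[-1]  # executable name only
        elif msg.startswith("->" + c["proto"] + " "):
            c["commands"].append(msg.split()[1])  # verb only; arguments are dropped
        elif msg.startswith("<-" + c["proto"] + " "):
            reply = msg.split(" ", 1)[1]
            if c["banner"] is None:
                c["banner"] = reply  # first server reply is the greeting
            elif reply.startswith("-ERR"):
                c["errors"].append(reply)
    return list(conns.values())

print(summarize(SAMPLE_LOG))
```

The server address it reports can then be checked against the incoming-server names configured in the mail client, which is how the 70.86.95.34 connection was matched to the shazzamstudios.com account in this thread.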