More system info:
OS Name Microsoft Windows 2000 Professional
OS Language English (United States)
OS Kernel Type Multiprocessor Free
OS Version 5.0.2195 (Win2000 Retail)
OS Service Pack Service Pack 4
Motherboard:
CPU Type DualCore AMD Athlon 64 X2, 2000 MHz (10 x 200) 3800+
Motherboard Name MSI K8N Diamond / K8N SLI Platinum (MS-7100) (3 PCI, 2 PCI-E x16, 4 DDR DIMM, Audio, Gigabit LAN, IEEE-1394)
Motherboard Chipset nVIDIA nForce4 SLI, AMD Hammer
System Memory 1024 MB (PC3200 DDR SDRAM)
BIOS Type Award (09/09/05)
Communication Port Communications Port (COM1)
Communication Port Printer Port (LPT1)
Display:
Video Adapter NVIDIA GeForce 6600 (512 MB)
3D Accelerator nVIDIA GeForce 6600 PCI-E
Do you have any tasks in the Control Panel > Scheduled Tasks that you do not recognize?
The IP address you posted above is registered to an outfit in Montevideo, Uruguay. Do you know of any reason you would be connecting to a server in Uruguay? Might you be checking with a software development group in Uruguay for product update information (yes, there are software development groups in Uruguay)?
I think it might prove useful to create (for a while) a more detailed avast! log of your mail connections.
You can get the mail scanner to log your connections by editing the avast4.ini file (in the Program Files\Alwil Software\Avast4\DATA folder).
In the section headed:
[MailScanner]
add the line:
Log=20
and save the updated file.
The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log
Good point and good advice regarding creation of mail activity log file… aleph, do that and post back.
However, Montevideo, Uruguay is just “first stop” for this IP range… This IP address range is under LACNIC ( whois.lacnic.net ), and this is what I get when checking that IP over there at LACNIC:
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-12-06 07:13:04 (BRST -02:00)
inetnum: 200.104.0/18
status: allocated
owner: VTR BANDA ANCHA S.A.
ownerid: CL-VPNS-LACNIC
responsible: Italo Sambuceti
address: Reyes Lavalle, 3340, 4th floor
address: 6760335 - Santiago -
country: CL
phone: +56 02 3101502
owner-c: ISO
tech-c: ISO
inetrev: 200.104.0/18
nserver: NS00.VTR.NET
nsstat: 20051202 AA
nslastaa: 20051202
nserver: NS01.VTR.NET
nsstat: 20051202 AA
nslastaa: 20051202
created: 20021223
changed: 20021223
Hmmm… the address and Uruguay kinda rang a bell. About a month ago, I was setting up a firewall on another computer and the 201.8.6.145 address showed up in the blocked log. As far as I know, the only thing on that computer, besides Windows, was Shareaza. But it generally communicates through a set port. Perhaps someone looking for music?
Even if this was the case and aleph has a file sharing program on his computer, it doesn’t explain the mail scanner icon.
whois lookup
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY
ReferralServer: whois://whois.lacnic.net
NetRange: 201.0.0.0 - 201.255.255.255
CIDR: 201.0.0.0/8
NetName: LACNIC-201
NetHandle: NET-201-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: NS2.DNS.BR
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS1.AFRINIC.NET
Comment: This IP address range is under LACNIC responsibility
Comment: for further allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details,
Comment: or check the WHOIS server located at whois.lacnic.net
RegDate: 2003-04-03
Updated: 2005-12-05
Comment: This IP address range is under LACNIC responsibility
Comment: for further allocations to users in LACNIC region.
Comment: [b]Please see http://www.lacnic.net/ for further details[/b],
Comment: or check the WHOIS server located at whois.lacnic.net
You’ll spot the information I marked in BLUE.
When you search that IP at LACNIC, you get exactly what I posted above in my previous reply.
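The point made in the posts above, that the Montevideo record only describes the registry-level block and names the server to query next, shown as an added Python example (not part of the original thread). The sample responses are abridged from the whois output quoted above; the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the two whois responses quoted in the thread.
REGISTRY_RESPONSE = """\
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
City: Montevideo
Country: UY
ReferralServer: whois://whois.lacnic.net
CIDR: 201.0.0.0/8
NetType: Allocated to LACNIC
"""
LACNIC_RESPONSE = """\
% Joint Whois - whois.lacnic.net
inetnum: 200.104.0/18
status: allocated
owner: VTR BANDA ANCHA S.A.
country: CL
"""

def parse_whois(text):
    """Return {key: [values]} for 'key: value' lines, skipping % and # comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def referral_host(fields):
    """Host named by a ReferralServer line, or None when the record is final."""
    for value in fields.get("referralserver", []):
        m = re.match(r"r?whois://([^/:\s]+)", value)
        if m:
            return m.group(1)
    return None

def summarize(text):
    """Say whether a response is a registry placeholder or the actual allocation."""
    f = parse_whois(text)
    host = referral_host(f)
    holder = (f.get("owner") or f.get("orgname") or [None])[0]
    country = (f.get("country") or [None])[0]
    return {"final": host is None, "ask_next": host,
            "holder": holder, "country": country}
```

A record with `final` set to False describes the registry's block, not the network that holds the address; repeat the query at the host in `ask_next` before drawing conclusions about location.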
Thanks for all your help. Alan, I have NO scheduled tasks. I had already whois’ed them to see if there might be some reason why I’d have a mail connection to them. None that I can think of. I will change the logging settings and get back when I find something.
No, it specifies the level of logging: disable log = 0; basic information (only initial loading info, errors and avast4.ini changes; default) = 1, all the communication data between the Mail scanner and mail servers = 20. Other values between 0 and 20 are not significant. Information is written into AswMaiSv.log file in Avast4\Data\LOG folder.
Are you connecting to a usenet (nntp) server by any chance?
That will be scanned by the internet mail provider as well, causing the same icon to appear.
I have the same problem as the originator of this thread: every now and then, the email scanner icon appears with a strange IP address. However, I also get an Internet connection timeout from avast with the IP address on port 110, but the originating program is shareaza.exe. There was a previous post where Shareaza was mentioned. I would like to know if I should answer yes or no to the timeout window, but it would seem that this problem may be linked to Shareaza.
If you see IP addresses that are unknown to you then that should raise a red flag and prompt you to investigate further.
Are you getting a timeout message from avast! or just seeing these strange addresses? If you are getting a timeout message what are the exact contents?
Tech has advised in this thread how to generate a more detailed log of your connections to the ports scanned by the Internet Mail provider. It would probably make sense for you to follow that advice for a while and check the log to see what connections your system is making.