Spyware, Viruses, & Security forum

General discussion

email scanner accessing 59.60.149.118

by Willy3 / November 11, 2008 1:27 AM PST

Running XP - SP3 with all updates, AVG 8.0.175. I frequently get a small popup that says the AVG email scanner is checking for updates at 59.60.149.118. I have run AVG complete scan, spybot, gmer, catchme and finally loaded Avira. Avira found approx. 20 "suspected or infected" files, which were all quarantined. I have noticed that the AVG update process fails to connect more often than not, but after repeated attempts it says that I am up to date and "fully protected". After running all of the above, I still get the popup. I can only find two instances of the same problem through google, but no resolution is reported. Anyone have any thoughts as to what this is?

59.60.149.118
by Marianna Schmudlach / November 11, 2008 1:59 AM PST

I just ran a traceroute and it ends up in China . so... "something is wrong" Sad

I ran a WhoIs and got a similar result
by roddy32 / November 11, 2008 3:20 AM PST

as Marianna.

Partial results here


inetnum: 59.56.0.0 - 59.61.255.255
netname: CHINANET-FJ
descr: CHINANET fujian province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: CA67-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-FJ
mnt-routes: MAINT-CHINANET-FJ

59.60.149.118
by Willy3 / November 11, 2008 3:33 AM PST

I reran gmer and I have a serious problem. My disc info is being duplicated on my other drive partitions. I run 2 300 GB drives partitioned C,I,J and K,L. There are no directories shown in "my computer" that match the directories scanned in gmer, and none show up at the command prompt, but all of my files are listed. I have deleted AVG and Avira and I am going to download a new copy of AVG to install.

59.60.149.118
by Willy3 / November 11, 2008 3:45 AM PST
In reply to: 59.60.149.118

I just reinstalled AVG and whatever this is, it also interferes with the AVG update process, as the program would not update to the latest virus database.

Give this a try......
by Marianna Schmudlach / November 11, 2008 3:57 AM PST
In reply to: 59.60.149.118

Please download Malwarebytes Anti-Malware or alternate download link

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
* - Update Malwarebytes' Anti-Malware
* - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

* On the Scanner tab:
* - Make sure the "Perform Quick Scan" option is selected.
* - Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

* -- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

**If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll


...

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

59.60.149.118
by Willy3 / November 11, 2008 11:27 AM PST
In reply to: Give this a try......

Thanks for the help.

I am amazed at what AVG, Avira and Spybot missed. I hope I got them all. For anyone else that has a similar issue, this is what I found:

First Scan (Quick):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Ipwindows (Trojan.Rond) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\flac (Trojan.Vundo) -> Quarantined and deleted

Second Scan (Full Scan):


Files Infected:

C:\Program Files\FLAC\uninstall.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C91589B8-6580-431E-9DD1-72B4E3B61780}\RP344\A0084860.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

I:\Program Downloads\flac-1.2.1b.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
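The scan results above are posted as free text, which is how MBAM's log reads. The parser below is an added example, not code from Malwarebytes or from anyone in this thread; its line format ("item (Detection) -> action", grouped under "<Category> Infected:" headers) is inferred from the lines Willy3 posted, and the sample log is constructed from those same lines. Beyond listing hits, it pulls out the Bad/Good pair from the Broken.OpenCommand entry and separates detections under System Volume Information\_restore, which are System Restore checkpoint copies rather than live files, so they show the same file existed on the system at an earlier restore point.

```python
import re
from collections import Counter

# Constructed sample: the detection lines from the thread, under MBAM-style
# "<Category> Infected:" section headers (format inferred, not MBAM's spec).
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Ipwindows (Trojan.Rond) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C91589B8-6580-431E-9DD1-72B4E3B61780}\RP344\A0084860.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<category>.+) Infected:$")
# item, then the detection name in parentheses, then everything after " -> "
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.I)


def parse_mbam_log(text):
    """Return one dict per detection: category, item, detection, action,
    plus bad/good values when the entry records a repaired registry value."""
    records, category = [], None
    for line in text.splitlines():
        line = line.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            category = sec.group("category")
            continue
        m = ITEM_RE.match(line)
        if not m or category is None:
            continue  # blank lines and "(No malicious items detected)"
        # A repaired-value entry has a second " -> " before the action.
        detail, _, action = m.group("rest").rpartition(" -> ")
        rec = {"category": category, "item": m.group("item"),
               "detection": m.group("detection"), "action": action}
        bg = BAD_GOOD_RE.search(detail)
        if bg:
            rec["bad"], rec["good"] = bg.group("bad"), bg.group("good")
        records.append(rec)
    return records


def count_by_detection(records):
    """How many hits each detection name produced."""
    return Counter(r["detection"] for r in records)


def restore_point_items(records):
    """Items that live in System Restore checkpoints, not on the live system."""
    return [r["item"] for r in records if RESTORE_RE.match(r["item"])]


if __name__ == "__main__":
    recs = parse_mbam_log(MBAM_LOG)
    for r in recs:
        print(f"{r['category']:<20} {r['detection']:<18} {r['item']}")
    print(count_by_detection(recs))
    print("restore-point copies:", restore_point_items(recs))
```

Running it on a real log is a matter of reading the file MBAM writes under its Logs tab into `parse_mbam_log`; the counts make it easy to see which detection families recur across successive scans, which is the pattern Willy3 hit with Trojan.Downloader reappearing in a later restore point.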

59.60.149.118
by Willy3 / November 11, 2008 3:04 PM PST
In reply to: 59.60.149.118

It's Back!! I have run the malware detection program three times, but it does not show any problems. Am currently running SuperAnti Spyware one more time (third).

Let's give this a try...
by Marianna Schmudlach / November 12, 2008 12:20 AM PST
In reply to: 59.60.149.118

Run MBAM once again - FULL scan......

next:

With the computer still connected to the internet:

Please go to Start > Control Panel > Network and Internet Connections > Network Connections. Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left-click on the Properties option. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

Go to Start > Run.... In the Open: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy & paste the following command into the command window:

    ipconfig /flushdns

Hit Enter and exit the Command Prompt.
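The DNS steps above are worth verifying rather than just applying, because the earlier MBAM log in this thread included a Trojan.DNSChanger hit, and that family's effect is a resolver setting the user did not choose. The script below is an added example, not part of the original thread or of any Microsoft tool: it parses the text that `ipconfig /all` prints on Windows XP and reports any DNS server that is neither the adapter's gateway nor its DHCP server nor on a caller-supplied trusted list. The adapter, MAC and addresses in the sample are constructed, and 203.0.113.53 (from the documentation address range) stands in for a resolver that did not come from the router.

```python
import re

# Constructed `ipconfig /all` output in Windows XP's layout (made-up values).
IPCONFIG_TEXT = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XP-BOX
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Generic Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# "Ethernet adapter Local Area Connection:" starts an adapter section.
ADAPTER_RE = re.compile(r"^\S.*adapter (?P<name>.+):$")
# "Key . . . . : value" rows; the dot leaders vary in length.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z \-]*?)\s*[. ]*:\s?(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: value}}; 'dns servers' is always a list."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {"dns servers": []})
            last_key = None
            continue
        if current is None:
            continue  # the global "Windows IP Configuration" block
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip().lower()
            val = m.group("val").strip()
            if last_key == "dns servers":
                if val:
                    current["dns servers"].append(val)
            else:
                current[last_key] = val
            continue
        # Second and later DNS servers are printed indented with no key.
        cont = line.strip()
        if cont and ":" not in line and last_key == "dns servers":
            current["dns servers"].append(cont)
    return adapters


def unexpected_dns(adapters, trusted=()):
    """(adapter, server) pairs whose resolver is not the adapter's gateway,
    not its DHCP server, and not in the caller's trusted set."""
    findings = []
    for name, a in adapters.items():
        allowed = set(trusted) | {a.get("default gateway"), a.get("dhcp server")}
        for srv in a["dns servers"]:
            if srv not in allowed:
                findings.append((name, srv))
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(IPCONFIG_TEXT)
    for name, srv in unexpected_dns(cfg):
        print(f"{name}: DNS server {srv} was not handed out by this adapter's router")
```

Run it on the saved output of `ipconfig /all` before and after switching the adapter to "Obtain DNS servers automatically" and rebooting; if the unexpected resolver is still listed afterwards, the setting is being put back by something on the machine. Pass your ISP's resolvers in `trusted` if the router does not act as the DNS forwarder.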

59.60.149.118
by Willy3 / November 12, 2008 8:57 AM PST

I reran MBAM and it found 1 infected file:

Files Infected:
C:\System Volume Information\_restore{C91589B8-6580-431E-9DD1-72B4E3B61780}\RP345\A0084993.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

My tcp/ip was set to select DNS automatically, but I reset it anyway, and flushed the DNS. The message "email scanner accessing 59.60.149.118" appeared again right after I rebooted and opened Bit Torrent Ver 6.1.1. Is there any way to check this program before I delete it and reinstall it?
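Willy3's question (is there a way to check the program before deleting it) and roddy32's whois result earlier in the thread fit together: the whois `inetnum` line gives the address range, and `netstat -ano` on XP lists every connection with the owning process ID. The script below is an added example, not from the thread or from any vendor: it turns the inetnum range into CIDR networks, parses netstat rows, and reports which PIDs hold connections into that range. Both the whois excerpt and the netstat output are constructed samples (the whois fields are the ones roddy32 quoted; the local addresses, ports and PIDs are made up).

```python
import ipaddress
import re

# Constructed whois excerpt carrying the fields quoted in the thread.
WHOIS_TEXT = """\
inetnum: 59.56.0.0 - 59.61.255.255
netname: CHINANET-FJ
descr: CHINANET fujian province network
country: CN
"""

# Constructed `netstat -ano` output; local addresses, ports and PIDs are made up.
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      59.60.149.118:80       ESTABLISHED     1844
  TCP    192.168.1.10:1052      198.51.100.7:443       ESTABLISHED     2212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    192.168.1.10:6881      *:*                                    1844
"""

INETNUM_RE = re.compile(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)\s*$", re.M)
# proto, local, foreign, optional state (UDP rows have none), pid
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_inetnum(whois_text):
    """Turn the whois 'inetnum' first-last range into a list of CIDR networks."""
    m = INETNUM_RE.search(whois_text)
    if m is None:
        raise ValueError("no inetnum line in whois output")
    first, last = (ipaddress.ip_address(g) for g in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def in_netblock(ip, networks):
    """True when ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_netstat(netstat_text):
    """Yield (proto, remote_ip, remote_port, state, pid) for each connection row."""
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # banner and column-header lines
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        try:
            remote_ip = str(ipaddress.ip_address(host.strip("[]")))
        except ValueError:
            continue  # '*:*' wildcards carry no peer address
        yield proto, remote_ip, port, state or "", int(pid)


def pids_talking_to(netstat_text, networks):
    """Map each PID to the set of remote addresses it has inside `networks`."""
    hits = {}
    for _proto, remote_ip, _port, _state, pid in parse_netstat(netstat_text):
        if in_netblock(remote_ip, networks):
            hits.setdefault(pid, set()).add(remote_ip)
    return hits


if __name__ == "__main__":
    nets = parse_inetnum(WHOIS_TEXT)
    print("netblock:", [str(n) for n in nets])
    print("59.60.149.118 in range:", in_netblock("59.60.149.118", nets))
    for pid, addrs in pids_talking_to(NETSTAT_TEXT, nets).items():
        print(f"PID {pid} -> {sorted(addrs)}")
```

With a real capture, save `netstat -ano` output to a file while the popup is showing, feed it to `pids_talking_to`, and map the PID back to an executable with `tasklist`; that answers whether the torrent client itself, a helper it started, or an unrelated process owns the connection, before anything is uninstalled.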

NOT a cure - only a reminder..
by Carol~ Moderator / November 12, 2008 10:18 AM PST
In reply to: 59.60.149.118

Willy...

If you hadn't yet updated to Database Version 1390, at the time you ran this scan yesterday, MBAM was detecting Trojan.Vundo "falsely". In other words, it was a false positive. Since Malwarebytes' fixes them rather quickly, I would make sure to update MBAM before scanning. If not that, go to that part of their forum where False Positive's are reported. See if a false positive has been confirmed, but has yet to be fixed. I realize it's not of importance now, but I do think it's worth noting for the future.

Best of luck getting this all straightened out..
Carol

59.60.149.118
by Willy3 / November 12, 2008 11:34 AM PST

I had updated to ver 1390 before I ran the scan, and I just updated again to ver. 1391. It would appear that the virus is attached to bittorrent as it attempts to email shortly after it loads. I have been using this program for about 9 mos. and have not run into this before last week. Just reviewed the bittorrent troubleshooting forum and this problem has been discussed at length and it appears that it came with their btdna program, a built in trojan from the software developer. I believe it's time to change to another program.

Thanks for the help.

AVG e-mail scanner - connecting to 59.60.149.118
by DirkDigler840 / November 12, 2008 12:25 PM PST
In reply to: 59.60.149.118

I am having the same problem too. I tried every malware/spyware program mentioned, I keep getting the AVG email connecting to 59.60.149.118.
I am using uTorrent. I don't know if they are the same program, but I noticed I'm getting the AVG message shortly after I open uTorrent and it goes away shortly after I shut the program down.
What should I do?
is bittorrent and uTorrent made by the same programmer?
If I remove the program, will that get rid of this?

59.60.149.118
by Willy3 / November 12, 2008 1:21 PM PST

I don't know much about u torrent. I just deleted bittorrent off of my system and I'm going to wait a few days before I load another torrent program so that I can see if there are any other issues. I'll let you know what happens.

See this discussion http://forum.bittorrent.com/viewtopic.php?id=28 for more information.

Bit Torrent DNA
by AgFox70 / November 12, 2008 3:27 PM PST
In reply to: 59.60.149.118

The latest version of BitTorrent has a really useful feature, DNA in it that 'speeds up the internet by downloading in parallel from multiple sources'. So basically your entire web-browsing experience is being posted as a torrent.

What a truly evil piece of malware this is - what are they thinking! I have used BitTorrent for a while for downloading VMWare ISOs and found my web experience just died after this got onto my system. What is the chance of you managing to communicate with other people wanting to access the same content and then pooling resources?

AVG is about all that picks this up as malware.. BitTorrent admins blame poor heuristic scanning. Considering DNA is installed without telling you and cannot be installed, at best it blurs the border between application and malware.... do you want to share out your web activity with some guy in China?! Perhaps our helpful friends in CHINANET-FJ will help me download my online banking details if I'm posting my web behaviour as a torrent?.... great thinking bittorrent!

Of course, it is possible that a rogue developer left backdoors in this technology (or someone is just taking advantage of vulnerability in the software).

Share the user experience in the URL in Willy3's post (also includes regedit installation method as supplied uninstaller does nothing!)

http://forum.bittorrent.com/viewtopic.php?id=28

59.60.149.118
by DirkDigler840 / November 12, 2008 10:12 PM PST
In reply to: Bit Torrent DNA

I have noticed this is happening with most if not all torrent sharing software within a week.
I just deleted uTorrent, and the AVG e-mail scanner is not accessing 59.60.149.118 anymore.
I don't know if this did the trick.
Looks like no more torrent sharing for a while.

59.60.149.118
by Willy3 / November 16, 2008 5:03 AM PST
In reply to: 59.60.149.118

It's been four days and I haven't had any more problems, although I'm running Mbam every day after each online session. After looking at as many bittorrent programs as I could find, I am trying VUZE (formerly Azureus). Although it's a bit of a memory hog, I haven't had any problems (so far). It doesn't have as many features as bittorrent, it's not as user friendly, and the screen is not as good (less info. available at a quick glance) but it seems to work ok.
