
My laptop is sending pop3 to some English ISP


bignickel
27th May 2006, 11:18 AM
I bought a new Toshiba laptop back in November in the States, and am currently in Tokyo.

Some time ago I noticed AVG had popped up a note about the email scanner checking an outgoing pop3 to an IP address. Since all my email is done by Yahoo webmail, I couldn't figure out what was going on. Before I could grab the IP, it was gone. This happened 1 or 2 times, then I forgot about it.

Tonight, I spotted it again, but this time got the IP. I tracked it down to somewhere in the RIPE region, and from RIPE, tracked it back to an English ISP.

So, if you have any ideas what I can do at this point to see what's what, please PM me.

note: I ran Hijackthis, and didn't spot anything especially odd. There is only one piece of adware on my machine that I know of: the one that gets installed when you install BSPlayer, whenu.com. However, that's a New York outfit, so I don't know why they'd get info from an English IP address.

EDITED to add: looking through my AVG logs: evidently, a pop3 to a Norway provider a few weeks ago. Very odd.

Cheesejoff
27th May 2006, 11:40 AM
It could be spyware rather than a virus - try running Spybot S&D or Ad-Aware.

I had something similar where my PC kept sending emails to a foreign IP, but I managed to get rid of it with spybot.

Rat
27th May 2006, 06:33 PM
Do you not have a firewall to prevent this sort of thing? That at least would tell you which application is dialling out. And I obviously don't mean the XP firewall, which is fine at what it does, but what it does ain't checking outbound connections.

Cheers,
Rat.

bignickel
28th May 2006, 12:32 AM
I ran ad-aware and it detected a casino adware, and something known as extra.exe. We'll see if that did the trick.

Here's the attempt made on 5/9. If you type the IP address into a browser, you'll see the site owner has noticed a very large amount of visitors to that IP, and has written up a little Shockwave note to visitors to the page:

9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Connection from process 4004
9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Connection from 127.0.0.1:1263
9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Will connect to 193.216.31.4:110
9.5.2006 14:38:12.250 [b6c] AutoPOP3(10110): Client connected
9.5.2006 14:38:12.250 [b6c] OpenInternet = 0
9.5.2006 14:38:12.250 [b6c] AddTrayIcon()
9.5.2006 14:38:13.578 [b6c] AutoPOP3(10110): Connected to 216-31-4.0505.adsl.tele2.no:110
9.5.2006 14:38:13.578 [b6c] AutoPOP3(10110): PROXY:R:+OK Microsoft Windows POP3 Service Version 1.0 <119082593@media> ready.
9.5.2006 14:38:13.578 [b6c] AutoPOP3(10110): PROXY:S:+OK AVG POP3 Proxy Server <119082593@media> 7.1.371/7.1.392 [268.5.5/333]

The_Fire
28th May 2006, 02:36 AM
Do you not have a firewall to prevent this sort of thing? That at least would tell you which application is dialling out. And I obviously don't mean the XP firewall, which is fine at what it does, but what it does ain't checking outbound connections.

Cheers,
Rat.

I recommend Kerio.

kevin
28th May 2006, 09:47 AM
Too late now, but the first line in that log indicates it is process 4004 that is initiating the connection. Bring up the task manager and see what process 4004 is.
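
An added example, not part of anyone's post in this thread: a small Python script that reads AVG e-mail scanner log lines of the format quoted above and pairs each "Connection from process N" entry with the "Will connect to host:port" entry on the same proxy thread, so the PID and the destination come out together. The sample log is the thread's own excerpt, embedded as constructed input; the allowed-host set is an assumption (empty here, since the poster only uses webmail and expects no POP3 at all).

```python
import re
from typing import Dict, List, Set

# Constructed sample: the AVG 7.1 e-mail scanner lines quoted earlier in this thread.
SAMPLE_LOG = """\
9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Connection from process 4004
9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Connection from 127.0.0.1:1263
9.5.2006 14:38:12.250 [7b0] AutoPOP3(10110): Will connect to 193.216.31.4:110
9.5.2006 14:38:12.250 [b6c] AutoPOP3(10110): Client connected
9.5.2006 14:38:12.250 [b6c] OpenInternet = 0
9.5.2006 14:38:13.578 [b6c] AutoPOP3(10110): Connected to 216-31-4.0505.adsl.tele2.no:110
"""

# "<date> <time> [<thread id>] <message>" -- the thread id ties related lines together.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[0-9a-f]+)\] (?P<msg>.*)$")
PID_RE = re.compile(r"Connection from process (?P<pid>\d+)")
DST_RE = re.compile(r"Will connect to (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_proxy_log(text: str) -> List[Dict[str, object]]:
    """Pair each 'Connection from process N' line with the 'Will connect to'
    line logged by the same proxy thread; return one record per outbound attempt."""
    pending: Dict[str, Dict[str, object]] = {}
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AVG proxy line; ignore
        thread, msg = m["thread"], m["msg"]
        p = PID_RE.search(msg)
        if p:
            pending[thread] = {"time": m["ts"], "pid": int(p["pid"])}
            continue
        d = DST_RE.search(msg)
        if d and thread in pending:
            ev = pending.pop(thread)
            ev["dst_host"], ev["dst_port"] = d["host"], int(d["port"])
            events.append(ev)
    return events


def suspicious(events: List[Dict[str, object]], allowed_hosts: Set[str]) -> List[Dict[str, object]]:
    """Keep only attempts whose destination is not a mail server the user actually uses."""
    return [e for e in events if e["dst_host"] not in allowed_hosts]


if __name__ == "__main__":
    # Assumed: no legitimate POP3 server at all (webmail-only machine), so every hit is suspect.
    for e in suspicious(parse_proxy_log(SAMPLE_LOG), allowed_hosts=set()):
        # Resolve the PID while the process is still alive, e.g. tasklist /FI "PID eq 4004" on XP.
        print(f"{e['time']}: PID {e['pid']} -> {e['dst_host']}:{e['dst_port']}")
```

The PID is only meaningful while the process is still running, so the lookup has to happen as soon as the alert fires; an outbound-filtering firewall, as suggested above, records the executable path at connection time instead.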

bignickel
29th May 2006, 06:17 AM
That's what I might do the next time it shows itself. Or: I might just get a firewall to prevent ever messing with it.

My worry is that the 'process' will turn out to be a just-created, randomly-named file like ahajdskfh.dll, which will be auto-deleted anyway once the pop3 has been sent.