No POP3 -- Random, Erratic Occurrences
JDavid (reverse the d and k)
December 26th 03, 08:41 PM
I've been tracking this for a couple months, now.
Every few days, on bootup, somehow my system fails to assign port 110 to
pop3, so that when I try to download email, I get no response at the server.
Restarting eliminates the problem, and then everything works fine. This
occurred seven times in the last month -- and there is no pattern I can see
in the occurrences.
I believe this may be a flaw in the operation or setup of PC-cillin's
firewall, or perhaps due to the presence of an illicit ftp program.
However, I can not detect any Trojan residues on scan by PC-cillin.
This problem persisted after a clean reinstall of XP HE, although I used
FASTWiz to save my Files and Settings to CD, and re-loaded same after the
clean reinstall with a fresh, updated download of PC-cillin on board and
real time scan activated to detect viruses and Trojans.
Any suggestions?
--
Dave Kruger
Astoria, OR
David Candy
December 26th 03, 08:41 PM
You don't use 110. The server uses 110.
Record a log file and see what is happening. Type log files in OE's help.
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
JDavid (reverse the d and k)
December 26th 03, 08:41 PM
My system does not use port 110 to communicate with my mail server? News to
me. That's what netstat -a and netstat -an show from a Command Prompt.
How do I record a log file?
Thanks.
--
Dave Kruger
Astoria, OR
David Candy
December 26th 03, 08:41 PM
No, you connect to port 110 on the server. If netstat shows 110 then it
means people are picking up their mail off you. Netstat doesn't show 110
anyway; it shows pop3 for 110.
This is what netstat shows for mail
TCP mymachinename:4098 158.64.60.232:pop3 TIME_WAIT
My port is 4098 and mvps.org port is 110 (shown as pop3)
I told you how to find out how to create a log file.
<quote>
Type log files in OE's help
</quote>
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
JDavid (reverse the d and k)
December 26th 03, 08:44 PM
David,
1. I think my configuration is nonstandard because of the way PC-cillin
works its firewall. Below my sig are netstat and netstat -a outputs from the
command prompt for your analysis. I'd appreciate your input.
2. I set up log files for my Mail and News accounts as you suggested and
could not find a log file for either using Search -- nothing that had been
created or modified today looked like a log file for mail (smtp, pop3) or
news (nntp).
3. Any other suggestions?
Thanks.
--
Dave Kruger
Astoria, OR
--
C:\Documents and Settings\Dave>netstat
Active Connections
  Proto  Local Address          Foreign Address                 State
  TCP    DAVID:1032             localhost:pop3                  TIME_WAIT
  TCP    DAVID:1030             corp-radius.supernews.com:nntp  ESTABLISHED
C:\Documents and Settings\Dave>netstat -a
Active Connections
  Proto  Local Address          Foreign Address                 State
  TCP    DAVID:epmap            DAVID:0                         LISTENING
  TCP    DAVID:microsoft-ds     DAVID:0                         LISTENING
  TCP    DAVID:641              DAVID:0                         LISTENING
  TCP    DAVID:1025             DAVID:0                         LISTENING
  TCP    DAVID:1027             DAVID:0                         LISTENING
  TCP    DAVID:pop3             DAVID:0                         LISTENING
  TCP    DAVID:1028             DAVID:0                         LISTENING
  TCP    DAVID:1051             localhost:pop3                  TIME_WAIT
  UDP    DAVID:epmap            *:*
  UDP    DAVID:microsoft-ds     *:*
  UDP    DAVID:isakmp           *:*
  UDP    DAVID:1026             *:*
  UDP    DAVID:1029             *:*
  UDP    DAVID:1035             *:*
  UDP    DAVID:1036             *:*
  UDP    DAVID:ntp              *:*
  UDP    DAVID:ntp              *:*
David Candy
December 26th 03, 08:44 PM
Well, I don't understand your netstat. Disable PC-cillin and see if that
helps. When NAV first released email checking it just hung machines. Your
computer is listening on 110 and connecting to itself on 110 (on the local
machine address - 127.0.0.1 is always the local machine). Maybe it's
listening to itself.
TCP DAVID:1051 localhost:pop3 TIME_WAIT
Is what appears to be your mail.
The log files are with the other OE files. In Tools - Options -
Maintenance - Store Folder it will tell you where (randomly generated folder
name). It's got pop in its name. I don't want to turn it on (gets very big
if one forgets to turn it off).
Have you looked at the PC-cillin web site for hints?
Use netstat -a -o then look the PID column up in
tasklist (type it in the console).
Unless you are actually connected it will prob be 0, so hit send/receive and
do netstat before the S/R finishes. This is to confirm/deny PC-cillin and
see what is using YOUR POP3.
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
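The check suggested in the reply above (run netstat -a -o, then look the PID up in tasklist), together with the earlier point that a mail client connects from a high local port to port 110 on the server, as an added example that is not part of the original thread. The sample outputs are constructed, the addresses come from documentation ranges, `example-mailscan.exe` is a hypothetical name for a local mail-scanning proxy, and the tasklist sample assumes `tasklist /fo csv /nh` formatting.

```python
import csv
import io

POP3_PORT = 110
SERVICE_PORTS = {"pop3": 110, "nntp": 119}  # names netstat prints without -n
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

# Constructed sample in the layout of `netstat -a -n -o` (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1492
  TCP    127.0.0.1:1051         127.0.0.1:110          ESTABLISHED     2044
  TCP    192.0.2.10:1060        198.51.100.25:110      ESTABLISHED     1492
  TCP    192.0.2.10:1030        198.51.100.40:119      ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`.
# example-mailscan.exe is a hypothetical proxy; msimn.exe is Outlook Express.
TASKLIST_SAMPLE = '''\
"svchost.exe","880","Console","0","3,120 K"
"svchost.exe","1100","Console","0","4,004 K"
"example-mailscan.exe","1492","Console","0","9,876 K"
"msimn.exe","2044","Console","0","12,340 K"
'''


def split_endpoint(text):
    """Split 'host:port' into (host, port); port is None if it cannot be resolved."""
    host, _, port = text.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())


def parse_netstat(text):
    """Return the TCP rows of netstat output as dicts; the PID column is optional."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # headers, blank lines and UDP rows
        _, local_port = split_endpoint(fields[1])
        remote_host, remote_port = split_endpoint(fields[2])
        pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        rows.append({
            "local": fields[1], "remote": fields[2], "state": fields[3],
            "local_port": local_port, "remote_host": remote_host.lower(),
            "remote_port": remote_port, "pid": pid,
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(rec[1]): rec[0]
            for rec in csv.reader(io.StringIO(text))
            if len(rec) >= 2 and rec[1].isdigit()}


def classify(row):
    """Name the role a TCP row plays with respect to POP3, or None if unrelated."""
    if row["state"] == "LISTENING" and row["local_port"] == POP3_PORT:
        return "local-pop3-listener"        # this machine accepts POP3 connections
    if row["remote_port"] == POP3_PORT:
        if row["remote_host"] in LOOPBACK_HOSTS:
            return "client-to-local-listener"   # mail client talks to the local listener
        return "client-to-remote-server"        # ordinary client connection to a mail server
    return None


def pop3_findings(netstat_text, tasklist_text=""):
    """Return (kind, pid, image, local, remote) for every POP3-related TCP row."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        kind = classify(row)
        if kind is None:
            continue
        # A missing PID column, or PID 0 on a closed (TIME_WAIT) connection,
        # cannot be matched to a process; capture while the transfer is running.
        image = images.get(row["pid"], "unknown")
        findings.append((kind, row["pid"], image, row["local"], row["remote"]))
    return findings


if __name__ == "__main__":
    for finding in pop3_findings(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(finding)
```

The process that owns the listener on 110 is the one to identify: in the constructed sample it is the same process that holds the outbound connection to the remote server, which is the pattern of a local mail-scanning proxy.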
David Candy
December 26th 03, 08:44 PM
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13831
http://kb.trendmicro.com/solutions/Pagingreport.asp?cmbProduct=17&cmbCategory=23&txtKeyword=pop3&cmbResults=100&radMatch=or&radSearchAgainst=f&radDisplay=1&radKey=Score&radOrder=DESC&SubmitAgain=Y
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
JDavid (reverse the d and k)
December 26th 03, 08:45 PM
David,
I think I may have some malware on board.
When I tried to chase down the message store for those pop3 log files, your
suggestion was to hit OE>Tools>Options>Maintenance>Store Folder. That gives
this path:
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{36613448-F916-4877-A30E-E864A1107824}\Microsoft\Outlook Express
There is no "Local Settings" folder shown under C:\Documents and Settings\Dave
User Dave has a limited account, so I checked the other accounts. Here's
what I found:
My Administrator account (I am administrator) __also__ did not show a "Local
Settings" folder.
Accounts for limited users who, in contrast to Dave and Administrator, have
made no attempt to set up their accounts for internet use __do__ have a
"Local Settings" folder to access.
In other words, looks like somehow my access to those folders has been
restricted, or they have been turned into hidden folders. AFAIK, I have not
configured the View of My Computer to hide anything.
Any clues? This has certainly got me scratching my head!
--
Dave Kruger
Astoria, OR
David Candy
December 26th 03, 08:45 PM
It's a hidden folder. Either turn on show hidden in folder options or
paste that string into start - run - it will just open the folder (I just
assume everyone does that - I use Start Run for starting most programs -
easier than the start menu.).
Did you read those links? Several seem to describe your problem.
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
"JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in =
message ...
> David,
>=20
> I think I have may have some malware on board.
>=20
> When I tried to chase down the message store for those pop3 log files, =
your
> suggestion was to hit OE>Tools>Options>Maintenance>Store Folder. That =
gives
> this path:
> C:\Documents and Settings\Dave\Local Settings\Application
> =
Data\Identities\{36613448-F916-4877-A30E-E864A1107824}\Microsoft\Outlook
> Express
>=20
> There is no "Local Settings" folder shown under C:\Documents and
> Settings\Dave
>=20
> User Dave has a limited account, so I checked the other accounts. =
Here's
> what I found:
>=20
> My Administrator account (I am administrator) __also__ did not show a =
"Local
> Settings" folder.
>=20
> Accounts for limited users who, in contrast to Dave and Administrator, =
have
> made no attempt to set up their accounts for internet use __do__ have =
a
> "Local Settings" folder to access.
>=20
>=20
> In other words. looks like somehow my access to those folders has been
> restricted, or they have been turned into hidden folders. AFAIK, I =
have not
> configured the View of My Computer to hide anything.
>=20
> Any clues? This has certainly got me scratching my head!
>=20
> --=20
> Dave Kruger
> Astoria, OR
JDavid \(reverse the d and k\)
December 26th 03, 08:45 PM
David,
Again, many thanks for your patient help.
Oh man. Doh. I knew I had made hidden folders unavailable for some of my
users, but had forgotten I did it for the Administrator. Found the mail log
and below my sig is a typical entry. This looks OK to me, but I can not
parse it all out. (I have "cobbled" my email address to avoid posting it to
the NG.) The smtp log looks completely vanilla, as does the nntp log.
On the links to TrendMicro: Yes, I scanned those. This one seems the most
pertinent:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13831
I'll set up a debug log and see what develops. Frankly, TrendMicro's
Support folks are very willing, but seem not to have the horses to do the
job. I've laid this problem in their laps in the past, and it often takes
two or three repetitions of a statement before they "get" it. I bet you can
guess why. In the end, I never did get an answer from them -- not even the
suggestion (per the URL above), to set up a debug log. Well, enough
whining. I'll report back on what I find.
--
Dave Kruger
Astoria, OR
--
Outlook Express 6.00.2800.1158
POP3 Log started at 05/19/2003 09:04:57
POP3: 09:04:57 [rx] +OK POP3 server ready
POP3: 09:04:57 [tx] USER
POP3: 09:05:01 [rx] +OK Password required.
POP3: 09:05:01 [tx] PASS ******
POP3: 09:05:01 [rx] +OK logged in from 216.239.177.30.
POP3: 09:05:01 [tx] STAT
POP3: 09:05:01 [rx] +OK 0 0
POP3: 09:05:01 [tx] QUIT
POP3: 09:05:02 [rx] +OK GRATZ!
POP3: 09:07:10 [rx] +OK POP3 server ready
POP3: 09:07:10 [tx] USER
POP3: 09:07:11 [rx] +OK Password required.
POP3: 09:07:11 [tx] PASS ******
POP3: 09:07:12 [rx] +OK logged in from 216.239.177.30.
POP3: 09:07:12 [tx] STAT
POP3: 09:07:12 [rx] +OK 0 0
POP3: 09:07:12 [tx] QUIT
POP3: 09:07:12 [rx] +OK GRATZ!
POP3: 09:09:46 [rx] +OK POP3 server ready
POP3: 09:09:46 [tx] USER
POP3: 09:09:48 [rx] +OK Password required.
POP3: 09:09:48 [tx] PASS ******
POP3: 09:09:49 [rx] +OK logged in from 216.239.177.30.
POP3: 09:09:49 [tx] STAT
POP3: 09:09:49 [rx] +OK 1 811
POP3: 09:09:49 [tx] LIST
POP3: 09:09:49 [rx] +OK POP3 clients that break here violate STD53.
POP3: 09:09:49 [rx] 1 811
POP3: 09:09:49 [rx] .
POP3: 09:09:49 [tx] RETR 1
POP3: 09:09:50 [rx] +OK at least 811 octets follow.
POP3: 09:09:50 [tx] DELE 1
POP3: 09:09:50 [rx] +OK Deleted.
POP3: 09:09:50 [tx] QUIT
"David Candy" > wrote in message
...
It's a hidden folder. Either turn on show hidden in folder options or paste
that string into start - run - it will just open the folder (I just assume
everyone does that - I use Start Run for starting most programs - easier
than the start menu.).
Did you read those links? Several seem to describe your problem..
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
"JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in message
...
> David,
>
> I think I may have some malware on board.
>
> When I tried to chase down the message store for those pop3 log files, your
> suggestion was to hit OE>Tools>Options>Maintenance>Store Folder. That gives
> this path:
> C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{36613448-F916-4877-A30E-E864A1107824}\Microsoft\Outlook Express
>
> There is no "Local Settings" folder shown under C:\Documents and
> Settings\Dave
>
> User Dave has a limited account, so I checked the other accounts. Here's
> what I found:
>
> My Administrator account (I am administrator) __also__ did not show a "Local
> Settings" folder.
>
> Accounts for limited users who, in contrast to Dave and Administrator, have
> made no attempt to set up their accounts for internet use __do__ have a
> "Local Settings" folder to access.
>
>
> In other words. looks like somehow my access to those folders has been
> restricted, or they have been turned into hidden folders. AFAIK, I have not
> configured the View of My Computer to hide anything.
>
> Any clues? This has certainly got me scratching my head!
>
> --
> Dave Kruger
> Astoria, OR
> "David Candy" > wrote in message
> ...
> http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13831
> http://kb.trendmicro.com/solutions/Pagingreport.asp?cmbProduct=17&cmbCategory=23&txtKeyword=pop3&cmbResults=100&radMatch=or&radSearchAgainst=f&radDisplay=1&radKey=Score&radOrder=DESC&SubmitAgain=Y
> --
> http://www.g2mil.com/Apr2003.htm
> http://www.sharpword.com/fascism.htm
> ---------------------------------------------------------------
> David Candy
> http://www.mvps.org/serenitymacros
> ---------------------------------------------------------------
> "David Candy" > wrote in message
> ...
> Well I don't understand your netstat. Disable PC-cillin and see if that
> helps. When NAV first released email checking it just hung machines. Your
> computer is listening on 110 and connecting to itself on 110 (on the local
> machine address - 127.0.0.1 is always the local machine). Maybe it's
> listening to itself.
>
> TCP DAVID:1051 localhost:pop3 TIME_WAIT
> Is what appears to be your mail.
>
> The log files are with the other OE files. In Tools - Options -
> Maintenance - Store Folder it will tell you where (randomly generated folder
> name). It's got pop in its name, I don't want to turn it on (gets very big
> if one forgets to turn it off).
>
> Have you looked at PC-cillin web site for hints.
>
> Use netstat -a -o then look the PID column up in
>
> tasklist (type it in the console).
>
> Unless you are actually connected it will prob be 0 so hit send/receive and
> do netstat before the S/R finishes. This is to confirm/deny PC-cillin and
> see what is using YOUR POP3.
>
> --
> http://www.g2mil.com/Apr2003.htm
> http://www.sharpword.com/fascism.htm
> ---------------------------------------------------------------
> David Candy
> http://www.mvps.org/serenitymacros
> ---------------------------------------------------------------
> "JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in message
> ...
> > David,
> >
> > 1. I think my configuration is nonstandard because of the way PC-cillin
> > works its firewall. Below my sig are netstat and netstat -a outputs from the
> > command prompt for your analysis. I'd appreciate your input.
> >
> > 2. I set up log files for my Mail and News accounts as you suggested and
> > could not find a log file for either using Search -- nothing that had been
> > created or modified today looked like a log file for mail (smtp, pop3) or
> > news (nntp).
> >
> > 3. Any other suggestions?
> >
> > Thanks.
> >
> > --
> > Dave Kruger
> > Astoria, OR
> > --
> >
> > C:\Documents and Settings\Dave>netstat
> >
> > Active Connections
> >
> > Proto Local Address Foreign Address State
> > TCP DAVID:1032 localhost:pop3 TIME_WAIT
> > TCP DAVID:1030 corp-radius.supernews.com:nntp ESTABLISHED
> >
> > C:\Documents and Settings\Dave>netstat -a
> >
> > Active Connections
> >
> > Proto Local Address Foreign Address State
> > TCP DAVID:epmap DAVID:0 LISTENING
> > TCP DAVID:microsoft-ds DAVID:0 LISTENING
> > TCP DAVID:641 DAVID:0 LISTENING
> > TCP DAVID:1025 DAVID:0 LISTENING
> > TCP DAVID:1027 DAVID:0 LISTENING
> > TCP DAVID:pop3 DAVID:0 LISTENING
> > TCP DAVID:1028 DAVID:0 LISTENING
> > TCP DAVID:1051 localhost:pop3 TIME_WAIT
> > UDP DAVID:epmap *:*
> > UDP DAVID:microsoft-ds *:*
> > UDP DAVID:isakmp *:*
> > UDP DAVID:1026 *:*
> > UDP DAVID:1029 *:*
> > UDP DAVID:1035 *:*
> > UDP DAVID:1036 *:*
> > UDP DAVID:ntp *:*
> > UDP DAVID:ntp *:*
> >
> >
> > "David Candy" > wrote in message
> > ...
> > No you connect to port 110 on the server. If netstat shows 110 then it means
> > people are picking up their mail off you. Netstat doesn't show 110 anyway it
> > shows pop3 for 110.
> >
> > This is what netstat shows for mail
> > TCP mymachinename:4098 158.64.60.232:pop3 TIME_WAIT
> >
> > My port is 4098 and mvps.org port is 110 (shown as pop3)
> >
> > I told you how to find out how to create a log file.
> > <quote>
> > Type log files in OE's help
> > </quote>
> > --
> > http://www.g2mil.com/Apr2003.htm
> > http://www.sharpword.com/fascism.htm
> > ---------------------------------------------------------------
> > David Candy
> > http://www.mvps.org/serenitymacros
> > ---------------------------------------------------------------
> > "JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in message
> > ...
> > > My system does not use port 110 to communicate with my mail server? News to
> > > me. That's what netstat -a and netstat -an show from a Command Prompt.
> > >
> > > How do I record a log file?
> > >
> > > Thanks.
> > >
> > > --
> > > Dave Kruger
> > > Astoria, OR
> > > "David Candy" > wrote in message
> > > ...
> > > You don't use 110. The server uses 110.
> > >
> > > Record a log file and see what is happening. Type log files in OE's help.
> > > --
> > > http://www.g2mil.com/Apr2003.htm
> > > http://www.sharpword.com/fascism.htm
> > > ---------------------------------------------------------------
> > > David Candy
> > > http://www.mvps.org/serenitymacros
> > > ---------------------------------------------------------------
> > > "JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in message
> > > ...
> > > > I've been tracking this for a couple months, now.
> > > >
> > > > Every few days, on bootup, somehow my system fails to assign port 110 to
> > > > pop3, so that when I try to download email, I get no response at the server.
> > > > Restarting eliminates the problem, and then everything works fine. This
> > > > occurred seven times in the last month -- and there is no pattern I can see
> > > > in the occurrences.
> > > >
> > > > I believe this may be a flaw in the operation or setup of PC-cillin'
> > > > firewall, or perhaps due to the presence of an illicit ftp program.
> > > > However, I can not detect any Trojan residues on scan by PC-cillin.
> > > >
> > > > This problem persisted after a clean reinstall of XP HE, although I used
> > > > FASTWiz to save my Files and Settings to CD, and re-loaded same after the
> > > > clean reinstall with a fresh, updated download of PC-cillin on board and
> > > > real time scan activated to detect viruses and Trojans.
> > > >
> > > > Any suggestions?
> > > >
> > > > --
> > > > Dave Kruger
> > > > Astoria, OR
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
David Candy
December 26th 03, 08:45 PM
That log shows two receives where there were no messages and one where it got 1 mail. Why does your pop server speak Italian (mafia?).
It's only of use of course when it has the problem, so just need to wait.
--
http://www.g2mil.com/Apr2003.htm
http://www.sharpword.com/fascism.htm
---------------------------------------------------------------
David Candy
http://www.mvps.org/serenitymacros
---------------------------------------------------------------
"JDavid (reverse the d and k)" <dkrugeratpacifierdotcom> wrote in message ...
> David,
>
> Again, many thanks for your patient help.
>
> Oh man. Doh. I knew I had made hidden folders unavailable for some of my
> users, but had forgotten I did it for the Administrator. Found the mail log
> and below my sig is a typical entry. This looks OK to me, but I can not
> parse it all out. (I have "cobbled" my email address to avoid posting it to
> the NG.) The smtp log looks completely vanilla, as does the nntp log.
>
> On the links to TrendMicro: Yes, I scanned those. This one seems the most
> pertinent:
> http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13831
>
> I'll set up a debug log and see what develops. Frankly, TrendMicro's
> Support folks are very willing, but seem not to have the horses to do the
> job. I've laid this problem in their laps in the past, and it often takes
> two or three repetitions of a statement before they "get" it. I bet you can
> guess why. In the end, I never did get an answer from them -- not even the
> suggestion (per the URL above), to set up a debug log. Well, enough
> whining. I'll report back on what I find.
>
> --
> Dave Kruger
> Astoria, OR
> --
> Outlook Express 6.00.2800.1158
> POP3 Log started at 05/19/2003 09:04:57
> POP3: 09:04:57 [rx] +OK POP3 server ready
> POP3: 09:04:57 [tx] USER
> POP3: 09:05:01 [rx] +OK Password required.
> POP3: 09:05:01 [tx] PASS ******
> POP3: 09:05:01 [rx] +OK logged in from 216.239.177.30.
> POP3: 09:05:01 [tx] STAT
> POP3: 09:05:01 [rx] +OK 0 0
> POP3: 09:05:01 [tx] QUIT
> POP3: 09:05:02 [rx] +OK GRATZ!
> POP3: 09:07:10 [rx] +OK POP3 server ready
> POP3: 09:07:10 [tx] USER
> POP3: 09:07:11 [rx] +OK Password required.
> POP3: 09:07:11 [tx] PASS ******
> POP3: 09:07:12 [rx] +OK logged in from 216.239.177.30.
> POP3: 09:07:12 [tx] STAT
> POP3: 09:07:12 [rx] +OK 0 0
> POP3: 09:07:12 [tx] QUIT
> POP3: 09:07:12 [rx] +OK GRATZ!
> POP3: 09:09:46 [rx] +OK POP3 server ready
> POP3: 09:09:46 [tx] USER
> POP3: 09:09:48 [rx] +OK Password required.
> POP3: 09:09:48 [tx] PASS ******
> POP3: 09:09:49 [rx] +OK logged in from 216.239.177.30.
> POP3: 09:09:49 [tx] STAT
> POP3: 09:09:49 [rx] +OK 1 811
> POP3: 09:09:49 [tx] LIST
> POP3: 09:09:49 [rx] +OK POP3 clients that break here violate STD53.
> POP3: 09:09:49 [rx] 1 811
> POP3: 09:09:49 [rx] .
> POP3: 09:09:49 [tx] RETR 1
> POP3: 09:09:50 [rx] +OK at least 811 octets follow.
> POP3: 09:09:50 [tx] DELE 1
> POP3: 09:09:50 [rx] +OK Deleted.
> POP3: 09:09:50 [tx] QUIT
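The session-by-session reading of the POP3 log given in the reply above can be automated, which is useful once logging is left on until the fault recurs. This is an added example, not code from the thread: the function names and the 3-second slow-reply threshold are assumptions, and the sample is the log text from the post above.

```python
import re
from datetime import datetime

# Line format of the Outlook Express POP3 log quoted in the post above.
LINE = re.compile(r"^POP3: (\d\d:\d\d:\d\d) \[(rx|tx)\] (.*)$")
STAT_OK = re.compile(r"^\+OK (\d+) (\d+)")

# The three sessions from that post, copied unchanged.
SAMPLE_LOG = """\
POP3: 09:04:57 [rx] +OK POP3 server ready
POP3: 09:04:57 [tx] USER
POP3: 09:05:01 [rx] +OK Password required.
POP3: 09:05:01 [tx] PASS ******
POP3: 09:05:01 [rx] +OK logged in from 216.239.177.30.
POP3: 09:05:01 [tx] STAT
POP3: 09:05:01 [rx] +OK 0 0
POP3: 09:05:01 [tx] QUIT
POP3: 09:05:02 [rx] +OK GRATZ!
POP3: 09:07:10 [rx] +OK POP3 server ready
POP3: 09:07:10 [tx] USER
POP3: 09:07:11 [rx] +OK Password required.
POP3: 09:07:11 [tx] PASS ******
POP3: 09:07:12 [rx] +OK logged in from 216.239.177.30.
POP3: 09:07:12 [tx] STAT
POP3: 09:07:12 [rx] +OK 0 0
POP3: 09:07:12 [tx] QUIT
POP3: 09:07:12 [rx] +OK GRATZ!
POP3: 09:09:46 [rx] +OK POP3 server ready
POP3: 09:09:46 [tx] USER
POP3: 09:09:48 [rx] +OK Password required.
POP3: 09:09:48 [tx] PASS ******
POP3: 09:09:49 [rx] +OK logged in from 216.239.177.30.
POP3: 09:09:49 [tx] STAT
POP3: 09:09:49 [rx] +OK 1 811
POP3: 09:09:49 [tx] LIST
POP3: 09:09:49 [rx] +OK POP3 clients that break here violate STD53.
POP3: 09:09:49 [rx] 1 811
POP3: 09:09:49 [rx] .
POP3: 09:09:49 [tx] RETR 1
POP3: 09:09:50 [rx] +OK at least 811 octets follow.
POP3: 09:09:50 [tx] DELE 1
POP3: 09:09:50 [rx] +OK Deleted.
POP3: 09:09:50 [tx] QUIT
"""

def _new(sessions, ts):
    sessions.append({"start": ts.strftime("%H:%M:%S"), "commands": [], "stat": None,
                     "errors": [], "unanswered": None, "slowest": (0, None)})
    return sessions[-1]

def parse_sessions(text):
    """One dict per session. A status line with no command outstanding is taken
    as a server greeting; other [rx] lines (LIST data) are skipped. Limitation:
    a greeting that follows an unanswered command is counted as its reply."""
    sessions, cur, pending, sent_at = [], None, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                          # header or blank line
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        direction, payload = m.group(2), m.group(3).strip()
        if direction == "tx":
            cur = cur or _new(sessions, ts)   # excerpt may begin mid-session
            pending, sent_at = (payload.split() or ["?"])[0].upper(), ts
            cur["commands"].append(pending)
        elif payload.startswith(("+OK", "-ERR")):
            if pending is None:               # greeting: start a new session
                cur = _new(sessions, ts)
            else:                             # reply to the outstanding command
                delay = int((ts - sent_at).total_seconds() % 86400)  # survives midnight
                if delay > cur["slowest"][0]:
                    cur["slowest"] = (delay, pending)
            if payload.startswith("-ERR"):
                cur["errors"].append((pending or "GREETING", payload))
            elif pending == "STAT" and STAT_OK.match(payload):
                cur["stat"] = tuple(int(n) for n in STAT_OK.match(payload).groups())
            pending = None
    if cur is not None and pending is not None:
        cur["unanswered"] = pending           # log ends with a command in flight
    return sessions

def findings(session, slow_seconds=3):
    """Flags worth a second look: server errors, missing replies, slow replies."""
    out = [f"{cmd} rejected: {reply}" for cmd, reply in session["errors"]]
    if session["unanswered"]:
        out.append(f"no reply logged for {session['unanswered']}")
    delay, cmd = session["slowest"]
    if delay >= slow_seconds:
        out.append(f"{cmd} reply took {delay} s")
    return out
```

Calling `findings()` on each dict returned by `parse_sessions()` gives an empty list for a clean session, so only the sessions recorded while the fault is present need reading by hand.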