Strange outgoing connections


<DreamCatcher>
February 20th, 2006, 07:50 AM
Hi all,

Today, for some strange reason, my firewall Zone Alarm Pro alerted me that 'McVSEscn.exe located in program files' was attempting to connect out to 82.173.58.141:110 > destination DNS > ip141-58-173-82.dyndsl.versatel.nl. Being it was McAfee I thought OK, but as soon as I thought about it I quickly blocked it. The reason being I'm not using POP3 and don't download my emails. I have never seen this type of strange connection before. First I Googled to see if anyone has had similar things happen, and I found only this link:

http://www.experts-exchange.com/Security/Win_Security/Q_21731830.html

''82.173.58.141 = [ ip141-58-173-82.dyndsl.versatel.nl ]''

Then I searched for what both IP addresses were and came up with this. I'm confused, because even if this was legit, I'm in the UK, not the Netherlands, so why was McAfee trying to connect out to this address to receive mail? I was using P2P at the time, so maybe this has something to do with it?

I would really appreciate any advice.

Thanks in advance.

82.173.58.141
-------------------------------------------------------------------------

Information related to '82.173.56.0 - 82.173.63.255'

inetnum: 82.173.56.0 - 82.173.63.255
netname: VERSATEL-CONSUMER-2
descr: Versatel Consumer is one of the largest ISP's in the Netherlands
descr: Bras Alkmaar
country: NL
admin-c: ZA134-RIPE
tech-c: ZA134-RIPE
tech-c: VT1029-RIPE
remarks: ------------------------------------------
remarks: For abuse issues please contact
remarks: abuse@versatel.nl
remarks: ------------------------------------------
status: ASSIGNED PA
mnt-by: AS13127-MNT
source: RIPE # Filtered

role: ZONnet Administrator
address: Hullenbergweg 101
address: 1101 CL Amsterdam Zuidoost
address: the Netherlands
phone: +31 (0)20 7507772
fax-no: +31 (0)20 7507750
admin-c: AZ260-RIPE
tech-c: AZ260-RIPE
tech-c: VT1029-RIPE
nic-hdl: ZA134-RIPE
remarks: -------------------------------------------
remarks: For abuse issues please contact
remarks: abuse@zonnet.nl
remarks: ------------------------------------------
mnt-by: AS13127-MNT
source: RIPE # Filtered

role: VT HOSTMASTER
address: Hullenbergweg 101
address: 1101 CL Amsterdam ZuidOost
address: The Netherlands
remarks: trouble: For ZON related abuse issues please contact abuse@zonnet.nl
remarks: trouble: For all abuse issues please contact abuse@versatel.net
admin-c: RVDK1-RIPE
tech-c: RVDK1-RIPE
tech-c: ROBH1-RIPE
tech-c: RW487-RIPE
nic-hdl: VT1029-RIPE
remarks: This is the Versatel hostmaster role
remarks: Please direct all queries to this role and *not* to person objects
mnt-by: AS13127-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@zonnet.nl
abuse-mailbox: abuse@zonnet.nl
abuse-mailbox: abuse@versatel.net

% Information related to '82.172.0.0/14AS13127'

route: 82.172.0.0/14
descr: Versatel customers
origin: AS13127
mnt-by: AS13127-MNT
source: RIPE # Filtered


141.58.173.82
---------------------------------------------------------------------

OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 141.149.0.0 - 141.158.255.255
CIDR: 141.149.0.0/16, 141.150.0.0/15, 141.152.0.0/14, 141.156.0.0/15, 141.158.0.0/16
NetName: VIS-141-149
NetHandle: NET-141-149-0-0-1
Parent: NET-141-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate:
Updated: 2005-04-21

RTechHandle: ZV20-ARIN
RTechName: Verizon Internet Services
RTechPhone: +1-703-295-4583
RTechEmail: IPNMC@gnilink.net

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: IPNMC@gnilink.net

# ARIN WHOIS database, last updated 2006-02-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

<DreamCatcher>
February 20th, 2006, 09:22 PM
Hey,

This is strange I have found another link about this IP address >

http://forum.grisoft.cz/freeforum/read.php?8,59680,backpage=8,sv=

One thing I forgot to mention was that certain programs in Task Manager had rather long PIDs, longer than I have ever seen. Maybe unrelated, but I would sure like to know what was going on!

CrazyM
February 21st, 2006, 02:50 AM
-{ Quote: "Today for some strange reason My firewall Zone Alarm pro alerted me to 'McVSEscn.exe located in program files' was attempting to connect out to 82.173.58.141 :110 > destination dns > ip141-58-173-82.dyndsl.versatel.nl." }-
Do your logs show what other connections were occurring around the same time?
-{ Quote: "One thing I forgot to mention was that certain programs in task manager had rather long PIDS, more than i have ever seen." }-
Have you checked them to make sure they are legitimate processes?

Regards,

CrazyM

noway
February 21st, 2006, 07:21 AM
Have you re-checked the email accounts on your computer to make sure they are still disabled?

Just guessing, but maybe the McAfee process got fooled into checking something that wasn't a valid email. Perhaps this could be caused by accessing a web page where the address 82.173.58.141:110 was embedded in the code or as a link you clicked on... then McAfee intercepted it thinking it was an email. Do you remember what you were doing at the time?

FirePost
February 21st, 2006, 07:31 PM
Some sites use lower ports such as POP3 or even DNS to get around restrictions set by either the ISP or the administrator of their network, at school for example.
-{ Quote: "1880 Campus Commons Dr" }-
They disguise the P2P traffic by using reserved service ports. McAfee and AVG run as proxies, so any communication on the "email" ports causes them to try to handshake. Set your rules for the P2P application to block anything under 1025.

<DreamCatcher>
February 22nd, 2006, 07:59 AM
-{ Quote: "Do your logs show what other connections were occurring around the same time?" }-

Hi, CrazyM,

At that time I was getting the usual blocked incoming connections that were either dropped or failed BitTorrent connections, type medium. The only other strange thing occurring at that time was Vsmon.exe started to go a bit mad, making and dropping connections, as I was watching it in TCPView.
Zone Alarm log:

PE,2006/02/20,03:18:26 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
ACCESS,2006/02/20,03:18:32 +0:00 GMT,McAfee VirusScan E-mail Scan Module was temporarily blocked from connecting to the Internet (82.173.58.141: POP3).,N/A,N/A
'PE,2006/02/20,03:16:04 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A


-{ Quote: "Have you checked them to make sure they are legitimate processes?" }-
I think the ones with the long PIDs were from a bad start-up, as they were legit programs such as Task Manager and mcmnhdlr.exe. I have scanned my system with KAS online, McAfee, Ewido and A-Squared, and they show no trojan or any type of malware! I also used a program called 'program checker' that checks the MD5 checksum of running programs/EXEs, and they were legit.

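As an added example (not code from the thread or from any of the posters), here is a small Python script that parses ZoneAlarm PE records like the three log lines above, decodes the ip141-58-173-82 reverse name back to the address ZoneAlarm actually logged (the first post's second whois query, 141.58.173.82, is that name's octets read forwards, not the logged peer), and flags a process talking to a mail port on a machine with no mail client, in the spirit of FirePost's under-1025 rule. The log sample is constructed from the quoted lines, and the port policy constants are assumptions, not ZoneAlarm or McAfee settings.

```python
import re

# Constructed sample, modelled on the three ZoneAlarm Pro lines quoted in the thread
# (the stray leading quote on the last line is reproduced on purpose).
ZA_LOG = """\
PE,2006/02/20,03:18:26 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
ACCESS,2006/02/20,03:18:32 +0:00 GMT,McAfee VirusScan E-mail Scan Module was temporarily blocked from connecting to the Internet (82.173.58.141: POP3).,N/A,N/A
'PE,2006/02/20,03:16:04 +0:00 GMT,McAfee VirusScan E-mail Scan Module,82.173.58.141:110,N/A
"""

# Hypothetical policy values (assumptions), not ZoneAlarm or McAfee settings.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}
LOW_PORT_MAX = 1024  # FirePost's rule of thumb: nothing under 1025 for the P2P client

# PE record: PE,<date>,<time>,<program>,<ip>:<port>,<...>; ACCESS records are skipped.
PE_RE = re.compile(
    r"^PE,(?P<date>[^,]+),(?P<time>[^,]+),(?P<program>[^,]+),(?P<ip>[\d.]+):(?P<port>\d+),"
)
PTR_RE = re.compile(r"^ip(\d+)-(\d+)-(\d+)-(\d+)\.")


def parse_pe_events(log_text):
    """Return (timestamp, program, ip, port) for each ZoneAlarm PE (permission) record."""
    events = []
    for line in log_text.splitlines():
        m = PE_RE.match(line.lstrip("'"))  # tolerate the pasted stray quote
        if m:
            events.append((f"{m['date']} {m['time']}", m["program"], m["ip"], int(m["port"])))
    return events


def ptr_name_to_ip(hostname):
    """Decode an 'ipA-B-C-D.<domain>' reverse name. The thread's own mapping
    (82.173.58.141 = ip141-58-173-82...) shows the octets are listed in reverse."""
    m = PTR_RE.match(hostname)
    return ".".join(reversed(m.groups())) if m else None


def flag_mail_port_events(events, mail_client_configured):
    """Report any process talking to a mail port on a box with no mail client.
    In the thread the peer turned out to be a BitTorrent host using port 110, so
    the scanner's outbound 'POP3' connection is the thing to examine."""
    findings = []
    for ts, program, ip, port in events:
        if port <= LOW_PORT_MAX and port in MAIL_PORTS and not mail_client_configured:
            findings.append(f"{ts}: {program} -> {ip}:{port} ({MAIL_PORTS[port]}) with no mail client configured")
    return findings
```
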
<DreamCatcher>
February 22nd, 2006, 08:03 AM
-{ Quote: "Have you re-checked the email accounts on your computer to make sure they are still disabled?

Just guessing but maybe the McAfee process got fooled into checking something that wasn't a valid email. Perhaps this could be caused by accessing a web page where the address 82.173.58.141 :110 was embedded in the code or as a link you clicked on...then McAfee intercepted it thinking it was an email. Do you remember what you were doing at the time?" }-

Hi, Noway,

Outlook has always been blocked from accessing the internet, and to be honest I just don't use it. I did check to see if there were any accounts: none.

CrazyM
February 23rd, 2006, 01:54 AM
Do you have any e-mail clients configured that would use outbound POP3?

Regards,

CrazyM

<DreamCatcher>
February 23rd, 2006, 04:01 PM
Hey,

I just wanted to thank you guys for your help/advice. FirePost, you were right: for some reason I still don't get, McAfee was mistaking the traffic from this > ip141-58-173-82.dyndsl.versatel.nl:pop3, due to the fact that they were using a lower port. I stopped the McAfee e-mail module connecting and my BitTorrent program then established the connection without any problems.

FirePost
February 23rd, 2006, 08:51 PM
-{ Quote: "... for some reason I still don't get McAfee was mistaking the traffic... ip141-58-173-82.dyndsl.versatel.nl:pop3..." }-
Don't be too hard on McAfee. Traffic on port 110 is supposed to be email ;)