Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Tuck on October 17, 2005, 09:34:31 AM

Title: Open Ports
Post by: Tuck on October 17, 2005, 09:34:31 AM
Hi
I have just installed Avast and noticed that I have many more open ports than usual. As I write, with just this page open, there are 20 open ports. More to the point, I noticed that my computer was connected to a known problem server (reverse the planet), thought to be a bot collecting email addresses and more (there is a suggestion of online banking fraud on some forums). What I need to know is whether this is normal when Avast AV is installed and, if so, is it necessary.
Thanks Tuck
Title: Re: Open Ports
Post by: igor on October 17, 2005, 09:47:12 AM
No, that's certainly not normal.
Maybe some undetected malware is running in the background... I'd suggest checking what application has actually opened these ports (e.g. using TcpView (http://www.sysinternals.com/Utilities/TcpView.html)).
Title: Re: Open Ports
Post by: FreewheelinFrank on October 17, 2005, 10:01:18 AM
Hi Tuck,

When removing malware, one anti-virus program never catches everything. I suggest you take these steps:

1. Ensure avast! and your anti-spyware programs are up to date.
2. Download Ewido anti-Trojan Program, install and update.
3. Download Trend Micro Sysclean and the latest definitions file.
4. Download a free firewall if you don't have one.
5. Go off line.
6. Run an avast! boot time scan. (If your OS doesn't allow this, run a normal scan.) When this is done, reboot into safe mode and run Sysclean and Ewido.
7. Install the firewall. If you have a firewall, check which application has opened the connection if it's still active (as Igor said) and block it.
8. Run Process Explorer and check for suspicious processes: bots sometimes have an evil icon in ProcessExplorer. (Nice!)
9. Post a HijackThis log so we can check you're clean.

Ewido anti-Trojan:

http://www.ewido.net/en/

Trend Micro Sysclean:

Quote
For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

Select the one which says: If you are not a Trend Micro customer...

Sysclean definitions (pattern file):

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Instructions and link for HijackThis!

http://www.bleepingcomputer.com/forums/tutorial42.html

Process Explorer:

http://www.sysinternals.com/Utilities/ProcessExplorer.html
Title: Re: Open Ports
Post by: Tuck on October 17, 2005, 01:55:34 PM
::)

Hi
Thanks for the help. I have run everything suggested - found nothing! - phew!

Does Avast run any servers? Just a thought. The connection from reverse the planet was momentary. However, there was a connection. I gathered some more info - it may not be that useful, but it may illustrate what's happening:

(THIS IS POLLING CONTINUOUSLY, IS IT PART OF AVAST?)
explorer.exe:300   824E4D00   IRP_MJ_DEVICE_CONTROL   TCP:<none>      SUCCESS   IOCTL_TCP_QUERY_INFORMATION_EX

(IS THIS AVAST POLLING THROUGH LOCALHOST)
3472   82489EF8   TDI_SEND   TCP:127.0.0.1:1372   127.0.0.1:1373   SUCCESS   Length:1    
1501   48.54470163   firefox.exe:3472   8246BB38   TDI_EVENT_RECEIVE   TCP:0.0.0.0:1373   127.0.0.1:1372   MORE_PROCESSING_REQUIRED   Length:0 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH    
1502   48.54471387   firefox.exe:3472   826A2F00   TDI_RECEIVE   TCP:0.0.0.0:1373   127.0.0.1:1372   SUCCESS   

   
(FIREWALL CLOSED, NO BROWSER OPEN)
ashWebSv.exe:1696   TCP   sonscomputer:1359   67.15.193.147:http   ESTABLISHED

(FIREWALL UP, BROWSER OPEN WITH BLANK PAGE)
ashWebSv.exe:1696   TCP   sonscomputer:1359   ev1s-67-15-193-147.ev1servers.net:http   FIN_WAIT1   

Connects to Microsoft, but why is it connecting to mvps.org, which appears to be an association of Microsoft experts? This address is also associated with DNS, but not my ISP's DNS?
   
[System Process]:0   TCP   SonsComputer:12080   localhost:1104   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1106   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1091   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1094   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1100   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1082   mvps.org:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1088   207.46.19.30:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1090   65.54.194.118:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1097   207.46.19.30:http   TIME_WAIT   
firefox.exe:3700   TCP   SonsComputer:1098   localhost:1099   ESTABLISHED   
firefox.exe:3700   TCP   SonsComputer:1099   localhost:1098   ESTABLISHED   
lsass.exe:832   UDP   SonsComputer:isakmp   *:*      
lsass.exe:832   UDP   SonsComputer:4500   *:*      
svchost.exe:1252   UDP   SonsComputer:1093   *:*      
svchost.exe:1252   UDP   SonsComputer:1025   *:*      
svchost.exe:1252   UDP   SonsComputer:1054   *:*      
System:4   TCP   SonsComputer:microsoft-ds   SonsComputer:0   LISTENING   
System:4   TCP   sonscomputer:netbios-ssn   SonsComputer:0   LISTENING   
System:4   UDP   SonsComputer:microsoft-ds   *:*      
System:4   UDP   sonscomputer:netbios-dgm   *:*      
System:4   UDP   sonscomputer:netbios-ns   *:*

And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:33, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ZYBAN\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I notice that AVG did not uninstall cleanly. I will now re-install the whole lot again - did someone mention Linux?

Thanks

Tuck
Title: Re: Open Ports
Post by: lukor on October 18, 2005, 12:50:04 PM
Tuck,
the list of open ports can be easily viewed in TcpView (from Sysinternals.com, as Igor has already suggested). Please run that tool and show your results. It is more useful than dumping TDI commands unless you are in the middle of TDI filter driver debugging.

I don't know why you should be concerned about IOCTL_TCP_QUERY_INFORMATION_EX - or is there anything you don't like about this IOCTL call?  :P

If you don't like TcpView, the same info can be obtained from the following command:
netstat -a -o

combine with the output from:
tasklist

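As an added illustration of the netstat/tasklist approach above (example code written for this edit, not from the thread or from avast!): parse the output of both commands, join them on PID, and separate loopback-only listeners, which Igor later notes cannot be reached from outside, from those bound to all interfaces. The netstat and tasklist text and the PIDs are constructed samples.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto host port pid image scope")

# Addresses that only the local machine itself can reach.
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
# The loopback 12xxx listeners mirror the avast! scanner ports named in the thread;
# the PIDs are made up.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1108
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1284
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING       1284
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1436
  TCP    127.0.0.1:1666         127.0.0.1:12080        ESTABLISHED     3708
  UDP    0.0.0.0:123            *:*                                    1108
"""

# Constructed sample of `tasklist` output for the same made-up PIDs.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                   1028 Console                    0       4,900 K
svchost.exe                   1108 Console                    0      22,100 K
ashMaiSv.exe                  1284 Console                    0       6,800 K
ashWebSv.exe                  1436 Console                    0       7,300 K
firefox.exe                   3708 Console                    0      45,000 K
"""

# UDP rows carry no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# Image name, then the first purely numeric column (the PID).
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header rows never match)."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("image")
    return pids


def split_host_port(addr):
    """'127.0.0.1:12025' -> ('127.0.0.1', 12025); also handles '[::1]:12025'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_sockets(netstat_text, tasklist_text):
    """Every TCP listener and bound UDP socket, joined to the process that owns it."""
    images = parse_tasklist(tasklist_text)
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, state = m.group("proto"), m.group("state")
        # Only LISTENING TCP rows are servers; established/TIME_WAIT rows are not.
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = split_host_port(m.group("local"))
        pid = int(m.group("pid"))
        scope = "local-only" if host in LOOPBACK_HOSTS else "network"
        found.append(Listener(proto, host, port, pid, images.get(pid, "<unknown>"), scope))
    return found


def network_reachable(listeners):
    """Listeners not bound to loopback: the ones a firewall actually has to cover."""
    return [l for l in listeners if l.scope == "network"]


def owner_of(listeners, port, proto="TCP"):
    """Image name of the process owning the given listening port, or None."""
    for l in listeners:
        if l.proto == proto and l.port == port:
            return l.image
    return None


if __name__ == "__main__":
    for s in listening_sockets(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{s.proto:3} {s.host}:{s.port:<6} pid={s.pid:<5} {s.image:14} {s.scope}")
```

On a live machine, feed the script the real `netstat -a -n -o` and `tasklist` output instead of the embedded samples; a hostname-resolving TcpView listing would need the same split on the last colon.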
Title: Re: Open Ports
Post by: Spiritsongs on October 18, 2005, 07:07:02 PM
:) Your HijackThis log indicates you have Spybot; have their scan(s) shown any problems? Their net-integration.net forums have many HijackThis experts willing to help their users.
Title: Re: Open Ports
Post by: cartel on October 24, 2005, 07:26:26 AM
Hey all,
the ports are "normal".
You'll notice they are for the mail protection and are listening for incoming connections. If you go to on-access control and more detail you can see which programs are running.
I used Add/Remove in Windows 9x and changed settings, removing Internet Mail and The Bat etc.
I have IM protection and Standard Shield; since I have ZAP I don't need much else.
Now I still have 2 ports open and it looks like it's protection for Windows Messenger, but I don't have XP (thank God).
I'd like to see them closed too.

TCP   0.0.0.0:135   0.0.0.0:0   LISTENING   
TCP   127.0.0.1:1025   0.0.0.0:0   LISTENING   
Title: Re: Open Ports
Post by: lukor on October 24, 2005, 09:00:51 AM
Cartel,
1025 is opened only on localhost - as such it is not a NETWORK port, only a local communication channel inside your PC. Without the application name it's a little tricky to guess, but I think it is the internal communication port for the ZoneAlarm firewall (it is chosen randomly on startup).

135 is used for Windows Networking. If your computer is not connected to a LAN, you might uninstall or, better, disable Windows Networking for your network adapter.
Title: Re: Open Ports
Post by: cartel on October 24, 2005, 09:34:11 AM
Whatever it is, the ports are open AFTER installing avast, so it must be part of it.
When I had the Internet Mail on I had even more ports open, and when I shut down avast the ports are gone too.
Title: Re: Open Ports
Post by: igor on October 24, 2005, 11:11:59 AM
As Lukor said - yes, avast! opens some ports, but for local access only. You cannot connect to them from outside.
Title: Re: Open Ports
Post by: lukor on October 24, 2005, 02:15:28 PM
Quote
As Lukor said - yes, avast! opens some ports, but for local access only. You cannot connect to them from outside.

True, and I add and repeat: avast! opens neither port 1025 nor port 135.

But if you are SO concerned about open ports, I don't understand why you don't run TcpView and show us which process has the port opened!!!???
Title: Re: Open Ports
Post by: Bullseye on November 23, 2005, 04:19:06 AM
I know I'm rehashing an old thread but I now have the reverse the planet email bug, or whatever it is.

It seems to be embedded in my email; I'm using Thunderbird. When I click get mail the little Thunderbird logo pops up in the system tray with the IP address reverse.the.planet.com and some IP number. Now I have run Ewido, Sysclean and Avast at boot time and reformatted my hard drive and the bloody thing is still there. It must be in my email somewhere; I'm not sure if this is doing anything to my machine or using my email address for spam or what it's doing.

Searching Google only comes up with a couple of entries, not much help.

This is my TCPview log.

ashMaiSv.exe:1284   TCP   java-devil:12025   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12110   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12119   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12143   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:1788   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:1789   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:12080   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:12080   localhost:1666   ESTABLISHED   
ashWebSv.exe:1436   TCP   java-devil:12080   localhost:1751   ESTABLISHED   
ashWebSv.exe:1436   TCP   java-devil:1789   216.239.57.18:http   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1060   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1666   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1751   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1059   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1059   localhost:1060   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1060   localhost:1059   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1666   localhost:12080   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1751   localhost:12080   ESTABLISHED   
lsass.exe:844   UDP   java-devil:isakmp   *:*      
msmsgs.exe:1080   UDP   java-devil:1033   *:*      
msmsgs.exe:1080   UDP   java-devil:7267   *:*      
msmsgs.exe:1080   UDP   java-devil:62131   *:*      
svchost.exe:1028   TCP   java-devil:epmap   java-devil:0   LISTENING   
svchost.exe:1028   UDP   java-devil:epmap   *:*      
svchost.exe:1108   TCP   java-devil:1025   java-devil:0   LISTENING   
svchost.exe:1108   UDP   java-devil:1028   *:*      
svchost.exe:1108   UDP   java-devil:ntp   *:*      
svchost.exe:1108   UDP   java-devil:ntp   *:*      
svchost.exe:1252   UDP   java-devil:1029   *:*      
svchost.exe:1252   UDP   java-devil:1065   *:*      
svchost.exe:1252   UDP   java-devil:1067   *:*      
svchost.exe:1252   UDP   java-devil:1069   *:*      
svchost.exe:1252   UDP   java-devil:1071   *:*      
svchost.exe:1252   UDP   java-devil:1072   *:*      
svchost.exe:1252   UDP   java-devil:1073   *:*      
svchost.exe:1252   UDP   java-devil:1074   *:*      
svchost.exe:1320   TCP   java-devil:5000   java-devil:0   LISTENING   
svchost.exe:1320   UDP   java-devil:1900   *:*      
svchost.exe:1320   UDP   java-devil:1900   *:*      
System:4   TCP   java-devil:microsoft-ds   java-devil:0   LISTENING   
System:4   TCP   java-devil:netbios-ssn   java-devil:0   LISTENING   
System:4   UDP   java-devil:microsoft-ds   *:*      
System:4   UDP   java-devil:netbios-ns   *:*      
System:4   UDP   java-devil:netbios-dgm   *:*      
THUNDE~1.EXE:3456   TCP   java-devil:1054   java-devil:0   LISTENING   
THUNDE~1.EXE:3456   TCP   java-devil:1053   java-devil:0   LISTENING   
THUNDE~1.EXE:3456   TCP   java-devil:1053   localhost:1054   ESTABLISHED   
THUNDE~1.EXE:3456   TCP   java-devil:1054   localhost:1053   ESTABLISHED   
Title: Re: Open Ports
Post by: Lisandro on November 23, 2005, 12:03:44 PM
Bullseye, are you, for any reason, using Azureus (P2P)?
Title: Re: Open Ports
Post by: alanrf on November 23, 2005, 12:08:26 PM
Tech,

I rather think that it is just that this user has chosen to use "java-devil" as a system name.

Title: Re: Open Ports
Post by: alanrf on November 23, 2005, 12:53:21 PM
Bullseye,

what is this "Thunderbird logo" that pops up in the system tray?  There is no Thunderbird icon that appears in the system tray to my knowledge.

Do you mean the "blue light" icon that is placed in the system tray by avast when it is intercepting e-mail?

Probably worth checking your email accounts in Thunderbird to make sure nothing unexpected is there.

Also worth checking your hosts file (in Win XP C:\Windows\System32\DRIVERS\etc folder) to make sure that no overrides have been placed in there.

Title: Re: Open Ports
Post by: lukor on November 23, 2005, 01:15:16 PM
Bullseye, in this case I would definitely run lspfix and/or hijackthis. I see several unknown open ports inside the WebShield process. WebShield does not open these ports; the only way they can be opened inside the webshield process is a dll loaded into it (e.g. an LSP dll or some other hooking dll). However, the same technique is used by some firewalls (e.g. ZoneAlarm) - so this mere fact does not necessarily mean it is something unwanted running on your pc. It might be interesting to know whose ports these are.

Lukas.
Title: Re: Open Ports
Post by: Bullseye on November 24, 2005, 01:25:20 AM
Thanks guys,
I'll try lspfix and/or hijackthis and post my reports.

Alanrf: I don't think it's any hosts file, I've just reformatted the drive, so unless when I start Thunderbird up it's dropping a hosts file in the system32 directory. But I'll check it out.
Title: Re: Open Ports
Post by: Bullseye on November 24, 2005, 01:49:37 AM
Okay, here's my HijackThis log,
I don't see any unfamiliar exes running.

I did a Google for Ispfix and couldn't find it,
have you got any links for it?

cheers

Logfile of HijackThis v1.99.1
Scan saved at 10:42:49 AM, on 24/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
\Wyndorf\Duncs\software\anti virus software\hijackthis\New\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Title: Re: Open Ports
Post by: lukor on November 24, 2005, 09:50:39 AM
Quote
Okay, here's my HijackThis log,
I don't see any unfamiliar exes running.

Nor do I. Lspfix can be downloaded here:
http://www.cexx.org/lspfix.htm
Title: Re: Open Ports
Post by: alanrf on November 24, 2005, 09:59:30 AM
It seems that we have come no closer to determining the cause of Bullseye's unfortunate encounter with reverse.the.planet during the Thunderbird session.
Title: Re: Open Ports
Post by: Bullseye on November 24, 2005, 11:44:32 AM
Well, I uninstalled Avast and installed NOD32 Antivirus software, scanned my drive and now it's gone :)
No more reverse.the.planet.com.
I didn't quarantine the bug, I deleted it so I don't know what it was.
Title: Re: Open Ports
Post by: lukor on November 24, 2005, 11:47:43 AM
Quote
It seems that we have come no closer to determining the cause of Bullseye's unfortunate encounter with reverse.the.planet during the Thunderbird session.

true.

I just re-read the thread: if the small icon is avast's Mail Scanner icon, we can determine who is connecting to it from the log.
Enable logging for Mail Scanner and post it here.

(to enable logging, edit the avast4.ini file, add the line "Log=20" (without quotes) to the section "[MailScanner]")
Eg.
[MailScanner]
Log=20

The log will then be created in the c:\program files\alwil software\avast4\data\log\ashmaisv.log
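To turn that log into an answer, here is an added example (written for this edit, not avast's code or anything posted in the thread) that parses an ashMaiSv.log in the Log=20 format Bullseye posts later in the thread: it joins each "accept connection" line to the "Connection handler" thread that serves it and reports the client process path and the real mail server the scanner was told to redirect to. The sample log lines, thread IDs, server addresses and the unknown.exe path are constructed.

```python
import re

# Constructed sample in the ashMaiSv.log format the thread shows (thread IDs,
# client paths and server addresses are made up; 192.0.2.x are documentation addresses).
SAMPLE_LOG = r"""
11/25/05 11:52:07 0000068C:   Log settings changed 20(0x00000014)
11/25/05 11:52:21 00000884:   POP accept connection from: 127.0.0.1
11/25/05 11:52:21 00000884:   Connection handler: 0x00000A0C
11/25/05 11:52:21 00000A0C:   --POP command REDIRECT 192.0.2.10:110 3200
11/25/05 11:52:21 00000A0C:   PATH: \Device\HarddiskVolume1\PROGRA~1\MOZILL~2\THUNDE~1.EXE
11/25/05 11:52:22 00000A0C:   Connected to POP server 192.0.2.10 110
11/25/05 11:52:22 00000A0C:   <-POP  +OK POP3 ready
11/25/05 11:53:02 00000884:   SMTP accept connection from: 127.0.0.1
11/25/05 11:53:02 00000884:   Connection handler: 0x00000B10
11/25/05 11:53:02 00000B10:   --SMTP command REDIRECT 192.0.2.25:25 3200
11/25/05 11:53:02 00000B10:   PATH: \Device\HarddiskVolume1\WINDOWS\system32\unknown.exe
"""

# "date time THREADID:   message"; the thread id links the listener to its handler.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<tid>[0-9A-F]{8}):\s+(?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^(?P<proto>POP|SMTP|IMAP|NNTP) accept connection from: (?P<client>\S+)")
HANDLER_RE = re.compile(r"^Connection handler: 0x(?P<tid>[0-9A-F]{8})")
REDIRECT_RE = re.compile(r"^--(?P<proto>\w+) command REDIRECT (?P<target>\S+)")
PATH_RE = re.compile(r"^PATH: (?P<path>.+?)\s*$")


def parse_sessions(log_text):
    """One record per proxied mail session: proto, client, client_path, target, time."""
    pending = {}    # listener thread id -> accepted connection awaiting its handler
    sessions = {}   # handler thread id -> session record
    order = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # continuation lines of multi-line server replies
        tid, msg = m.group("tid"), m.group("msg")
        a = ACCEPT_RE.match(msg)
        if a:
            pending[tid] = {"proto": a.group("proto"), "client": a.group("client"),
                            "time": m.group("time"), "client_path": None, "target": None}
            continue
        h = HANDLER_RE.match(msg)
        if h and tid in pending:
            handler = h.group("tid")
            sessions[handler] = pending.pop(tid)   # hand the record over to the worker thread
            order.append(handler)
            continue
        if tid not in sessions:
            continue
        r = REDIRECT_RE.match(msg)
        if r:
            sessions[tid]["target"] = r.group("target")
        p = PATH_RE.match(msg)
        if p:
            sessions[tid]["client_path"] = p.group("path")
    return [sessions[h] for h in order]


def image_name(path):
    """Last component of a device path, e.g. 'THUNDE~1.EXE'; None if no path was logged."""
    return path.rsplit("\\", 1)[-1] if path else None


def unexpected_clients(sessions, expected_images):
    """Sessions opened by a process other than the mail clients you know about."""
    expected = {name.upper() for name in expected_images}
    return [s for s in sessions
            if (image_name(s["client_path"]) or "").upper() not in expected]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f'{s["time"]} {s["proto"]:4} {s["client"]:>10} -> {str(s["target"]):<18} '
              f'{image_name(s["client_path"])}')
```

Any session whose client path is not your mail client (here the made-up unknown.exe) is the process worth looking up in TcpView or Process Explorer; the REDIRECT target is the server the icon's address actually refers to.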
Title: Re: Open Ports
Post by: lukor on November 24, 2005, 11:49:24 AM
Quote
Well, I uninstalled Avast and installed NOD32 Antivirus software, scanned my drive and now it's gone :)
No more reverse.the.planet.com.
I didn't quarantine the bug, I deleted it so I don't know what it was.


If it really was the icon from avast's mail scanner you have solved nothing - although I must admit that avast's Mail Scanner icon is not obviously shown in NOD32. Anyway, there are other ways to HIDE THE ICON ;-)
Title: Re: Open Ports
Post by: Lisandro on November 24, 2005, 11:49:52 AM
Quote
Well, I uninstalled Avast and installed NOD32 Antivirus software
Just a curiosity, how much is the NOD32 license right now?
Title: Re: Open Ports
Post by: alanrf on November 24, 2005, 11:59:50 AM
We're not here to criticize NOD32, it certainly has a good reputation. 

However, I hope that Bullseye might reconsider, come back and see if there is a way that we can help resolve this issue - and the logging proposed by Lukas is a great step (that I wish I had thought to propose earlier). 

That way Bullseye might clear up a problem and provide some help to others who could encounter the same issue. 
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 12:50:42 AM
Is this the log you're after?
You guys were right, I didn't realise it was the avast email scanner bringing the icon up in the system tray. So I reinstalled avast and it's still there.
But when NOD32 did a complete disk scan it found some virus in my email.
I thought that it had got it.

11/25/05 09:43:14 0000068C:   Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C:   Build 4.6.731
11/25/05 09:43:14 0000068C:   Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C:   Using WinSock 2.0
11/25/05 09:43:15 0000068C:   AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   POP Start settings changed: 1
11/25/05 09:43:15 0000068C:   POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C:   POP RedirectPort: 110
11/25/05 09:43:15 0000068C:   SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C:   SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C:   IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C:   IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C:   IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C:   NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C:   NNTP RedirectPort: 119
Title: Re: Open Ports
Post by: Lisandro on November 25, 2005, 01:09:41 AM
Quote
Is this the log you're after?
Did you add the line

Log=20

into avast4.ini file?
It seems a poor log, without enough information.
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 02:47:08 AM
Aaaah nup, I'll do that.
I wasn't sure where to do it.
I thought it was a check box.

edit:

I just looked at my ini file and it has logmaxsize=20.
Is that it ?
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 02:55:02 AM
Okay, just checked out the avast4.ini thread and realised I had added it in the mail section of the ini file.
Here's my new ashMaiSv log file. Hope this is it :)

11/25/05 09:43:14 0000068C:   Started as service, Log = 1(0x00000001)
11/25/05 09:43:14 0000068C:   Build 4.6.731
11/25/05 09:43:14 0000068C:   Windows XP Workstation (Service Pack 2)
11/25/05 09:43:14 0000068C:   Using WinSock 2.0
11/25/05 09:43:15 0000068C:   AutoRedirect settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   IgnoreLocalhost settings changed 1(0x00000001)
11/25/05 09:43:15 0000068C:   POP Start settings changed: 1
11/25/05 09:43:15 0000068C:   POP Listen settings changed: 127.0.0.1 12110
11/25/05 09:43:15 0000068C:   POP RedirectPort: 110
11/25/05 09:43:15 0000068C:   SMTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   SMTP Listen settings changed: 127.0.0.1 12025
11/25/05 09:43:15 0000068C:   SMTP RedirectPort: 25
11/25/05 09:43:15 0000068C:   IMAP Start settings changed: 1
11/25/05 09:43:15 0000068C:   IMAP Listen settings changed: 127.0.0.1 12143
11/25/05 09:43:15 0000068C:   IMAP RedirectPort: 143
11/25/05 09:43:15 0000068C:   NNTP Start settings changed: 1
11/25/05 09:43:15 0000068C:   NNTP Listen settings changed: 127.0.0.1 12119
11/25/05 09:43:15 0000068C:   NNTP RedirectPort: 119
11/25/05 11:52:07 0000068C:   Log settings changed 20(0x00000014)
11/25/05 11:52:21 00000884:   POP accept connection from: 127.0.0.1
11/25/05 11:52:21 00000884:   Connection handler: 0x00000A0C
11/25/05 11:52:21 00000A0C:   Ignored PIDs: 1588 1840
11/25/05 11:52:21 00000A0C:   Ignored Addresses: 192.168.1.3:119 127.0.0.1:119 192.168.1.3:143 127.0.0.1:143 192.168.1.3:25 127.0.0.1:25 192.168.1.3:110 127.0.0.1:110 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80
11/25/05 11:52:21 00000A0C:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
11/25/05 11:52:21 00000A0C:   --POP command REDIRECT 70.86.95.34:110 3200
11/25/05 11:52:21 00000A0C:   PATH: \Device\HarddiskVolume1\PROGRA~1\MOZILL~2\THUNDE~1.EXE
11/25/05 11:52:22 00000A0C:   Connected to POP server 70.86.95.34 110
11/25/05 11:52:22 00000A0C:   received 45(0x0000002D)
11/25/05 11:52:22 00000A0C:   <-POP  +OK POP3 devo [cppop 20.0] at [70.86.95.34]
11/25/05 11:52:22 00000A0C:   sent 45(0x0000002D)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   ->POP AUTH
11/25/05 11:52:22 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:22 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:22 00000A0C:   received 30(0x0000001E)
11/25/05 11:52:22 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:22 00000A0C:   <-POP  -ERR Command not implemented
11/25/05 11:52:22 00000A0C:   sent 30(0x0000001E)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   received 1(0x00000001)
11/25/05 11:52:22 00000A0C:   ->POP CAPA
11/25/05 11:52:22 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:22 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:23 00000A0C:   received 29(0x0000001D)
11/25/05 11:52:23 00000A0C:   received 51(0x00000033)
11/25/05 11:52:23 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:23 00000A0C:   <-POP +OK Capability list follows
TOP
USER
UIDL
XSENDER
IMPLEMENTATION cppop
.
11/25/05 11:52:23 00000A0C:   <-POP  +OK Capability list follows
11/25/05 11:52:23 00000A0C:   sent 29(0x0000001D)
11/25/05 11:52:23 00000A0C:   <-POP  TOP
11/25/05 11:52:23 00000A0C:   sent 5(0x00000005)
11/25/05 11:52:23 00000A0C:   <-POP  USER
11/25/05 11:52:23 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:23 00000A0C:   <-POP  UIDL
11/25/05 11:52:23 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:23 00000A0C:   <-POP  XSENDER
11/25/05 11:52:23 00000A0C:   sent 9(0x00000009)
11/25/05 11:52:23 00000A0C:   <-POP  IMPLEMENTATION cppop
11/25/05 11:52:23 00000A0C:   sent 22(0x00000016)
11/25/05 11:52:23 00000A0C:   <-POP  .
11/25/05 11:52:23 00000A0C:   sent 3(0x00000003)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   received 1(0x00000001)
11/25/05 11:52:23 00000A0C:   ->POP USER ...
11/25/05 11:52:23 00000A0C:   sent 35(0x00000023)
11/25/05 11:52:23 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 21(0x00000015)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK Need a password
11/25/05 11:52:24 00000A0C:   sent 21(0x00000015)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   ->POP PASS ...
11/25/05 11:52:24 00000A0C:   sent 16(0x00000010)
11/25/05 11:52:24 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 117(0x00000075)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK You have 0 messages totaling 557 octets from /home/shazz450/mail/shazzamstudios.com/wonderboy/inbox (full load)
11/25/05 11:52:24 00000A0C:   sent 117(0x00000075)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   received 1(0x00000001)
11/25/05 11:52:24 00000A0C:   ->POP STAT
11/25/05 11:52:24 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:24 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:24 00000A0C:   received 9(0x00000009)
11/25/05 11:52:24 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK 0 0
11/25/05 11:52:24 00000A0C:   sent 9(0x00000009)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   received 1(0x00000001)
11/25/05 11:52:25 00000A0C:   ->POP QUIT
11/25/05 11:52:25 00000A0C:   sent 6(0x00000006)
11/25/05 11:52:25 00000A0C:   --POP Before ReadFromPop
11/25/05 11:52:25 00000A0C:   received 10(0x0000000A)
11/25/05 11:52:25 00000A0C:   --POP ReadFromPop ...
11/25/05 11:52:25 00000A0C:   <-POP  +OK Bye!
11/25/05 11:52:25 00000A0C:   sent 10(0x0000000A)
11/25/05 11:52:25 00000A0C:   connection closed 0(0x00000000)
11/25/05 11:52:25 00000A0C:   --POP  Finishing connection handler
Title: Re: Open Ports
Post by: alanrf on November 25, 2005, 05:54:20 AM
It would appear from this log that you just had a rather normal connection to a POP3 mail server, you were logged on successfully and there were no messages in the mailbox. 

The POP3 connection was to a mail server at IP address 70.86.95.34.

This IP address is owned by ThePlanet.com Internet Services, Inc.

The similarity of the service name of ThePlanet.com and your original report of reverse.the.planet seems just a bit more than coincidental.

Going back to your original post:

Quote
When I click get mail the little Thunderbird logo pops up in the system tray
with the ip address reverse.the.planet.com and some ip number.
 

As I mentioned earlier, there is no Thunderbird icon in the task bar.  The icon that does appear is the avast blue light, and when you mouse over that icon you do not get an IP address, you get the server name.

So right now - I do not think we have seen any evidence that you did connect to reverse.the.planet unless you can help us with some more details.
 
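To make the reading Alan gives of the mail-shield log repeatable, here is an added example (not code from the thread or from Avast) that parses a log in the same format, pairs each client command with the server's status reply, pulls the message count out of the STAT reply and notes that USER/PASS was sent without STLS being offered. The sample log lines are constructed to mirror the format above, and the function name is my own.

```python
import re
# Constructed sample mirroring the Avast mail-shield POP log format on this page
# (date, time, thread id, then a ->POP / <-POP marker); not a real capture.
SAMPLE_LOG = """\
11/25/05 11:52:23 00000A0C:   ->POP CAPA
11/25/05 11:52:23 00000A0C:   <-POP +OK Capability list follows
TOP
UIDL
.
11/25/05 11:52:23 00000A0C:   <-POP  TOP
11/25/05 11:52:23 00000A0C:   ->POP USER ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK Need a password
11/25/05 11:52:24 00000A0C:   ->POP PASS ...
11/25/05 11:52:24 00000A0C:   <-POP  +OK You have 0 messages totaling 557 octets
11/25/05 11:52:24 00000A0C:   ->POP STAT
11/25/05 11:52:24 00000A0C:   <-POP  +OK 0 0
11/25/05 11:52:25 00000A0C:   ->POP QUIT
11/25/05 11:52:25 00000A0C:   <-POP  +OK Bye!
11/25/05 11:52:25 00000A0C:   connection closed 0(0x00000000)
"""
PREFIX = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d [0-9A-Fa-f]+:\s*(.*)$")

def summarize_pop_session(log_text):
    """Pair each client command with the server's status reply and summarise the session."""
    exchanges, capabilities, in_capa = [], [], False   # exchanges: [verb, status reply]
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:  # unprefixed line: the multi-line CAPA payload spilled into the log
            line = raw.strip()
            if in_capa and line and line != ".":
                capabilities.append(line.split()[0])
            in_capa = in_capa and line != "."
            continue
        body = m.group(1)
        if body.startswith("->POP "):
            exchanges.append([body[6:].split()[0], None])
        elif body.startswith("<-POP "):
            reply = body[6:].strip()   # echoed CAPA lines lack +OK/-ERR and are skipped
            if reply.startswith(("+OK", "-ERR")) and exchanges and exchanges[-1][1] is None:
                exchanges[-1][1] = reply
                in_capa = reply.startswith("+OK Capability")
    verbs = [v for v, _ in exchanges]
    stat = next((r for v, r in exchanges if v == "STAT" and r and r.startswith("+OK")), None)
    count, octets = (int(x) for x in stat.split()[1:3]) if stat else (None, None)
    return {"commands": verbs, "capabilities": capabilities,
            "errors": sum(1 for _, r in exchanges if r and r.startswith("-ERR")),
            "messages": count, "octets": octets,
            # USER/PASS with no STLS on offer: the password crossed the wire in clear text
            "cleartext_auth": "PASS" in verbs and "STLS" not in capabilities,
            "closed": "connection closed" in log_text}
```

Running it over the sample gives the same picture Alan describes: a clean CAPA/USER/PASS/STAT/QUIT sequence with no errors and zero messages, plus the reminder that a plain POP3 login exposes the password to anyone on the path.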
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 06:11:00 AM

Thanks Alan,

How come my mail server is connecting to ThePlanet.com?
My ISP is www.aanet.com.au, not ThePlanet.com?
This is getting weird :)

thanks for your help.

Title: Re: Open Ports
Post by: alanrf on November 25, 2005, 06:17:04 AM
It is possible they have contracted out their mail service. 

What is the server name (just the server name - do not mention userid) that you have set up for your mail in Thunderbird?
Title: Re: Open Ports
Post by: alanrf on November 25, 2005, 06:39:18 AM
Bullseye,

I think that you have forgotten about the account you have set up in Thunderbird at shazzamstudios.com.

Their mail server mail.shazzamstudios.com has an IP address of 70.86.95.34 and is hosted at ThePlanet.com.

I think we might call this one closed.

Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 07:35:32 AM
My mail server is mail.aanet.com.au,
Is that what you're after?

cheers

edit:

Thanks Alan,
I've just emailed my web hosting company to find out
where/who my email server guys are.

cheers
Title: Re: Open Ports
Post by: alanrf on November 25, 2005, 08:06:16 AM
Duncan, I don't need that information any longer, please read my previous post in this thread.

Thanks,

Alan
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 08:14:32 AM

Yep I read your post,
I edited mine.
Title: Re: Open Ports
Post by: alanrf on November 25, 2005, 08:33:24 AM
I think I understand.

Just so we are clear ... this has nothing to do with your ISP aanet.com.au

This is entirely in the province of shazzamstudios.com and the hosting of their mail service at ThePlanet.com.

 
Title: Re: Open Ports
Post by: Bullseye on November 25, 2005, 09:05:58 AM

Yep we are talking about the same thing.
My web hosting company that hosts Shazzam Studios
is Onsmart. They're the guys I emailed.

Thanks for all your help.