Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Foxabilo on November 20, 2005, 10:53:27 PM

Title: avast.setup and tracker.prq.to
Post by: Foxabilo on November 20, 2005, 10:53:27 PM
Why has my ZoneAlarm got 170 attempts by avast.setup to open a connection to a BitTorrent tracker?

Description      avast! antivirus Update was temporarily blocked from connecting to the Internet (83.140.65.142:DNS).
Rating           High
Date / Time      2005/11/20 07:22:26-0:00 GMT
Type             Program Access
Program          avast.setup
Source IP       
Destination IP   83.140.65.142:53
Direction        Outgoing (connect)
Action Taken     Blocked
Count            170
Source DNS       
Destination DNS  tracker.prq.to

WHOIS results for 83.140.65.142
Generated by www.DNSstuff.com
Location: Sweden

ARIN says that this IP belongs to RIPE; I'm looking it up there.


Using 0 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '83.140.65.0 - 83.140.65.255'

inetnum:      83.140.65.0 - 83.140.65.255
netname:      TIAMO-NET
descr:        ThePirateBay.ORG
descr:        Customer of prq Inet, Box 1206, SE 114 79 Stockholm, SWEDEN
remarks:      *******************************************************
remarks:      * In case of abuse, send mail to *****@thepiratebay.org
remarks:      * Abuse mail to any other address will be ignored!
remarks:      *******************************************************
country:      SE
tech-c:       pIN7-RIPE
admin-c:      pIN7-RIPE
mnt-by:       MNT-PRQ
notify:       *******************@prq.se
changed:      *************@prq.se 20041219
source:       RIPE
status:       ASSIGNED PA

role:           prq Inet NOC
address:        prq Inet
                Box 1206
                SE 11479 Stockholm
                Sweden
phone:          +46 (0)73 9549748
e-mail:         ***@prq.se
e-mail:         *************@prq.se
remarks:        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
remarks:        !! Abuse reports should ONLY be sent to *****@prq.se !!
remarks:        !! Do NOT call unless it's very urgent               !!
remarks:        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
admin-c:        PW1115-RIPE
tech-c:         PW1115-RIPE
nic-hdl:        pIN7-RIPE
mnt-by:         MNT-PRQ
changed:        *************@prq.se 20040707
changed:        *************@prq.se 20050802
source:         RIPE
abuse-mailbox:  *****@prq.se

% Information related to '83.140.64.0/19AS16150'

route:        83.140.64.0/19
descr:        GBG, Port80, Sweden
remarks:      ****************************************************
remarks:      * In case of abuse, send mail to *****@port80.se
remarks:      * Abuse mail to any other address will be ignored!
remarks:      ****************************************************
origin:       AS16150
mnt-by:       PORT80-MNT
changed:      ********@port80.se 20040921
source:       RIPE
notify:       *****************@port80.se


[The following lines added by www.dnsstuff.com per requirement by RIPE]
This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.
Contact dnsstuff.com's 'info@' address to report problems regarding the functionality of the service.

[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address].

WTF ???

Title: Re: avast.setup and tracker.prq.to
Post by: DavidR on November 21, 2005, 12:36:41 AM
avast.setup tries to connect to avast servers (not torrent) to check for and download updates.

Is there a location for avast.setup? This file isn't a permanent file, only being created from the setup.ovr at the time of update. Check the servers.def file; it should list the URL addresses that it would connect to.

What is your firewall?

So there is a possibility that this isn't avast.setup. Can you do a search for avast.setup? It shouldn't exist outside of an actual update, and in that case it would be in the 'C:\Program Files\Alwil Software\Avast4\Setup' folder; anywhere else and it is wrong.
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:03:39 AM
Description      avast! antivirus Update requested permission to access the internet.
Rating           High
Date / Time      2005/11/20 05:47:58-0:00 GMT
Type             Repeat Program
Program          C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
Source IP       
Destination IP   83.140.65.134:53
Direction        Outgoing (connect)
Action Taken     Blocked (once)
Count            1
Source DNS       
Destination DNS  tracker.prq.to

The firewall is Zone Alarm Pro. This is a different entry but connecting to the same IP; the other entries do not include the path (something to do with the way Zone Alarm logs repeats, apparently). avast.setup does not exist on any of my drives. This is my servers.def:

Code:
[servers]
count=32

[server0]
name=Secondary ASW server
url=http://www.iavs.cz/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi
products=av_pro,av_srv,av_ker,av_oem,av_pda_palm,av_net,av_mgm,exav,netpurum,av_u3

[server1]
name=Download1 AVAST server
url=http://download1.avast.com/iavs4x
stats=http://download1.avast.com/cgi-bin/iavs4stats.cgi

[server2]
name=Download2 AVAST server
url=http://download2.avast.com/iavs4x
stats=http://download2.avast.com/cgi-bin/iavs4stats.cgi

[server3]
name=Download3 AVAST server
url=http://download3.avast.com/iavs4x
stats=http://download3.avast.com/cgi-bin/iavs4stats.cgi

[server4]
name=Download4 AVAST server
url=http://download4.avast.com/iavs4x
stats=http://download4.avast.com/cgi-bin/iavs4stats.cgi

[server5]
name=Download5 AVAST server
url=http://download5.avast.com/iavs4x
stats=http://download5.avast.com/cgi-bin/iavs4stats.cgi

[server6]
name=Download6 AVAST server
url=http://download6.avast.com/iavs4x
stats=http://download6.avast.com/cgi-bin/iavs4stats.cgi

[server7]
name=Download7 AVAST server
url=http://download7.avast.com/iavs4x
stats=http://download7.avast.com/cgi-bin/iavs4stats.cgi

[server8]
name=Download8 AVAST server
url=http://download8.avast.com/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi

[server9]
name=Download9 AVAST server
url=http://download9.avast.com/iavs4x
stats=http://download9.avast.com/cgi-bin/iavs4stats.cgi

[server10]
name=Download10 AVAST server
url=http://download10.avast.com/iavs4x
stats=http://download10.avast.com/cgi-bin/iavs4stats.cgi

[server11]
name=Download11 AVAST server
url=http://download11.avast.com/iavs4x
stats=http://download11.avast.com/cgi-bin/iavs4stats.cgi

[server12]
name=Download12 AVAST server
url=http://download12.avast.com/iavs4x
stats=http://download12.avast.com/cgi-bin/iavs4stats.cgi

[server13]
name=Download13 AVAST server
url=http://download13.avast.com/iavs4x
stats=http://download13.avast.com/cgi-bin/iavs4stats.cgi

[server14]
name=Download14 AVAST server
url=http://download14.avast.com/iavs4x
stats=http://download14.avast.com/cgi-bin/iavs4stats.cgi

[server15]
name=Download15 AVAST server
url=http://download15.avast.com/iavs4x
stats=http://download15.avast.com/cgi-bin/iavs4stats.cgi

[server16]
name=Download16 AVAST server
url=http://download16.avast.com/iavs4x
stats=http://download16.avast.com/cgi-bin/iavs4stats.cgi

[server17]
name=Download17 AVAST server
url=http://download17.avast.com/iavs4x
stats=http://download17.avast.com/cgi-bin/iavs4stats.cgi

[server18]
name=Download18 AVAST server
url=http://download18.avast.com/iavs4x
stats=http://download18.avast.com/cgi-bin/iavs4stats.cgi

[server19]
name=Download19 AVAST server
url=http://download19.avast.com/iavs4x
stats=http://download19.avast.com/cgi-bin/iavs4stats.cgi

[server20]
name=Download20 AVAST server
url=http://download20.avast.com/iavs4x
stats=http://download20.avast.com/cgi-bin/iavs4stats.cgi

[server21]
name=Download21 AVAST server
url=http://download21.avast.com/iavs4x
stats=http://download21.avast.com/cgi-bin/iavs4stats.cgi

[server22]
name=Download22 AVAST server
url=http://download22.avast.com/iavs4x
stats=http://download22.avast.com/cgi-bin/iavs4stats.cgi

[server23]
name=Download23 AVAST server
url=http://download23.avast.com/iavs4x
stats=http://download23.avast.com/cgi-bin/iavs4stats.cgi

[server24]
name=Download24 AVAST server
url=http://download24.avast.com/iavs4x
stats=http://download24.avast.com/cgi-bin/iavs4stats.cgi

[server25]
name=Download25 AVAST server
url=http://download25.avast.com/iavs4x
stats=http://download25.avast.com/cgi-bin/iavs4stats.cgi

[server26]
name=Download26 AVAST server
url=http://download26.avast.com/iavs4x
stats=http://download26.avast.com/cgi-bin/iavs4stats.cgi

[server27]
name=Download27 AVAST server
url=http://download27.avast.com/iavs4x
stats=http://download27.avast.com/cgi-bin/iavs4stats.cgi

[server28]
name=Download28 AVAST server
url=http://download28.avast.com/iavs4x
stats=http://download28.avast.com/cgi-bin/iavs4stats.cgi

[server29]
name=Download29 AVAST server
url=http://download29.avast.com/iavs4x
stats=http://download29.avast.com/cgi-bin/iavs4stats.cgi

[server30]
name=Download30 AVAST server
url=http://download30.avast.com/iavs4x
stats=http://download30.avast.com/cgi-bin/iavs4stats.cgi

[server31]
name=Download31 AVAST server
url=http://download31.avast.com/iavs4x
stats=http://download31.avast.com/cgi-bin/iavs4stats.cgi

ASWSignA444F9B739A8212AEB5992EF7B357C955E76AA0E396710304A9D26D77A83575B052D9A2892733ADA0ASWSignA

And it's still trying to connect to this torrent tracker. I can only think that maybe the address is being re-used or something? But what I don't get is that avast is allowed and does update fine through the firewall, but these keep showing up as being stopped; somehow the firewall knows these are not genuine IPs to connect to :|

Not at all sure why this should be happening; does make me think bad things tho when my AV is trying to connect to what seems to be a torrent tracking place for ripped off games and things.
Title: Re: avast.setup and tracker.prq.to
Post by: alanrf on November 21, 2005, 01:11:03 AM
Since the servers.def file only contains the urls of avast servers (not the IP address) then one would have to wonder how the questionable IP address might have been used by avast setup. 

There is just a possibility that a nasty piece of software has invaded your system and set up a redirect for one or more of those avast urls to send it to the questionable IP address.  You should scan your hosts file and make sure that no such redirections have been set up.  On an XP system you can find the hosts file in the C:\Windows\System32\DRIVERS\etc folder.
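
The hosts-file check suggested above, written out as an added example (not part of the original thread and not Avast code): it takes the update-server hostnames from a servers.def in the layout posted earlier and flags any hosts entry that overrides one of them. Function names and the sample files are constructed for illustration; 203.0.113.7 is a documentation address.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a trimmed servers.def in the layout posted in this thread.
# The last line stands in for the signature trailer (placeholder value).
SERVERS_DEF = """\
[servers]
count=2

[server0]
name=Secondary ASW server
url=http://www.iavs.cz/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi

[server1]
name=Download1 AVAST server
url=http://download1.avast.com/iavs4x
stats=http://download1.avast.com/cgi-bin/iavs4stats.cgi

ASWSignCONSTRUCTED-PLACEHOLDERASWSignA
"""

# Constructed sample: the default XP hosts file, as in the thread.
CLEAN_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
"""

# Constructed sample: what a tampered hosts file could look like.
TAMPERED_HOSTS = """\
127.0.0.1       localhost
203.0.113.7     download1.avast.com        # constructed redirect
127.0.0.1       www.iavs.cz DOWNLOAD8.avast.com.
not-an-ip       download1.avast.com
"""


def update_hostnames(servers_def_text):
    """Return the set of hostnames used in url= and stats= entries."""
    # allow_no_value: the signature trailer has no '=' and would otherwise
    # raise ParsingError. interpolation=None: '%' in a URL is not a template.
    parser = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False
    )
    parser.read_string(servers_def_text)
    names = set()
    for section in parser.sections():
        for key in ("url", "stats"):
            value = parser.get(section, key, fallback=None)
            host = urlsplit(value).hostname if value else None
            if host:
                names.add(host.lower().rstrip("."))
    return names


def find_overrides(hosts_text, watched):
    """Return (line, hostname, address, kind) for each watched name in hosts.

    kind is "blocked" when the name points at loopback or 0.0.0.0 (updates
    fail) and "redirected" when it points at any other address.
    """
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: not a usable mapping
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        for name in fields[1:]:  # one line may carry several aliases
            name = name.lower().rstrip(".")
            if name in watched:
                findings.append((lineno, name, str(addr), kind))
    return findings


if __name__ == "__main__":
    watched = update_hostnames(SERVERS_DEF)
    for label, text in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, find_overrides(text, watched))
```

A default hosts file maps only localhost, so any hit on an update-server name deserves a closer look, whichever address it points to.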
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on November 21, 2005, 01:18:06 AM
Quote
Does make me think bad things tho when my AV is trying to connect to what seems to be a torrent tracking place for ripped off games and things.

Why are you thinking your antivirus is trying to connect to anything related to torrents or games or anything else?
The list of update servers could be found in servers.def file in setup subdirectory under avast4 folder. There are the names, not IPs but you can check for the IPs yourself.

The problem is that this list could change (and actually is changed) quite frequently (servers are mostly added).
http://www.avast.com/eng/updates2.html#idt_1366
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:28:00 AM
It makes me think that because when I do the DNS lookup of the IP avast is connecting to it belongs to ThePirateBay.org

% Information related to '83.140.65.0 - 83.140.65.255'

inetnum:      83.140.65.0 - 83.140.65.255
netname:      TIAMO-NET
descr:        ThePirateBay.ORG
descr:        Customer of prq Inet, Box 1206, SE 114 79 Stockholm, SWEDEN

I will check my hosts to see if anything is in there
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on November 21, 2005, 01:30:39 AM
Quote
avast.setup does not exist on any of my drives

It's a temporary file that appears by the transformation of C:\Program Files\Alwil Software\Avast4\Setup\setup.ovr

Quote
It makes me think that because when I do the DNS lookup of the IP avast is connecting to it belongs to ThePirateBay.org

Something strange, as the avast servers are not related to ThePirateBay.ORG

Can you check the contents of your HOSTS file?
Title: Re: avast.setup and tracker.prq.to
Post by: kubecj on November 21, 2005, 01:35:20 AM
I don't have the slightest clue why would setup connect to such a site.

Could you please inspect setup.log in setup directory if it also mentions the ip you've mentioned?
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:36:32 AM
Code:
# Copyright (c) 1993-2004 Microsoft Corp.
#
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Yeah, this really is an odd one, nothing in there that's not working. Now I did a test and told Zone Alarm to ask me what to do the next time avast.setup runs. It just did, and it wanted to connect on port 53 to the torrent tracker again. I said no to the request and a few moments later avast popped up with the red box "an error has occurred while attempting to update". If I do not stop it connecting to that torrent address it seems to update fine :\ Weird, huh?
Title: Re: avast.setup and tracker.prq.to
Post by: DavidR on November 21, 2005, 01:44:36 AM
Very weird, you could as a temporary measure create a rule in ZA to block avast.setup access using port 53 or any other port other than port 80 (UDP/TCP protocols), which I think is used for updates. Perhaps Kubecj could confirm this.

Something very strange is going on, I certainly haven't seen anything like this since joining the forums and it would be nice to get to the bottom of it.

How would avast.setup be made to use port 53 to connect, when I think it uses port 80?

Just tried a manual update and port 80 is used.
Quote
Server: download11.avast.com (67.15.38.62:80)
Downloaded files: 3 (0.03 KB)
Download time: 4 s
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:46:07 AM
This is the top bit of my setup.log, but it won't let me post over 10,000 chars so I can't show you the full most recent entry. I cannot see anything about that strange IP; mind you, I don't know what I am looking for in this log.

Code:
14:55:05 min/gen  Started: 14.06.2005, 14:55:05
14:55:05 min/gen  Running setup_av_pro-299 (665)
14:55:05 nrm/sys  Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
14:55:05 vrb/sys  Computer WinName: ISK-SERVER
14:55:05 min/sys  Windows Net User: ISK-SERVER\ISK
14:55:05 min/gen  Cmdline: /sfx /sfxstorage "C:\DOCUME~1\ISK\LOCALS~1\Temp\_av_sfx.tm~a03108"  /srcpath "C:\DOCUMENTS AND SETTINGS\ISK\DESKTOP"
14:55:05 vrb/gen  DldSrc set to sfx
14:55:05 min/gen  Old version: ffffffff (-1)
14:55:05 vrb/gen  Install check: SetupVersion does NOT exist
14:55:05 nrm/gen  SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 0
14:55:05 vrb/reg  Get registry: Software\Microsoft\Internet Explorer\Version=6.0.2900.2180
14:55:05 vrb/gen  Operation set to INST_OP_INSTALL
14:55:05 min/gen  GUID: 4474dc69-5d1b-4793-a8df-aecc36568970
14:55:05 nrm/gen  SelectCurrent: selected server 'tmp sfx storage' from 'sfx'
14:55:13 min/pkg  Load C:\DOCUME~1\ISK\LOCALS~1\Temp\_av_sfx.tm~a03108\prod-av_pro.vpu
14:55:13 vrb/pkg  LatestPartInfo: news = news-42
14:55:13 vrb/pkg  LatestPartInfo: program = prg_av_pro-299
14:55:13 vrb/pkg  LatestPartInfo: setup = setup_av_pro-299
14:55:13 vrb/pkg  LatestPartInfo: vps = vps-52102
14:55:13 vrb/pkg  Part prg_av_pro-299 was set to be installed
14:55:13 vrb/pkg  Part vps-52102 was set to be installed
14:55:13 vrb/pkg  Part news-42 was set to be installed
14:55:13 vrb/pkg  Part setup_av_pro-299 was set to be installed
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  FilterOutExistingFiles: 133 & 0 = 133
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  FilterOutExistingFiles: 133 & 0 = 133
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on November 21, 2005, 01:48:44 AM
Quote
This is the top bit of my setup.log

Maybe the bottom of it will be better...

Foxabilo, are you using Home version or the Trial one?
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:52:16 AM
Home, to the best of my knowledge. Been a LOOOOOOOOOOOOOOOOONG time user of avast, I registered it etc etc,

Code:
15:11:12 min/int  tried 30 servers to get file 'servers.def', but failed (0x20000004)
15:11:12 min/fil  GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP\_av_proI.tm~a01140\onefile, servers.def, error: 0x20000004
15:11:12 min/pkg  Tried to download servers.def but failed with error 0x20000004.
15:11:12 min/gen  Err:Cannot connect to download4.avast.com (unknown:80).
15:11:12 nrm/pkg  Transferred files: 0
15:11:12 nrm/pkg  Transferred bytes: 0
15:11:12 nrm/pkg  Transfer time: 0 ms
15:11:12 vrb/fil  NeedReboot=false
15:11:12 min/gen  Return code: 0x20000004 [Cannot connect to download4.avast.com (unknown:80).]
15:11:12 min/gen  Stopped: 16.11.2005, 15:11:12


19:19:12 min/gen  Started: 16.11.2005, 19:19:12
19:19:12 min/gen  Running setup_av_pro-2db (731)
19:19:12 nrm/sys  Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
19:19:12 vrb/sys  Computer WinName: ISK-SERVER
19:19:12 min/sys  Windows Net User: SYSTEM
19:19:14 min/gen  Cmdline: /downloadpkgs /noreboot /updatenews /verysilent /nolog 
19:19:14 vrb/gen  DldSrc set to inet
19:19:14 vrb/gen  Operation set to INST_OP_UPDATE_GET_PACKAGES
19:19:14 min/gen  Old version: 2db (731)
19:19:17 nrm/gen  SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
19:19:21 vrb/sys  Computer DnsName: isk-server
19:19:21 vrb/sys  Computer Ip Addr: 192.168.0.1
19:19:26 nrm/int  SYNCER: Type: use IE settings
19:19:26 nrm/int  SYNCER: Auth: another authentication, use WinInet
19:19:26 vrb/pkg  Part prg_av_pro-2db is installed
19:19:26 vrb/pkg  Part vps-54602 is installed
19:19:26 vrb/pkg  Part news-44 is installed
19:19:26 vrb/pkg  Part setup_av_pro-2db is installed
19:19:26 min/gen  Old version: 2db (731)
19:19:51 vrb/fil  SetExistingFilesBitmap: 728->136->136
19:19:51 min/gen  GUID: 4474dc69-5d1b-4793-a8df-aecc36568970
19:19:52 nrm/gen  Server definition(s) loaded for 'main': 30 (maintenance:0)
19:19:52 nrm/gen  SelectCurrent: selected server 'Download5 AVAST server' from 'main'
19:19:56 dbg/gen  Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
19:20:27 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:20:45 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:20:45 nrm/gen  InvalidateCurrent: invalidated server 'Download5 AVAST server' from 'main'
19:20:45 nrm/gen  SelectCurrent: selected server 'Download12 AVAST server' from 'main'
19:20:45 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 1
19:21:02 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:21:02 nrm/gen  InvalidateCurrent: invalidated server 'Download12 AVAST server' from 'main'
19:21:02 nrm/gen  SelectCurrent: selected server 'Download15 AVAST server' from 'main'
19:21:02 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 2
19:21:21 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:21:21 nrm/gen  InvalidateCurrent: invalidated server 'Download15 AVAST server' from 'main'
19:21:21 nrm/gen  SelectCurrent: selected server 'Download24 AVAST server' from 'main'
19:21:21 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 3
Title: Re: avast.setup and tracker.prq.to
Post by: kubecj on November 21, 2005, 02:00:16 AM
Heh, it seems that setup is trying normal servers on port 80, as seen in the log.
To me it looks like wrong ZA report? (but how can one trust his firewall if it's not able to display the correct ip??)
Title: Re: avast.setup and tracker.prq.to
Post by: alanrf on November 21, 2005, 02:05:25 AM
It occurs to me in reading the thread again that the access to this strange IP address was reported as a DNS lookup on port 53 (standard DNS lookup port).

So Foxabilo, can I suggest that, at a command prompt, you type ipconfig /all and make sure that the questionable IP address does not appear in your list of DNS servers.
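
The resolver check suggested above, as an added example (not part of the original thread): it pulls the DNS servers out of `ipconfig /all` output, including continuation lines, and sorts a firewall alert in the layout pasted earlier by whether its port-53 destination is one of them. Function names and return labels are hypothetical; the samples are excerpts of text posted in this thread plus two constructed alerts.

```python
import ipaddress
import re

# Excerpt of the ipconfig /all output posted in this thread.
IPCONFIG = """\
PPP adapter BT Voyager 100 ADSL Modem Connection:

        IP Address. . . . . . . . . . . . : 86.132.134.199
        Default Gateway . . . . . . . . . : 86.132.134.199
        DNS Servers . . . . . . . . . . . : 62.6.40.178
                                            194.72.0.98
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# Excerpt of the first Zone Alarm entry posted in this thread.
ALERT_FROM_THREAD = """\
Type             Program Access
Program          avast.setup
Source IP
Destination IP   83.140.65.142:53
Action Taken     Blocked
Count            170
Destination DNS  tracker.prq.to
"""

# Constructed entries in the same layout, for comparison.
ALERT_TO_RESOLVER = """\
Program          avast.setup
Destination IP   62.6.40.178:53
Action Taken     Blocked
"""
ALERT_HTTP = """\
Program          avast.setup
Destination IP   67.15.38.62:80
Action Taken     Allowed
"""

DNS_LABEL = re.compile(r"\s*DNS Servers[ .]*:\s*(\S*)")


def dns_servers(ipconfig_text):
    """Return every DNS server listed, across all adapters, in order."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        match = DNS_LABEL.match(line)
        if match:
            candidate, collecting = match.group(1), True
        elif collecting:
            candidate = line.strip()  # extra servers sit alone on later lines
        else:
            continue
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            collecting = False  # next label or blank line ends the list
    return servers


def parse_alert(alert_text):
    """Split 'Label   value' lines into a dict; empty values become ''."""
    fields = {}
    for line in alert_text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if parts[0]:
            fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def classify(alert, resolvers):
    """Sort an alert by its destination port and the configured resolvers."""
    host, _, port = alert.get("Destination IP", "").rpartition(":")
    if not host or not port.isdigit():
        return "unparsed"
    if int(port) != 53:
        return "not-dns"
    # Port 53 to a configured resolver is an ordinary name lookup; blocking
    # it stops the update from resolving its servers. Port 53 to any other
    # address does not match this machine's settings and is worth confirming
    # with a packet capture before trusting the firewall's label.
    return "configured-resolver" if host in resolvers else "unlisted-port-53"


if __name__ == "__main__":
    resolvers = dns_servers(IPCONFIG)
    print("resolvers:", resolvers)
    for text in (ALERT_FROM_THREAD, ALERT_TO_RESOLVER, ALERT_HTTP):
        alert = parse_alert(text)
        print(alert["Destination IP"], "->", classify(alert, resolvers))
```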
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 02:19:09 AM

C:\Documents and Settings\ISK>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : isk-server
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 21:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast
 Ethernet NIC #4
        Physical Address. . . . . . . . . : 00-02-44-2E-FC-2B
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

PPP adapter BT Voyager 100 ADSL Modem Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 86.132.134.199
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 86.132.134.199
        DNS Servers . . . . . . . . . . . : 62.6.40.178
                                            194.72.0.98
        NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\ISK>


All the DNS servers check out as my official ISP's ones
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 02:27:37 AM

C:\Documents and Settings\ISK>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : isk-server
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 21:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast
 Ethernet NIC #4
        Physical Address. . . . . . . . . : 00-02-44-2E-FC-2B
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

PPP adapter BT Voyager 100 ADSL Modem Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 86.132.134.199
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 86.132.134.199
        DNS Servers . . . . . . . . . . . : 62.6.40.178
                                            194.72.0.98
        NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\ISK>


Both DNS addresses check out as official British Telecom DNS's
Title: Re: avast.setup and tracker.prq.to
Post by: alanrf on November 21, 2005, 02:36:21 AM
Well, I'll admit I'm stumped on this one. 

I just did an IP trace of the update function on my system (using Ethereal) and everything being done by avast is completely "proper".
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 02:45:07 AM
It gets stranger!
This is a screeny of the ZA program log with the addresses it thinks Avast is connecting to; look at the random list that's there, googlemail, all sorts :S
(http://img291.imageshack.us/img291/4856/log11bs.jpg)
Title: Re: avast.setup and tracker.prq.to
Post by: alanrf on November 21, 2005, 10:46:12 AM
Foxabilo,

I just use the free ZA firewall (current version) so I am not familiar with this ZA antispyware screen. 

However, I notice with concern that it has blocked perfectly normal DNS lookups to your stated BT DNS servers, 62.6.40.178 & 194.72.0.98 (port 53).

I cannot account for the other entries, but in the above cases ZA has simply prevented avast from doing what it is supposed to do. 

Were this my system I would have to question the effectiveness and value of the ZA antispyware offering currently installed.   

While I certainly would not wish to advise anyone to take risks with their system I again point to the fact that I have run an IP trace against avast update on my system and only seen it perform perfectly safe activity.  There are a few free such trace tools if you care to check (as I mentioned previously I use Ethereal).

Title: Re: avast.setup and tracker.prq.to
Post by: kubecj on November 21, 2005, 11:01:28 AM
From what I see from the log, it seems that ZA blocks even the DNS query for avast servers and (IMO) reports wrongly the last successful DNS query instead.

As an author of the setup thingy I'm quite sure that the setup just loads server urls from servers.def and then tries to connect to them on the standard 80 HTTP port. It has no built-in list of other servers. You should decide if you trust me (or us, the company).

I strongly believe that now all setup/update errors are
a) misconfigured firewall
b) problem with user's rights
c) misconfigured proxy settings (adds with b), when using NTLM authenticated proxies)

The updater is quite a mature part of Avast and most of its real problems were solved many months ago...
Title: Re: avast.setup and tracker.prq.to
Post by: alanrf on November 21, 2005, 11:58:10 AM
Well ... I have to say ... there's someone who is willing to take a stand!

I just decided to try out this ZA combined firewall and antispyware (free 15 day trial - I'm not parting with money for this) to see if I can recreate the problem seen by Foxabilo.

So I downloaded it and selected the "clean install" (ie it uninstalled my current version of ZA free firewall). 

It requested a restart of my system which I allowed.

During restart it asked for permission for avast update to have outbound access, which I allowed.  avast automatic update check at restart completed normally.  I performed a manual update check of avast ... it performed normally.  I removed avast update from ZA programs table.  I tried the update again, it worked (no request by ZA ... avast update appeared in the program table again).  I removed it again ... tried avast update again, it appeared in the table again, I deleted it again ...  you get the picture.  Eventually it stayed deleted (but my typing fingers are an inch shorter) and avast said it could not update, but I never was able to produce the screen that Foxabilo posted. 

However, with this ZA combined firewall/antispyware product installed there was just no way I could get my browser to connect to the internet (I have no proxy configuration). 

I may be an avast evangelist but the best product I ever paid money for is Goback (even though it is now owned by the dreaded Symantec - reaching for crucifixes and garlic). So trusty Goback has restored me within moments back to the point before my adventure with ZA antispyware began.  Big sigh of relief ... that product shall not have disk space on my system anytime soon.

I return my thoughts to the comments by kubecj

While none of us involved in the beta testing reported problems with the update function (and I am one of quite a few users I know of who have upgraded without problems) I am, to say the least, a little surprised that you feel able to dismiss the reports of those who have:

1) simply applied the update to 731
2) find that they cannot successfully update
3) revert to 691 and find their ability to update completely restored

The only way it seems to me that your logic works is if there is some fault or oversight in the process used by avast for installing the update to 731 that has not preserved the user's previous configuration.  I hope I am proved wrong.

Just one more thought.  Given my experience with trying out the ZA firewall/antispyware combination - you just might want to give that product a little more space in your avast regression testing.   
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 12:48:57 PM
Well thank you very much for all your assistance gentlemen, I have decided to allow avast.setup unrestricted access to the internet. I have used Avast since it came out and only recently (last 8 months) used ZoneAlarm Anti Spyware, so I am plumping for it being Zone Alarm going wrong, some zero based index of blocked IPs being accessed by a +1 array as often happens I find with C++ arrays   int myarray[10]; for (i=1;i<10;i++) blah blah you get the picture.

Anyway, it all updates fine if I just choose to ignore the odd IP addresses reported by Zone Alarm
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 21, 2005, 01:55:06 PM
Just a final note to add, if I use autoupdate release 691 no strange IP addresses get logged :| if that's any help, anyways back to coding :) cheers and thanks for all the fish
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on November 21, 2005, 02:29:57 PM
Thanks Foxabilo for your confidence in avast team.
About the autoupdate of version 4.6.691, maybe the interaction with ZA driver has changed... just guessing.
Title: Re: avast.setup and tracker.prq.to
Post by: Foxabilo on November 25, 2005, 01:29:30 PM
Just a heads up chaps,

Not completely sure if it's relevant, but...

I put a problem submission into Zone Alarm anti spyware people and tho they have not contacted me back, a day or so ago I received a Zone Alarm Auto Update after which no more weird avast IPs are listed and in fact all of the program items in my program log are now gone... Hmm me thinks ZA dropped a ball someplace, never mind tho as it's all running fine :)
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on November 25, 2005, 03:04:53 PM
I put a problem submission into Zone Alarm anti spyware people and tho they have not contacted me back
It used to be. A good program with very poor support from the company. ZA is good, ZoneLabs...  :-\

Hmm me thinks ZA dropped a ball someplace, never mind tho as it's all running fine :)
Thanks for posting and making clear what happened  ;)
Title: Re: avast.setup and tracker.prq.to
Post by: timop on October 21, 2006, 05:57:18 PM
I have found this forum after a search about the 88.80.5.21 site

I had traced it back to
role prq Inet NOC
person Per Warg
person Andreas Carsbring

I believe it to be a Trojan that has infiltrated my system. I think it is in many files and has done a back up of the original file so everything runs as normal, except that 88.80.5.21 comes up in my history.

I had no firewall set up (behind a router and thought that was good enough)
I ran McAfee virus scan - did not find it (it was in my history every day) (I pay McAfee for their service)
I also ran Spybot S&D and Lavasoft Adaware - and nothing
Symantec (free Internet check) found the list of many files infected - called it Trojan: Zonebac

I will be reformatting my drive(s) unless I luck out  and hear from someone on a fix.
After repeated attempts to contact McAfee  they have ignored me.

Tim

Title: Re: avast.setup and tracker.prq.to
Post by: timop on October 21, 2006, 05:59:51 PM
I may purchase Zone Alarm - do you think that would also solve my problem?
Title: Re: avast.setup and tracker.prq.to
Post by: Lisandro on October 21, 2006, 11:21:53 PM
I may purchase Zone Alarm - do you think that would also solve my problem?
No, I don't think so.
You can buy ZA but I don't think that because of the free version you should have any problems using avast.
A lot of users have ZA (free) and avast (free).
Title: Re: avast.setup and tracker.prq.to
Post by: buttoni on October 22, 2006, 02:08:13 AM
FWIW, will share similar experience recently, but with Comodo Firewall.  Got similar untoward multiple connections of avast.setup, and other avast files, but also iexplore.exe, ybrowser.exe, servicehost.exe and virtually any programs that had outbound clearance in my firewall!  What I had wasn't picky how it got out.   :)  The correct connections were made, but then additional connections using the same files were also made concurrently!  I struggled with noting IPs & searches on ARIN WHOIS for days trying to figure it all out.  My PC ended up in a PC repair shop.  PC is two trojans lighter and I lost 5-7 lbs. stressing over this!  Rough way to lose weight, though. 

But PC repair shop cleaning them off using Sunbelt CounterSpy & doing Dell PC restore didn't resolve!  Spurious connections persisted per Comodo.  All but two IPs in Amsterdam & France were IPs of well-known U.S. ISPs & telecom data providers.  I found that rather curious.   Like original poster, if I blocked them, I couldn't get onto the net.  If I allowed them, I could, and then immediately killed the connections in Comodo after on-line!  Boy, did THAT ever get to be a nuisance, because new connections popped up (3-7) with every change of web page.   Interesting thing is that Ewido, Avast, Trojan Hunter, A-squared, Adaware, SuperAntispy run in safe mode saw NO INFECTION! 

The repairshop did a second Dell PC Restore (no charge), this time not reinstalling SBC DSL browser software (which he suspected was source of my problems)  but that didn't resolve either.  Connections "wherever" (Ripe.net in Amsterdam was one) piggybacking out on "whatever" (Avast or system files) continued. 

What HAS finally resolved the problem is to get rid of a piece of Dell preinstalled redirecting software called MyWay Search Assistant!  They swear it is not spyware & have denied allegations it tracks web usage for ages.  Since a complete wipe of my HDD was my next step, what did I have to lose?  I went down the registry hive by hive, key by key, line by line and deleted any & all entries for MyWay.  Had long since disabled the Add-on.  I had done Dell Forum's published instructions for manual removal of this pest:

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42328

Yet there were still countless entries scattered all over the registry for MyWay!  Once all registry entries for MyWay were deleted, I rebooted and those connections seem to have stopped.  Now things are connecting to the IPs that are appropriate.  I did have two trojans (if the PC repair shop isn't dishonest), but Dell's pre-installed software (with no remove button in Add/Remove Programs, by the way) didn't make life any easier during the crisis.  Interesting read here on the subject of MyWay removal I'll share for Dell PC owners:

http://www.pcsympathy.com/article1041.html

I only share this in case the user has a Dell pc, he may want to delve deeper.  Not sure they are putting this "crapware" on newer machines, they have had so many complaints from customers about it.  But they were when mine was manufactured/shipped Dec. 2004.