Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ermite67 on November 28, 2007, 02:40:13 PM

Title: concurrent connections limit in avast
Post by: ermite67 on November 28, 2007, 02:40:13 PM
Hi everybody,
I often get a message like this:
"421 concurrent connections limit in avast...".
How can we increase this number of connections ?

Thank you for your reply
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 28, 2007, 03:01:15 PM
Can you post the full text content of the message as it usually details what is using the connections ?

The concurrent connections limit is I think 20 by default so if it is 421 someone has already increased it previously. It can be increased by editing the avast4.ini file [MailScanner] section, add the line MaxConnections=nn (where nn is the numeric value) or edit the existing value. Personally I believe you should look at what is generating these connections rather than simply increasing the value.

[MailScanner]
MaxConnections=20

Are you using a news reader or searcher like NewsLeecher?

Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 28, 2007, 03:57:07 PM
Hi DavidR,

I think 421 is an error code and not a number of connections. The max connection allowed is 20.
There was nothing like "MaxConnection" in the avast4.ini, so I have now written a new line with MaxConnections=40.
I think I must reboot the computer for the new configuration, then I hope tomorrow it's OK...

Thanks
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 28, 2007, 04:36:31 PM
Before you make any changes it is essential to find out why the maxconnections limit is reached, 20 should be more than enough for normal use. That is why I asked for the full text content of the message, which won't be available if you correct the 'symptom' rather than find the disease.

Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 28, 2007, 05:23:48 PM
Hi,

In attachments :
av02.jpg --> full text content message
av01.jpg --> print screen of process explorer, where I don't see 40 services...

MaxConnections is already at 40, without reboot.

Thanks
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 28, 2007, 05:34:28 PM
can you post here rather a screenshot taken from tcpview?
Title: Re: concurrent connections limit in avast
Post by: Lisandro on November 28, 2007, 05:48:12 PM
Depending on which application is doing that, you can edit avast4.ini, find the section [MailScanner], add (or edit) the line IgnoreProcess.

[MailScanner]
IgnoreProcess=mybad.app,ccPxySvc.exe

This is a typical situation where the ignored process option is really useful.
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 28, 2007, 06:22:39 PM
Hi,

In attachments :
av02.jpg --> full text content message
av01.jpg --> print screen of process explorer, where I don't see 40 services...

MaxConnections is already at 40, without reboot.

I think now you can see why we want to find out what is responsible for the connections. It is unusual I would say for services.exe to connect. The TCPview suggested by Maxx should be better.

The possibility is that something is using services.exe rather than it being the guilty party, is there anything in the firewall(?) logs as there would be a parent controlling the child (services.exe) and that would usually require permission.
I suggest that you

@ Tech, I wouldn't suggest exclusion of services.exe (or any other application) until we confirm exactly what it is. The last thing we want is to exclude something which could be malicious.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on November 28, 2007, 06:31:16 PM
@ Tech, I wouldn't suggest exclusion of services.exe (or any other application) until we confirm exactly what it is. The last thing we want is to exclude something which could be malicious.
The first word in my answer...
Depending...
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 28, 2007, 06:33:08 PM
Hi,

Here is a "print screen" from TCPVIEW:
[System Process]:0   TCP   chaintech:12025   localhost:2630   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2527   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2525   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2626   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2526   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2628   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2534   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2542   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2634   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2638   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2522   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2532   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2524   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2546   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2633   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2528   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2629   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2637   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2625   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2545   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2521   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2520   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2544   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2636   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2632   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2640   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2624   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2639   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2627   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2519   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2547   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2635   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2631   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2523   TIME_WAIT   
[System Process]:0   TCP   chaintech:12025   localhost:2543   TIME_WAIT   
alg.exe:2448   TCP   chaintech:1032   chaintech:0   LISTENING   
ashMaiSv.exe:1724   TCP   chaintech:12025   chaintech:0   LISTENING   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2607   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2623   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2598   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2602   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2601   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2596   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2622   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2610   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2594   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2517   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2518   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2515   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2516   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2512   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2600   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2615   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2603   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2529   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2591   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2511   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2599   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2606   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2609   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2597   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2604   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2614   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2593   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2592   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2621   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2619   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2617   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2616   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2618   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2611   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2595   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2612   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2620   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2608   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2613   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12025   localhost:2605   CLOSE_WAIT   
ashMaiSv.exe:1724   TCP   chaintech:12110   chaintech:0   LISTENING   
ashMaiSv.exe:1724   TCP   chaintech:12119   chaintech:0   LISTENING   
ashMaiSv.exe:1724   TCP   chaintech:12143   chaintech:0   LISTENING   
ashMaiSv.exe:1724   TCP   chaintech:2584   imedg1.ichotelsgroup.com:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2585   0.mx.dhha.org:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2586   localhost:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2587   ph07.webhosthk.com:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2588   mx100.012.net.il:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2589   202-177-24-226.kdd.net.hk:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2590   *.s6a1.psmtp.com:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2652   213.168.74.65.static.heraklesdata.net:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2653   server113.appriver.com:smtp   SYN_SENT   
ashMaiSv.exe:1724   TCP   chaintech:2654   smtp.zzr.com:smtp   SYN_SENT   
ashWebSv.exe:1660   TCP   chaintech:12080   chaintech:0   LISTENING   
iexplore.exe:15276   UDP   chaintech:4162   *:*      
lsass.exe:712   UDP   chaintech:4500   *:*      
lsass.exe:712   UDP   chaintech:isakmp   *:*      
services.exe:700   TCP   chaintech:2511   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2512   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2515   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2516   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2517   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2518   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2529   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2591   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2592   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2593   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2594   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2595   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2596   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2597   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2598   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2599   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2600   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2601   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2602   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2603   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2604   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2605   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2606   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2607   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2608   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2609   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2610   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2611   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2612   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2613   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2614   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2615   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2616   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2617   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2618   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2619   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2620   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2621   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2622   localhost:12025   FIN_WAIT2   
services.exe:700   TCP   chaintech:2623   localhost:12025   FIN_WAIT2   
svchost.exe:1008   UDP   chaintech:netbios-dgm   *:*      
svchost.exe:1008   UDP   chaintech:netbios-ns   *:*      
svchost.exe:1008   TCP   chaintech:netbios-ssn   chaintech:0   LISTENING   
svchost.exe:1008   UDP   chaintech:ntp   *:*      
svchost.exe:1008   UDP   chaintech:ntp   *:*      
svchost.exe:1008   UDP   chaintech:ntp   *:*      
svchost.exe:1076   UDP   chaintech:1049   *:*      
svchost.exe:1076   UDP   chaintech:1075   *:*      
svchost.exe:1076   UDP   chaintech:1076   *:*      
svchost.exe:1076   UDP   chaintech:1077   *:*      
svchost.exe:1076   UDP   chaintech:1078   *:*      
svchost.exe:1076   UDP   chaintech:1079   *:*      
svchost.exe:1076   UDP   chaintech:1080   *:*      
svchost.exe:1076   UDP   chaintech:1082   *:*      
svchost.exe:1076   UDP   chaintech:1083   *:*      
svchost.exe:1076   UDP   chaintech:1084   *:*      
svchost.exe:1140   UDP   chaintech:1900   *:*      
svchost.exe:1140   UDP   chaintech:1900   *:*      
svchost.exe:1140   UDP   chaintech:1900   *:*      
svchost.exe:932   TCP   chaintech:epmap   chaintech:0   LISTENING   
System:4   TCP   chaintech:microsoft-ds   chaintech:0   LISTENING   
System:4   UDP   chaintech:microsoft-ds   *:*      
System:4   UDP   chaintech:netbios-dgm   *:*      
System:4   UDP   chaintech:netbios-ns   *:*      
System:4   TCP   chaintech:netbios-ssn   chaintech:0   LISTENING   
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 28, 2007, 06:40:45 PM
@ Tech, I wouldn't suggest exclusion of services.exe (or any other application) until we confirm exactly what it is. The last thing we want is to exclude something which could be malicious.
The first word in my answer...
Depending...

We can see the application that is causing the maxconnection issue, services.exe and that is not something I would expect to connect.

My comments were also for ermite67 as he was very quick off the mark to edit the maxconnection value, which could have stopped us from tracking the problem.

@ ermite67
What is chaintech ?
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 28, 2007, 08:05:14 PM
@DavidR,

chaintech is the name of my computer, and also the lan name.

ALSO, if you remember me, e-mails are continuing to be sent without my authorisation
( Forum title : Outpout mail scanning historic  -  link: http://forum.avast.com/index.php?topic=31537.0)

Help, i need somebody, help...

Title: Re: concurrent connections limit in avast
Post by: DavidR on November 28, 2007, 09:30:46 PM
The emails being sent may well account for the additional connections breaking the limit.

Hopefully Maxx can pick up on the TCPview data.

A bit went missing from my last post so I will post it here:
I suggest that you search your system for services.exe and report the location of any that are found ?
Upload any that are found to VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here.

In your other topic I asked if you had a firewall, which effectively you didn't. Did you ever get around to installing one, and if so, what?
A firewall with outbound checking may stop these unauthorised outbound connections.

If you did get a firewall as I asked in the last post reply #7 is there anything in the logs, etc. Also check the application/program control and see if there is an entry for services.exe, if so block it.

If you are still getting the sending emails I would say get back into the previous topic and activate it again. Try to follow the suggested steps you previously did, etc.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on November 28, 2007, 09:34:14 PM
It won't be bad if you test your computer with on-line scanning:
Kaspersky (http://www.kaspersky.com/virusscanner) (very good detection rates)
ESET NOD32 (http://www.eset.com/onlinescan/)
Trendmicro housecall (http://www.trendmicro.com/hc_intro/default.asp)
AVGas (http://www.ewido.net/en/onlinescan/) (not necessary if you have AVG antispyware installed)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender (http://www.bitdefender.com/scan8/ie.html) (free removal of the malware)
HitmanPro (http://oms.hitmanpro.nl/) (multiple scanners)

If I can suggest, I bet on Kaspersky and BitDefender.
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 29, 2007, 09:25:58 AM
Hello DavidR , Tech,

Services.exe was found on :
c:\Windows\system32
c:\Windows\ServicePackFiles\i386
with same date/time/size (28/08/2004, 0:10, 106 Ko), and all is OK with virustotal.

My firewall is COMODO FIREWALL PRO, installed 2 week ago.

Application/program control: services.exe was fully authorised. I have updated it so that Comodo asks me before use of services.exe.

Now computer is already faster than yesterday :>) COOL

If it is services.exe, why did Avast!, SuperAntispyware, Adaware SE and Spybot find nothing ???

For the Kaspersky online scanner, the installation doesn't work... (see jpg attached).

THANKS FOR ALL

 
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 29, 2007, 09:44:46 AM
services.exe (and svchost.exe) are the generic service dispatchers... if there are so many open ports, you can expect some service to have made this... you can download http://www.microsoft.com/downloads/details.aspx?FamilyID=C055060B-9553-4593-B937-C84881BCA6A5&displaylang=en and run it with the parameter -s to list all services related to services.exe...
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 29, 2007, 10:11:39 AM
Hi,
Tlist are C language files (not exe file)

Kaspersky online scanner : I have uninstalled and reinstall ok. RESULT : nothing found (jpg attached).

Thanks
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 29, 2007, 11:09:25 AM
Hi,
Tlist are C language files (not exe file)

aah, sorry.. i couldn't find the binary :-\... now it's tasklist.exe, you can find it in your win directory... so, run "tasklist /svc > tasks.txt" and put the content of tasks.txt here ;)
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 29, 2007, 02:18:54 PM
Hi Maxx_original,

Tasklist.exe: There is no such program in Windows XP... but only in Windows XP PRO...
It can be downloaded here: http://www.computerhope.com/download/winxp.htm

Here is the result of the command Tasklist /svc :

Image Name                   PID Services                                     
========================= ====== =============================================
System Idle Process            0 N/A                                         
System                         4 N/A                                         
smss.exe                     564 N/A                                         
csrss.exe                    636 N/A                                         
winlogon.exe                 660 N/A                                         
services.exe                 704 Eventlog, PlugPlay                           
lsass.exe                    716 PolicyAgent, ProtectedStorage, SamSs         
svchost.exe                  872 DcomLaunch, TermService                     
svchost.exe                  920 RpcSs                                       
svchost.exe                  996 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,   
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, lanmanserver, lanmanworkstation,   
                                 Netman, Nla, RasMan, Schedule, seclogon,     
                                 SENS, SharedAccess, ShellHWDetection,       
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, wuauserv, WZCSVC           
svchost.exe                 1068 Dnscache                                     
svchost.exe                 1164 LmHosts, SSDPSRV, upnphost, WebClient       
aswUpdSv.exe                1292 aswUpdSv                                     
ashServ.exe                 1340 avast! Antivirus                             
spoolsv.exe                 1544 Spooler                                     
cmdagent.exe                1872 CmdAgent                                     
svchost.exe                 1972 stisvc                                       
explorer.exe                 232 N/A                                         
ashDisp.exe                  764 N/A                                         
mixer.exe                    720 N/A                                         
cpf.exe                     1044 N/A                                         
ctfmon.exe                  1064 N/A                                         
msmsgs.exe                  1092 N/A                                         
SUPERAntiSpyware.exe        1120 N/A                                         
wkcalrem.exe                1260 N/A                                         
ScannerFinder.exe           1280 N/A                                         
ashMaiSv.exe                 760 avast! Mail Scanner                         
ashWebSv.exe                 512 avast! Web Scanner                           
soffice.exe                 1660 N/A                                         
soffice.bin                 1584 N/A                                         
alg.exe                     2328 ALG                                         
IncMail.exe                 3052 N/A                                         
ImApp.exe                   2908 N/A                                         
iexplore.exe                2424 N/A                                         
cmd.exe                     2372 N/A                                         
ntvdm.exe                   3812 N/A                                         
notepad.exe                 5952 N/A                                         
iexplore.exe                7212 N/A                                         
tasklist.exe                1956 N/A                                         
wmiprvse.exe                7520 N/A                                         

Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 29, 2007, 02:41:17 PM
i really don't like your ERSvc http://www.liutilities.com/products/wintaskspro/processlibrary/ersvc/ it's probably the reason of your troubles... can you locate the file ersvc.exe somewhere and send it to www.virustotal.com analysis?
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 29, 2007, 03:46:39 PM
Hi,

I have no ersvc.exe, only DLL files :
c:\windows\system\ersvc.dll
c:\windows\ServicePackFiles\i386\ersvc.dll
with same size / date / time : 23 Ko 20/08/2004 0:09

Result from VIRUSTOTAL website :
-------------------------------
Fichier ersvc.dll reçu le 2007.11.29 15:36:12 (CET)

Antivirus   Version   Dernière mise à jour   Résultat
AhnLab-V3   2007.11.29.0   2007.11.29   -
AntiVir   7.6.0.34   2007.11.29   -
Authentium   4.93.8   2007.11.29   -
Avast   4.7.1074.0   2007.11.28   -
AVG   7.5.0.503   2007.11.29   -
BitDefender   7.2   2007.11.29   -
CAT-QuickHeal   9.00   2007.11.28   -
ClamAV   0.91.2   2007.11.29   -
DrWeb   4.44.0.09170   2007.11.29   -
eSafe   7.0.15.0   2007.11.29   -
eTrust-Vet   31.3.5335   2007.11.29   -
Ewido   4.0   2007.11.29   -
FileAdvisor   1   2007.11.29   -
Fortinet   3.14.0.0   2007.11.29   -
F-Prot   4.4.2.54   2007.11.28   -
F-Secure   6.70.13030.0   2007.11.29   -
Ikarus   T3.1.1.12   2007.11.29   -
Kaspersky   7.0.0.125   2007.11.29   -
McAfee   5173   2007.11.28   -
Microsoft   1.3007   2007.11.29   -
NOD32v2   2693   2007.11.29   -
Norman   5.80.02   2007.11.28   -
Panda   9.0.0.4   2007.11.28   -
Prevx1   V2   2007.11.29   -
Rising   20.20.22.00   2007.11.29   -
Sophos   4.23.0   2007.11.29   -
Sunbelt   2.2.907.0   2007.11.27   -
Symantec   10   2007.11.29   -
TheHacker   6.2.9.144   2007.11.28   -
VBA32   3.12.2.5   2007.11.28   -
VirusBuster   4.3.26:9   2007.11.28   -
Webwasher-Gateway   6.6.2   2007.11.29   -

Information additionnelle
File size: 23040 bytes
MD5: a4661552caeaf05a7cae43431987910c
SHA1: 2c711d9f201e303791bf5b79c878ac4f9a542211

Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 29, 2007, 04:09:28 PM
ook.. then it is the valid ersvc and not the ersvc described under the link... ersvc.dll is microsoft error reporting service, but ersvc.exe is a malware, i guess.. because you don't have it, we can assume, that this is not the point of your problem (i mean the strange count of currently open ports by services.exe)..
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 29, 2007, 04:57:46 PM
COMODO FIREWALL blocks access every 10 seconds ...
For example :

Date/Heure :2007-11-29 16:24:13
Sévérité :Moyen
Report :Gestion des applications
Description: L'accès de l'application a été refusé (services.exe:208.72.168.97: :http(80))
Application: C:\WINDOWS\system32\services.exe
Origine: C:\WINDOWS\system32\winlogon.exe
Protocole: TCP sortant
Destination: 208.72.168.97::http(80)

Date/Heure :2007-11-29 16:24:03
Sévérité :Moyen
Report :Gestion des applications
Description: L'accès de l'application a été refusé (services.exe:208.72.168.151: :http(80))
Application: C:\WINDOWS\system32\services.exe
Origine: C:\WINDOWS\system32\winlogon.exe
Protocole: TCP sortant
Destination: 208.72.168.151::http(80)

Date/Heure :2007-11-29 16:23:53
Sévérité :Moyen
Report :Gestion des applications
Description: L'accès de l'application a été refusé (services.exe:208.72.168.151: :http(80))
Application: C:\WINDOWS\system32\services.exe
Origine: C:\WINDOWS\system32\winlogon.exe
Protocole: TCP sortant
Destination: 208.72.168.151::http(80)

Date/Heure :2007-11-29 16:23:43
Sévérité :Moyen
Report :Gestion des applications
Description: L'accès de l'application a été refusé (services.exe:208.72.168.151: :http(80))
Application: C:\WINDOWS\system32\services.exe
Origine: C:\WINDOWS\system32\winlogon.exe
Protocole: TCP sortant
Destination: 208.72.168.151::http(80)

Date/Heure :2007-11-29 16:23:33
Sévérité :Moyen
Report :Gestion des applications
Description: L'accès de l'application a été refusé (services.exe:208.72.168.151: :http(80))
Application: C:\WINDOWS\system32\services.exe
Origine: C:\WINDOWS\system32\winlogon.exe
Protocole: TCP sortant
Destination: 208.72.168.151::http(80)

Etc, etc, etc...

winlogon.exe is OK with virustotal and all antivirus i have tested...
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 29, 2007, 05:40:12 PM
Well there is something strange going on as I see no reason why the winlogon.exe would want or require internet access and if so why use services.exe to do it.

Also the IP 208.72.168.151 belongs to McColo Corporation (so nothing to do with windows either) as is 208.72.168.97, this has also cropped up before so a forum search for McColo might help.

http://www.google.com/search?q=McColo+Corporation
http://www.webmasterworld.com/forum11/3269.htm

I believe there may well be a rootkit hiding a spambot on your system.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
- AVG Anti-Rootkit - http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5
- F-Secure Blacklight (may not always be available) - http://www.f-secure.com/blacklight
Title: Re: concurrent connections limit in avast
Post by: martosurf on November 29, 2007, 06:51:51 PM
I often open Opera, SeaMonkey and FF2 with several tabs, have Soulseek, uTorrent and eMule running on background, Outlook sitting in the taskbar and Klipfolio 4 with lot of "klips" running; I also run cFosSpeed 4.

What do you say? Do I need to increase the MaxOpenConnections limit?

I already patched the half open connections...

Regards
Title: Re: concurrent connections limit in avast
Post by: Dwarden on November 29, 2007, 07:16:18 PM
uploading that file to VirusTotal and Jotti shows nothing ?
Title: Re: concurrent connections limit in avast
Post by: martosurf on November 29, 2007, 07:27:59 PM
Hi Dwarden

both files were "old-friends" of virustotal -the site stores MD5 hash verification- and they are reported as Trojan / Worm by several vendors.
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 29, 2007, 07:41:09 PM
I often open Opera, SeaMonkey and FF2 with several tabs, have Soulseek, uTorrent and eMule running on background, Outlook sitting in the taskbar and Klipfolio 4 with lot of "klips" running; I also run cFosSpeed 4.

What do you say? Do I need to increase the MaxOpenConnections limit?

I would say no if you aren't experiencing any problems, or 'if it isn't broken don't fix it.'

Also the 'MaxConnections' we are talking about here relate to the MailScanner and not all of your applications would be using those.
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 29, 2007, 07:44:51 PM
Hi Dwarden

both files were "old-friends" of virustotal -the site stores MD5 hash verification- and they are reported as Trojan / Worm by several vendors.

The file name might well be associated with trojan, but a file name is no indication of infection and these file names also have legitimate associations, so you can't make a decision based solely on file names.

Both of the files were uploaded by ermite67 Reply #20 to VT and found not to be infected.
Title: Re: concurrent connections limit in avast
Post by: Dwarden on November 30, 2007, 03:54:43 AM
well let's say if he is infected with unknown mail spamming tool (trojan/rootkit w/e) badware

then it makes sense what this message says as it may create too many concurrent connections to some relay

or something in this sense ...
Title: Re: concurrent connections limit in avast
Post by: alanrf on November 30, 2007, 06:46:01 AM
There is a long history here of winlogon or services appearing to be the process sending spam mail without itself being infected on file. 

I do not have a simple answer but these links seem to indicate that the basics of the activity reported here are not uncommon:

http://vil.nai.com/vil/content/v_137439.htm

http://vil.nai.com/vil/content/v_139593.htm

That is connecting via port 80 to a site to get instructions and mailing list and then generating the resulting spam out via its own built in SMTP engine.

It suggests possibly something running at startup that is able to compromise the winlogon and/or services space without compromising those processes on file (so you can send them to VT until the crack of doom and they will never register anything). 

A HijackThis report might provide some clues.



 
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 09:26:17 AM
alanrf: you're right.. i think that there's some kind of hooker (maybe rootkit), which modifies winlogon after its loading and the physical file is untouched...
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 30, 2007, 09:37:02 AM
Hi,

Panda Anti-rootkit has found a rootkit (c:\windows\system32:xpdt.sys) and cleaned it, but the result is that my computer is infected again: see panda_rootkit.jpg attached.

Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 09:39:04 AM
try to run www.gmer.net instead of panda ;)
Title: Re: concurrent connections limit in avast
Post by: alanrf on November 30, 2007, 10:00:56 AM
In doing a scan I cannot find anything reported about xpdt.sys other than "this a very nasty piece of software".

I have to ask then:

Has the original poster not performed an avast scan?

-or-

Has avast failed the original poster (and the community at large) in not detecting this apparent malware (if Panda can report it - should not avast too)?



Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 30, 2007, 10:48:56 AM
Hi,

@Maxx_original,

Gmer 1.0.13 crashes my computer, which then reboots. I have re-run it and it crashed again...
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 10:58:47 AM
aaargh >:(... it's some kind of protection against gmer i guess..
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 30, 2007, 11:01:51 AM
I have downloaded and am now running Microsoft® Windows® Malicious Software Removal Tool (KB890830).
Wait and see...
Title: Re: concurrent connections limit in avast
Post by: alanrf on November 30, 2007, 11:23:02 AM
Quote
aaargh ... it's some kind of protection against gmer i guess..

Quite possible ... it runs just fine on my system ... but then I do not have xpdt.sys
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 11:30:58 AM
btw: Przemek from GMER already reported xpdt to us and we're detecting it as Costrat... i don't know which variant of xpdt is present on your system, but you should schedule a boot time scan and look for any Costrat references..
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 11:37:10 AM
btw: if you are able to locate the xpdt.sys someway (through cmdline e.g.) we'd be glad to see it... we can report it also to Przemek from GMER to make him able to fix the crash/reboot problem..
Title: Re: concurrent connections limit in avast
Post by: igor on November 30, 2007, 11:38:09 AM
Btw, for avast! to be able to detect and remove the rootkit file (c:\windows\system32:xpdt.sys), the latest beta version is certainly needed.
(I'm not saying it would detect it if the rootkit is active (don't know), but older versions of avast! certainly wouldn't, even if not active.)
Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 30, 2007, 11:56:29 AM
Result of Rustbfix.exe :
================

AVENGER.TXT :
==================================================================================
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mkjrtfkj

*******************

Script file located at: \??\C:\Program Files\hvtts^wx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver xpdt unloaded successfully.
Program D:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.


PELOG.TXT :
==================================================================================

Rustock.b-ADS attached to the System32-folder:
Attempting to remove ADS...

Looking for Rustock.b-files in the System32-folder:
Commande ECHO désactivée.


******************* Post-run Status of system *******************

Rustock.b-driver on the system:
YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:
Commande ECHO désactivée.
You should either run the tool again or consult more advanced tools
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Looking for Rustock.b-files in the System32-folder:
Commande ECHO désactivée.
You should either run the tool again or consult more advanced tools
Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
Gmer rootkit-scanner may be found here: http://www.gmer.net


******************************* End of Logfile ********************************

Title: Re: concurrent connections limit in avast
Post by: ermite67 on November 30, 2007, 07:29:09 PM
Hi,

Result of BitDefender Online Scanner : No virus found

Title: Re: concurrent connections limit in avast
Post by: Lisandro on November 30, 2007, 07:41:08 PM
After installing Comodo v3 firewall, I've started to get the same problem with the following configuration:
Stunnel & avast & Windows Mail & Vista
Until yesterday, I could download and send email (both scanned by avast) without problems.
Now, I get concurrent connections limit exceeded.
Any suggestions?

Computer seems clean.
On XP, same configuration (Stunnel & avast & Outlook Express) works.
By the way, MS Outlook and Thunderbird fail with the same error (127.0.0.1 connection time exceeded).
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on November 30, 2007, 08:44:00 PM
Tech: just a quick test - are you able to run GMER properly?
Title: Re: concurrent connections limit in avast
Post by: DavidR on November 30, 2007, 09:38:46 PM
After installing Comodo v3 firewall, I've started to get the same problem with the following configuration:
Stunnel & avast & Windows Mail & Vista
Until yesterday, I could download and send email (both scanned by avast) without problems.
Now, I get concurrent connections limit exceeded.
Any suggestions?

Yes, post the full text content of the message, as it usually details what is using the connections, as we asked ermite67 to do, so we can find out what is hogging the connections.

Is there anything in comodo 3 that monitors the email traffic, if so that could also contribute.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on November 30, 2007, 10:25:01 PM
Tech: just a quick test - are you able to run GMER properly?
I think so. I'm running it now. But I'm completely n00by about it... Please advise.
I'll send it by email as soon the scanning finishes...

Yes, post the full text content of the message, as it usually details what is using the connections, as we asked ermite67 to do, so we can find out what is hogging the connections.
Here:
Code:
Conta: 'XXXX@gmail.com', Servidor: '127.0.0.1', Protocolo: POP3, Resposta do servidor: '-ERR concurrent connections limit in avast exceeded(pass:1000, processes:?PID4[1000]), there is a collision with another program', Porta: 11110, Segura (SSL): Não, Erro do servidor: 0x800CCC90, Nº do erro: 0x800CCC90
Is there anything in comodo 3 that monitors the email traffic, if so that could also contribute.
I don't think so. Just normal firewall. By the way, I have Defender+ (HIPS) of Comodo disabled.
Title: Re: concurrent connections limit in avast
Post by: martosurf on December 01, 2007, 03:04:12 AM
I often open Opera, SeaMonkey and FF2 with several tabs, have Soulseek, uTorrent and eMule running on background, Outlook sitting in the taskbar and Klipfolio 4 with lot of "klips" running; I also run cFosSpeed 4.

What do you say? Do I need to increase the MaxOpenConnections limit?

I would say no if you aren't experiencing any problems, or 'if it isn't broken don't fix it.'

Also the 'MaxConnections' we are talking about here relate to the MailScanner and not all of your applications would be using those.

Thanks for your reply - didn't see it 8)
Title: Re: concurrent connections limit in avast
Post by: DavidR on December 01, 2007, 03:39:14 AM
You're welcome.
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 01, 2007, 07:09:02 AM
Igor/Maxx,

OK ... expose my lack of knowledge before the world.

If there is a file existing on a system that is called xpdt.sys and it is a known piece of **** (or widely suspected of being so) cannot avast recognize the fact of its existence and warn of it whether it is active or not?

Probably I have misunderstood something about how it would be initiated at startup and yet hidden from the ability of avast to detect its presence on disk ... please help me be more aware.   
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 01, 2007, 11:03:48 AM
we're able to detect xpdt.sys, but there's a trick to hide it... the file is located under the NTFS stream bound to a directory, it's not an ordinary technique... the latest beta version is able to "defeat" this trick, so i guess the boot time scan should work for it..
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 01, 2007, 11:10:32 AM
Maxx

many thanks - so much still to learn for this old head.

But ... this old head also wonders ... were you telling us that GMER might find this in a normal scan and avast will not?
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 01, 2007, 11:25:46 AM
there's a difference between scanning algos and level... GMER detects hooks (system-wide, user mode), hidden processes etc. via ring-0 code in driver... avast engine is running in user mode by default and since some files/processes could be hidden for user mode apps it can't see them... that's the reason, why the rootkits were developed, to hide something.. when running a boot time scan, avast executes the scanner from ring-0 with sufficient access rights etc. and that's a stronger weapon :)
Title: Re: concurrent connections limit in avast
Post by: igor on December 01, 2007, 03:54:23 PM
when running a boot time scan, avast executes the scanner from ring-0 with sufficient access rights etc. and that's a stronger weapon :)

Not true, I'm afraid. The boot-time scanner is an "ordinary" application, running under Local System account. The advantage here is that it's running sooner than the usual applications are started - but my guess is that the rootkit (being a driver) gets loaded even earlier, and it would be hidden from the boot-time scanner as well.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 01, 2007, 05:12:14 PM
Hey, what about my problem with concurrent connections limit in avast ?
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 01, 2007, 05:58:36 PM
hah.. Igor is right, the benefit is something else... thx for correcting me

Tech: i'm working on it... i couldn't do anything more yesterday, cause it was about 1:00 AM, when i got your mail and i needed to get some sleep :).. anyway, i'm in the phase of google searching for system process ID 0 related things..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 01, 2007, 06:38:20 PM
Tech: i'm working on it... i couldn't do anything more yesterday, cause it was about 1:00 AM, when i got your mail and i needed to get some sleep :).. anyway, i'm in the phase of google searching for system process ID 0 related things.
Look, I've configured Outlook plugin and it's scanning and working with GMail, i.e., I have my emails scanned into MS Outlook, but not at Internet Mail provider using Stunnel. If this helps...
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 01, 2007, 06:59:05 PM
Tech: the strange thing is, that the open ports are not initiated by a mail client imho... they are under [System Process]:0 :-\
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 01, 2007, 08:10:27 PM
Tech: the strange thing is, that the open ports are not initiated by a mail client imho... they are under [System Process]:0 :-\
But are they related to the concurrent connections limit in avast or not?
I mean, am I infected or it's a problem on sending emails or what?
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 01, 2007, 08:42:17 PM
i think that the 270 open ports under your [System Process]:0 is the reason of concurrent connections warning... but i can't say where this strange thing got its beginning... i searched through google, but i got no reliable answers yet... so, if anybody knows something, what could cause this, pls post it here..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 01, 2007, 11:02:05 PM
I've terminated the Internet Mail provider, closed all email programs, stop Stunnel service.
When TCPView starts, it still queries for high number ports.
The log is attached.
I'm surprised and curious... what is that?
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 02, 2007, 11:01:18 AM
this is even stranger... <non-existent> process opening tons of ports ???

it looks like some rootkit is there, but the GMER log reported nothing so bad to me :-\
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 02, 2007, 12:34:24 PM
I have been concerned about the post from Tech. 

I think that Tech may have managed to get a nasty little something in his system.  It looks to me like something at startup (or very close to it) and it appears to be (possibly - perhaps thankfully) broken and looping.  The fact that TCPView reports the process name as "<non-existent>" is also of considerable concern - it appears it wants to remain hidden.   

Tech mentioned that this issue appeared close to the implementation of Comodo 3. I am not a Vista user but I have tested earlier today on my XP system loading Comodo 3 to see if I could replicate the problem.  Try as I did I could not create the excessive localhost port 110 connections that appear in Tech's TCPView post.

I do not want to go overboard and I hope there is a much more innocent explanation but a rootkit does seem a possibility.

Perhaps other tools like Panda anti-rootkit and AVG anti-rootkit might be worth trying.  I confess that after reviewing Tech's post today I have downloaded and run both (even after GMER gave me a clean report).

I hope that Tech is a believer in regular system backups.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 12:46:19 PM
I'll try rootkit scanning with AVG, TrendMicro and F-Secure. Panda is not Vista compatible.
I'll try GMER again and avast at boot time.
I don't know what more can I do. No strange behavior of the computer.
It could be Comodo related but, a long time ago, Stunnel & avast had trouble from time to time. Booting and seeing if Google Inc. was blocked by PeerGuardian usually solves the problem.
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 02, 2007, 12:51:43 PM
Silly point perhaps but Tech's avatar is becoming more and more overcome by black dots (flashing about a couple of times a second) as time goes on ... I just rebooted my system thinking it was just me but after a restart even more of the avatar is overtaken by black dots. 

Anyone else seeing the same thing?

This is what I'm seeing
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 02, 2007, 01:34:09 PM
Sorry for the interruption on the avatars ... it was only on Firefox, not on my (rarely used) IE7. 

I brought up another system and there was no problem there.  I noticed that every time I restarted Firefox then the masking of Tech's avatar changed.  I also noticed that some other animated avatars in the forum changed today ... rejzor has got the (non-animated) Christmas spirit, avatar2005's animated avatar has disappeared. 

So, I cleared my cache on Firefox and now Tech is dripping his leaves as pristine as ever (I'm glad to say - nice one Tech!).
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 07:25:15 PM
alanrf, any clue about my real problem?
AVG, TrendMicro and F-Secure antirootkits came back clean...
Panda is not Vista compatible...
Running TCPView without being connected, few lines appear, not the long list of strange connections.
I'm lost. I can't be sure this is Comodo related as I never tested TCPView on Vista before.
I hate mysteries...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 07:38:45 PM
I've downloaded emails by MS Outlook. TCPView stripped.
The TCPView stay clean until I've opened the Windows Mail.
Then tons of [SystemProcess]:0 appeared, most of them from port 12110 to localhost:high ports.

I set Stunnel for 11110 and not 121110.
I've closed Windows Mail. Open TCPView again, clean.

It's Windows Mail + Internet Mail provider, for sure.
If I ignore local communication of the Internet Mail provider, i.e., do not scan, open Windows Mail, I can receive email and TCPView is clean.

Something is different with Internet Mail provider & Comodo & Stunnel & Vista.
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 02, 2007, 07:42:24 PM
Tech: can you discuss this with your local MS tech support? it looks really strange that Windows mail causes the huge port usage from [SystemProcess]:0 ???
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 07:46:43 PM
Tech: can you discuss this with your local MS tech support? it looks really strange that Windows mail causes the huge port usage from [SystemProcess]:0 ???
You know they won't tell me anything... They won't debug, it's just a loss of time...
MS Support will say it's my computer, my configuration, will say that I need to restore to manufacturer configurations and so on...

I'm quite sure it's Windows Mail... but the problem only occur when I uncheck ignore local communication in avast Internet Mail provider. They will say the problem is with you...

Using only Windows Mail, no problem...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 07:52:45 PM
Just to say that MS support is slightly better than Symantec... but not that much...
I won't have patience even to explain... they will start telling me to boot the computer ;D
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 02, 2007, 07:57:47 PM
ook, thanks God, you're (probably) not infected with the strangest rootkit ever :P... anyway, there still remains the question what's the point of this strange behavior.. is it some conflict between Windows mail and Comodo? or is it a headache by MS? ;D
Title: Re: concurrent connections limit in avast
Post by: Dwarden on December 02, 2007, 08:05:22 PM
little suggestion ... can you try run some packet sniffer ?

e.g. Wireshark http://www.wireshark.org

or SmartSniff http://www.nirsoft.net/utils/smsniff.html

and take look on the traffic ? :)
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 09:25:23 PM
little suggestion ... can you try run some packet sniffer ?
How do they work? What should I do?

ook, thanks God, you're (probably) not infected with the strangest rootkit ever :P... anyway, there still remains the question what's the point of this strange behavior.. is it some conflict between Windows mail and Comodo? or is it a headache by MS? ;D
Maxx, do not laugh... it could be Internet Mail provider and the problem is on avast and not on Comodo...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 09:58:04 PM
Is there a way to dump Internet Mail provider?
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 02, 2007, 10:20:18 PM
As for testing with Wireshark ... I use Wireshark and it may be I do not configure the options correctly but I never see localhost traffic captured by it - perhaps Igor has fuller advice.

Tech, I based my comments on you saying that you had terminated the Internet Mail provider and you still got the ports opening. When I was testing with Comodo I was particularly looking for some conflict between it and avast in the handling of the port 110 intercepts and I did not find any. 

Do the ports still show in TCPView if you permanently terminate the Internet Mail provider and restart?

Have you considered (temporarily) uninstalling avast completely and seeing if the multiple ports continue to open?
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 10:29:04 PM
Tech, I based my comments on you saying that you had terminated the Internet Mail provider and you still got the ports opening.
No, if I said this, I was wrong.
Terminating the Internet Mail provider (so avast won't scan), the Windows Mail download the emails without they have been scanned AND the ports AREN'T being opened.

Do the ports still show in TCPView if you permanently terminate the Internet Mail provider and restart?
Not even necessary to do this. Just terminating the provider, opening Windows Mail and the ports aren't being opened.

Have you considered (temporarily) uninstalling avast completely and seeing if the multiple ports continue to open?
I think it's not necessary. Just terminating the provider I have the same results.
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 02, 2007, 10:50:49 PM
Let's see ... running out of ideas ...

you said the problem appeared close to installing Comodo 3.  Have you tried completely removing it just to exclude it from the problem?

Did you make any changes to the Windows Mail or STunnel configuration?
Is the k9filter involved in the proxy chaining for your Windows Mail?
Which ports do you have the Internet Mail provider set up to intercept?

The last set of questions are just because I was wondering if you might have accidentally set avast scanning into a loop.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 02, 2007, 10:59:03 PM
you said the problem appeared close to installing Comodo 3.  Have you tried completely removing it just to exclude it from the problem?
It happened before. But generally it was due to Gmail ips being blocked by PeerGuardian.
Some boots and things get back to normal.
After installing Comodo, I got it work once I suppose... nothing more.
I'm afraid to uninstall Comodo as it gave me a lot of work to get it working...

Did you make any changes to the Windows Mail or STunnel configuration?
No.

Is the k9filter involved in the proxy chaining for your Windows Mail?
It shouldn't. Only on http traffic. It was working all the time, both on Vista and XP.

Which ports do you have the Internet Mail provider set up to intercept?
110,11110,120
The spamihilator at 120 is disabled and not being used.

The last set of questions are just because I was wondering if you might have accidentally set avast scanning into a loop.
Ask as much as you need to help me. Thanks.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 03, 2007, 07:43:50 PM
Bump...
Alwil team... don't let me alone...
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 03, 2007, 10:20:49 PM
Tech: you can try to run TDIMon (Sysinternals ->MS) to watch the network activity... it can show us more maybe (about the ports usage - if they are open for listening only or accepting some traffic)..
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 04, 2007, 12:16:43 AM
Maxx,

TDIMon might, I guess, work better with avast in Vista than it does in XP.  Other users and I reported problems using avast and TDIMon together in the past (including blue screens) and there never seemed to be any resolution.

http://forum.avast.com/index.php?topic=18875.0
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 04, 2007, 01:23:03 AM
Tech: you can try to run TDIMon (Sysinternals ->MS) to watch the network activity... it can show us more maybe (about the ports usage - if they are open for listening only or accepting some traffic)..
Now I'm at XP. I'll do it tomorrow afternoon, probably...
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 06, 2007, 10:19:21 AM
Tech: any news here? we guessed, that's some conflict with Comodo (not necessarily between Comodo and Avast!), but we're not sure... you can contact lukor (he's a net guru 8)) and ask him for some useful tips, if you want..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 06, 2007, 12:59:00 PM
Maxx,

TDIMon might, I guess, work better with avast in Vista than it does in XP.  Other users and I reported problems using avast and TDIMon together in the past (including blue screens) and there never seemed to be any resolution.

http://forum.avast.com/index.php?topic=18875.0
I'm not finding it for download.
On Microsoft/Sysinternals site I get:
Quote
We're sorry, but the page you requested could not be found. You might want to try another entry or use the links on this page.

For instance: http://forum.sysinternals.com/forum_posts.asp?TID=11879
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 06, 2007, 01:10:00 PM
am i right, when i assume, that all the troubles came up after Comodo upgrade? have you tried some experiments with turning it off (completely, with its driver) and check your mails? you can look then to TCPView, if there are still the strange ports open..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 06, 2007, 07:36:33 PM
am i right, when i assume, that all the troubles came up after Comodo upgrade?
Not completely.
I have had 'concurrent connections limit in avast' some other times before. Some of them were due to PeerGuardian blocking the Google Inc. ip's. Other times, it wasn't the problem. Maybe Internet Mail provider or Spamihilator?
Now, I'm not using Spamihilator in Vista anymore.
Also, it wasn't a Comodo upgrade but the first installation of version 3 that worked in my computer.
But it could be the Comodo network driver which is messing everything up, it could...

have you tried some experiments with turning it off (completely, with its driver) and check your mails?
What do you mean by turning off the driver? Use Autoruns for instance and disabling them (and booting)?

can look then to TCPView, if there are still the strange ports open.
I'll try it...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 06, 2007, 08:31:57 PM
Maxx, could it be related to loopback?
http://forum.avast.com/index.php?topic=23287.msg192307#msg192307
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 06, 2007, 09:54:32 PM
When, as part of investigating this issue, I installed Comodo 3 (on XP however) in training mode it recognized loopback use and I had no problems with the Internet Mail provider. 

Tech - are you still working on Vista (where you already told us you would be very reluctant to uninstall Comodo because of the effort to get it working) or are you now back on XP?
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 06, 2007, 10:51:28 PM
Tech: it's a question for lukor, i think... and about the Comodo experiments - i meant the stopping of its service (it should unload all related drivers until next service start hopefully)...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 07, 2007, 01:27:03 PM
Tech: it's a question for lukor, i think... and about the Comodo experiments - i meant the stopping of its service (it should unload all related drivers until next service start hopefully)...
I can't stop its service. It's not allowed. Maybe a security point...
Disabling the firewall, I get:
Code:
Conta: 'xxxx@gmail.com', Servidor: '127.0.0.1', Protocolo: POP3, Resposta do servidor: '-ERR concurrent connections limit in avast exceeded(pass:50, processes:?PID4[50]), there is a collision with another program', Porta: 11110, Segura (SSL): Não, Erro do servidor: 0x800CCC90, Nº do erro: 0x800CCC90
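
The two server responses posted in this thread (the one with pass:1000 and the one above with pass:50) can be picked apart mechanically to see which process holds the connections before anyone raises MaxConnections. This is an added example, not part of the original posts and not avast code: the reading of `pass:` as the reported figure and of `?PID4[50]` as "unnamed process, PID, connection count" is an assumption inferred from those two messages, and every function name is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpts of the two Windows Mail error lines quoted in this thread; only the
# server-response and port fields are kept.
THREAD_LINES = [
    "Resposta do servidor: '-ERR concurrent connections limit in avast exceeded"
    "(pass:1000, processes:?PID4[1000]), there is a collision with another program', Porta: 11110",
    "Resposta do servidor: '-ERR concurrent connections limit in avast exceeded"
    "(pass:50, processes:?PID4[50]), there is a collision with another program', Porta: 11110",
]

LIMIT_RE = re.compile(r"concurrent connections limit in avast exceeded\(([^)]*)\)")
PASS_RE = re.compile(r"\bpass:(\d+)")
# Assumed entry layout, inferred from the messages above: <name or ?>PID<pid>[<count>]
HOLDER_RE = re.compile(r"(?P<name>[^\s,:\[\]]*?)PID(?P<pid>\d+)\[(?P<count>\d+)\]")
PORT_RE = re.compile(r"Porta:\s*(\d+)")

# Fixed process IDs on Windows XP and later.
SYSTEM_PIDS = {0: "System Idle Process", 4: "System"}


@dataclass
class Holder:
    name: Optional[str]  # None when the message printed "?" instead of a name
    pid: int
    connections: int


@dataclass
class LimitReport:
    reported: Optional[int]  # the number after "pass:"
    holders: List[Holder]
    port: Optional[int]      # local port the mail client was talking to


def parse_limit_error(line: str) -> Optional[LimitReport]:
    """Extract the per-process detail from a mail client error line, or None."""
    match = LIMIT_RE.search(line)
    if not match:
        return None
    detail = match.group(1)
    reported = PASS_RE.search(detail)
    holders = []
    for entry in HOLDER_RE.finditer(detail.partition("processes:")[2]):
        name = entry.group("name")
        holders.append(Holder(None if name in ("", "?") else name,
                              int(entry.group("pid")), int(entry.group("count"))))
    port = PORT_RE.search(line)
    return LimitReport(int(reported.group(1)) if reported else None, holders,
                       int(port.group(1)) if port else None)


def kind(holder: Holder) -> str:
    """Classify who owns the connections: 'system', 'unnamed' or 'named'."""
    if holder.pid in SYSTEM_PIDS:
        return "system"
    return "unnamed" if holder.name is None else "named"


def triage(report: LimitReport) -> List[str]:
    """One hint per holder, largest connection count first."""
    notes = []
    for h in sorted(report.holders, key=lambda x: x.connections, reverse=True):
        if kind(h) == "system":
            notes.append(f"PID {h.pid} ({SYSTEM_PIDS[h.pid]}) holds {h.connections} connections: "
                         "not a user-mode mail client, so check drivers, filters and local proxies")
        elif kind(h) == "unnamed":
            notes.append(f"PID {h.pid} holds {h.connections} connections but has no name: "
                         "resolve the PID while the process is still running")
        else:
            notes.append(f"{h.name} (PID {h.pid}) holds {h.connections} connections: "
                         "review this program's mail traffic")
    return notes


if __name__ == "__main__":
    for line in THREAD_LINES:
        report = parse_limit_error(line)
        print(f"port {report.port}, reported {report.reported}")
        for note in triage(report):
            print("  " + note)
```
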
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 07, 2007, 01:35:24 PM
Conta: 'xxxx@gmail.com', Servidor: '127.0.0.1', Protocolo: POP3

something is wrong with your settings, i guess... localhost isn't a POP3 server of gmail ???
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 07, 2007, 01:41:23 PM
Conta: 'xxxx@gmail.com', Servidor: '127.0.0.1', Protocolo: POP3

something is wrong with your settings, i guess... localhost isn't a POP3 server of gmail ???
Hey, the account name was edited. The correct is on my Windows Mail.
To use GMail and avast, due to an avast Internet Mail provider limitation on scanning SSL connections (which does not occur with Outlook provider), I need to use Stunnel/OpenSSL with localhost.
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 07, 2007, 01:54:22 PM
ooh, i can see it now ;)... so the problem is maybe caused by the collision between Stunnel and OSS (other security software)... let's imagine a situation: STunnel opens a port on localhost for redirected SMTP/POP3 traffic... OSS notifies it and sets own hooks etc on it... Stunnel then tries to close the port, but it fails because of the port usage by OSS... within next attempt to connect somewhere Stunnel opens new port, cause the last one used wasn't closed properly... and this happens until avast detects too many ports open.. what do you think about it?
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 07, 2007, 06:18:23 PM
ooh, i can see it now ;)... so the problem is maybe caused by the collision between Stunnel and OSS (other security software)... let's imagine a situation: STunnel opens a port on localhost for redirected SMTP/POP3 traffic... OSS notifies it and sets own hooks etc on it... Stunnel then tries to close the port, but it fails because of the port usage by OSS... within next attempt to connect somewhere Stunnel opens new port, cause the last one used wasn't closed properly... and this happens until avast detects too many ports open.. what do you think about it?
Perfect, just that in my case, OSS means: avast or Comodo.
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 07, 2007, 10:26:37 PM
Maxx,

Tech's set up is very simple ...

Email client makes a POP call using localhost port 11110 <---> Stunnel listening @ 11110 <---> GMail @ port 995 (SSL)

avast is told in the IM provider to intercept localhost port 11110 so that the mail may be scanned.

Common setup used by many here.

Tech,

Just as a test, how about leaving the IM provider running but removing 11110 from the avast redirected ports?

If there is no problem with receiving the mail with port 11110 removed from redirection and there is with it added to redirection then I think the avast team will have some more explaining to do.

Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 07, 2007, 11:26:26 PM
Maxx, Tech's set up is very simple ... Email client makes a POP call using localhost port 11110 <---> Stunnel listening @ 11110 <---> GMail @ port 995 (SSL) avast is told in the IM provider to intercept localhost port 11110 so that the mail may be scanned. Common setup used by many here.
Thanks Alanrf for putting it in simple words... I wouldn't be able to make it better.

Tech, Just as a test, how about leaving the IM provider running but removing 11110 from the avast redirected ports?
Wow... This is very *new* for me... I'm not following. I'll try when I turn on my Vista.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 08, 2007, 12:17:06 PM
Testing:

1. Disabling Comodo service, removing startup items (and so, receiving a warning that the firewall is not active for Windows Security Center), Windows Mail gets the same error.

2. Disabling IM provider, with Comodo disabled also, same error.

Lukas could be my hero if he could help me...
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 08, 2007, 03:17:51 PM
Uninstalling Comodo does not help...  :'(
I've restored my system to a secure point.
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 09, 2007, 12:32:22 PM
Tech: i'll try to ask someone with Vista to replicate your problem... you can confirm (i guess), that it's hard to solve problems which we can't "touch"..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 09, 2007, 12:57:50 PM
Tech: i'll try to ask someone with Vista to replicate your problem... you can confirm (i guess), that it's hard to solve problems which we can't "touch"..
Right now, I'm empty... maybe logging Internet Mail provider... I'll do that until Lukas or Vojtech could help me.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 09, 2007, 01:39:04 PM
This is my [MailScanner] section of avast4.ini file. I've added stunnel.exe to the exclusion list of scanned processes but it does not help.

PopRedirectPort=110,11110,120
SmtpRedirectPort=25,11025
ImapRedirectPort=143
NntpRedirectPort=119
IgnoreAddress=
IgnoreLocalhost=0
AutoRedirect=1
StartPop=1
StartSmtp=1
StartImap=1
StartNntp=1
ShowTrayIcon=1
DefaultPopServer=pop.gmail.com
DefaultSmtpServer=smtp.gmail.com
DefaultImapServer=
DefaultNntpServer=
UseDefaultSmtp=0
ShowTrayIcon=0
Log=20
MaxConnections=50
PassThrough=0
Trust=127.0.0.1
UseAlternateRtfSyncing=1
StartSmtp=1
StartPop=1
StartImap=1
StartNntp=1
AutoSetProtection=0
TranslateAddress=0
OptinProcess=
IgnoreProcess=mailwasher.exe,ashChest.exe,spamihilator.exe,javaw.exe,utorrent.exe,magic.exe,stunnel.exe
SendInBlockingMode=1

Same error:
Conta: 'xxxx@gmail.com', Servidor: '127.0.0.1', Protocolo: POP3, Resposta do servidor: '-ERR concurrent connections limit in avast exceeded(pass:50, processes:?PID4[50]), there is a collision with another program', Porta: 11110, Segura (SSL): Não, Erro do servidor: 0x800CCC90, Nº do erro: 0x800CCC90
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 09, 2007, 01:50:17 PM
The log is enormous...

12/09/07 10:29:20 000009BC:   POP accept connection from: 127.0.0.1
12/09/07 10:29:21 000009BC:   Connection handler: 00001B54 (584)
12/09/07 10:29:23 00001B54:   Ignored PIDs: 4088 4012
12/09/07 10:29:23 00001B54:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.60:80 204.58.27.58:80 204.58.27.57:80 204.58.27.51:80 204.58.27.50:80 204.58.27.49:80 204.58.27.43:80 204.58.27.42:80 204.58.27.41:80 204.58.27.35:80 204.58.27.34:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 75.126.149.157:119 70.86.176.98:119 212.26.219.158:119
12/09/07 10:29:23 00001B54:   Ignored Processes: stunnel.exe magic.exe javaw.exe spamihilator.ex ashChest.exe mailwasher.exe avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
12/09/07 10:29:23 00001B54:   --POP command REDIRECT 127.0.0.1:11110 4
12/09/07 10:29:23 00001B54:   OpenProcess error 5
12/09/07 10:29:23 00001B54:   RtlQueryProcessDebugInformation error -1073741790
12/09/07 10:29:23 00001B54:   Connected to POP server 127.0.0.1 11110 (652)

Then it repeats for...

12/09/07 10:29:23 000009BC:   Connection handler: 0000097C (592)
12/09/07 10:29:23 000009BC:   Connection handler: 000019B8 (616)
12/09/07 10:29:23 000009BC:   Connection handler: 00001FF0 (596)

and so on... logs change to a structure like this:

12/09/07 10:29:27 00000E6C:   <-POP -ERR concurrent connections limit in avast exceeded(pass:0, processes:?PID4[50])
12/09/07 10:29:27 00000E6C:   sent 82 (1568)
12/09/07 10:29:27 00000E6C:   connection closed 0 (1580)
12/09/07 10:29:27 00000E6C:   --POP Finishing connection handler
12/09/07 10:29:27 00001374:   received 82 (1560)

and repeats for thousands of lines...

12/09/07 10:29:27 00001374:   <-POP -ERR concurrent connections limit in avast exceeded(pass:1, processes:?PID4[50])
12/09/07 10:29:27 00001374:   sent 82 (1548)
12/09/07 10:29:27 00001374:   connection closed 0 (1560)
12/09/07 10:29:27 00001374:   --POP Finishing connection handler
12/09/07 10:29:27 000018E4:   received 82 (1540)

changing just the port numbers...

I can send the full log by email if anybody from Alwil needs them.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 10, 2007, 09:45:37 PM
Any help?  :'( :'(
Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:05:56 PM
Hi Tech,
what is happening on your computer is, that some software installed (be it Comodo or other security or network related software) is changing the process from which the connections are established.

We have seen such behavior in several firewalls, it usually occurs when the firewall is unable to decide if the connection is valid or not and postpones it until it has more information. Later (and that may be after a millisecond or hundreds of them) it resumes the connection request (but this time the OS might be already executing any other process in the system - or if the firewall is scheduling the connection in a certain way the OS is running in its own process -- the SYSTEM process with PID=4).

This is the whole reason why Ignored processes were "invented" in avast! :-)

Now it remains to identify who is responsible for this.

Since Tech sort of hijacked this thread (  :P sorry Tech ) I have lost track if the original poster was successful with removing his rootkit - but in that case it was fairly easy - the rootkit was the cause of the problems there.

Tech, do you have Comodo still installed or is it already uninstalled?
What about Hijackthis log? Does it show anything suspicious?

Any rootkit? Gmer does not show anything?

Run Process Explorer and show us the list of loaded DLLs in the Internet Mail process. Anything not signed by Microsoft there ?

Lukas
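A triage script for the Internet Mail log excerpt posted above, added here as an example (it is not avast's or any poster's code). It assumes the trailing number on the REDIRECT line is the PID avast attributed the call to and that `PIDn[m]` means m connections blamed on PID n; the sample lines are a shortened, constructed copy of the posted log.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the log lines quoted in the thread.
SAMPLE_LOG = """\
12/09/07 10:29:20 000009BC:   POP accept connection from: 127.0.0.1
12/09/07 10:29:21 000009BC:   Connection handler: 00001B54 (584)
12/09/07 10:29:23 00001B54:   --POP command REDIRECT 127.0.0.1:11110 4
12/09/07 10:29:23 00001B54:   OpenProcess error 5
12/09/07 10:29:23 00001B54:   RtlQueryProcessDebugInformation error -1073741790
12/09/07 10:29:23 00001B54:   Connected to POP server 127.0.0.1 11110 (652)
12/09/07 10:29:23 000009BC:   Connection handler: 0000097C (592)
12/09/07 10:29:23 000009BC:   Connection handler: 000019B8 (616)
12/09/07 10:29:27 00000E6C:   <-POP -ERR concurrent connections limit in avast exceeded(pass:0, processes:?PID4[50])
12/09/07 10:29:27 00001374:   <-POP -ERR concurrent connections limit in avast exceeded(pass:1, processes:?PID4[50])
"""

LINE = re.compile(r"^\S+ \S+ [0-9A-Fa-f]{8}:\s+(.*)$")
REDIRECT = re.compile(r"^--POP command REDIRECT (\S+):(\d+) (\d+)$")
LIMIT = re.compile(r"limit in avast exceeded\(pass:\d+, processes:\?PID(\d+)\[(\d+)\]\)")
API_ERROR = re.compile(r"^(\w+) error (-?\d+)$")

# Both codes mean "access denied": Win32 error 5 and NTSTATUS 0xC0000022.
KNOWN_CODES = {0x00000005: "ERROR_ACCESS_DENIED", 0xC0000022: "STATUS_ACCESS_DENIED"}
SYSTEM_PID = 4  # the SYSTEM process, as lukor notes


def triage(log_text):
    """Summarise one Internet Mail log and flag the redirect-loop signature."""
    out = {"handlers": 0, "redirects": [], "limit_hits": Counter(), "api_errors": []}
    for raw in log_text.splitlines():
        line = LINE.match(raw.rstrip())
        if not line:
            continue
        msg = line.group(1)
        redirect, limit, err = REDIRECT.match(msg), LIMIT.search(msg), API_ERROR.match(msg)
        if msg.startswith("Connection handler:"):
            out["handlers"] += 1
        elif redirect:
            # Assumption: the trailing number is the PID avast attributed the call to.
            out["redirects"].append(
                (redirect.group(1), int(redirect.group(2)), int(redirect.group(3))))
        elif limit:
            out["limit_hits"][int(limit.group(1))] += 1
        elif err:
            code = int(err.group(2)) & 0xFFFFFFFF  # signed 32-bit -> unsigned
            out["api_errors"].append(
                (err.group(1), "0x%08X" % code, KNOWN_CODES.get(code, "unknown")))
    # Loop signature: a loopback redirect attributed to SYSTEM, plus limit errors
    # that blame the same PID instead of a real mail client.
    out["loop_suspected"] = (
        any(host.startswith("127.") and pid == SYSTEM_PID for host, _, pid in out["redirects"])
        and out["limit_hits"][SYSTEM_PID] > 0
    )
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The decoded errors show why the log cannot name the offending program: both the Win32 and the native call were denied access to the SYSTEM process, so only the PID is reported.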
Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:12:03 PM


2. Disabling IM provider, with Comodo disabled also, same error.


Tech, this is somewhat strange. Are you suggesting that the "Concurrent connections limit is exceeded" error, which is generated by the Internet Mail provider in avast! is returned even when the Internet Mail provider is terminated???
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 10, 2007, 10:26:16 PM
Tech, this is somewhat strange. Are you suggesting that the "Concurrent connections limit is exceeded" error, which is generated by the Internet Mail provider in avast! is returned even when the Internet Mail provider is terminated???
IM provider is not Internet Mail but Instant Messaging ;)
The suggestion was made by alanrf.

Since Tech sort of hijacked this thread
Sorry me...

Tech, do you have Comodo still installed or is it already uninstalled?
It is installed and running.

What about Hijackthis log? Does it show anything suspicious?
I'll do it later. But I'm quite sure I'm clean.

Any rootkit? Gmer does not show anything?
Maxx has already checked it. I'm clean for GMer.

Run Process Explorer and show us the list of loaded DLLs in the Internet Mail process. Anything not signed by Microsoft there ?
I'll take a look later, maybe tonight... Thanks.
Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:29:45 PM
Tech,
I also believe your computer should be clean. However in this case, the most probable reason is the Comodo itself :( You are using the latest version (3.0) if I am not mistaken, aren't you? I'll try to search the comodo forum for similar errors.

L.
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 10, 2007, 10:38:26 PM
only some "legal" hooks from Comodo driver were there.
Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:39:58 PM
Tech,
can you send me the log file from Internet Mail provider ? (maybe zipped, if it is really that huge) I'll have a look at it - perhaps I might be able to spot the very first connection, if it has in any way different "signature".
Thanks.
Lukas

Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:43:53 PM
only some "legal" hooks from Comodo driver were there.

If it is Comodo who is scheduling the connection to the system process - it is, I must admit, legal to do so. Firewall can do that, and we may say that if it does that in every one of its configurations it is simply not compatible with our redirect system -- simply because we have no means of identifying the connections that should and that should not be redirected....

On the other hand, if Comodo would do this on every installation we would have already heard about that problem before ... so it must be something special.
Title: Re: concurrent connections limit in avast
Post by: lukor on December 10, 2007, 10:48:42 PM
As for testing with Wireshark ... I use Wireshark and it may be I do not configure the options correctly but I never see localhost traffic captured by it - perhaps Igor has fuller advice.

Wireshark does not see localhost -- only real packets arriving on the network adapter. (but virtual adapters should work as well - e.g. vmware's)
Title: Re: concurrent connections limit in avast
Post by: Maxx_original on December 10, 2007, 11:02:46 PM
Tech: can you post a current GMER log as attachment (or to lukor's mail) to let him see, which functions are hooked (and how)? i'm home now and don't have the previous log here..
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 11, 2007, 11:33:15 AM
You are using the latest version (3.0)
Yes. On Vista Business 32bits.

can you send me the log file from Internet Mail provider ?
I'll do it.

Tech: can you post a current GMER log as attachment (or to lukor's mail) to let him see, which functions are hooked (and how)? i'm home now and don't have the previous log here..
I'll do it too.
Title: Re: concurrent connections limit in avast
Post by: lukor on December 12, 2007, 01:18:28 PM
Tech, please see your email. I was able to reproduce the problem here, and I have a short modification in the startup order of aswrdr.sys (via registry) that seems to help here. Can you please test it?

Cheers,
Lukas

regfile.reg:
-----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr]
"Start"=dword:00000003
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 12, 2007, 01:34:11 PM
Tech, please see your email. I was able to reproduce the problem here, and I have a short modification in the startup order of aswrdr.sys (via registry) that seems to help here. Can you please test it?

Cheers,
Lukas

regfile.reg:
-----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr]
"Start"=dword:00000003

I'm about to uninstall Comodo. Do I do this first (before)?
Title: Re: concurrent connections limit in avast
Post by: lukor on December 12, 2007, 01:36:50 PM
Please test it, it takes you just one restart. It helps on my machine.
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 12, 2007, 06:26:54 PM
Please test it, it takes you just one restart. It helps on my machine.
Why do we, users, hate to restart? ;D
It did the trick. Solved. I could use Windows Mail & Gmail & avast & Stunnel & Comodo.
Lukas, you've got the day, my hero :)
Title: Re: concurrent connections limit in avast
Post by: DavidR on December 12, 2007, 06:32:36 PM
@ lukor
Now we know that works or appears to, exactly what does it do ?

Is it only something that happens with comodo firewall installed or possibly other applications ?

Finally will this registry fix be done in a VPS update or will it need to be added to the next program update ?
Title: Re: concurrent connections limit in avast
Post by: lukor on December 12, 2007, 07:28:24 PM
DavidR,
this registry change just instructed aswrdr.sys to load as late as possible. The motivation here is to load AFTER any firewall (Comodo) drivers. TDI filters in this case load one upon the other, so the last one which loads is on top. When an application makes a network call (like connect()) aswrdr would be the first to process the request. (on the other hand, when data are received from the network - it would be the last to see them, but as aswrdr does not care for data it does not matter here).

Being on top, the first to see the call, aswrdr.sys has the chance to spot the correct calling process (Windows Mail and Internet Mail Scanner in this case) before Comodo makes its processing, which is necessary to prevent the looping. This is also how it is implemented in WinXP and lower, but it is at the same time against Microsoft recommendation for TDI drivers on Vista - they have even phoned us to implement it the other way. So, I don't know if it should be made the default or not - more testing is probably needed. We have another driver (network shield) loaded which adheres to the MS recommendations and as I understand that this should be enough to initiate TDI network stack in the correct way.

Let's see how it will behave  ;D and what will Vlk's opinion be on the possible change.
L.
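A toy model of the load-order effect lukor describes, added here as an illustration (it is not avast or Comodo code). It assumes the firewall resumes every connect in the SYSTEM context and that the redirector only recognises its own scanner by PID; the client and scanner PIDs are constructed, while the port list and limit come from the avast4.ini posted earlier.

```python
from collections import Counter

SYSTEM_PID = 4            # SYSTEM process, per lukor's earlier post
MAIL_CLIENT_PID = 3000    # constructed value
SCANNER_PID = 2492        # constructed value: avast's mail scanner process
REDIRECT_PORTS = {110, 11110, 120}   # PopRedirectPort in the posted avast4.ini
MAX_CONNECTIONS = 50                 # MaxConnections in the posted avast4.ini


def connect(stack, pid, port, by_pid):
    """Pass one connect() call down the filter stack, top filter first."""
    seen_pid = pid
    for name in stack:
        if name == "firewall":
            # Deferred connection, resumed later in the SYSTEM process context.
            seen_pid = SYSTEM_PID
        elif name == "redirector" and port in REDIRECT_PORTS and seen_pid != SCANNER_PID:
            if sum(by_pid.values()) >= MAX_CONNECTIONS:
                return "-ERR concurrent connections limit exceeded"
            by_pid[seen_pid] += 1
            # The scanner now opens its own connection to the same port,
            # and that call travels down the same stack.
            return connect(stack, SCANNER_PID, port, by_pid)
    return "delivered to stunnel"


def simulate(stack):
    """Return (outcome, connections per PID as the redirector attributed them)."""
    by_pid = Counter()
    outcome = connect(stack, MAIL_CLIENT_PID, 11110, by_pid)
    return outcome, dict(by_pid)


if __name__ == "__main__":
    # Redirector loaded early, so the firewall sits above it.
    print(simulate(["firewall", "redirector"]))
    # Redirector loaded last, so it sits on top.
    print(simulate(["redirector", "firewall"]))
```

With the firewall on top the redirector never sees the scanner's own PID, so it keeps redirecting the scanner's outgoing call until all 50 slots are blamed on PID 4, which matches the `PID4[50]` text in the posted error.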


Title: Re: concurrent connections limit in avast
Post by: DavidR on December 12, 2007, 07:37:19 PM
Thanks for the update.
Title: Re: concurrent connections limit in avast
Post by: alanrf on December 14, 2007, 11:59:33 AM
This explanation seems to focus on the XP versus Vista differences. 

Might this have any bearing on the (apparently) unresolved problems (and even bluescreens) reported with using avast and TDIMon in XP?
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 14, 2007, 01:16:27 PM
TDI filters in this case load one upon the other, so the last one which loads is on top.
I hope other manufacturers (in this case, Comodo) won't use the same 'trick' just to be 'on top' and then bringing troubles to the users. Can't Windows manage this better and should only be at manufacturers' hands?
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 16, 2007, 08:37:16 PM
Please test it, it takes you just one restart. It helps on my machine.
Lukas, can I restore the defaults? How?
I've uninstalled Comodo (http://forum.avast.com/index.php?topic=32001.msg267751#msg267751) and want the system back to its previous state.
Title: Re: concurrent connections limit in avast
Post by: lukor on December 16, 2007, 10:31:51 PM
Tech, you can restore the default back to 1 - which is start type automatic. That would be back to MS recommended config.

Just edit the reg. file.

regfile.reg:
-----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr]
"Start"=dword:00000001
Title: Re: concurrent connections limit in avast
Post by: Lisandro on December 17, 2007, 03:16:32 PM
Tech, you can restore the default back to 1 - which is start type automatic. That would be back to MS recommended config.

Just edit the reg. file.

regfile.reg:
-----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr]
"Start"=dword:00000001
Thanks... I'll try next boot ;)