Author Topic: Avast and ports  (Read 3739 times)


avastreally?

  • Guest
Avast and ports
« on: October 18, 2013, 03:32:26 AM »
Is avast supposed to connect through
port :50056
avastsvc.exe
Avast updates with no conflicts with Comodo HIPS, so not sure what this is about.


RogueKiller V8.7.4 [Oct 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : PatricK [Admin rights]
Mode : Scan -- Date : 10/17/2013 10:07:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] IAT @explorer.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC11A70)
[Address] IAT @explorer.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (Unknown @ 0x717E0000)
[Address] IAT @explorer.exe (SetWinEventHook) : USER32.dll -> HOOKED (Unknown @ 0x717A0000)
[Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0A520)
[Inline] EAT @explorer.exe (ChangeServiceConfig2A) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0C370)
[Inline] EAT @explorer.exe (ChangeServiceConfig2W) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0C5C0)
[Inline] EAT @explorer.exe (ChangeServiceConfigA) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0BB20)
[Inline] EAT @explorer.exe (ChangeServiceConfigW) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0BF90)
[Inline] EAT @explorer.exe (CreateServiceA) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0ACD0)
[Inline] EAT @explorer.exe (CreateServiceW) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0B1A0)
[Inline] EAT @explorer.exe (DeleteService) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0B8B0)
[Inline] EAT @explorer.exe (SetServiceObjectSecurity) : sechost.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC0E980)
[Inline] EAT @explorer.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC115A0)
[Inline] EAT @explorer.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\Alwil Software\Avast5\snxhk.dll @ 0x6DC11A70)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD5000AADS-67S9B1 ATA Device +++++
--- User ---
[MBR] 5985724ba892a5726b4ce24e2f48fbe8
[BSP] eb11fb66582f439466a24426dcc02753 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156299264 | Size: 400620 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10172013_100748.txt >>



« Last Edit: October 18, 2013, 05:17:37 AM by avastreally? »

avastreally?

Re: Avast and ports
« Reply #1 on: October 19, 2013, 01:51:21 AM »
BUMP

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Avast and ports
« Reply #2 on: October 19, 2013, 03:14:48 AM »
You don't give us much to work with, crucially why did you feel the need to run roguekiller?

What version of avast are you using free/pro/AIS, etc and what build number ?
As this folder location is very old C:\Program Files\Alwil Software\Avast5\ you must have had an old version installed and only ever have updated from the user interface or this location would have changed. An install would have resulted in this folder location C:\Program Files\AVAST Software\Avast\.

The avastSvc.exe is the main avast service and as such controls the shields and the web shield proxy, that will have some unusual ports, which are most likely localhost ports, but your log information doesn't go into much data in that regard, so it is hard to say one way or another.

This is why the first question is important, why did you run roguekiller.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
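
An added example, not part of the original thread: the reply above notes that the posted log says nothing about where the port connects. This sketch parses `netstat -ano` output and classifies every socket owned by one PID as loopback-only or reaching a remote host. The sample text, the PID 1432 standing in for avastsvc.exe, and all addresses are constructed; only port 50056 comes from the post.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not taken from the thread).
# PID 1432 stands in for avastsvc.exe; only port 50056 comes from the post.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:50056        127.0.0.1:12080        ESTABLISHED     1432
  TCP    192.168.1.20:50061     203.0.113.10:80        ESTABLISHED     1432
  TCP    [::1]:12080            [::]:0                 LISTENING       1432
  UDP    0.0.0.0:5355           *:*                                    1100
"""

def split_endpoint(endpoint):
    """Split '127.0.0.1:80' or '[::1]:80' into (ip_or_None, port_str)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    try:
        return ipaddress.ip_address(host), port
    except ValueError:                      # '*' on UDP rows
        return None, port

def classify(local_ip, remote_ip, state):
    """Label a socket by whether it can be reached or reaches off-host."""
    if state == "LISTENING":
        return "listen-loopback" if local_ip and local_ip.is_loopback else "listen-exposed"
    if remote_ip is None or remote_ip.is_unspecified:
        return "unconnected"
    return "conn-loopback" if remote_ip.is_loopback else "conn-remote"

def sockets_for_pid(netstat_text, pid):
    """Return (local_port, foreign_address, label) for each socket of pid."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[-1] != str(pid):
            continue
        state = f[3] if len(f) == 5 else ""  # UDP rows have no state column
        local_ip, local_port = split_endpoint(f[1])
        remote_ip, _ = split_endpoint(f[2])
        rows.append((int(local_port), f[2], classify(local_ip, remote_ip, state)))
    return rows

if __name__ == "__main__":
    for port, remote, kind in sockets_for_pid(SAMPLE, 1432):
        print(f"{port:>6}  {remote:<22} {kind}")
```

On a live system the PID to pass in is the one Task Manager or `tasklist` shows for avastsvc.exe, and the text is the captured output of `netstat -ano`.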

avastreally?

Re: Avast and ports
« Reply #3 on: October 20, 2013, 04:36:46 AM »
Hi David, ran roguekiller just to ease my mind that a rootkit wasn't on the PC which would trigger a false alarm :) (as I have Comodo HIPS running and it never conflicts with avast)
and only pasted the result because I never saw avast inserting hooks before.
I use avast 8.0.1497 free.
Everything is fine now on the avast side, I will update the program to 9.xx later. If I'm going to 9.0 should I just update the program or should I do a fresh install?
I have tackled this svchost query here:
http://forum.avast.com/index.php?topic=137198.msg1003349#msg1003349
One more thing, do you know how to lock down svchost.exe in firewall settings so that only important stuff runs through it and not random IPs through random susceptible ports?
And finally, is it necessary to have IPv6 ticked? (Both IPv6 and 4 are ticked by default.)
« Last Edit: October 20, 2013, 12:33:07 PM by avastreally? »

Offline DavidR

Re: Avast and ports
« Reply #4 on: October 20, 2013, 01:17:53 PM »
Virtually all resident AVs insert hooks of some sort so that they can intercept items/traffic in order to scan it before it is actioned.

Running specialist tools like roguekiller are more than likely to throw up things that look strange, which is why generally they are run under the guidance of a malware removal specialist. Otherwise it can cause more confusion rather than clarity.

Personally I think you should do a clean install of avast 9.0.2006: uninstall avast 8 using control panel > programs and features, then use aswclear.exe to ensure clean up, reboot and only then install avast 9.0.2006. That will give you a clean start with none of the references to old avast installation locations in the registry, etc.

I can't help on locking down svchost, as it has a legitimate use in windows updates and would probably require a complex rule in your firewall, which I don't know what that is. I suggest that you modify your forum profile and compile a signature giving some information on your system, so when seeking help people don't have to ask these kinds of questions every time.

Since IPv4 is being upgraded to IPv6 (running out of IPv4 IP addresses) and many domains now have an IPv6 IP address then I would say yes you need it.

avastreally?

Re: Avast and ports
« Reply #5 on: October 21, 2013, 02:05:44 AM »
Thanks

Offline DavidR

Re: Avast and ports
« Reply #6 on: October 21, 2013, 02:38:57 AM »
You're welcome.