Hi
Thanks for the help. I have run everything suggested - found nothing! - phew!
Does Avast run any servers? Just a thought. The connection from reverse the planet was momentary. However there was a connection. I gathered some more info - it may not be that useful, but it may illustrate what's happening:
(THIS IS POLLING CONTINUOUSLY, IS IT PART OF AVAST?)
explorer.exe:300 824E4D00 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
(IS THIS AVAST POLLING THROUGH LOCALHOST?)
3472 82489EF8 TDI_SEND TCP:127.0.0.1:1372 127.0.0.1:1373 SUCCESS Length:1
1501 48.54470163 firefox.exe:3472 8246BB38 TDI_EVENT_RECEIVE TCP:0.0.0.0:1373 127.0.0.1:1372 MORE_PROCESSING_REQUIRED Length:0 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
1502 48.54471387 firefox.exe:3472 826A2F00 TDI_RECEIVE TCP:0.0.0.0:1373 127.0.0.1:1372 SUCCESS
(FIREWALL CLOSED, NO BROWSER OPEN)
ashWebSv.exe:1696 TCP sonscomputer:1359 67.15.193.147:http ESTABLISHED
(FIREWALL UP, BROWSER OPEN WITH BLANK PAGE)
ashWebSv.exe:1696 TCP sonscomputer:1359 ev1s-67-15-193-147.ev1servers.net:http FIN_WAIT1
Ev1Servers.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US
Domain name: EV1SERVERS.NET
Administrative Contact:
Manager, Domain domainmanager@ev1.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US
+1.7133337873 Fax: +1.7139429332
Technical Contact:
Manager, Domain domainmanager@ev1.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US
+1.7133337873 Fax: +1.7139429332
Registration Service Provider:
EV1Servers.net / Everyones Internet, domainmanager@ev1.net
+1.713.333.7873
Registrar of Record: TUCOWS, INC.
Record last updated on 03-May-2005.
Record expires on 31-Jul-2006.
Record created on 31-Jul-2003.
Domain servers in listed order:
NS1.EV1SERVERS.NET 207.218.245.135
NS2.EV1SERVERS.NET 207.218.247.135
Connects to Microsoft, but why is it connecting to mvps.org, which appears to be an association of Microsoft experts? This address is also associated with DNS, but not my ISP's DNS?
[System Process]:0 TCP SonsComputer:12080 localhost:1104 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1106 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1091 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1094 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1100 TIME_WAIT
[System Process]:0 TCP sonscomputer:1082 mvps.org:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1088 207.46.19.30:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1090 65.54.194.118:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1097 207.46.19.30:http TIME_WAIT
firefox.exe:3700 TCP SonsComputer:1098 localhost:1099 ESTABLISHED
firefox.exe:3700 TCP SonsComputer:1099 localhost:1098 ESTABLISHED
lsass.exe:832 UDP SonsComputer:isakmp *:*
lsass.exe:832 UDP SonsComputer:4500 *:*
svchost.exe:1252 UDP SonsComputer:1093 *:*
svchost.exe:1252 UDP SonsComputer:1025 *:*
svchost.exe:1252 UDP SonsComputer:1054 *:*
System:4 TCP SonsComputer:microsoft-ds SonsComputer:0 LISTENING
System:4 TCP sonscomputer:netbios-ssn SonsComputer:0 LISTENING
System:4 UDP SonsComputer:microsoft-ds *:*
System:4 UDP sonscomputer:netbios-dgm *:*
System:4 UDP sonscomputer:netbios-ns *:*
And here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:59:33, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ZYBAN\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I notice that AVG did not uninstall cleanly. I will now re-install the whole lot again - did someone mention Linux?
Thanks
Tuck