Author Topic: Please Help!  (Read 17271 times)

0 Members and 1 Guest are viewing this topic.

AleKx

  • Guest
Please Help!
« on: April 04, 2008, 10:02:07 AM »
Greetings.

I formatted my C: drive 3 days ago and re-installed Windows XP. I'm also behind a router, and I run Avast!. Not two hours after the fresh installation, I checked the status of netstat and found one address constantly listening to certain ports. At first I thought it was normal, considering Avast! has a Network Shield and Web Shield and an Email shield etc... But then I uninstalled Avast!, to see if the listening host would leave, expecting it too, if indeed that IP is used by Avast! to run the Shields or whatever, but no. Even after uninstalling Avast! completely, (Also cleaning my cache's and temp files) the host was still listening. This got me more then intrigued. There's also the fact that it was the same IP.

I did a Network Lookup on the host/IP with http://network-tools.com/ for the IP that was listening. Here's what I got.

I also want to mention that I have a DSL modem, and I tried changing my IP by resetting the modem (which worked), but the IP was still listening...

Quote
IP address: 151.32.25.54
Host name: ppp-54-25.32-151.iol.it

Then, I googled the IP itself (151.32.25.54) and there's only one query reply. It's a website with a blacklist, containing IP addresses. Guess which IP is on the blacklist, 151.32.25.54 - Try it yourself, open up a browser, and google the IP: "151.32.25.54".

At this point my worries aren't lessening in any way. I downloaded X-Netstat, and the program would detect EVERY connection but that one. I then tried NetStat Agent, the program would also detect EVERY connection but that one, 151.32.25.54.

The IP is listening on very sensitive ports, which are very common for worms or trojans. One of them is a very well know virus called Blaster, and coindently, the IP is using the same port many trojans would use, and the IP is also using processes, which was even scarier. Here's what I found in Netstat -ab (to find out the PID and process the connection is or might be using).

Quote
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       808
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING       1088
  C:\WINDOWS\System32\httpapi.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]


Here is the result of Netstat -a after Uninstalling Avast!

Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1046               localhost:1045         TIME_WAIT
  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING

The connections are still there. Notice that it's listening on port 0, and that it's also listening on the netbios.

That being said, I would appreciate greatly if someone could shed some light on this for me. I'm here thinking it's a virus, but then if it is, why isn't Avast! catching it? But then again, if it was a virus, why would Avast! use it?

And if it isn't a virus, and it is from Avast!, why is it still there after I Uninstall?

Notice that the host-name starts with "ppp" - meaning it's either a dial-up or DSL modem. Why would a company such as Avast! use "possibly" dial-up or DSL modems? Wouldn't they use oc12's or at least a T1/T3 ?

I'm utterly confused even after doing a vast amount of research on every single piece of information I could gather. I don't expect all my questions to be answered - but if anyone could answer me this one: Why does Avast! use the ip and listen in on my ports when installed, and why does it still do it after I have uninstalled?

Thank you for taking the time to read, any help is greatly appreciated!

« Last Edit: April 04, 2008, 10:50:56 AM by AleKx »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: Please Help!
« Reply #1 on: April 04, 2008, 11:17:08 AM »
I think you have some misunderstanding of the information you are seeing ... but the there is some basis for concern although not perhaps in the way that you think.

It does appear that you have been unsuccessful in removing avast from your system.  If you had been successful then avast would not still be intercepting the ports that your report shows. 

How did you uninstall avast? 

Have you downloaded and run the latest avast uninstall utility ((here) from the avast website?   
« Last Edit: April 04, 2008, 12:18:42 PM by alanrf »

AleKx

  • Guest
Re: Please Help!
« Reply #2 on: April 04, 2008, 07:27:52 PM »
I used the control panel to remove Avast!

99% of programs I use don't need for you to download it's own uninstaller, it already comes with it. All my programs are safe to delete from the control panel, cleaning my temp folders and cache helps too. This is the first time I have to download a separate "uninstaller" - It's not like Avast! makes sure you know either. Thanks for the tip. I'll see if that works.

Why is the IP Avast! is using, is also on some online blacklists?

AleKx

  • Guest
Re: Please Help!
« Reply #3 on: April 04, 2008, 07:40:38 PM »
Ok so I re-installed Avast! to make sure no clonflicts would arise when properly uninstalling. I installed Avast! - the connections remained. I closed Avast! and ran the "aswclear.exe" - Avast!'s uninstall. And guess what, the connection is still there (even after rebooting). Except it's no longer using ashweb.exe and stuff. It's using system processes and DLL files. I think that I'm a lot more on the mark than you think. Avast! is completely uninstalled, my cache is cleaned and so are my temp folders, I also defragged my registry, my pc is super healthy.

The only possible explanation I can come up with is that Avast! can't detect the worm or virus that is trying to phone home. I's constantly listening on my ports, albeit waiting for one to open (fat chance, I'm behind a router) - but I still want to know who the hell keeps listening on my ports. This is a fresh install of windows XP,  I shouldn't have any problems. Avast! uses the same IP that is STILL CONNECTED to me after uninstalling Avast!. Why?!
And why does it use system processes and .DLL files?!

This is very frustrating. I have a right to know who's listening on my ports. If a Staff member of the forums could answer? Thank you for all your help in advance to whoever is taking the time to read and help me!

Here is Netstat -ab WITH Avast! INSTALLED:
Quote
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       808
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING       1088
  C:\WINDOWS\System32\httpapi.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4


Here's Netstat -ab after UNINSTALLING Avast! with "aswclear.exe"

Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       796
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:1028               ppp-54-25.32-151.iol.it:0  LISTENING       444
  [alg.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:1032               localhost:1033         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1033               localhost:1032         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1034               localhost:1035         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1035               localhost:1034         ESTABLISHED     1696
  [firefox.exe]

  UDP    box:isakmp             *:*                                    588
  [lsass.exe]

  UDP    box:1036               *:*                                    908
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    box:4500               *:*                                    588
  [lsass.exe]

  UDP    box:microsoft-ds       *:*                                    4
  [System]

  UDP    box:1900               *:*                                    944
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:ntp                *:*                                    864
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:netbios-ns         *:*                                    4
  [System]

  UDP    box:1900               *:*                                    944
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:netbios-dgm        *:*                                    4
  [System]

  UDP    box:ntp                *:*                                    864
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]




« Last Edit: April 04, 2008, 07:55:08 PM by AleKx »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Please Help!
« Reply #4 on: April 04, 2008, 07:57:34 PM »
This is the first time I have to download a separate "uninstaller" - It's not like Avast! makes sure you know either.
It's there just in case that the common Add/Remove programs failed. It's not a must have, but just if the default way failed (for any reason).
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #5 on: April 04, 2008, 08:00:25 PM »
Clearly the IP is still there and using important processes, listening on sensitive ports. My registry is healthy, my copy of widows is legit, I just formatted not long ago, and I had installed Avast! right away.

I know 3 things.

1)Avast! uses the ip that is listening on my ports.
2)The ip is still there after completely uninstalling Avast!, and continues to listen on my ports.
3)I don't want anyone listening on my ports. If my router goes down, chances are the ports will open. Right now the host is constantly on "Listening" because my router blocks the ports.

Also - Why is avast using an IP that listens on my port - but that ip is on a BLACKLIST Google 151.32.25.54

I also tried updating some of the files that it was trying to use: WS2_32.dll and RPCRT4.dll - the host is still listening.

AleKx

  • Guest
Re: Please Help!
« Reply #6 on: April 04, 2008, 08:06:36 PM »
Tech said:
Quote
It's there just in case that the common Add/Remove programs failed. It's not a must have, but just if the default way failed (for any reason).

I don't mean to be rude but are you going to offer me any help with this matter?

I was expecting a little more help from a Staff member. than just "we have the uninstaller in case add/remove programs fails".

can you explain why the IP is still listening on my ports after completely uninstalling Avast! ? And why is that IP that Avast! uses on a IP Blacklist?


 ???  ???  ???  ???  ???  ???  ???  ???  ???  ???  ???  ???
« Last Edit: April 04, 2008, 08:08:07 PM by AleKx »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Please Help!
« Reply #7 on: April 04, 2008, 08:06:59 PM »
avast never uses a tracking back system.
To update, avast checks if there is an available connection each 40 seconds.
If there isn't, wait more 40 seconds to check. Checking does not take more than one second and, of course, does not use the Internet band.
If there is a connection, check for an update. If there is not any new file to download, wait 4 hours to start checking again. If there is an available update, start it and install it. Again, wait 4 hours to check the next time.

If any program is trying to 'listen' your ports, look, maybe you're infected.
avast does not do that and even less if it is uninstalled... that makes no sense at all...
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #8 on: April 04, 2008, 08:09:40 PM »
How can I have a virus?

I installed Windows 4 days ago. CLEAN COMPUTER.

Before connecting the internet long term, I installed Avast!

I'm behind a router.

To be honest Tech you seem to have NO clue, thanks for the help though.

THE IP THAT AVAST USES FOR ASHWEB AND OTHER THINGS IS THE SAME IP THAT IS STILL LISTENING EVEN AFTER UNINSTALLING AVAST.

Please read my posts carefully, I've been on this problem ever since it started. I'm a fairly intelligent person with a good sense of logic. So far no one has been able to tell me something I don't know other than "we have aswclear.exe in case add/remove programs dont work"

 >:(

If no one can help me here, I will go through the painful process of calling ISP's.

AVAST USES THIS IP
Quote
CP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

The ip STILL LISTENS ON MANY PORTS, USING VERY IMPORTANT PROCESSES, AVAST IS UNINSTALLED
« Last Edit: April 04, 2008, 08:15:36 PM by AleKx »

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Please Help!
« Reply #9 on: April 04, 2008, 08:17:18 PM »
Well that IP doesn't belong to avast, if something on your system is trying to accesst the internet over one of the ports (80 http or email, 25, 110, 119, 143) that avast redirects through a localhost proxy, the reporting software may consider that avast is connecting to that IP.

Here are my netstat results whilst on-line
Quote
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    PC1:803                PC1:0                  LISTENING       1444
  [outpost.exe]

  TCP    PC1:1025               PC1:0                  LISTENING       2200
  [alg.exe]

  TCP    PC1:12025              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12080              PC1:0                  LISTENING       2100
  [ashWebSv.exe]

  TCP    PC1:12110              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12119              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12143              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:1055               PC1:1056               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1056               PC1:1055               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1058               PC1:1059               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1059               PC1:1058               ESTABLISHED     1924
  [firefox.exe]

  UDP    PC1:4500               *:*                                    876
  [lsass.exe]

  UDP    PC1:isakmp             *:*                                    876
  [lsass.exe]


So no spurious IPs
You will also notice in your list with and without avast uninstalled there is alg (Application Layer Gateway) which isn't an avast process listrning and associated to that IP (Domain:   iol.it).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

psw

  • Guest
Re: Please Help!
« Reply #10 on: April 04, 2008, 08:25:41 PM »
Picture looks like you really have some malware which injecting into different processes and connecting to .it site.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Please Help!
« Reply #11 on: April 04, 2008, 08:45:39 PM »
To be honest Tech you seem to have NO clue, thanks for the help though.
In fact, seems that I do have clues...

THE IP THAT AVAST USES FOR ASHWEB AND OTHER THINGS IS THE SAME IP THAT IS STILL LISTENING EVEN AFTER UNINSTALLING AVAST.
avast does not use an IP by WebShield. WebShield works like a proxy and does not use an external IP to work. avast does not listen your ports by an IP.

Please read my posts carefully, I've been on this problem ever since it started. I'm a fairly intelligent person with a good sense of logic. So far no one has been able to tell me something I don't know other than "we have aswclear.exe in case add/remove programs dont work"
It's not a matter of good sense... but technical knowledge.

AVAST USES THIS IP
CP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]
This IP is from your ISP server. ashMaiSv.exe is the avast mail provider that is listening a port (not an IP) to scan your mail.

The ip STILL LISTENS ON MANY PORTS, USING VERY IMPORTANT PROCESSES, AVAST IS UNINSTALLED
It's not correct uninstalled... ashMaiSv.exe shouldn't be even running... Did you boot after uninstalling?
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #12 on: April 04, 2008, 08:51:02 PM »
Not really connecting, more trying to connect.

Thanks to my router I think it's preventing it from phoning home.

If indeed you two gentlemen have the same hypothesis as I do, and think that I am in fact, infected, then why - why is it that Avast!, was using that IP?

Quote
TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

Anyone?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Please Help!
« Reply #13 on: April 04, 2008, 08:53:57 PM »
Anyone?
Uninstall avast and these processes won't be running/listening to anything...
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #14 on: April 04, 2008, 09:01:41 PM »
Tech stop being so silly man. HAD YOU READ ALL MY POSTS, AVAST IS UNINSTALLED, I EVEN RAN ASWCLEAR.EXE - AVAST'S OWN UNINSTALL PROGRAM

Of course I rebooted after uninstalling.

I even ran CCleaner and Registry Booster, and Registry Booster is a licensed product that I bought, CCleaner is freeware. Had you read my posts, you wouldn't have needed to ask the question, I already said that I rebooted, ran the cleaner, ran registry booster and did a registry defrag, but you seem more intent on being sarcastic with me because I was sarcastic with you (once). Understand that I am frustrated, and that by having common knowledge, I meant, knowing stuff like, what a registry is, and, rebooting after uninstalling a program like anti-virus software is important, or, don't run two anti-viruses, or firewalls at once. Give me some credit here man.

I ran aswclear.exe and removed everything. That should do the trick itself. You seem to be the only one that doesn't think it's a virus here.

Quote
Quote from: AleKx on Today at 06:09:40 PM
AVAST USES THIS IP
CP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]
This IP is from your ISP server. ashMaiSv.exe is the avast mail provider that is listening a port (not an IP) to scan your mail.

You don't seem to understand this. The program is uninstalled. The IP is no longer using ashmaisv.exe with PID 480, it's using kernel32.dll, and asl.exe, and other important executable and dll files. Apparently bold characters won't work so, Avast! is completely uninstalled and the IP is still listening on ports.

No hate Tech, all <3