Author Topic: AvastSvc.exe doing some weird stuff  (Read 9261 times)

rushman

  • Guest
AvastSvc.exe doing some weird stuff
« on: August 17, 2010, 06:15:44 AM »
I guess this is a 2 part question.

1. Why does AvastSvc.exe have more than 50 outbound connections to about 15 different IP addresses?
2. Why are the only IP addresses with 2+ megabytes of transferred data addressed to google.com?

Gargamel360

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #1 on: August 17, 2010, 06:46:23 AM »

The multitude of Avast! connections are related to the Web Shield functionality.

As for the bulk going to Google, that I do not know.

Btw, your email address is showing; you may wish to hide it from spam harvesters.

Eric March

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #2 on: August 17, 2010, 09:39:48 AM »
@rushman

Hi!
Which tool do you rely on to gather that information about all those connections?

And what all is part of your system's autostart? I won't wonder about so many connections once the autostart has been looked over (maybe via a http://free.antivirus.com/hijackthis/ HJT log)…

Eric

rushman

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #3 on: August 17, 2010, 04:32:21 PM »
Thanks Gargamel360. Resolved email issue. I was using Comodo Internet Security to view these connections.

Eric, here is what HijackThis found. Is this what you wanted?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:21:37 AM, on 8/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\program files\Comodo\comodo internet security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinAbility Encryption Driver.10.2.0.1180\WED32.EXE
C:\Program Files\Aston2\Aston2.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Winstep\Nexus-Ultimate.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parent.mypisd.net/mychild/thomas,sb254585
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O2 - BHO: (no name) - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - Disabled:{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O4 - HKCU\..\Run: [Nexus-Ultimate] C:\Program Files\Winstep\Nexus-Ultimate.exe autostart
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - Startup: WorldTime.lnk = C:\Program Files\PawPrint.net\WorldTime\worldtime.exe
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Michael\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264296166563
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5888/mcfscan.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs:    C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\program files\Comodo\comodo internet security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: WinAbility Encryption Driver - WinAbility® Software Corporation - C:\Program Files\WinAbility Encryption Driver.10.2.0.1180\WED32.EXE

--
End of file - 7609 bytes

YoKenny

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #4 on: August 18, 2010, 12:31:09 AM »
I see you are running stuff from IObit???
Quote
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
I would remove anything from IObit.
Quote
IObit is a software company based in Chengdu, China, and the company has created and developed many useful programs such as Advanced SystemCare, Security 360, Smart Defrag and Game Booster. So far all of its software is freeware, and Advanced SystemCare and Security 360 also have Pro versions which provide more options than the free edition.

A few months back, IObit was accused by Malwarebytes of stealing their malware database, and this has caused many users to stop trusting IObit and uninstall the software from their computers. The built-in uninstaller works without problems, but because IObit creates many temporary files which are not automatically removed, the uninstaller does not recognize these files and doesn't remove them even after the software has been uninstalled.
http://www.zhacks.com/2010/03/17/bitremover-cleans-up-iobit-program-traces-after-uninstall

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: AvastSvc.exe doing some weird stuff
« Reply #5 on: August 18, 2010, 03:08:16 AM »
Run away from IObit!
The best things in life are free.

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: AvastSvc.exe doing some weird stuff
« Reply #6 on: August 18, 2010, 03:20:14 AM »
Hi rushman :)

You can fix these O2 entries with HijackThis:

O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O2 - BHO: (no name) - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - Disabled:{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

Nothing to worry about; they are just dead entries ;)

Greetz, Red.

OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )
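As an added example (not part of the thread), a small Python parser for the HijackThis log format posted above: it groups entries by section code, lists the O2 BHO entries Rednose calls dead (a CLSID whose DLL is "(no file)"), and shows why three avast! O23 services appear for a single AvastSvc.exe process. The log excerpt is constructed from lines of the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt of a HijackThis log, modelled on the one posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HJT entry line is "<code> - <rest>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[RFON]\d{1,2}) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return {section_code: [entry text, ...]} for every entry line in the log."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("rest"))
    return sections


def dead_bhos(sections):
    """CLSIDs of O2 BHO entries whose backing DLL is missing, i.e. end in '(no file)'."""
    dead = []
    for entry in sections.get("O2", []):
        if entry.endswith("(no file)"):
            clsid = CLSID_RE.search(entry)
            if clsid:
                dead.append(clsid.group(0))
    return dead


def services_by_binary(sections):
    """Map each O23 service binary path to the service names that run from it."""
    by_binary = defaultdict(list)
    for entry in sections.get("O23", []):
        # Layout is "Service: <name> - <vendor> - <path>"; the path is the last field.
        name = entry.split("Service: ", 1)[1].split(" - ", 1)[0]
        path = entry.rsplit(" - ", 1)[1]
        by_binary[path].append(name)
    return dict(by_binary)
```

Several services sharing one binary path is normal for avast! here; the same grouping makes an unknown binary backing several services easy to spot.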

Skystryder

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #7 on: December 19, 2010, 04:36:57 PM »
Besides that one small accusation, which I'm not sure is true or not (I haven't researched it for myself), why should anyone not use Advanced SystemCare 3 Pro? I happen to be using it with Avast and Comodo Firewall, along with a combo of SuperAntiSpyware and Malwarebytes, on XP systems and my one Vista 64 system, and it seems to run fine; this setup is one of the few that seems to play well with the Vista 64 OS.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11241
  • No support PM's thanks
Re: AvastSvc.exe doing some weird stuff
« Reply #8 on: December 19, 2010, 05:28:40 PM »
ASC (IObit) has an AV incorporated into it, and you should never have two AVs installed on the same system. Even if one is disabled it can still cause conflicts, as the low-level drivers are still running; you're lucky not to have had a problem yet! Or have you? Multiple AVs can also minimise your protection and put you more at risk.
There are several other issues I see in your list. Do you have the Comodo suite installed? You can only have the firewall. Plus I see bits of Bitdefender, Panda Software, McAfee and Spybot. No need for any of these programs, as they can all conflict in one way or another, especially if you have TeaTimer activated in Spybot.
For your own wellbeing and your system's benefit I would just run Avast with Malwarebytes. MBAM PRO would be the ideal blend of protection with Avast, but even the on-demand-only version is still good, and these two programs will protect you far better than all that other rubbish sitting on your system.
Hope this helps you some :)

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11241
  • No support PM's thanks
Re: AvastSvc.exe doing some weird stuff
« Reply #9 on: December 19, 2010, 05:39:24 PM »
Quote
Besides that one small accusation, which I'm not sure is true or not (I haven't researched it for myself), why should anyone not use Advanced SystemCare 3 Pro? I happen to be using it with Avast and Comodo Firewall, along with a combo of SuperAntiSpyware and Malwarebytes, on XP systems and my one Vista 64 system, and it seems to run fine; this setup is one of the few that seems to play well with the Vista 64 OS.
Well Skystryder, you can do all the research you want, but we deal with problems that interfere with Avast all the time and ASC (IObit) is one of them. Plus the fact that they are a disreputable company that in the past has stolen from other companies, so they are not trustworthy either.

DavidCo

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #10 on: December 19, 2010, 05:47:40 PM »
Some AV vendors add false definitions to their database, so if another 'lazy' vendor tries to get a 'free ride' and just copies the defs, it is easy to spot.

SafeSurf

  • Guest
Re: AvastSvc.exe doing some weird stuff
« Reply #12 on: December 20, 2010, 09:12:46 AM »
Did anyone realize that Skystryder posted to a thread that was 4 months old? But everyone is correct in that if you do a search on the forum, you will see the many problems noted here in this thread (and numerous others) about the software mentioned and the conflicts it has caused with other security software.