As soon as I open a web browser and do a netstat I get this:
TCP chchdesktop01:1032 localhost:1033 ESTABLISHED
TCP chchdesktop01:1033 localhost:1032 ESTABLISHED
TCP chchdesktop01:1034 localhost:1035 ESTABLISHED
TCP chchdesktop01:1035 localhost:1034 ESTABLISHED
TCP chchdesktop01:1060 localhost:12080 ESTABLISHED
TCP chchdesktop01:1092 localhost:12080 ESTABLISHED
TCP chchdesktop01:1098 localhost:12080 ESTABLISHED
TCP chchdesktop01:1476 localhost:12080 ESTABLISHED
TCP chchdesktop01:1478 localhost:12080 ESTABLISHED
TCP chchdesktop01:1485 localhost:12080 ESTABLISHED
TCP chchdesktop01:1487 localhost:12080 ESTABLISHED
TCP chchdesktop01:1489 localhost:12080 ESTABLISHED
TCP chchdesktop01:12080 localhost:1060 ESTABLISHED
TCP chchdesktop01:12080 localhost:1092 ESTABLISHED
TCP chchdesktop01:12080 localhost:1098 ESTABLISHED
TCP chchdesktop01:12080 localhost:1476 ESTABLISHED
TCP chchdesktop01:12080 localhost:1478 ESTABLISHED
TCP chchdesktop01:12080 localhost:1485 ESTABLISHED
TCP chchdesktop01:12080 localhost:1487 ESTABLISHED
TCP chchdesktop01:12080 localhost:1489 ESTABLISHED
More connections open the longer the browser is open. The process comes from firefox and ashwebsv. I have scanned for malware with: avg rootkit, spysweeper, spybot, adaware, terminator, avast, outpost adware.
The internet runs very slowly for browsing, and I am sure this is the cause. The important note here though is this: whatever the first line in my Windows hosts file is will be the site it connects to. Right now it's localhost; if I change it to 127.0.0.1 blah in the hosts file I would get:
TCP chchdesktop01:1032 blah:1033 ESTABLISHED
What is this chchdesktop01, your PC name (?) perhaps? If not, how did you get that column? I did a netstat -a and that gives Proto, Local Address, Foreign Address and State.
Only returns two entries for 12080 Established (one on second run) and one each for the email/news listening ports 11025, 12110, 12119 and 12143, all Listening.
What seems to be originating these other localhost ports I have no idea. I don’t know if SpySweeper is also monitoring with a localhost, I have never used it.
The web shield doesn’t initiate connections, the localhost is a local listening/monitoring connection and nothing to worry about. Only the ones relating to port 12080 have anything to do with web shield. Why there is this
If you have multiple windows or tabs open there are multiple connections downloading, avast is monitoring them. But, that doesn’t appear to be happening to me.
I saw your other query on google groups and you are getting some help there also.
You can reset your hosts file to the default, which I think is empty.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Thanks for the reply, chchdesktop01 is the name of the PC, yes.
I am on a dialup connection. I open firefox, dial up, and those connections start straight away… there is nothing in the background downloading at all. I will experiment later with the hosts file. It seems strange that avast would use the first entry in hosts rather than just specify localhost, that doesn't seem right to me. I will try disabling web shield too and see what happens then. Task Manager says all those connections are coming from firefox/avast.
The Web Shield is not initiating the connections, it simply monitors all http traffic; something has to start the ball rolling. Initiating program > Web Shield > Internet. What you have to identify is what is creating these other localhost ports and establishing a connection, and you won’t see that in netstat, it doesn’t provide that kind of information.
The same is true of Task Manager, there is no detailed data.
You need to look at your Outpost Logs (what version are you using?): Show Detailed Log, Allowed today and Last 10 minutes. This should give you a remote address that the connection is trying to or linked to that may give you an idea what it is about.
Firefox establishes connections for many things when you open it (it needs locking down to stop that), auto updates, Live Bookmarks, CSS/news feeds, Show my windows and tabs from last time (tools options, main), etc.
Disabling the web shield won’t stop any connection, just kill the symptom.
You might want to check some of the tools from sysinternals.com, Process Explorer or Process Monitor.
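Added example, not written by anyone in this thread: a short Python script that takes saved `netstat -ano` output (the `-o` switch adds an owning-PID column), collapses the two rows netstat prints for every loopback connection into one record, and counts which process is connecting to which local listener such as the Web Shield port 12080. The sample lines and the PIDs (2140 standing in for the browser, 1388 for the proxy) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output; PIDs 2140 and 1388 are hypothetical.
SAMPLE = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    127.0.0.1:1032     127.0.0.1:1033     ESTABLISHED  2140
  TCP    127.0.0.1:1033     127.0.0.1:1032     ESTABLISHED  2140
  TCP    127.0.0.1:1034     127.0.0.1:1035     ESTABLISHED  2140
  TCP    127.0.0.1:1035     127.0.0.1:1034     ESTABLISHED  2140
  TCP    127.0.0.1:1060     127.0.0.1:12080    ESTABLISHED  2140
  TCP    127.0.0.1:1092     127.0.0.1:12080    ESTABLISHED  2140
  TCP    127.0.0.1:12080    127.0.0.1:1060     ESTABLISHED  1388
  TCP    127.0.0.1:12080    127.0.0.1:1092     ESTABLISHED  1388
  TCP    127.0.0.1:12080    0.0.0.0:0          LISTENING    1388
  TCP    192.168.1.5:1500   203.0.113.10:80    ESTABLISHED  1388
"""
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state, pid) rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows

def loopback_pairs(rows):
    """One (client_pid, server_pid, listener_port_or_None) per loopback connection."""
    listening = {lp for _, lp, _, _, st, _ in rows if st == "LISTENING"}
    est = {(lp, rp): pid for la, lp, ra, rp, st, pid in rows
           if st == "ESTABLISHED" and la == ra == "127.0.0.1"}
    pairs = []
    for (lp, rp), pid in sorted(est.items()):
        peer_pid = est.get((rp, lp))
        if peer_pid is None or lp in listening:
            continue  # unmatched row, or the listener's half of the pair
        if rp not in listening and lp > rp:
            continue  # no listener on either end: keep only one row of the pair
        pairs.append((pid, peer_pid, rp if rp in listening else None))
    return pairs

def summarize(text):
    """Count loopback connections per (client_pid, server_pid, listener_port)."""
    return dict(Counter(loopback_pairs(parse(text))))

if __name__ == "__main__":
    for (client, server, port), n in summarize(SAMPLE).items():
        print(f"pid {client} -> pid {server} (listener {port}): {n} connection(s)")
```

A listener port of `None` means both ends are ephemeral ports, and when both PIDs are also the same the pair is a socket the process opened to itself rather than traffic to another program.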