avast.setup and tracker.prq.to

Why has my Zone Alarm got 170 attempts by avast.setup to open a connection to a BitTorrent tracker?

Description avast! antivirus Update was temporarily blocked from connecting to the Internet (83.140.65.142:DNS).
Rating High
Date / Time 2005/11/20 07:22:26-0:00 GMT
Type Program Access
Program avast.setup
Source IP
Destination IP 83.140.65.142:53
Direction Outgoing (connect)
Action Taken Blocked
Count 170
Source DNS
Destination DNS tracker.prq.to

WHOIS results for 83.140.65.142
Generated by www.DNSstuff.com
Location: Sweden

ARIN says that this IP belongs to RIPE; I’m looking it up there.


% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to ‘83.140.65.0 - 83.140.65.255’

inetnum: 83.140.65.0 - 83.140.65.255
netname: TIAMO-NET
descr: ThePirateBay.ORG
descr: Customer of prq Inet, Box 1206, SE 114 79 Stockholm, SWEDEN
remarks: *******************************************************
remarks: * In case of abuse, send mail to *****@thepiratebay.org
remarks: * Abuse mail to any other address will be ignored!
remarks: *******************************************************
country: SE
tech-c: pIN7-RIPE
admin-c: pIN7-RIPE
mnt-by: MNT-PRQ
notify: *******************@prq.se
changed: *************@prq.se 20041219
source: RIPE
status: ASSIGNED PA

role: prq Inet NOC
address: prq Inet
Box 1206
SE 11479 Stockholm
Sweden
phone: +46 (0)73 9549748
e-mail: ***@prq.se
e-mail: *************@prq.se
remarks: !!!
remarks: !! Abuse reports should ONLY be sent to *****@prq.se !!
remarks: !! Do NOT call unless it’s very urgent !!
remarks: !!!
admin-c: PW1115-RIPE
tech-c: PW1115-RIPE
nic-hdl: pIN7-RIPE
mnt-by: MNT-PRQ
changed: *************@prq.se 20040707
changed: *************@prq.se 20050802
source: RIPE
abuse-mailbox: *****@prq.se

% Information related to ‘83.140.64.0/19AS16150’

route: 83.140.64.0/19
descr: GBG, Port80, Sweden
remarks: ****************************************************
remarks: * In case of abuse, send mail to *****@port80.se
remarks: * Abuse mail to any other address will be ignored!
remarks: ****************************************************
origin: AS16150
mnt-by: PORT80-MNT
changed: ********@port80.se 20040921
source: RIPE
notify: *****************@port80.se


WTF???

avast.setup tries to connect to avast servers (not torrent) to check for and download updates.

Is there a location for avast.setup? This file isn't a permanent file, only being created from setup.ovr at the time of update. Check the servers.def file; it should list the URL addresses that it would connect to.

What is your firewall?

So there is a possibility that this isn't avast.setup. Can you do a search for avast.setup? It shouldn't exist outside of an actual update, and in that case it would be in the 'C:\Program Files\Alwil Software\Avast4\Setup' folder; anywhere else and it is wrong.

Description avast! antivirus Update requested permission to access the internet.
Rating High
Date / Time 2005/11/20 05:47:58-0:00 GMT
Type Repeat Program
Program C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
Source IP
Destination IP 83.140.65.134:53
Direction Outgoing (connect)
Action Taken Blocked (once)
Count 1
Source DNS
Destination DNS tracker.prq.to

The firewall is Zone Alarm Pro. This is a different entry but connecting to the same IP; the other entries do not include the path (something to do with the way Zone Alarm logs repeats, apparently). avast.setup does not exist on any of my drives. This is my servers.def:


[servers]
count=32

[server0]
name=Secondary ASW server
url=http://www.iavs.cz/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi
products=av_pro,av_srv,av_ker,av_oem,av_pda_palm,av_net,av_mgm,exav,netpurum,av_u3

[server1]
name=Download1 AVAST server
url=http://download1.avast.com/iavs4x
stats=http://download1.avast.com/cgi-bin/iavs4stats.cgi

[server2]
name=Download2 AVAST server
url=http://download2.avast.com/iavs4x
stats=http://download2.avast.com/cgi-bin/iavs4stats.cgi

[server3]
name=Download3 AVAST server
url=http://download3.avast.com/iavs4x
stats=http://download3.avast.com/cgi-bin/iavs4stats.cgi

[server4]
name=Download4 AVAST server
url=http://download4.avast.com/iavs4x
stats=http://download4.avast.com/cgi-bin/iavs4stats.cgi

[server5]
name=Download5 AVAST server
url=http://download5.avast.com/iavs4x
stats=http://download5.avast.com/cgi-bin/iavs4stats.cgi

[server6]
name=Download6 AVAST server
url=http://download6.avast.com/iavs4x
stats=http://download6.avast.com/cgi-bin/iavs4stats.cgi

[server7]
name=Download7 AVAST server
url=http://download7.avast.com/iavs4x
stats=http://download7.avast.com/cgi-bin/iavs4stats.cgi

[server8]
name=Download8 AVAST server
url=http://download8.avast.com/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi

[server9]
name=Download9 AVAST server
url=http://download9.avast.com/iavs4x
stats=http://download9.avast.com/cgi-bin/iavs4stats.cgi

[server10]
name=Download10 AVAST server
url=http://download10.avast.com/iavs4x
stats=http://download10.avast.com/cgi-bin/iavs4stats.cgi

[server11]
name=Download11 AVAST server
url=http://download11.avast.com/iavs4x
stats=http://download11.avast.com/cgi-bin/iavs4stats.cgi

[server12]
name=Download12 AVAST server
url=http://download12.avast.com/iavs4x
stats=http://download12.avast.com/cgi-bin/iavs4stats.cgi

[server13]
name=Download13 AVAST server
url=http://download13.avast.com/iavs4x
stats=http://download13.avast.com/cgi-bin/iavs4stats.cgi

[server14]
name=Download14 AVAST server
url=http://download14.avast.com/iavs4x
stats=http://download14.avast.com/cgi-bin/iavs4stats.cgi

[server15]
name=Download15 AVAST server
url=http://download15.avast.com/iavs4x
stats=http://download15.avast.com/cgi-bin/iavs4stats.cgi

[server16]
name=Download16 AVAST server
url=http://download16.avast.com/iavs4x
stats=http://download16.avast.com/cgi-bin/iavs4stats.cgi

[server17]
name=Download17 AVAST server
url=http://download17.avast.com/iavs4x
stats=http://download17.avast.com/cgi-bin/iavs4stats.cgi

[server18]
name=Download18 AVAST server
url=http://download18.avast.com/iavs4x
stats=http://download18.avast.com/cgi-bin/iavs4stats.cgi

[server19]
name=Download19 AVAST server
url=http://download19.avast.com/iavs4x
stats=http://download19.avast.com/cgi-bin/iavs4stats.cgi

[server20]
name=Download20 AVAST server
url=http://download20.avast.com/iavs4x
stats=http://download20.avast.com/cgi-bin/iavs4stats.cgi

[server21]
name=Download21 AVAST server
url=http://download21.avast.com/iavs4x
stats=http://download21.avast.com/cgi-bin/iavs4stats.cgi

[server22]
name=Download22 AVAST server
url=http://download22.avast.com/iavs4x
stats=http://download22.avast.com/cgi-bin/iavs4stats.cgi

[server23]
name=Download23 AVAST server
url=http://download23.avast.com/iavs4x
stats=http://download23.avast.com/cgi-bin/iavs4stats.cgi

[server24]
name=Download24 AVAST server
url=http://download24.avast.com/iavs4x
stats=http://download24.avast.com/cgi-bin/iavs4stats.cgi

[server25]
name=Download25 AVAST server
url=http://download25.avast.com/iavs4x
stats=http://download25.avast.com/cgi-bin/iavs4stats.cgi

[server26]
name=Download26 AVAST server
url=http://download26.avast.com/iavs4x
stats=http://download26.avast.com/cgi-bin/iavs4stats.cgi

[server27]
name=Download27 AVAST server
url=http://download27.avast.com/iavs4x
stats=http://download27.avast.com/cgi-bin/iavs4stats.cgi

[server28]
name=Download28 AVAST server
url=http://download28.avast.com/iavs4x
stats=http://download28.avast.com/cgi-bin/iavs4stats.cgi

[server29]
name=Download29 AVAST server
url=http://download29.avast.com/iavs4x
stats=http://download29.avast.com/cgi-bin/iavs4stats.cgi

[server30]
name=Download30 AVAST server
url=http://download30.avast.com/iavs4x
stats=http://download30.avast.com/cgi-bin/iavs4stats.cgi

[server31]
name=Download31 AVAST server
url=http://download31.avast.com/iavs4x
stats=http://download31.avast.com/cgi-bin/iavs4stats.cgi

ASWSignA444F9B739A8212AEB5992EF7B357C955E76AA0E396710304A9D26D77A83575B052D9A2892733ADA0ASWSignA

And it's still trying to connect to this torrent tracker. I can only think that maybe the address is being re-used or something? But what I don't get is that avast is allowed and does update fine through the firewall, yet these keep showing up as being stopped; somehow the firewall knows these are not genuine IPs to connect to :expressionless:

Not at all sure why this should be happening; it does make me think bad things though when my AV is trying to connect to what seems to be a torrent tracking place for ripped-off games and things.

Since the servers.def file only contains the urls of avast servers (not the IP address) then one would have to wonder how the questionable IP address might have been used by avast setup.

There is just a possibility that a nasty piece of software has invaded your system and set up a redirect for one or more of those avast urls to send it to the questionable IP address. You should scan your hosts file and make sure that no such redirections have been set up. On an XP system you can find the hosts file in the C:\Windows\System32\DRIVERS\etc folder.
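The HOSTS-file check suggested above can be automated. The script below is an added example for this thread, not avast's or ZoneAlarm's code: it pulls the hostnames out of the url= and stats= lines of a servers.def (skipping the trailing ASWSign signature line, which is not key=value) and reports any of them that a HOSTS entry pins to an address. The servers.def excerpt and HOSTS contents embedded here are constructed samples in the same layout as the ones posted; the 198.51.100.7 redirect is a hypothetical tampered entry, not something from the thread.

```python
"""Report HOSTS-file entries that override avast update hosts from servers.def.
Added example for the forum thread; not avast code. Sample inputs are constructed."""
import configparser
from urllib.parse import urlparse

# Constructed servers.def excerpt in the layout of the one posted in the thread.
# The final line stands in for the ASWSign signature that a real file ends with.
SERVERS_DEF = """[servers]
count=2

[server0]
name=Secondary ASW server
url=http://www.iavs.cz/iavs4x
stats=http://download8.avast.com/cgi-bin/iavs4stats.cgi

[server1]
name=Download1 AVAST server
url=http://download1.avast.com/iavs4x
stats=http://download1.avast.com/cgi-bin/iavs4stats.cgi

ASWSignA<placeholder-signature>ASWSignA
"""

# Constructed HOSTS file: stock localhost line plus one hypothetical redirect.
HOSTS_FILE = """# Copyright (c) 1993-2004 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
198.51.100.7    download1.avast.com      # hypothetical tampered entry
"""


def update_hosts(servers_def: str) -> set[str]:
    """Return every hostname referenced by a url= or stats= key in servers.def."""
    # Keep only section headers and key=value lines so the signature line
    # (and any other stray text) does not trip configparser.
    lines = [ln for ln in servers_def.splitlines() if "=" in ln or ln.startswith("[")]
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string("\n".join(lines))
    hosts: set[str] = set()
    for section in cfg.sections():
        for key in ("url", "stats"):
            if cfg.has_option(section, key):
                hosts.add(urlparse(cfg[section][key]).hostname.lower())
    return hosts


def parse_hosts_file(text: str) -> dict[str, str]:
    """Map each hostname in a HOSTS file to the address it is pinned to."""
    mapping: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def find_redirects(servers_def: str, hosts_text: str) -> dict[str, str]:
    """Return {update_host: pinned_address} for update hosts a HOSTS entry overrides."""
    pinned = parse_hosts_file(hosts_text)
    return {h: pinned[h] for h in sorted(update_hosts(servers_def)) if h in pinned}


if __name__ == "__main__":
    hits = find_redirects(SERVERS_DEF, HOSTS_FILE)
    if not hits:
        print("No update host is overridden in HOSTS.")
    for host, addr in hits.items():
        print(f"HOSTS overrides {host} -> {addr}")
```

Against a real machine, read the two files from C:\Program Files\Alwil Software\Avast4\Setup\servers.def and C:\Windows\System32\drivers\etc\hosts instead of the embedded strings; any hit means the updater's name resolution is being diverted before it ever reaches the ISP's DNS.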

Why are you thinking your antivirus is trying to connect to anything related to torrents or games or anything else?
The list of update servers can be found in the servers.def file in the setup subdirectory under the avast4 folder. There are the names, not IPs, but you can check the IPs yourself.

The problem is that this list could change (and actually is changed) quite frequently (servers are mostly added).
http://www.avast.com/eng/updates2.html#idt_1366

It makes me think that because when I do the DNS lookup of the IP avast is connecting to, it belongs to ThePirateBay.org:

% Information related to ‘83.140.65.0 - 83.140.65.255’

inetnum: 83.140.65.0 - 83.140.65.255
netname: TIAMO-NET
descr: ThePirateBay.ORG
descr: Customer of prq Inet, Box 1206, SE 114 79 Stockholm, SWEDEN

I will check my hosts to see if anything is in there.

It’s a temporary file that appears by the transformation of C:\Program Files\Alwil Software\Avast4\Setup\setup.ovr

Something strange, as the avast servers are not related to ThePirateBay.ORG.

Can you check the contents of your HOSTS file?

I don't have the slightest clue why setup would connect to such a site.

Could you please inspect setup.log in the setup directory to see if it also mentions the IP you've mentioned?


# Copyright (c) 1993-2004 Microsoft Corp.
#
# AutoGenerated by Microsoft (R) Windows (R) Malicious Software Removal Tool.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Yeah, this really is an odd one; nothing in there that's not working. Now I did a test and told Zone Alarm to ask me what to do the next time avast.setup runs. It just did, and it wanted to connect on port 53 to the torrent tracker again. I said no to the request and a few moments later avast popped up with the red box: an error has occurred while attempting to update. If I do not stop it connecting to that torrent address it seems to update fine :\ Weird, huh?

Very weird, you could as a temporary measure create a rule in ZA to block avast.setup access using port 53 or any other port other than port 80 (UDP/TCP protocols), which I think is used for updates. Perhaps Kubecj could confirm this.

Something very strange is going on, I certainly haven’t seen anything like this since joining the forums and it would be nice to get to the bottom of it.

How would avast.setup be made to use port 53 to connect, when I think it uses port 80?

Just tried a manual update and port 80 is used.

Server: download11.avast.com (67.15.38.62:80) Downloaded files: 3 (0.03 KB) Download time: 4 s

This is the top bit of my setup.log, but it won't let me post over 10,000 chars so I can't show you the full most recent entry. I cannot see anything about that strange IP, mind you I don't know what I am looking for in this log.


14:55:05 min/gen  Started: 14.06.2005, 14:55:05
14:55:05 min/gen  Running setup_av_pro-299 (665)
14:55:05 nrm/sys  Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
14:55:05 vrb/sys  Computer WinName: ISK-SERVER
14:55:05 min/sys  Windows Net User: ISK-SERVER\ISK
14:55:05 min/gen  Cmdline: /sfx /sfxstorage "C:\DOCUME~1\ISK\LOCALS~1\Temp\_av_sfx.tm~a03108"  /srcpath "C:\DOCUMENTS AND SETTINGS\ISK\DESKTOP" 
14:55:05 vrb/gen  DldSrc set to sfx
14:55:05 min/gen  Old version: ffffffff (-1)
14:55:05 vrb/gen  Install check: SetupVersion does NOT exist
14:55:05 nrm/gen  SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 0
14:55:05 vrb/reg  Get registry: Software\Microsoft\Internet Explorer\Version=6.0.2900.2180
14:55:05 vrb/gen  Operation set to INST_OP_INSTALL
14:55:05 min/gen  GUID: 4474dc69-5d1b-4793-a8df-aecc36568970
14:55:05 nrm/gen  SelectCurrent: selected server 'tmp sfx storage' from 'sfx'
14:55:13 min/pkg  Load C:\DOCUME~1\ISK\LOCALS~1\Temp\_av_sfx.tm~a03108\prod-av_pro.vpu
14:55:13 vrb/pkg  LatestPartInfo: news = news-42
14:55:13 vrb/pkg  LatestPartInfo: program = prg_av_pro-299
14:55:13 vrb/pkg  LatestPartInfo: setup = setup_av_pro-299
14:55:13 vrb/pkg  LatestPartInfo: vps = vps-52102
14:55:13 vrb/pkg  Part prg_av_pro-299 was set to be installed
14:55:13 vrb/pkg  Part vps-52102 was set to be installed
14:55:13 vrb/pkg  Part news-42 was set to be installed
14:55:13 vrb/pkg  Part setup_av_pro-299 was set to be installed
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  FilterOutExistingFiles: 133 & 0 = 133
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsysgui-1.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vps-52100.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: vpsm-52102.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: news409-2d.vpu - not okay
14:55:13 vrb/pkg  FilterOutExistingFiles: 133 & 0 = 133
14:55:13 vrb/pkg  FilterOutExistingFiles: 135 & 0 = 135
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setif_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: setup_av_pro-299.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_core-260.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_dll409-11e.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_hlp409-1db.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: av_pro_skins-12.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: avscan-1bb.vpu - not okay
14:55:13 vrb/pkg  IsFullOkay: winsys-1.vpu - not okay

Maybe the bottom of it will be better…

Foxabilo, are you using Home version or the Trial one?

Home, to the best of my knowledge; I've been a LOOOOOOOOOOOOOOOOONG time user of avast, I registered it etc. etc.


15:11:12 min/int  tried 30 servers to get file 'servers.def', but failed (0x20000004)
15:11:12 min/fil  GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP\_av_proI.tm~a01140\onefile, servers.def, error: 0x20000004
15:11:12 min/pkg  Tried to download servers.def but failed with error 0x20000004.
15:11:12 min/gen  Err:Cannot connect to download4.avast.com (unknown:80).
15:11:12 nrm/pkg  Transferred files: 0
15:11:12 nrm/pkg  Transferred bytes: 0
15:11:12 nrm/pkg  Transfer time: 0 ms
15:11:12 vrb/fil  NeedReboot=false
15:11:12 min/gen  Return code: 0x20000004 [Cannot connect to download4.avast.com (unknown:80).]
15:11:12 min/gen  Stopped: 16.11.2005, 15:11:12


19:19:12 min/gen  Started: 16.11.2005, 19:19:12
19:19:12 min/gen  Running setup_av_pro-2db (731)
19:19:12 nrm/sys  Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
19:19:12 vrb/sys  Computer WinName: ISK-SERVER
19:19:12 min/sys  Windows Net User: SYSTEM
19:19:14 min/gen  Cmdline: /downloadpkgs /noreboot /updatenews /verysilent /nolog  
19:19:14 vrb/gen  DldSrc set to inet
19:19:14 vrb/gen  Operation set to INST_OP_UPDATE_GET_PACKAGES
19:19:14 min/gen  Old version: 2db (731)
19:19:17 nrm/gen  SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
19:19:21 vrb/sys  Computer DnsName: isk-server
19:19:21 vrb/sys  Computer Ip Addr: 192.168.0.1
19:19:26 nrm/int  SYNCER: Type: use IE settings
19:19:26 nrm/int  SYNCER: Auth: another authentication, use WinInet
19:19:26 vrb/pkg  Part prg_av_pro-2db is installed
19:19:26 vrb/pkg  Part vps-54602 is installed
19:19:26 vrb/pkg  Part news-44 is installed
19:19:26 vrb/pkg  Part setup_av_pro-2db is installed
19:19:26 min/gen  Old version: 2db (731)
19:19:51 vrb/fil  SetExistingFilesBitmap: 728->136->136
19:19:51 min/gen  GUID: 4474dc69-5d1b-4793-a8df-aecc36568970
19:19:52 nrm/gen  Server definition(s) loaded for 'main': 30 (maintenance:0)
19:19:52 nrm/gen  SelectCurrent: selected server 'Download5 AVAST server' from 'main'
19:19:56 dbg/gen  Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
19:19:56 dbg/gen  Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
19:20:27 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:20:45 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:20:45 nrm/gen  InvalidateCurrent: invalidated server 'Download5 AVAST server' from 'main'
19:20:45 nrm/gen  SelectCurrent: selected server 'Download12 AVAST server' from 'main'
19:20:45 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 1
19:21:02 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:21:02 nrm/gen  InvalidateCurrent: invalidated server 'Download12 AVAST server' from 'main'
19:21:02 nrm/gen  SelectCurrent: selected server 'Download15 AVAST server' from 'main'
19:21:02 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 2
19:21:21 min/pkg  ERROR:HttpGetWininet, catch returned 0x00002EE7
19:21:21 nrm/gen  InvalidateCurrent: invalidated server 'Download15 AVAST server' from 'main'
19:21:21 nrm/gen  SelectCurrent: selected server 'Download24 AVAST server' from 'main'
19:21:21 dbg/int  while trying to get file 'servers.def', error 0x20000004 has occured, try 3

Heh, it seems that setup is trying normal servers on port 80, as seen in the log.
To me it looks like a wrong ZA report? (But how can one trust his firewall if it's not able to display the correct IP??)

It occurs to me in reading the thread again that the access to this strange IP address was reported as a DNS lookup on port 53 (standard DNS lookup port).

So Foxabilo, can I suggest that, at a command prompt, you type ipconfig /all and make sure that the questionable IP address does not appear in your list of DNS servers.
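A way to put that suggestion, and the later observation that ZA was blocking ordinary lookups to the BT resolvers, into one check. This is an added example written for this thread, not ZoneAlarm or avast code: it reads the "DNS Servers" addresses out of ipconfig /all output, parses ZoneAlarm's "Key Value" record dump, and for every record says whether a port-53 destination is one of the configured resolvers (an ordinary DNS lookup the firewall got in the way of) or something else on port 53 that deserves a closer look. The ipconfig text and the three records are constructed from values that appear in the thread (62.6.40.178, 194.72.0.98, 83.140.65.142, 67.15.38.62); the record layout follows the ZA entries posted above.

```python
"""Triage ZoneAlarm 'Program Access' records against the resolvers from ipconfig /all.
Added example for the forum thread; not ZoneAlarm or avast code. Inputs are constructed."""
import re

# Constructed ipconfig /all excerpt in the layout shown in the thread.
IPCONFIG_OUTPUT = """PPP adapter BT Voyager 100 ADSL Modem Connection:

    Connection-specific DNS Suffix  . :
    IP Address. . . . . . . . . . . . : 86.132.134.199
    DNS Servers . . . . . . . . . . . : 62.6.40.178
                                        194.72.0.98
    NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# Constructed ZA records (blank line between records, 'Key Value' per line).
ZA_LOG = """Program avast.setup
Destination IP 83.140.65.142:53
Direction Outgoing (connect)
Action Taken Blocked
Count 170
Destination DNS tracker.prq.to

Program avast.setup
Destination IP 62.6.40.178:53
Direction Outgoing (connect)
Action Taken Blocked
Count 1
Destination DNS

Program avast.setup
Destination IP 67.15.38.62:80
Direction Outgoing (connect)
Action Taken Allowed
Count 1
Destination DNS download11.avast.com
"""

# Field names as ZA prints them; matched as line prefixes.
KEYS = ("Description", "Rating", "Date / Time", "Type", "Program", "Source IP",
        "Destination IP", "Direction", "Action Taken", "Count", "Source DNS",
        "Destination DNS")


def parse_za_records(text: str) -> list[dict[str, str]]:
    """Split a ZA record dump into dicts; a key with no value (e.g. empty Source IP) maps to ''."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key = next((k for k in KEYS if line == k or line.startswith(k + " ")), None)
        if key is not None:
            current[key] = line[len(key):].strip()
    if current:
        records.append(current)
    return records


def configured_resolvers(ipconfig_text: str) -> set[str]:
    """Collect the 'DNS Servers' addresses, including indented continuation lines."""
    resolvers, collecting = set(), False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            line = line.split(":", 1)[1]
        elif collecting and ":" in line:   # next 'Key : Value' line ends the list
            collecting = False
        if collecting:
            resolvers.update(re.findall(r"\d+\.\d+\.\d+\.\d+", line))
    return resolvers


def triage(records: list[dict[str, str]], resolvers: set[str]) -> list[tuple[str, str, str]]:
    """Return (program, destination, verdict) per record."""
    out = []
    for rec in records:
        dest = rec.get("Destination IP", "")
        ip, _, port = dest.rpartition(":")
        if port == "53" and ip in resolvers:
            verdict = "dns lookup to configured resolver"
        elif port == "53":
            verdict = "port 53 to non-resolver: investigate"
        else:
            verdict = "non-dns traffic"
        out.append((rec.get("Program", ""), dest, verdict))
    return out


if __name__ == "__main__":
    for program, dest, verdict in triage(parse_za_records(ZA_LOG),
                                         configured_resolvers(IPCONFIG_OUTPUT)):
        print(f"{program:12} {dest:22} {verdict}")
```

The useful output is the middle case: a blocked port-53 connection to one of your own ISP resolvers is the firewall stopping a normal lookup, which is exactly the failure that makes the updater report an error. A port-53 destination that is not a configured resolver is the one to cross-check against ipconfig and the HOSTS file before trusting the name the firewall attached to it.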

```text
C:\Documents and Settings\ISK>ipconfig /all

Windows IP Configuration

    Host Name . . . . . . . . . . . . : isk-server
    Primary Dns Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 21:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast Ethernet NIC #4
    Physical Address. . . . . . . . . : 00-02-44-2E-FC-2B
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

PPP adapter BT Voyager 100 ADSL Modem Connection:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 86.132.134.199
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 86.132.134.199
    DNS Servers . . . . . . . . . . . : 62.6.40.178
                                        194.72.0.98
    NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\ISK>
```

All the DNS servers check out as my official ISP's ones.


Both DNS addresses check out as official British Telecom DNSs.

Well, I’ll admit I’m stumped on this one.

I just did an IP trace of the update function on my system (using Ethereal) and everything being done by avast is completely “proper”.

It gets stranger!
This is a screeny of the ZA program log with the addresses it thinks Avast is connecting to. Look at the random list that's there: googlemail, all sorts :S

http://img291.imageshack.us/img291/4856/log11bs.jpg

Foxabilo,

I just use the free ZA firewall (current version) so I am not familiar with this ZA antispyware screen.

However, I notice with concern that it has blocked perfectly normal DNS lookups to your stated BT DNS servers, 62.6.40.178 & 194.72.0.98 (port 53).

I cannot account for the other entries, but in the above cases ZA has simply prevented avast from doing what it is supposed to do.

Were this my system I would have to question the effectiveness and value of the ZA antispyware offering currently installed.

While I certainly would not wish to advise anyone to take risks with their system I again point to the fact that I have run an IP trace against avast update on my system and only seen it perform perfectly safe activity. There are a few free such trace tools if you care to check (as I mentioned previously I use Ethereal).