AVAST.setup file - is it supposed to contact other websites?

Is it supposed to connect to websites such as: “wasteaminute.com”, “adtegrity.com”, “247media.com”, “www.joetec.net”, “www.aboutus.org”, “www.alexa.com”, “www.sempo.com”, and others…?

I noticed that, because I have the above sites on my “restricted list” in my Zonealarm Firewall.

It seems odd to me that Avast, as a trojan detector and destroyer, is not able to prevent some other program from using their own “Avast.setup” file to contact websites that are known to be dangerous or at least annoying. For example, “Alexa.com” has been around for at least 5 years, and it is known to deal with creepy advertising, spyware-cookies, and so forth.

Unless, of course, Avast has some sort of advertising deal going with the various websites mentioned above. Can anyone explain to me whether these connection attempts by “Avast.setup” are authorized by Avast or not?

Thank you for your consideration!

W K

Other programs can’t use avast.setup as the self-defence module would stop them from editing it. The avast.setup is the avast update process; it has a specific list of servers that it can access and that is contained in the servers.def file. They are avast download servers.

So I have no idea what ZA is detecting or if it is the C:\Program Files\Alwil Software\Avast4\Setup\avast.setup file.

Can you post the log showing avast.setup accessing these sites?

I certainly don’t see anything like this in my logs with Outpost Pro 2009. However, ZA isn’t that hot at stopping leaks out of the system, see http://www.matousec.com/projects/firewall-challenge/results.php.

No.

Which avast version are you using?
This is not supposed to happen.

No, it does not.

WK
I take it you have by now locked down your system, raised the drawbridge, turned the crocodiles loose in the moat?
Post back if you need some help getting rid of this hijacker or whatever it is

start with a Rogue Remover and MBAM scan
post back ASAP

also a boot time avast scan

I was on vacation. Below is a copy of a ZoneAlarm log, dated 09-01-08, with notes by me added:

ZoneAlarm Logging Client v7.0.483.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,… (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
ACCESS,2008/09/01,21:25:36 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (69.42.217.55)).,N/A,N/A
ACCESS,2008/09/01,21:27:40 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/01,22:22:44 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (207.44.249.93)).,N/A,N/A <— (My NOTE: which is “www.joetec.net”)
ACCESS,2008/09/01,22:22:44 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (209.234.171.100)).,N/A,N/A <— (MY NOTE: which is “www.alexa.com”)
ZLUpdate,2008/09/01,22:56:20 -5:00 GMT,Auto
ZLUpdate,2008/09/01,22:56:24 -5:00 GMT,Auto
ACCESS,2008/09/01,23:27:00 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A <---- (MY NOTE: which is “www.247Realmedia.com”)
ACCESS,2008/09/02,00:31:00 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,01:35:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,03:43:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,04:47:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,05:51:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,07:27:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,08:31:04 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,11:43:04 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,13:51:04 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,15:27:04 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,16:28:00 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,17:35:04 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
LOCK,2008/09/02,18:39:10 -5:00 GMT,Generic Host Process for Win32 Services,207.46.30.24,N/A
LOCK,2008/09/02,19:28:26 -5:00 GMT,Generic Host Process for Win32 Services,205.171.3.65,N/A
LOCK,2008/09/02,19:28:26 -5:00 GMT,Generic Host Process for Win32 Services,205.171.2.65,N/A
LOCK,2008/09/02,19:28:28 -5:00 GMT,Generic Host Process for Win32 Services,205.171.1.65,N/A
LOCK,2008/09/02,19:28:40 -5:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A

Note: the reason the addresses are “restricted” is that I specifically blocked them in the “Sites” of the ZA Firewall settings.
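Added example, not part of any post in this thread: a small Python parser for the ZoneAlarm records shown above. It reports, per destination, how many attempts were logged, which program (if any) the record names, and the minutes between attempts. Reading the LOCK "source" field as the program name and the function names used are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the log posted above, wrapped records rejoined onto one line each.
SAMPLE = """\
ACCESS,2008/09/01,22:22:44 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (207.44.249.93)).,N/A,N/A
ACCESS,2008/09/01,23:27:00 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,00:31:00 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
ACCESS,2008/09/02,01:35:02 -5:00 GMT,Your computer was prevented from connecting to a restricted site (a restricted address (64.191.218.11)).,N/A,N/A
LOCK,2008/09/02,18:39:10 -5:00 GMT,Generic Host Process for Win32 Services,207.46.30.24,N/A
"""
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_log(text):
    """Return one dict per ACCESS/LOCK record: time, program (or None), destination."""
    events = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 6 or fields[0] not in ("ACCESS", "LOCK"):
            continue  # banner, column headers, ZLUpdate entries
        when = datetime.strptime(fields[1] + " " + fields[2].split()[0],
                                 "%Y/%m/%d %H:%M:%S")
        if fields[0] == "ACCESS":
            # The address appears only inside the message; no program is recorded.
            m = IP_RE.search(fields[3])
            program, dest = None, (m.group(1) if m else None)
        else:
            # Assumption: in LOCK records the 'source' field is the program name.
            program, dest = fields[3], fields[4]
        events.append({"when": when, "program": program, "dest": dest})
    return events

def summarize(events):
    """Per destination: attempt count, programs named, minutes between attempts."""
    by_dest = defaultdict(list)
    for e in events:
        by_dest[e["dest"]].append(e)
    report = {}
    for dest, evs in by_dest.items():
        times = sorted(e["when"] for e in evs)
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
        programs = sorted({e["program"] for e in evs if e["program"]})
        report[dest] = {"count": len(evs), "programs": programs, "gaps_min": gaps}
    return report

if __name__ == "__main__":
    for dest, info in summarize(parse_log(SAMPLE)).items():
        print(dest, info)
```

An empty `programs` list for a destination means the log alone cannot attribute those attempts to any process; the firewall's per-program alerts or a connection-to-process listing taken at the time of an attempt would be needed for that.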