Connection Timer ?

system · May 30, 2005, 8:21pm

Hi. I’ve been using Avast4 home edition for months, and have been totally satisfied with the program. Thanks!!

Recently, however; since the last update a few days ago, I now get small pop-up windows from avast telling me various connection timeouts. For example, one I have at the moment reads:

Internet Connection timeout elapsed. Continue waiting? (explorer.exe -> 64.74.96.243:25).

When these pop-ups occur, it tends to kick me out of other programs I am running, mainly on-line multiplayer games. Is there a way to prevent these pop-up windows from occurring?

Any help with this would be greatly appreciated. Thanks!!

Rappy

Lisandro · May 30, 2005, 9:38pm

When the timeout message comes from the mail client (such a ThunderBird or Outlook Express) it’s because these programs should send or receive mails and should be scanned by avast Mail Scanner. You could add your game into the IgnoreProcess list of avast4.ini file section [MailScanner]. For more details, click Settings in my signature

To help us further understand it please open the file C:\Program Files\ALWIL Software\Avast4\DATA\avast4.ini, insert this line Log=20 under [MailScanner] section.

[MailScanner]
Log=20

This will enable detailed logging.
Then try to reproduce the problem with timeout and post here the created log file (from C:\Program Files\ALWIL Software\Avast4\DATA\Log\avMaiSv.log.

Also please try to reproduce the problem with Internet Mail Provider disabled. Do you get any timeouts messages from you mail client when used without avast Mail Scanner?

system · May 30, 2005, 11:37pm

I am not trying to send any mail and I cannot try to reproduce something I am not causing. It is not my gaming that is causing these, but it is what is being effected (among other things) by these constant pop-up windows about connection timeout. These pop-up messages about connection timeout have come from somewhere and I’d like to know how to make them stop. While gaming, as these things pop-up, one of two things happen…either I experience a huge lag spike in the game or my game minimizes. These pop-ups come from various IP’s as I posted previously, mail places such as yahoo (which I do not use), earthlink and many many others. I am not receiving any mail in my email account, nor am I sending any. But this is getting a bit rediculous and I’d like to find an answer to stopping it short of uninstalling what, up until the last few days, has been an excellent product.

alanrf · May 30, 2005, 11:54pm

Rappy,

I am pretty certain that Avast is just reporting a condition that is ocurring on your system.

It is not a normal condition to see explorer.exe connecting to port 25 of servers outside your system and, in your case, for a lengthy period.

Tech was just trying to get you to gather some documentation to try to see what is happening.

While this may be a case of one of your games using port 25 in a “non-standard” way, ie for something else other than email there is another known situation where these circumstances do occur.

There is a class of backdoor trojans that allow another computer to order yours to start sending out spam email and the trojan can hide itself behind explorer.exe (by doing that it can usually avoid any firewall you have from alerting you to its activities).

Apart from creating the log that Tech proposed to you a full virus and spyware scan of your system would be worthwhile.

system · May 31, 2005, 12:57am

I inserted the Log=20 into the .ini file. How long do you suggest I wait before posting what the log shows?

My apologies for sounding rude. I’m just a bit frustrated with this.

Rap

alanrf · May 31, 2005, 2:00am

You mentioned that these alerts are frequent enough to be causing you clear irritation.

Probably best if you use your system as usual - let’s hope you quickly see another timeout alert. Then would be the time to look at the log.

system · May 31, 2005, 2:39am

The file is quite large already, over 8000kb. Here is just a small portion, since pasting the whole thing would exceed your character limit.

05/30/05 19:06:53 00000BE0: ->SMTP DATA 05/30/05 19:06:53 00000BE0: sent 50(0x00000032) 05/30/05 19:06:54 00000BE0: received 960(0x000003C0) 05/30/05 19:06:54 000003A4: SMTP accept connection from: 127.0.0.1 05/30/05 19:06:54 000003A4: Connection handler: 0x00000BE8 05/30/05 19:06:54 00000BE8: Ignored PIDs: 1844 1436 05/30/05 19:06:54 00000BE8: Ignored Addresses: 68.114.216.61:119 127.0.0.1:119 68.114.216.61:143 127.0.0.1:143 68.114.216.61:25 127.0.0.1:25 68.114.216.61:110 127.0.0.1:110 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 05/30/05 19:06:54 00000BE8: Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup 05/30/05 19:06:54 00000BE8: --SMTP command REDIRECT 144.124.16.43:25 1684 05/30/05 19:06:54 00000BE8: PATH: \Device\HarddiskVolume1\WINDOWS\explorer.exe 05/30/05 19:06:54 00000BE0: received 5(0x00000005) 05/30/05 19:06:54 00000BE0: ProcessFile entrance C:\WINDOWS\TEMP\_avast4_\unp41805340 05/30/05 19:06:54 00000BE0: ProcessFile 2 E-mail 'Asian Teen Masturbating In Red Dress' From: "Ira" , To: 05/30/05 19:06:54 00000BE0: ProcessFile scanDlgPID before E-mail 'Asian Teen Masturbating In Red Dress' From: "Ira" , To: 05/30/05 19:06:54 00000BE0: ProcessFile scanDlgPID after E-mail 'Asian Teen Masturbating In Red Dress' From: "Ira" , To: 05/30/05 19:06:54 00000BE0: ProcessFile exit 1(0x00000001) 05/30/05 19:06:54 00000BE0: --SMTP Mail is clean 05/30/05 19:06:54 00000BE0: sent 6(0x00000006) 05/30/05 19:06:54 00000BE0: received 14(0x0000000E) 05/30/05 19:06:54 00000BE0: <-SMTP 354 go ahead 05/30/05 19:06:54 00000BE0: --SMTP Modified message to send: C:\WINDOWS\TEMP\_avast4_\unp41805340 05/30/05 19:06:54 00000BE8: Connected to SMTP server 144.124.16.43 25 05/30/05 19:06:54 00000BE0: sent 1056(0x00000420) 05/30/05 19:06:54 000003A4: SMTP accept connection from: 127.0.0.1 05/30/05 19:06:54 000003A4: Connection handler: 0x00000BEC 05/30/05 19:06:54 00000BEC: Ignored PIDs: 1844 1436 05/30/05 19:06:54 00000BEC: Ignored Addresses: 68.114.216.61:119 127.0.0.1:119 68.114.216.61:143 127.0.0.1:143 68.114.216.61:25 127.0.0.1:25 68.114.216.61:110 127.0.0.1:110 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 05/30/05 19:06:54 00000BEC: Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup 05/30/05 19:06:54 00000BEC: --SMTP command REDIRECT 67.28.113.10:25 1684 05/30/05 19:06:54 00000BEC: PATH: \Device\HarddiskVolume1\WINDOWS\explorer.exe 05/30/05 19:06:54 00000BEC: Connected to SMTP server 67.28.113.10 25 05/30/05 19:06:54 00000BEC: received 57(0x00000039) 05/30/05 19:06:54 00000BEC: <-SMTP (PID) 220 YSmtp mta144.mail.re2.yahoo.com ESMTP service ready 168405/30/05 19:06:54 00000BEC: sent 57(0x00000039) 05/30/05 19:06:54 00000BE0: received 15(0x0000000F) 05/30/05 19:06:54 00000BE0: <-SMTP 250 ok dirdel 05/30/05 19:06:54 00000BE0: sent 15(0x0000000F)

Rap

alanrf · May 31, 2005, 3:35am

Rap,

as you can see for yourself, this log shows you sending an email

From: “Ira” brokenarrowmedrgvo@hotmail.com
To: grcanyonman@yahoo.com
Subject: Asian Teen …

The process sending this appears as explorer.exe.

May I assume that you did not intend for this email to be sent from your system?

If the answer is “no” and given the length of the mail log from Avast then I must conclude that your computer has been compromised by a backdoor trojan.

Have you run the full virus and spyware scans?

Lisandro · May 31, 2005, 3:37am

After running a full avast scanning and/or a boot time scanning, use antispyware applications (freeware): download, install, update and run it.

Ad-Aware
Spybot Search and Destroy
Spywareblaster
A-squared
Ewido

alanrf · May 31, 2005, 4:09am

Rap,

are you also using a firewall in additon to Avast?

system · May 31, 2005, 12:09pm

are you also using a firewall in additon to Avast?

Yes, I use the WinXP firewall, but no others. I've had problems in the past with a couple others.

After running a full avast scanning and/or a boot time scanning, use antispyware applications (freeware): download, install, update and run it.
Ad-Aware
Spybot Search and Destroy
Spywareblaster
A-squared
Ewido

I already use Ad-Aware and had ran a full scan of it earlier yesterday. All it removed was the “normal” tracking garbage that you get whenever you are on the internet.

I’m at work now, but I’ll try running a scan of both again when I get home. Thanks!

Rap

Lisandro · May 31, 2005, 12:17pm

Running away won’t make it easy… better will be trying to troubleshoot and have a ‘full’ firewall as Windows one is just for inbound attacks.

Sometimes, Ad-aware can’t caught everything… no software is perfect… maybe some of the others will help you…

DavidR · May 31, 2005, 12:59pm

Windows firewall is only doing half the job, it doesn’t have any outbound protection, that is why emails (spam, etc.) are being sent without your interaction, your system doesn’t belong to you.

Regardless of the problems you might have had with some firewalls in the past you have to find one that works for you to provide outbound protection. Firewalls have been discussed extensively in the forums.

system · May 31, 2005, 9:54pm

Just wanted to say thanks for the help with this, and hopefully its all sorted now. Did a thorough scan when I got home and avast4 found 2 trojans and they’ve now been removed. Hopefully all will be good now. Also in the process of choosing a new firewall so this doesnt happen again.

Thanks again!!

Rap

system · May 31, 2005, 10:52pm

??? Still getting these pop-up things. When I get a firewall installed, will that solve this problem?

Rap

Lisandro · May 31, 2005, 11:05pm

Could you post a screenshot with the pop-up message?
It’s difficult to imagine what is happening…

alanrf · May 31, 2005, 11:24pm

Rap,

if the pop still looks the same as before (explorer.exe) then can you create the log again too, so we can see if the same problem is still there?

Sometimes these trojans can take some effort to remove.

By the way what trojans did Avast report finding?

system · June 1, 2005, 12:01am

I dont remember now what Trojans Avast found. I deleted them as they were detected and didnt think to note the names.

I’ve downloaded and installed Kerio, but from what I see it allows all outgoing same as what you said about the built in XP firewall and I’m not finding how to change that.

How would I go about posting a view of the next pop-up?

Rap

Lisandro · June 1, 2005, 12:45am

For sure not… You must configure your firewall to ‘ask’ your what programs would be allowed to connect.
I suggest you visit the Kerio webpage and see the tutorials there

alanrf · June 1, 2005, 1:53am

If you do not know how to do the screenshot of the popup then just as much of the contents as possible would be fine.

While I agree with all that has been said about firewalls by Tech and DavidR I do not want you to be under any illusions. Installing a firewall is not going to eradicate the problem in your system right now. It will certainly do a lot to make sure it cannot come back after you have have cleared the current problem.

Sorry, there are both of those tasks still to do.

defend your system better against future attacks
eliminate the current problem in your system

Connection Timer ?

Announcements