I’ve noticed that after installing Avast on a system that used to have NAV on it, my firewall logs show spoolsv.exe attempting to connect to download6.avast.com (67.15.0.83).
Reading through prior forum posts on the spooler service, I didn’t see a cause or solution identified.
Could this have something to do with Avast trying to act as a DNS proxy, even though I have no proxy identified in either Windows or in the Avast settings?
System is XPsp2, printer is a local network printer with its own local IP address on the subnet, and in ZoneAlarm’s “Trusted Zone”.
avast WebShield works like a local proxy, but not as a DNS server proxy.
I guess this could be related to remains of NAV. Can you try Norton Removal Tool for Windows 2000/XP/Vista?
I have to wonder why you bother to ask for help and then reject it. If you really want help, then engage with those who know a lot more about avast and the issues that can be encountered than you appear to.
If you continue with the “I know better” attitude it will appear that you really do not want assistance.
That’s for sure.
BTW pkfdy, may I suggest you download AVG AS & make a scan with it; it looks like there’s some kind of malware that acts like a DNS.
Cheers & don’t regret us, we only want to help you.
Hello again all who replied, and thank you for taking the time to comment. I didn’t mean to appear rude or a know-it-all, and I should have been more specific about why I don’t think the problem is leftover from NAV.
I keep my security tighter than most folks: two hardware firewalls, one software firewall, AV, malware and adware scanners, I don’t use IE, and I don’t run unnecessary services. I’ve scanned with several different vendors’ AV products, run Lavasoft’s anti-spyware tools and Sysinternals’ RootkitRevealer, rolled up my sleeves and done some forensic investigation on this problem, and come up with nothing. The registry is clean, and there aren’t any configuration files or any of the usual suspects that might explain this, that I can find. Of course, one can always miss something.
My gut feeling, wrong or not, is that it’s one of several other things, and I’d welcome your feedback.
Possibly, because the printer is a network printer with its own IP address on the subnet, and because this printer is configured to save its print jobs, that may have something to do with this. Perhaps ZoneAlarm is part of the problem.
Also, I know it’s possible to compromise network printers (assuming one can get past the hardware firewalls) to get to the printer.
I somehow doubt that a malware of any kind would be connecting exactly to avast! updating server… (to download avast! updates that could detect it? ;D)
I’m afraid I have no idea how this could happen… my guess would be something like a confused firewall, but I’m not a big expert on network/firewall stuff.
If the firewall was saying that Print Spooler was connecting to some reallybadsite.com, I might have admitted that it’s a piece of malware injected to the process. However, if it’s actually connecting to our servers, it’s quite a mystery.
To me, it also sounds like a confused firewall (ZA). Is it the latest version of ZA, by the way?
And is it always download6.avast.com, or does the number change? Our updating infrastructure currently uses 200+ servers, and these are load balanced. So if these requests were actually coming from an avast component (avast updater, typically), you’d see a bunch of different servers being used (downloadNNN.avast.com).
Last but not least, on which port are the connections taking place? HTTP?
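The two checks Vlk asks for above, whether the host number varies across many downloadNNN.avast.com servers and which port the connections use, can be applied mechanically to a firewall log. The script below is an added example written for this thread, not code from avast or ZoneAlarm. It assumes a simple constructed CSV layout rather than ZoneAlarm’s real export format; the spoolsv.exe host names and IPs are the ones reported in the thread, but their pairing and the updater process name `avast_updater.exe` are placeholders.

```python
import re
from collections import defaultdict

# Matches avast's numbered, load-balanced update hosts (downloadNNN.avast.com).
AVAST_DL = re.compile(r"^download(\d+)\.avast\.com$", re.IGNORECASE)

# Constructed sample firewall log, NOT ZoneAlarm's real export format:
# timestamp,process,direction,remote_host,remote_ip,port,protocol ("N/A" = not logged).
# The spoolsv.exe hosts and IPs come from the thread but their pairing is constructed;
# "avast_updater.exe" and its TEST-NET IPs are placeholders.
SAMPLE_LOG = """\
2006-11-26 09:12:01,spoolsv.exe,out,download6.avast.com,67.15.0.83,N/A,N/A
2006-11-26 09:12:05,spoolsv.exe,out,download5.avast.com,67.19.185.82,N/A,N/A
2006-11-26 09:13:10,spoolsv.exe,in,70.86.43.210,70.86.43.210,N/A,N/A
2006-11-26 09:14:00,spoolsv.exe,out,download15.avast.com,70.86.43.210,N/A,N/A
2006-11-28 10:00:00,avast_updater.exe,out,download930.avast.com,192.0.2.10,80,TCP
2006-11-28 10:00:02,avast_updater.exe,out,download963.avast.com,192.0.2.11,80,TCP
2006-11-28 10:00:04,avast_updater.exe,out,download412.avast.com,192.0.2.12,80,TCP
"""


def parse_log(text):
    """Parse the constructed CSV layout into a list of dicts; skip malformed lines."""
    fields = ("time", "process", "direction", "host", "ip", "port", "proto")
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(fields) or not parts[0]:
            continue
        records.append(dict(zip(fields, parts)))
    return records


def by_process(records):
    """Group records per process: remote hosts, ports and directions seen."""
    summary = defaultdict(lambda: {"hosts": set(), "ports": set(), "directions": set()})
    for r in records:
        s = summary[r["process"].lower()]
        s["hosts"].add(r["host"].lower())
        s["ports"].add(r["port"])
        s["directions"].add(r["direction"])
    return dict(summary)


def assess(records, process):
    """Apply the thread's two checks to one process: how many distinct downloadNNN
    hosts it touched, and whether the port/protocol was logged at all."""
    recs = [r for r in records if r["process"].lower() == process.lower()]
    dl_hosts = {r["host"].lower() for r in recs if AVAST_DL.match(r["host"])}
    ports = {r["port"] for r in recs if r["port"] != "N/A"}
    findings = []
    if not ports:
        findings.append("port/protocol not logged; enable port logging before judging")
    elif ports <= {"80", "443"}:
        findings.append("HTTP(S) ports only, consistent with updater traffic")
    else:
        findings.append("non-HTTP ports seen: " + ", ".join(sorted(ports)))
    if len(dl_hosts) >= 2:
        findings.append(f"{len(dl_hosts)} distinct downloadNNN hosts, "
                        "consistent with a load-balanced updater")
    elif len(dl_hosts) == 1:
        findings.append("only one downloadNNN host; compare against the updater's usual set")
    inbound = sorted({r["ip"] for r in recs if r["direction"] == "in"})
    if inbound:
        findings.append("inbound attempts from: " + ", ".join(inbound))
    return {
        "process": process.lower(),
        "download_hosts": sorted(dl_hosts, key=lambda h: int(AVAST_DL.match(h).group(1))),
        "ports": sorted(ports),
        "findings": findings,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc in sorted(by_process(recs)):
        result = assess(recs, proc)
        print(result["process"], result["download_hosts"], result["ports"])
        for f in result["findings"]:
            print("  -", f)
```

Run as-is it reports that the spoolsv.exe entries hit three different update hosts (which, by Vlk’s reasoning, looks like updater traffic rather than a single hard-coded destination) but that no port was logged, so the HTTP check cannot be made until port logging is turned on.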
Igor, your comment is spot on, and I laughed at the thought too, when it crossed my mind. If that were the case (that malware would connect to download a program that could detect it), such malware would have to be some kind of intercept and disable app, but of course the likelihood of that seems very low.
Vlk, the ZApro version is the latest (7.0.462.000); however, the instances occurred (Nov 26) prior to the latest update (Nov 28). Before the 28th the box was running the then-latest version of ZApro. The outgoing connections attempted by spoolsv.exe (ver 5.1.2600.2696) were to download5[and 6 and 15].avast.com, 67.15.0.83, 67.19.185.82 and 70.86.43.210, whereas when avast updates itself it seems usually to connect to one of the higher-numbered servers, such as download930[and 963].avast.com. Between attempts to connect to those servers, spoolsv.exe attempted to receive incoming data from 70.86.43.210 as well.
I wasn’t tracking port-specific activity at the time and ZA Analyser gives N/A for the transport and null values for the ports involved.
Thanks for any thoughts on this.
PS, as I wrote this, ZA informs me Windows NT Logon App (winlogon.exe) wants to use avast service to connect to 67.19.106.250:DNS. You may be right about a confused firewall. Hmm.