Strange activity of AvastSvc.exe ver 7.0.1474.765

Comodo FFW shows very strange activity of AvastSvc.exe ver 7.0.1474.765 (md5: 8FA553E9AE69808D99C164733A0F9590). Every 5 minutes it connects to strange domains, all corresponding to IP 184.173.226.244. The domains differ from day to day: landlady48s.com, rime41claim.com, y55o04jjh4.com, 21zkkylf5c.com. All those domains were newly registered anonymously.

Domain Name: Y55O04JJH4.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.Y55O04JJH4.COM
Name Server: NS2.Y55O04JJH4.COM
Status: clientTransferProhibited
Updated Date: 06-nov-2012
Creation Date: 06-nov-2012
Expiration Date: 06-nov-2013
Registrant:
Taven Proga email +1.5552228552 +1.5552228552
Maintainability Inc.
Segmentaddressed str. 157
Boise,ID,US I2632

http://img685.imageshack.us/img685/4836/60645521.jpg

The md5sum of AvastSvc.exe is the same as it should be. Any suggestions?

Unfortunately, Comodo is unable to determine which process is actually going through the avast (web shield) localhost proxy; it only sees the process controlling the proxy, AvastSvc.exe.

Avast doesn’t initiate the connections, but redirects all HTTP port connections through the localhost proxy so that the traffic can be scanned. So something on your system is trying to connect to y55o04jjh4.com; what that is, is going to be a little more difficult to determine.

What browser do you use and does it have any toolbars installed in it (they commonly have activity like this that you didn’t initiate) ?

That said, the IP address comes up as the same thing: ThePlanet.com Internet Services - HostNext Web Solutions.

I do believe that avast has servers in Houston and I think at thePlanet.com, but I don’t know if that would be one as they are normally like this for the domain downloadXXX.avast.com (where XXX is a numeric value).

Thank you for your reply. After uninstalling Avast, I saw in the firewall connections to those domains from C:\Windows\EXPLORER.EXE. So as you say, it's not AvastSvc.exe activity.
Trojan? But EXPLORER.EXE scanned on virustotal.com is OK, and has the same md5 hash as the original Microsoft version. Maybe some DLLs used by explorer? Anyway, thank you, and now I'll try to find where the problem is really hidden.

I would say it looks like you have a hidden/undetected piece of malware (possibly a rootkit), as it is misusing explorer.exe, and that is why the explorer.exe file comes up clean on VT.

This usually results in the network shield alerting when this tries to connect to any known malicious site.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Found something. A DLL that was used by explorer.exe. Added to the Nod32 database two days ago.
https://www.virustotal.com/file/18bbeee53bd9ebc20d10b97aeae23db225ee96f5be1b2d3ca50db2a5ec82de13/analysis/1354385213/
Sent zipped and password protected to virus@avast.com

You should follow the information in the link I gave as these things are seldom that easy to resolve.
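
The traffic pattern described in the first post (a fixed five-minute interval, one destination IP, a hostname that changes from day to day) can be searched for in firewall logs. The sketch below is an added example, not part of the original thread: the log format, process names, `.example` hostnames and documentation-range IPs are all constructed. Flows are keyed on process and destination IP, but as the thread shows, the process name can be that of a local proxy or an injected host process rather than the real origin.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed firewall log lines (not from the original post):
# date, time, process, destination host, destination IP
SAMPLE_LOG = """\
2012-11-30 10:00:02 explorer.exe aaa11bbb.example 203.0.113.10
2012-11-30 10:05:01 explorer.exe aaa11bbb.example 203.0.113.10
2012-11-30 10:10:03 explorer.exe aaa11bbb.example 203.0.113.10
2012-11-30 10:12:40 firefox.exe www.example.org 198.51.100.7
2012-11-30 10:15:02 explorer.exe aaa11bbb.example 203.0.113.10
2012-11-30 10:31:09 firefox.exe www.example.org 198.51.100.7
2012-12-01 10:00:01 explorer.exe q7z42kkd.example 203.0.113.10
2012-12-01 10:05:02 explorer.exe q7z42kkd.example 203.0.113.10
2012-12-01 10:10:01 explorer.exe q7z42kkd.example 203.0.113.10
2012-12-01 10:11:30 firefox.exe www.example.org 198.51.100.7
"""

def parse(log):
    """Yield (datetime, process, host, ip) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, proc, host, ip = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), proc, host, ip

def find_beacons(log, min_hits=4, max_jitter=10.0, min_hosts=2):
    """Flag (process, ip) pairs contacted at a steady interval under changing names."""
    flows = defaultdict(list)
    for ts, proc, host, ip in parse(log):
        flows[(proc, ip)].append((ts, host))
    findings = []
    for (proc, ip), hits in sorted(flows.items()):
        hits.sort()
        hosts = {h for _, h in hits}
        # Compare gaps only within one day so the overnight gap does not skew the result
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])
                if a[0].date() == b[0].date()]
        if len(hits) < min_hits or len(hosts) < min_hosts or len(gaps) < 2:
            continue
        # Low spread between gaps means a timer is driving the connections
        if pstdev(gaps) <= max_jitter:
            findings.append({"process": proc, "ip": ip,
                             "hosts": sorted(hosts), "interval_s": median(gaps)})
    return findings
```

The thresholds (`min_hits`, `max_jitter`, `min_hosts`) are illustrative defaults and need tuning against legitimate periodic traffic such as update checks.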