unable to browse the web

Hi,

I just installed and updated avast home on one of my computers. Now, if I open a browser (Firefox or IE, doesn't matter), pages are empty or only partially loaded. The Avast-Site (www.avast.com) for example looks like being from the seventies (screenshot: http://www.endlich-mail.de/avast.jpg). I left all the avast-settings to default.

When trying to load a page, the Avast-Icon is NOT animating while loading, but the webscan is enabled.

After disabling the webscan-provider I can browse the web.

Some more infos:

  • Windows 2000 SP4, all avail. updates
  • Avast 4.6.691
  • IE6 (all patches)
  • Firefox 1.0.4, 1.0.5, Deer Park Alpha 2 (doesn't matter)
  • NO additional proxy!
  • NO software-firewall like za, kerio, sygate or what ever
  • hardware-router just NAT-ing
  • 2 other PCs working fine with the same settings

Thanks for helping me!

Greetings from germany,
Jens
(and sorry for possible mistakes in english :) )

Try to disable ad-muncher if it helps?

thanks Lukas.

Edit: BTW: ad-muncher is a proxy!

Hi,

avast is working on two of my computers very well, just one pc does not work. All machines have the same settings, so I don't think changing a setting won't be the solution…

If it has something to do with ads, why isn't www.avast.com displayed correctly? I don't think that avast is using ads to “phish” someone…

BTW: where do I set “ad-muncher”?

Greetings from germany,
Jens

What can I say, if all machines have the same configuration then it must be some extraterrestrial evil force!

I see an ad-muncher icon on your screenshot, that is why I am asking about it. Perhaps it has nothing to do with WebShield, and perhaps it has. It might give us some clue…

Hi,

The Icons you see belong to VNC-Server and distributed.net-client.

The only ad-blocker installed is adblock for firefox, but the effect does happen with IE as well.

Greetings from germany,
Jens

Hi,

OK, cleared that on my system, and made some new screenshots:

Before taking the screenshots I killed the cache of both browsers as well.

The effect is still the same: The avast-icon in the systemtray is not rotating while trying to load any site with any browser and, as you can see, with ff I can see some part of the site, but with ie I see an empty page (but with the sitename in the topline).

I hope, you have an idea for my problem??

Greetings from germany,
Jens

It seems like something is blocking WebShield from accessing the web. Does anything change when you configure localhost:12080 as an HTTP proxy?

Also you can enable logging in webshield and see if we get some info.

To enable logging, please edit avast4.ini c:\program files\alwil software\avast4\data\avast4.ini,
in the section [WebScanner] add the line:
EnableLogging=1

and restart WebShield.
The log file should be created in the c:\program files\alwil software\avast4\data\log\ashwebsv.log

Another useful piece of information would be the list of open connections and ports. Either a dump from “netstat -a” or (better) a saved log from TcpView (from http://www.sysinternals.com) would help.

Hi,

did as you told:

Here is ashwebsv.log:

20.07.2005 15:28:17,"http://www.avast.com/","text/html","GET",206,0,1127,1452,500,474,1454,UNKNOWN PROCESS,PID: 0, SEQ: 0
20.07.2005 15:28:18,"http://www.avast.com/browserdetect.js","application/x-javascript","GET",206,0,232,568,451,425,570,UNKNOWN PROCESS,PID: 0, SEQ: 0
20.07.2005 15:28:18,"http://www.avast.com/eng/images/web_26.jpg","image/jpeg","GET",200,0,4993,5266,418,392,5268,UNKNOWN PROCESS,PID: 0, SEQ: 0

and here is the tcpview:

ashMaiSv.exe:1024 TCP jens-ii:12025 jens-ii:0 LISTENING
ashMaiSv.exe:1024 TCP jens-ii:12110 jens-ii:0 LISTENING
ashMaiSv.exe:1024 TCP jens-ii:12119 jens-ii:0 LISTENING
ashMaiSv.exe:1024 TCP jens-ii:12143 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:12080 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1062 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1064 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1066 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii.domain.de:1062 www.avast.com:http CLOSE_WAIT
ashWebSv.exe:1088 TCP jens-ii:12080 localhost:1063 ESTABLISHED
ashWebSv.exe:1088 TCP jens-ii:12080 localhost:1061 ESTABLISHED
ashWebSv.exe:1088 TCP jens-ii.domain.de:1064 www.avast.com:http CLOSE_WAIT
ashWebSv.exe:1088 TCP jens-ii.domain.de:1066 www.avast.com:http CLOSE_WAIT
ashWebSv.exe:1088 TCP jens-ii:12080 localhost:1065 ESTABLISHED
firefox.exe:1352 TCP jens-ii:1060 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1059 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1060 localhost:1059 ESTABLISHED
firefox.exe:1352 TCP jens-ii:1059 localhost:1060 ESTABLISHED
firefox.exe:1352 TCP jens-ii:1061 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1063 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1065 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1061 localhost:12080 ESTABLISHED
firefox.exe:1352 TCP jens-ii:1063 localhost:12080 ESTABLISHED
firefox.exe:1352 TCP jens-ii:1065 localhost:12080 ESTABLISHED
LSASS.EXE:228 UDP jens-ii.domain.de:isakmp :
LSASS.EXE:228 UDP jens-ii.domain.de:4500 :
mstask.exe:616 TCP jens-ii:1025 jens-ii:0 LISTENING
svchost.exe:400 TCP jens-ii:epmap jens-ii:0 LISTENING
System:8 TCP jens-ii:microsoft-ds jens-ii:0 LISTENING
System:8 TCP jens-ii:1026 jens-ii:0 LISTENING
System:8 TCP jens-ii.domain.de:netbios-ssn jens-ii:0 LISTENING
System:8 UDP jens-ii:microsoft-ds :
System:8 UDP jens-ii.domain.de:netbios-ns :
System:8 UDP jens-ii.domain.de:netbios-dgm :

I hope it helps!

Greetings from germany,
Jens

Strange, I wonder who opens these ports inside ashWebSv process. It must be some kind of a LSP.

The list of loaded LSP plugins can be obtained from LSPFIX program, or HijackThis. But you said the system was clear…

Ah, the famous LSP fighter Lukor can see another victim ;D

Hi,

This is the hijackthis-log:

Logfile of HijackThis v1.99.1
Scan saved at 07:06:53, on 21.07.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Java\jre1.5.0\bin\jusched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\util32\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121317437940
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121317424821
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{91906FBC-D981-4C0E-94C5-CC72DAFB3008}: NameServer = 10.151.13.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.de
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

I don't know what that (file missing) is about, but all avast-services (yes, and vnc again :) ) are running… The Nameserver and domain are ok, both entered by myself.

LSPFIX shows the following 4 dlls:

mr20.dll
winr.dll
msafd.dll
rsvpsp.dll

Spybot S&D and Ad-Aware (latest versions) did not find any bad software or settings. A complete virusscan with avast did not find any viruses.

If I configure the manual proxy settings for IE or FF, as you described, nothing changes.

I hope, these infos help solving my problem.

Greetings from germany,
Jens

The O23 entries, especially for avast, are bugs with HJT v1.99.1; ignore them. The files aren't missing: if you check your HDD you would notice, and if they were, web shield and the mail scanner wouldn't work.

The rest of the log looks OK, providing the O17 entries relate to your ISP.

Hi,

Yep, I thought that, because all avast-services and my vnc-server are running…

As I wrote above, the O17 entries are ok, they belong to my LAN, 10.151.13.199 is my DNS and GW, domain.de is my local domain for internal use only and let me say it again :) :

When I disable the avast-webscanservice I CAN browse the internet!

I am not far away from reinstalling the whole system, but it is possibly an interesting thing for Alwil to find the bug on my system, just in case someone else has the same problem in the future. Two other systems have no problems, but the one with this problem is the “most clean one”, because it is only used for backup-purposes and is nearly an original (unmodified) out-of-the-box-installation.

If anybody wants some more information, I'll be glad to post them.

Greetings from germany,
Jens

Hi,

… or he doesn't ;D

Greetings from germany,
Jens

Indeed, your computer seems to be clear. I don’t really know what next. :-[

I still wonder what can be the possible cause that those three ports (1062, 1064, 1066) are listening, but it does not seem to be any LSP.
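
The question of what accounts for the extra LISTENING ports can be checked against the TcpView rows posted earlier in the thread. The following is an added example, not part of any post and not Avast code: it lists every LISTENING port of a process other than the expected one and pairs it with that process's connections on the same local port. The function names and the choice of 12080 as the only expected port are assumptions of the example.

```python
import re
from collections import defaultdict

# Rows copied from the TcpView dump posted in this thread (a subset).
DUMP = """\
ashWebSv.exe:1088 TCP jens-ii:12080 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1062 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1064 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii:1066 jens-ii:0 LISTENING
ashWebSv.exe:1088 TCP jens-ii.domain.de:1062 www.avast.com:http CLOSE_WAIT
ashWebSv.exe:1088 TCP jens-ii:12080 localhost:1061 ESTABLISHED
ashWebSv.exe:1088 TCP jens-ii.domain.de:1064 www.avast.com:http CLOSE_WAIT
ashWebSv.exe:1088 TCP jens-ii.domain.de:1066 www.avast.com:http CLOSE_WAIT
firefox.exe:1352 TCP jens-ii:1061 jens-ii:0 LISTENING
firefox.exe:1352 TCP jens-ii:1061 localhost:12080 ESTABLISHED
LSASS.EXE:228 UDP jens-ii.domain.de:isakmp :
"""

# process:pid  TCP  local-host:port  remote-host:port  state
ROW = re.compile(r"^(?P<proc>[^:\s]+):(?P<pid>\d+)\s+TCP\s+\S+:(?P<lport>[^:\s]+)"
                 r"\s+(?P<remote>\S+:[^:\s]+)\s+(?P<state>\S+)$")

def parse(dump):
    """Return the TCP rows of a TcpView text dump as dicts; other rows are skipped."""
    return [m.groupdict() for m in map(ROW.match, map(str.strip, dump.splitlines())) if m]

def explain_listeners(rows, process, expected_ports):
    """Map each unexpected LISTENING port of `process` to the (remote, state)
    pairs of that process's connections that use the same local port."""
    mine = [r for r in rows if r["proc"].lower() == process.lower()]
    by_lport = defaultdict(list)
    for r in mine:
        if r["state"] != "LISTENING":
            by_lport[r["lport"]].append((r["remote"], r["state"]))
    return {r["lport"]: by_lport.get(r["lport"], [])
            for r in mine
            if r["state"] == "LISTENING" and r["lport"] not in expected_ports}

if __name__ == "__main__":
    # 12080 is the WebShield proxy port named in the thread (assumed the only expected one).
    for port, conns in explain_listeners(parse(DUMP), "ashWebSv.exe", {"12080"}).items():
        print(port, conns or "no connection in the dump uses this port")
```

A port that maps to an empty list is a listener that no connection in the dump accounts for.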

Hi,

It might be written in the stars… :(

I created a harddisk-image of that buggy installation and I am at the moment installing a new and clean system.

If you or anyone else has another idea in the future, drop me a line and I will restore the image again and test that.

Meanwhile, thanks for trying to help me!

Greetings from germany,
Jens

Hi,

any new ideas to test? As I saw in the forum today, there seem to be some more people having similar problems with browsing the web.

My new installation is running fine with avast atm…

But as I connected an even older pc of mine, running w2ksp4 (again, nearly out of the box installed) I had the same problem again. That pc was not used for a while (6 months), so I had to update the latest ms-updates, firefox, etc (switched off the webshield for that)… After that, I have had the same effects I had before with my other machine.

I did the same tests (hijackthis, tcpdump, …) but I could only browse the web, after disabling the webshield.

After reinstalling that pc as well, I have no more probs.

Greetings from germany,
Jens