Why Is AvastUI.exe Dialing Out To India?

I have no problem with it connecting to Avast servers but some guy in India? I have also seen it connect to Roadrunner servers in the US?

See attached

When was this happening ?
I have checked my firewall logs and I don’t see any connections like this one.

I think every time you go into the Avast GUI and enter the screen where you get the Avast upgrade ad, you get the dial-out. The India connection has been “piggy-backed” on this dial-out for a while on my PC. What also bothers me is the connection stays in existence in a closed-wait state.

What is very interesting is the IP associated with the India guy, 74.55.80.203, is on the same servers Avast is using …

American Registry for Internet Numbers NET74 (NET-74-0-0-0-0) 74.0.0.0 - 74.255.255.255
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-14 (NET-74-52-0-0-1) 74.52.0.0 - 74.55.255.255

Well there are a number of avast servers shown as theplanet.net so I don’t know if this is what is causing confusion when resolving the IP address.

EDIT: If I open the UI, Summary these are the TCPView listings, see image.

Servers are globally distributed for update :)

Yes, but the avastUI doesn’t handle updates, the Ad in the Summary and the iNews, etc. has to come from somewhere though.

India guy?

74.55.80.203 is definitely our own server.
It is one of the servers that are behind the program.avast.com DNS name, and is physically located in Houston, TX.

Thanks
Vlk

I tried a few things on my end and no matter what the second avastui.exe connection in TCPView shows w2k325j.hosttalks.net.

Now it gets really weird. Whois.net domain name lookup for w2k325j.hosttalks.net yields an IP address of 128.252.54.18?

Tracert of 128.252.54.18 yields a college endpoint - very suspect.

C:\Users\Don>tracert 128.252.54.18

Tracing route to ACCT-018131.nts.wustl.edu [128.252.54.18]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.1.254
2 26 ms 25 ms 26 ms adsl-98-91-36-1.chs.bellsouth.net [98.91. - me -
3 36 ms 36 ms 35 ms 72.157.38.17
4 36 ms 35 ms 35 ms 72.157.38.53
5 36 ms 36 ms 56 ms 12.81.68.48
6 35 ms 35 ms 39 ms 12.81.68.24
7 41 ms 35 ms 38 ms ixc00jan-5-1-1.bellsouth.net [65.83.237.87] - ??? -
8 36 ms 35 ms 35 ms 12.81.98.30
9 35 ms 35 ms 73 ms 12.81.104.73
10 35 ms 35 ms 36 ms 12.81.100.4
11 36 ms 35 ms 35 ms 12.81.104.56
12 35 ms 35 ms 34 ms 12.81.56.61
13 101 ms 69 ms 35 ms 65.83.238.190
14 46 ms 45 ms 45 ms cr2.rlgnc.ip.att.net [12.123.152.110]
15 49 ms 47 ms 47 ms cr1.wswdc.ip.att.net [12.122.3.170]
16 44 ms 44 ms 44 ms 12.122.135.165
17 46 ms 45 ms 45 ms 192.205.37.106
18 50 ms 45 ms 46 ms te0-4-0-1.mpd22.dca01.atlas.cogentco.com [15
.41.249]
19 66 ms 64 ms 65 ms te0-2-0-4.mpd22.ord01.atlas.cogentco.com [15
.40.242]
20 66 ms 65 ms 65 ms te0-1-0-0.ccr22.ord01.atlas.cogentco.com [15
.6.178]
21 72 ms 72 ms 72 ms te3-2.ccr01.stl03.atlas.cogentco.com [154.54
30]
22 * * * Request timed out.
23 * * * Request timed out.

I have had no previous problems with using the Whois function in TCPView.

This sure smells like some type of DNS rebind to me.

In any event I found a solution - block outbound on avastui.exe.

Why is it that software today always seems to like connecting to the internet for no apparent reason? I must say, on top of all the scareware, logic bombs and shovelware, this does seem suspicious.

Reverse DNS lookup is often bogus.
What really matters is the IP address - if it was really 74.55.80.203, I don’t think there’s anything suspicious going on…

Blocking AvastUi.exe in the firewall may have negative consequences as it may limit some of the product’s functionality.

Thanks
Vlk
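One way to check what Vlk describes, written here as an added example (not code from the thread, from Avast, or from TCPView): take the remote IP, do the reverse lookup, then forward-resolve the name you got back and see whether the original IP is among the answers (forward-confirmed reverse DNS). If it is not, the PTR name tells you nothing reliable and the IP itself is what to judge, for instance by checking whether it is among the forward answers for the vendor's own name (program.avast.com, as stated above) or merely inside the hosting provider's whois block. The stub resolver below replays the lookups reported in the thread; the address 203.0.113.10 and the `StubResolver`/`LiveResolver`/`classify_peer` names are assumptions of this example.

```python
import ipaddress
import socket

# Constructed stand-in for DNS, replaying the lookups reported in the thread:
# 74.55.80.203 -> PTR w2k325j.hosttalks.net, and that name forward-resolving
# to 128.252.54.18. The second program.avast.com answer (203.0.113.10) is a
# made-up placeholder from the documentation range, not a real server.
STUB_PTR = {"74.55.80.203": "w2k325j.hosttalks.net"}
STUB_A = {
    "w2k325j.hosttalks.net": ["128.252.54.18"],
    "program.avast.com": ["74.55.80.203", "203.0.113.10"],
}

# Hosting provider block from the whois excerpt in the thread:
# 74.52.0.0 - 74.55.255.255 is 74.52.0.0/14. Shared hosting space, so on
# its own it is only a weak hint that an address belongs to the vendor.
HOSTING_NETS = [ipaddress.ip_network("74.52.0.0/14")]
VENDOR_NAMES = ["program.avast.com"]


class StubResolver:
    """Offline resolver backed by the constructed tables above."""

    def __init__(self, ptr_table, a_table):
        self._ptr, self._a = ptr_table, a_table

    def ptr(self, ip):
        return self._ptr.get(ip)

    def a(self, name):
        return list(self._a.get(name, []))


class LiveResolver:
    """Same interface using the system resolver, for checking a real entry."""

    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    def a(self, name):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except OSError:
            return []
        return sorted({info[4][0] for info in infos})


def classify_peer(ip, resolver, vendor_names=VENDOR_NAMES, hosting_nets=HOSTING_NETS):
    """Judge a remote address by its IP, not by its reverse DNS name.

    rdns_confirmed is True only when the PTR name forward-resolves back to
    the same IP. The verdict ranks evidence: an IP that the vendor's own
    name resolves to beats a hosting-block match, which beats a bare,
    unconfirmed PTR name.
    """
    addr = ipaddress.ip_address(ip)
    rdns = resolver.ptr(ip)
    forward_of_rdns = resolver.a(rdns) if rdns else []
    rdns_confirmed = rdns is not None and ip in forward_of_rdns
    vendor_name = next((n for n in vendor_names if ip in resolver.a(n)), None)
    hosting_net = next((str(n) for n in hosting_nets if addr in n), None)

    if vendor_name:
        verdict = "vendor"
    elif hosting_net:
        verdict = "hosting-block-only"
    elif rdns and not rdns_confirmed:
        verdict = "unconfirmed-rdns"
    else:
        verdict = "unknown"

    return {
        "ip": ip,
        "rdns": rdns,
        "rdns_confirmed": rdns_confirmed,
        "vendor_name": vendor_name,
        "hosting_net": hosting_net,
        "verdict": verdict,
    }


if __name__ == "__main__":
    stub = StubResolver(STUB_PTR, STUB_A)
    for peer in ("74.55.80.203", "128.252.54.18", "74.55.1.1"):
        print(classify_peer(peer, stub))
```

Run against the stub, 74.55.80.203 comes back with an unconfirmed PTR name but a "vendor" verdict, because program.avast.com resolves to it; the name whois.net showed is simply noise. Swap in `LiveResolver()` to check a current TCPView entry the same way.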

Which exactly…??
Thanks,
asyn

Remote content, for instance.

Which would be…??

News.

Anything more…??

Vlk’s secrets ;D

Registration, expiration warnings…

Thanks Martin…!

The only baseline software reason I can determine avastui.exe is used for is the WebRep feature. I don’t use that feature.

I personally detest “cloud” concepts and processing. To me it equates to giving vendors a built-in spyware backdoor; something by the way that MS has built into their OSes since day one. The risks of cloud computing far outweigh its benefits.

As far as my situation goes, I could live with the Avast advertising but not when DNS resolution is to questionable sources.

Also closely look at the WhoIs data from my original screenshot. You will notice that the Indian city mentioned is Bombay. Has that city not been named Mumbai for some time?