firewall outgoing connections question

Hi: I would like to block outgoing connections to some websites with my Avast Internet Security 7.0.1426. I find in the logs incoming connections being blocked but nothing about outgoing ones. I also use Malwarebytes and it has blocked some outgoing connections to malware sites. I was hoping to find what programs etc. are calling out to these malicious sites. Is this possible with Avast and if not, how can it be done?

Thank you

What URLs are these… do you have a log?
There is a protection log in Malwarebytes.

Also look at the guide here and follow the instructions to get an OTL log and attach it here:
http://forum.avast.com/index.php?topic=53253.0

essexboy may spot the problem then… if any.

;D faster than a speeding bullet ;D You just beat me

I have a 70/20 broadband line ;D

Hello: Yes. There were several times MBAM blocked connections and it looks like this: IP-BLOCK 64.94.137.117 (Type: outgoing). I looked some of them up and one was from pinballcorp.com. I would like to find out why my PC is trying to connect with it, and also what application or script etc. is carrying it out.

thanks

PS. The logs look like this:

2012/03/18 10:15:01 -0400 M-H MESSAGE Starting protection
2012/03/18 10:15:12 -0400 M-H MESSAGE Executing scheduled update: Daily
2012/03/18 10:15:49 -0400 M-H MESSAGE Protection started successfully
2012/03/18 10:15:54 -0400 M-H MESSAGE Starting IP protection
2012/03/18 10:17:03 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 10:19:13 -0400 M-H MESSAGE Scheduled update executed successfully: database updated from version v2012.03.17.04 to version v2012.03.18.02
2012/03/18 10:19:13 -0400 M-H MESSAGE Starting database refresh
2012/03/18 10:19:13 -0400 M-H MESSAGE Stopping IP protection
2012/03/18 10:19:14 -0400 M-H MESSAGE IP Protection stopped
2012/03/18 10:21:46 -0400 M-H MESSAGE Database refreshed successfully
2012/03/18 10:21:46 -0400 M-H MESSAGE Starting IP protection
2012/03/18 10:22:13 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 14:11:53 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:01 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:13 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:16 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:22 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:42 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:45 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:51 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:03 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:06 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:12 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 15:00:43 -0400 M-H MESSAGE Starting protection
2012/03/18 15:01:33 -0400 M-H MESSAGE Protection started successfully
2012/03/18 15:01:37 -0400 M-H MESSAGE Starting IP protection
2012/03/18 15:03:26 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 23:24:03 -0400 M-H MESSAGE Starting protection
2012/03/18 23:26:04 -0400 M-H MESSAGE Protection started successfully
2012/03/18 23:26:10 -0400 M-H MESSAGE Starting IP protection
2012/03/18 23:26:43 -0400 M-H MESSAGE IP Protection started successfully
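The question in this post is which outgoing blocks are repeating and how fast. As an added example (not code from the thread or from Malwarebytes), here is a small parser for the protection-log layout quoted above that groups IP-BLOCK lines by address and direction and reports the count, first and last hit, and the shortest gap between hits; the sample log is constructed and the 203.0.113.9 entry is a made-up incoming block for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Malwarebytes protection-log layout quoted in the thread.
SAMPLE_LOG = """\
2012/03/18 10:15:54 -0400 M-H MESSAGE Starting IP protection
2012/03/18 14:11:53 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:01 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:13 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 16:40:07 -0400 M-H IP-BLOCK 203.0.113.9 (Type: incoming)
"""

# date time tz host kind rest  (host column is "M-H" in the quoted log)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<kind>MESSAGE|IP-BLOCK) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)"
)

def parse_ip_blocks(text):
    """Yield (timestamp, ip, direction) for every IP-BLOCK line; MESSAGE lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "IP-BLOCK":
            continue
        b = BLOCK_RE.match(m["rest"])
        if not b:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']} {m['tz']}", "%Y/%m/%d %H:%M:%S %z")
        yield ts, b["ip"], b["direction"]

def summarize_blocks(text):
    """Group blocks by (ip, direction). A short, repeating gap from one address points to a
    process retrying in the background rather than a single page visit."""
    groups = defaultdict(list)
    for ts, ip, direction in parse_ip_blocks(text):
        groups[(ip, direction)].append(ts)
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
            "min_gap_s": min(gaps) if gaps else None,
        }
    return summary
```

Feed it the real protection log and compare the hit times against what was running at that moment to narrow down the process behind the connections.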

Zulu URL Risk Analyzer
http://zulu.zscaler.com/submission/show/ad027f444bb894d337a82f4c2de7ab49-1332622374
http://zulu.zscaler.com/submission/show/52fbf7790a2c06ce9b38b8ea7fa1613b-1332622262

Hello: Here are the two logs requested.

Thanks

Not a lot evident there - some tidying up is all… Are you noticing any other symptoms?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
SRV - File not found [Auto | Stopped] -- -- (McShield)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [USRpdA] File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi: Several months ago I had a problem where a message popped up that said “What do you know it works”. I feared a remote access Trojan. I changed from AVG to Panda antivirus. Then I was having problems with slow internet and the hard disk running for a couple of minutes for no reason. I then added Malwarebytes.

Then got some BSOD errors. Switched to Avast somewhere in there. Had some problems with not having the right settings/allowances for MBAM and Avast; I got them fixed. For the last few weeks no BSOD errors.

Hi: Should I run OTL again?

No, there is no real need. I just removed some orphan BHOs and an old McAfee service.

I have found that MBAM is very aggressive at site blocking - it tends to do a whole domain as opposed to a single web site.

Hi: I saw that my hard disk was running for no reason and I disconnected the DSL line. I don't know if I screwed anything up. Sorry.

Would you like me to check deeper?

Hi sellers27 and essexboy,

Also consider this info: http://forums.malwarebytes.org/index.php?showtopic=97285 (poster 1PW on Malwarebytes' blog),

polonus

Hello: Pondus: The second to last entry on that thread has the moderator asking him to post to their malware removal forum for more work.
Essexboy: I am not sure, but in 2010 I had Norton work on my PC and they removed a virus in the temporary files that ran a key logger, and somehow or other there were a huge number of hidden files of our PC's activities logged. Things were good for about a year and lately things have been getting worse and worse, except for the past 3 weeks. Since nothing has been found I don't feel great about stopping, but I also don't want to impose.

thanks

No imposition, peace of mind is as important - whether we find anything or not.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Hello: I followed your instructions for ComboFix but I must have made a mistake, because it opened a dialogue box saying it detected a security application interfering with it running. If I remember right it asked if it should continue anyway and I selected no. I double checked Avast 7.0.1426; its protection modules were off. Also I had exited MBAM. I don't have any other active protection modules that I know of. How should I proceed?

Thanks

It is seeing the low level drivers of Avast.

So run ComboFix again and this time allow it to run.
Do not let Avast sandbox/quarantine anything during the run.

Hi: Well, it ran for about 15 minutes then the PC locked up. Clock and cursor were frozen. Also it downloaded the recovery console first. I had to power down to reboot. What should I try?

Thanks