Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: sellers27 on March 24, 2012, 09:10:39 PM
-
Hi: I would like to block outgoing connections to some websites with my Avast Internet Security 7.0.1426. I find in the logs incoming connections being blocked, but nothing about outgoing ones. I also use Malwarebytes, and it has blocked some outgoing connections to malware sites. I was hoping to find what programs etc. are calling out to these malicious sites. Is this possible with Avast, and if not, how can it be done?
Thank you
-
What URLs are these? Do you have a log?
There is a protection log in Malwarebytes.
-
Also look at the guide here and follow the instructions to get an OTL log and attach it here:
http://forum.avast.com/index.php?topic=53253.0
essexboy may spot the problem then, if any.
-
;D faster than a speeding bullet ;D You just beat me
-
;D faster than a speeding bullet ;D You just beat me
I have a 70/20 broadband line ;D
-
Hello: Yes. There were several times MBAM blocked connections, and it looks like this: IP-BLOCK 64.94.137.117 (Type: outgoing). I looked some of them up and one was from pinballcorp.com. I would like to find out why my PC is trying to connect with it, and also what application or script etc. is carrying it out.
Thanks
PS: the logs look like this:
2012/03/18 10:15:01 -0400 M-H MESSAGE Starting protection
2012/03/18 10:15:12 -0400 M-H MESSAGE Executing scheduled update: Daily
2012/03/18 10:15:49 -0400 M-H MESSAGE Protection started successfully
2012/03/18 10:15:54 -0400 M-H MESSAGE Starting IP protection
2012/03/18 10:17:03 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 10:19:13 -0400 M-H MESSAGE Scheduled update executed successfully:
database updated from version v2012.03.17.04 to version v2012.03.18.02
2012/03/18 10:19:13 -0400 M-H MESSAGE Starting database refresh
2012/03/18 10:19:13 -0400 M-H MESSAGE Stopping IP protection
2012/03/18 10:19:14 -0400 M-H MESSAGE IP Protection stopped
2012/03/18 10:21:46 -0400 M-H MESSAGE Database refreshed successfully
2012/03/18 10:21:46 -0400 M-H MESSAGE Starting IP protection
2012/03/18 10:22:13 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 14:11:53 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:01 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:13 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:16 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:22 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:42 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:45 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:51 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:03 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:06 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:12 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 15:00:43 -0400 M-H MESSAGE Starting protection
2012/03/18 15:01:33 -0400 M-H MESSAGE Protection started successfully
2012/03/18 15:01:37 -0400 M-H MESSAGE Starting IP protection
2012/03/18 15:03:26 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 23:24:03 -0400 M-H MESSAGE Starting protection
2012/03/18 23:26:04 -0400 M-H MESSAGE Protection started successfully
2012/03/18 23:26:10 -0400 M-H MESSAGE Starting IP protection
2012/03/18 23:26:43 -0400 M-H MESSAGE IP Protection started successfully
-
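An added example, not code from the thread, Malwarebytes or Avast: a small Python parser for protection-log lines of the shape quoted above. It counts IP-BLOCK events per address and direction, flags tight bursts of repeated blocks to one address, and lists the windows in which IP protection was stopped (nothing outgoing is blocked or logged there). The line layout is assumed from the quoted lines, and the sample log is constructed; the incoming block on the TEST-NET address 192.0.2.10 is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout assumed from the quoted log: date, time, UTC offset, a host tag,
# then either MESSAGE <text> or IP-BLOCK <ip> (Type: <direction>).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} \S+ "
    r"(?P<kind>MESSAGE|IP-BLOCK) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+)\)$")
# Constructed sample modelled on the thread's log; the incoming block on the
# TEST-NET address 192.0.2.10 is made up so a second key appears.
SAMPLE_LOG = """\
2012/03/18 10:17:03 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 10:19:13 -0400 M-H MESSAGE Scheduled update executed successfully:
database updated from version v2012.03.17.04 to version v2012.03.18.02
2012/03/18 10:19:13 -0400 M-H MESSAGE Stopping IP protection
2012/03/18 10:22:13 -0400 M-H MESSAGE IP Protection started successfully
2012/03/18 14:11:53 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:12:01 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 14:13:12 -0400 M-H IP-BLOCK 64.94.137.117 (Type: outgoing)
2012/03/18 16:40:00 -0400 M-H IP-BLOCK 192.0.2.10 (Type: incoming)
"""

def parse_line(line):
    """Return (timestamp, kind, payload), or None for a wrapped continuation line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["kind"], m["rest"].strip()

def summarize_blocks(lines, burst_window=timedelta(minutes=5)):
    """Count IP-BLOCK events per (ip, direction); several blocks inside
    burst_window are flagged, since that looks like a process retrying."""
    events = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p[1] == "IP-BLOCK" and (b := BLOCK_RE.match(p[2])):
            events[(b["ip"], b["direction"])].append(p[0])
    return {key: {"count": len(t), "first": min(t), "last": max(t),
                  "burst": len(t) > 1 and max(t) - min(t) <= burst_window}
            for key, t in events.items()}

def unprotected_windows(lines):
    """Spans from 'Stopping IP protection' to the next successful start: an
    outgoing connection made in that gap is neither blocked nor logged."""
    windows, off_since = [], None
    for ts, kind, text in filter(None, map(parse_line, lines)):
        if kind == "MESSAGE" and text == "Stopping IP protection" and off_since is None:
            off_since = ts
        elif kind == "MESSAGE" and text == "IP Protection started successfully" and off_since:
            windows.append((off_since, ts))
            off_since = None
    return windows
```

A burst of blocks to one address within a couple of minutes points at a background process retrying rather than a link someone clicked, so the timestamps are what to line up against the process list at that moment.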
Zulu URL Risk Analyzer
http://zulu.zscaler.com/submission/show/ad027f444bb894d337a82f4c2de7ab49-1332622374
http://zulu.zscaler.com/submission/show/52fbf7790a2c06ce9b38b8ea7fa1613b-1332622262
-
Hello: Here are the two logs requested.
Thanks
-
Not a lot evident there; some tidying up is all. Are you noticing any other symptoms?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV - File not found [Auto | Stopped] -- -- (McShield)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [USRpdA] File not found
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Hi: Several months ago I had a problem where a message popped up that said "What do you know, it works". I feared a remote access Trojan. I changed from AVG to Panda antivirus. Then I was having problems with slow internet and the hard disk running for a couple of minutes for no reason. I then added Malwarebytes.
Then I got some BSOD errors. I switched to Avast somewhere in there. I had some problems with not having the right settings/allowances for MBAM and Avast; I got them fixed. For the last few weeks, no BSOD errors.
-
Hi: Should I run OTL again?
-
No, there is no real need; I just removed some orphan BHOs and an old McAfee service.
I have found that MBAM is very aggressive at site blocking; it tends to do a whole domain as opposed to a single web site.
-
Hi: I saw that my hard disk was running for no reason and I disconnected the DSL line. I don't know if I screwed anything up. Sorry.
-
Would you like me to check deeper?
-
Hi sellers27 and essexboy,
Also consider this info: http://forums.malwarebytes.org/index.php?showtopic=97285 (poster 1PW on Malwarebytes' blog),
polonus
-
Hello: Pondus: The second to last entry on that thread has the moderator asking him to post to their malware removal forum for more work.
Essexboy: I am not sure, but in 2010 I had Norton work on my PC and they removed a virus in the temporary files that ran a key logger, and somehow or other there were a huge number of hidden files of our PC's activities logged. Things were good for about a year, and lately things have been getting worse and worse except for the past 3 weeks. Since nothing has been found I don't feel great about stopping, but I also don't want to impose.
thanks
-
No imposition; peace of mind is as important, whether we find anything or not.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
-
Hello: I followed your instructions for ComboFix, but I must have made a mistake because it opened a dialogue box saying it detected a security application interfering with it running. If I remember right, it asked if it should continue anyway and I selected no. I double checked Avast 7.0.1426; its protection modules were off. Also I had exited MBAM. I don't have any other active protection modules that I know of. How should I proceed?
Thanks
-
It is seeing the low-level drivers of Avast.
So run ComboFix again and this time allow it to run.
Do not let Avast sandbox/quarantine anything during the run.
-
Hi: Well, it ran for about 15 minutes, then the PC locked up. The clock and cursor were frozen. Also, it downloaded the recovery console first. I had to power down to reboot. What should I try?
Thanks
-
Could you run it from safe mode, please?
-
Hi: I ran ComboFix in safe mode. It made a restore point and scanned for 14 minutes, then the clock stopped incrementing and the cursor locked up. I allowed it to go on for 30 more minutes on the off chance that it was still running. No luck, so I rebooted.
I also have not been able to run DDS. It locks up as well.
-
OK, this one will take a bit longer to run. When the analysis phase is done, could you upload the zip file to MediaFire and post the sharing link so that I can check it out.
Download AVPTool from here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan.
Click the cog in the upper right
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif)
Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif)
Allow AVP to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.
Now the analysis:
Rerun AVP, select the Manual Disinfection tab and press Start Gathering System Information.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion, click the link to locate the zip file to upload and attach it to your next post.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)
-
Hello: I am about to begin the AV scan. About how long will it take, 2 hours, 24 hours?
Thanks
-
Dependent on the drive size, between one and two hours; on my system just 30 minutes 'cos it is quite empty.
-
I had a trojan. Here are two reports; the last one to follow.
-
http://www.mediafire.com/?msuxabyzl7dnk08
-
Those were in your inbox; that is one area that my other tools do not look, but I have found the miscreant running from a registry key.
If you have no objections I will also remove all the old McAfee drivers for you.
If you do not want that then let me know and I will rework the script.
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif)
- Where it states "Insert text script in the following box", copy the script below and press Run script.
Copy from begin until end.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif)
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7B297BFD-85E4-4092-B2AF-16A91B2EA103}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{215B8138-A3CF-44C5-803F-8226143CFC0A}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6BB594E2-6E4D-4CC9-98B0-931C323F9165}');
StopService('MPFP');
DeleteService('mfesmfk');
StopService('mfesmfk');
DeleteService('mferkdk');
StopService('mferkdk');
DeleteService('mfehidk');
StopService('mfehidk');
DeleteService('mfebopk');
StopService('mfebopk');
DeleteService('mfeavfk');
StopService('mfeavfk');
DeleteService('McShield');
StopService('McShield');
BC_DeleteSvc('McShield');
BC_DeleteSvc('mfeavfk');
BC_DeleteSvc('mfebopk');
BC_DeleteSvc('mfehidk');
BC_DeleteSvc('mferkdk');
BC_DeleteSvc('mfesmfk');
BC_DeleteSvc('MPFP');
DeleteFile('0.exe');
BC_DeleteFile('0.exe');
DeleteFile('C:\Program Files\McAfee\MPF\MPFSrv.exe');
BC_DeleteFile('C:\Program Files\McAfee\MPF\MPFSrv.exe');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
- Your system will reboot on completion; if it does not, please do so yourself.
- On completion, please run another analysis scan and attach the zip file.
-
I just want to add my voice to the chorus: MBAM's alert popups block avastsvc.exe, outgoing, port 54450 -- 66.150.14.65. This latter maps to the U.S., Bellevue, Washington (state), "Bellevue Pinball Corp."
What is this outgoing missive? Is it malware; if it is, then is it using Avast as a vehicle? What course of action should I take; is it safe to just add these alert IPs to MBAM's 'ignore list'?
I just received this response from uTorrent, with which I was having the same symptoms: http://forum.utorrent.com/viewtopic.php?pid=649862#p649862
And one more noob question: what is "OTL"?
-
MBAM appears to take the shotgun approach: if one domain on the server has hosted malware then the server gets it.
-
Hello: Here is the link to the second analysis scan: http://www.mediafire.com/download.php?kec4byss73zhpqb
As a general question: if malware is found in an email application, did it necessarily come in via that application, or could it just be stored or hidden there? For example, in my case we never use Outlook Express; could this trojan have come in through an attachment in IE mail or something else?
Also, how should I proceed? Should I now try ComboFix to see if it works now?
Many Thanks for all of your help.
-
You could retry, but you may be one of those one-in-a-thousand systems where it refuses to work.
Yes, they did come attached to e-mails; any Windows client will generally share the e-mail folder.
How is the computer now?
-
Hello: Our PC seems okay now, no symptoms. Thank you very much for your help.
Can you recommend a place where I can learn more about using malware removal tools?
thanks again
-
Well, I am totally biased ;D Geeks to Go has an exceptional training school, but it depends how much time you are able to put into learning.
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean.
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date visit Microsoft Windows Update (http://windowsupdate.microsoft.com).
To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: