Avast WEBforum

Other => Viruses and worms => Topic started by: Jaguro on June 25, 2012, 07:17:35 AM

Title: Question: I think I have a malware/worm
Post by: Jaguro on June 25, 2012, 07:17:35 AM
So I had a malware before I reformatted, but I feel the malware/worm is still on my hard drive. I'm a bit new to Windows 7, so when I do netstat -ano I get:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ChuBear>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       992
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49176          0.0.0.0:0              LISTENING       632
  TCP    127.0.0.1:2559         0.0.0.0:0              LISTENING       4016
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        127.0.0.1:50546        ESTABLISHED     1396
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12119        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12465        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12563        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12993        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12995        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:27275        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:50546        127.0.0.1:12080        ESTABLISHED     4960
  TCP    193.169.1.127:139      0.0.0.0:0              LISTENING       4
  TCP    193.169.1.127:50114    149.7.241.52:80        ESTABLISHED     1396
  TCP    193.169.1.127:50390    74.125.142.125:5222    ESTABLISHED     4960
  TCP    193.169.1.127:50412    74.125.226.32:443      ESTABLISHED     4960
  TCP    193.169.1.127:50519    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50520    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50521    184.169.70.96:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50647    74.125.226.53:443      ESTABLISHED     4960
  TCP    193.169.1.127:50690    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50691    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50692    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50693    204.160.108.126:80     LAST_ACK        1396
  TCP    [::]:135               [::]:0                 LISTENING       920
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       560
  TCP    [::]:49153             [::]:0                 LISTENING       992
  TCP    [::]:49154             [::]:0                 LISTENING       428
  TCP    [::]:49155             [::]:0                 LISTENING       640
  TCP    [::]:49176             [::]:0                 LISTENING       632
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    127.0.0.1:1900         *:*                                    4776
  UDP    127.0.0.1:48000        *:*                                    4016
  UDP    127.0.0.1:48001        *:*                                    3348
  UDP    127.0.0.1:58204        *:*                                    4776
  UDP    193.169.1.127:137      *:*                                    4
  UDP    193.169.1.127:138      *:*                                    4
  UDP    193.169.1.127:1900     *:*                                    4776
  UDP    [::]:5355              *:*                                    1320
  UDP    [::1]:1900             *:*                                    4776
  UDP    [::1]:58203            *:*                                    4776
  UDP    [fe80::4029:c587:25e9:4dbe%11]:1900  *:*                      4776


Windows XP never had a lot of these IPs and ports open before. My Avast and everything are saying it's OK. But I really want to make sure that malware/worm is gone.

One last thing: with Chrome I can't seem to put on a theme without Avast stopping me. Anyone know how to fix it, even if it's temporary?

Thank you for your time

~Jaguro
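To make sense of a `netstat -ano` listing like the one above, here is an added Python triage script (example code written for this edit, not something from the thread, from Avast or from Microsoft). It parses the rows, separates sockets that only a local process can reach (bound to 127.0.0.1 / ::1) from ones reachable over the network (bound to 0.0.0.0 / :: or to a real interface address), lists the Internet peers with the PID and TCP state of each session, and flags any local address that is globally routable. The embedded sample is a constructed subset of the rows posted above, with the wrapped IPv6 UDP row rejoined onto one line as netstat prints it on a wide console. The script does not know what any PID is; that mapping is done on the machine itself with `tasklist /FI "PID eq 1396"` or with `netstat -anob` from an elevated prompt.

```python
"""Triage helper for `netstat -ano` output (added example, not from the thread)."""
import ipaddress
from collections import defaultdict
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed sample: a subset of the rows posted in the thread, with the
# wrapped IPv6 UDP row rejoined onto a single line.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        127.0.0.1:50546        ESTABLISHED     1396
  TCP    127.0.0.1:50546        127.0.0.1:12080        ESTABLISHED     4960
  TCP    193.169.1.127:139      0.0.0.0:0              LISTENING       4
  TCP    193.169.1.127:50114    149.7.241.52:80        ESTABLISHED     1396
  TCP    193.169.1.127:50390    74.125.142.125:5222    ESTABLISHED     4960
  TCP    193.169.1.127:50519    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    193.169.1.127:137      *:*                                    4
  UDP    [fe80::4029:c587:25e9:4dbe%11]:1900  *:*                      4776
"""


class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: Optional[int]   # None for the "*" netstat prints on UDP rows
    state: str                   # "" for UDP, which has no state column
    pid: int


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'[fe80::1%11]:1900' -> ('fe80::1', 1900); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    host = host.split("%", 1)[0]          # drop the IPv6 zone index
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # header, blank, or a wrapped row
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state, int(pid)))
    return conns


def _addr(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:                    # "*" and similar placeholders
        return None


def scope(host: str) -> str:
    """Who can reach a socket bound to this address."""
    a = _addr(host)
    if a is None:
        return "unknown"
    if a.is_unspecified:                  # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    return "interface"


def is_public(host: str) -> bool:
    a = _addr(host)
    return a is not None and a.is_global


def triage(conns: List[Conn]) -> dict:
    listeners = defaultdict(set)          # (proto, port) -> set of scopes
    peers = defaultdict(set)              # remote IP -> {(pid, state)}
    by_pid = defaultdict(set)             # pid -> {(proto, local port)}
    for c in conns:
        by_pid[c.pid].add((c.proto, c.local_port))
        if c.proto == "UDP" or c.state == "LISTENING":
            listeners[(c.proto, c.local_port)].add(scope(c.local_host))
        elif is_public(c.remote_host):    # sessions with Internet hosts
            peers[c.remote_host].add((c.pid, c.state))
    return {"listeners": listeners, "peers": peers, "by_pid": by_pid}


def exposed_ports(report: dict) -> List[Tuple[str, int]]:
    """Ports reachable from the network (any interface or a real NIC address)."""
    return sorted(k for k, s in report["listeners"].items()
                  if s & {"all-interfaces", "interface"})


def loopback_only_ports(report: dict) -> List[Tuple[str, int]]:
    """Ports only a local process can connect to (e.g. a local AV proxy)."""
    return sorted(k for k, s in report["listeners"].items() if s == {"loopback"})


def public_local_addresses(conns: List[Conn]) -> Set[str]:
    """Local addresses that are globally routable, i.e. not RFC 1918 / loopback."""
    return {c.local_host for c in conns if is_public(c.local_host)}


if __name__ == "__main__":
    rep = triage(parse_netstat(SAMPLE))
    print("exposed :", exposed_ports(rep))
    print("loopback:", loopback_only_ports(rep))
    print("peers   :", {ip: sorted(v) for ip, v in rep["peers"].items()})
    print("public local addresses:", public_local_addresses(parse_netstat(SAMPLE)))
```

Run against the full listing, the split is the one that matters for triage: the 12xxx ports are loopback-only, so nothing on the network can reach them, while 135, 139, 445 and 5355 are bound on every interface or on the NIC address. One detail worth checking rather than assuming is that the local address 193.169.1.127 is not in a private range; `is_global` reports it as routable, which means those exposed ports are reachable from outside unless a firewall in front of them says otherwise.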
Title: Re: Question: I think I have a malware/worm
Post by: Pondus on June 25, 2012, 07:21:44 AM
Follow this guide and attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0



Help will then arrive later today.
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 25, 2012, 07:52:32 AM
Posted all four files. Also I'm seeing a desktop.ini in every folder. Scaring me, sigh... don't know what to do.
Title: Re: Question: I think I have a malware/worm
Post by: mikaelrask on June 25, 2012, 08:29:09 AM
Hey, one of the malware experts will look through those logs and give you instructions on how to proceed.
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 25, 2012, 08:55:02 AM
Thank you, looking forward to removing whatever I have.
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 25, 2012, 09:30:59 PM
Alas, you have............. nothing; the logs look good.

I have attached my netstat; I am on 7 as well.

Quote
Also I'm seeing a desktop.ini in every folder. Scaring me sigh...don't know what to do
OTL has done that: it sets all files to visible; when we uninstall it they will disappear again. They are legitimate.

How is the computer behaving ? Any problems ?
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 25, 2012, 09:52:18 PM
My firewall in Avast is blocking all ports 1900, 55226, and other 50000+ ones. I'd show you the log but I dunno how. Is it normal for Avast to block all these ports?

Also, I can't seem to install a theme setting for my Chrome. Avast blocks it, and I dunno how to make it accept it just that one time.

Thank you for your time =)
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 25, 2012, 10:02:30 PM
When Avast blocks it, I assume it is the Behaviour Shield.

If it is, then in the drop-down select "Run as normal".
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 26, 2012, 12:35:47 AM
Quote
When Avast blocks it, I assume it is the Behaviour Shield.

If it is, then in the drop-down select "Run as normal".


Here is also my router activity. I feel maybe it's DDoS?
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 26, 2012, 04:18:02 PM
OK, let's go for a little fishing trip... The IPs are in Russia.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 26, 2012, 06:47:59 PM
Here you go, essexboy.
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 26, 2012, 07:23:27 PM
Do you have the initial sequence of this, i.e. the originator?

Quote
(6/25/12 00:25:25) Source:193.169.1.127, Destination:91.202.222.1, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:46.118.192.166, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:203.185.169.205, Name:cäØ
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 26, 2012, 11:39:15 PM
I dunno where it's coming from, but every day it's popping up. Here is the latest today.
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 27, 2012, 12:16:02 AM
Could you get the two or three lines prior to that connection, please?
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 27, 2012, 04:59:52 AM
Nope, that's all my router shows. I talked to my ISP and they said there isn't any problem on their end. -.- So confused. I want it to stop :(

My router's info deletes here and there to fit more info.
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 27, 2012, 04:53:27 PM
Apart from the router data, are you experiencing any problems or weirdness at all?
Title: Re: Question: I think I have a malware/worm
Post by: Jaguro on June 29, 2012, 03:47:20 AM
Random times having slow internet, or cut completely. Other than that I think I'm fine, but then again, my computer is a tank.
Title: Re: Question: I think I have a malware/worm
Post by: essexboy on June 29, 2012, 03:06:55 PM
From my investigations, it is not a problem... But Windows 7 does have a lot of tools that were not available on XP and will present you with data that you may be unfamiliar with.