Topic: Question: I think I have a malware/worm

Jaguro

Question: I think I have a malware/worm
« on: June 25, 2012, 07:17:35 AM »
So I had malware before I reformatted, but I feel the malware/worm is still on my hard drive. I'm a bit new to Windows 7, so when I do netstat -ano I get:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ChuBear>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       992
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49176          0.0.0.0:0              LISTENING       632
  TCP    127.0.0.1:2559         0.0.0.0:0              LISTENING       4016
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        127.0.0.1:50546        ESTABLISHED     1396
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12119        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12465        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12563        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12993        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12995        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:27275        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:50546        127.0.0.1:12080        ESTABLISHED     4960
  TCP    193.169.1.127:139      0.0.0.0:0              LISTENING       4
  TCP    193.169.1.127:50114    149.7.241.52:80        ESTABLISHED     1396
  TCP    193.169.1.127:50390    74.125.142.125:5222    ESTABLISHED     4960
  TCP    193.169.1.127:50412    74.125.226.32:443      ESTABLISHED     4960
  TCP    193.169.1.127:50519    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50520    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50521    184.169.70.96:80       CLOSE_WAIT      3684
  TCP    193.169.1.127:50647    74.125.226.53:443      ESTABLISHED     4960
  TCP    193.169.1.127:50690    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50691    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50692    204.160.108.126:80     LAST_ACK        1396
  TCP    193.169.1.127:50693    204.160.108.126:80     LAST_ACK        1396
  TCP    [::]:135               [::]:0                 LISTENING       920
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       560
  TCP    [::]:49153             [::]:0                 LISTENING       992
  TCP    [::]:49154             [::]:0                 LISTENING       428
  TCP    [::]:49155             [::]:0                 LISTENING       640
  TCP    [::]:49176             [::]:0                 LISTENING       632
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    127.0.0.1:1900         *:*                                    4776
  UDP    127.0.0.1:48000        *:*                                    4016
  UDP    127.0.0.1:48001        *:*                                    3348
  UDP    127.0.0.1:58204        *:*                                    4776
  UDP    193.169.1.127:137      *:*                                    4
  UDP    193.169.1.127:138      *:*                                    4
  UDP    193.169.1.127:1900     *:*                                    4776
  UDP    [::]:5355              *:*                                    1320
  UDP    [::1]:1900             *:*                                    4776
  UDP    [::1]:58203            *:*                                    4776
  UDP    [fe80::4029:c587:25e9:4dbe%11]:1900  *:*                              4776


Windows XP never had a lot of these IPs and ports open before. My Avast and everything are saying it's OK, but I really want to make sure that malware/worm is gone.

One last thing: with Chrome I can't seem to put on a theme without Avast stopping me. Anyone know how to fix it, even if it's temporary?

Thank you for time

~Jaguro
« Last Edit: June 25, 2012, 07:49:43 AM by Jaguro »
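A way to triage output like the one above, added here as an example and not part of the original thread or any Avast tooling: group every socket by PID, separate loopback-only listeners from ports bound on a network-reachable address, and list the remote peers each PID is talking to. The sample rows are taken from the poster's netstat dump, including the last UDP row where netstat wrapped the PID onto its own line; the parser folds that back. The follow-up step it suggests, mapping each PID to an image with `tasklist /svc /fi "PID eq <pid>"`, is the usual next move and an assumption of this example rather than something the thread does. On this dump all the 12xxx loopback listeners belong to one PID (1396), which is what a local mail/web scanning proxy looks like; tasklist is how you confirm that rather than assume it.

```python
"""Triage a Windows `netstat -ano` dump: group sockets by PID, separate
loopback-only listeners from ones reachable from the network, and list
remote peers.  Added example for this thread, not the poster's or Avast's
code; the sample rows are taken from the netstat output posted above."""
from collections import defaultdict

# Sample input: a subset of the poster's rows, including the last UDP row
# where netstat wrapped the PID onto its own line.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        127.0.0.1:50546        ESTABLISHED     1396
  TCP    127.0.0.1:50546        127.0.0.1:12080        ESTABLISHED     4960
  TCP    193.169.1.127:50114    149.7.241.52:80        ESTABLISHED     1396
  TCP    193.169.1.127:50390    74.125.142.125:5222    ESTABLISHED     4960
  TCP    193.169.1.127:50519    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    [fe80::4029:c587:25e9:4dbe%11]:1900  *:*
     4776
"""

LOOPBACK = ("127.", "[::1]")
WILDCARD = ("0.0.0.0", "[::]", "*")


def split_endpoint(ep):
    """'193.169.1.127:50114' -> ('193.169.1.127', 50114); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def scope(host):
    """Classify a bind/peer address by who can reach it."""
    if host.startswith(LOOPBACK):
        return "loopback"
    if host in WILDCARD:
        return "any"
    if host.startswith("[fe80:"):
        return "link-local"
    return "network"


def parse_netstat(text):
    """Return one dict per socket row; header lines are skipped and a
    wrapped PID line is folded back into the row before it."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] not in ("TCP", "UDP"):
            # A lone number after a row that lacks a PID is that row's wrapped PID.
            if len(t) == 1 and t[0].isdigit() and rows and rows[-1]["pid"] is None:
                rows[-1]["pid"] = int(t[0])
            continue
        rest = t[3:]                       # [state, pid] for TCP, [pid] for UDP
        pid = int(rest.pop()) if rest and rest[-1].isdigit() else None
        rows.append({
            "proto": t[0],
            "local": split_endpoint(t[1]),
            "foreign": split_endpoint(t[2]),
            "state": rest[0] if rest else "",
            "pid": pid,
        })
    return rows


def summarize(rows):
    """Per PID: ports bound beyond loopback, loopback-only ports, and remote peers."""
    per_pid = defaultdict(lambda: {"listen_net": set(), "listen_local": set(), "peers": set()})
    for r in rows:
        entry = per_pid[r["pid"]]
        lhost, lport = r["local"]
        fhost, fport = r["foreign"]
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            key = "listen_local" if scope(lhost) == "loopback" else "listen_net"
            entry[key].add((r["proto"], lport))
        elif scope(fhost) == "network":
            entry["peers"].add((fhost, fport, r["state"]))
    return dict(per_pid)


def pids_with_remote_peers(summary):
    """PIDs currently talking to a non-loopback address: map these to images first."""
    return sorted(pid for pid, e in summary.items() if e["peers"])


def report(summary):
    for pid in sorted(summary):
        e = summary[pid]
        print(f"PID {pid}: net-reachable {sorted(e['listen_net'])} "
              f"loopback-only {sorted(e['listen_local'])} peers {sorted(e['peers'])}")
    print('Map PIDs to images with: tasklist /svc /fi "PID eq <pid>"')


if __name__ == "__main__":
    report(summarize(parse_netstat(SAMPLE)))
```

Run it against a saved `netstat -ano > netstat.txt` instead of SAMPLE and the interesting lines are the ones a practitioner checks by hand anyway: anything in `listen_net` on a PID you cannot name, and any PID in `pids_with_remote_peers` whose image tasklist reports as something other than a browser, updater or the AV itself.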

Pondus
Re: Question: I think I have a malware/worm
« Reply #1 on: June 25, 2012, 07:21:44 AM »
Follow this guide and attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0



Help will then arrive later today.

Jaguro

Re: Question: I think I have a malware/worm
« Reply #2 on: June 25, 2012, 07:52:32 AM »
Posted it, all four files. Also I'm seeing a desktop.ini in every folder. Scaring me, sigh... don't know what to do.

mikaelrask
Re: Question: I think I have a malware/worm
« Reply #3 on: June 25, 2012, 08:29:09 AM »
Hey, one of the malware experts will look through those logs and give you instructions on how to proceed.

Jaguro

Re: Question: I think I have a malware/worm
« Reply #4 on: June 25, 2012, 08:55:02 AM »
Thank you, looking forward to removing whatever I have.

essexboy
Re: Question: I think I have a malware/worm
« Reply #5 on: June 25, 2012, 09:30:59 PM »
Alas, you have... nothing. The logs look good.

I have attached my netstat; I am on 7 as well.

Quote
Also I'm seeing a desktop.ini in every folder. Scaring me sigh...don't know what to do
OTL has done that: it sets all files to visible. When we uninstall it they will disappear again. They are legitimate.

How is the computer behaving ? Any problems ?

Jaguro

Re: Question: I think I have a malware/worm
« Reply #6 on: June 25, 2012, 09:52:18 PM »
My firewall in Avast is blocking ports 1900, 55226, and other 50000+ ports. I'd show you the log but I don't know how. Is it normal for Avast to block all these ports?

Also, I can't seem to install a theme setting for my Chrome. Avast blocks it, and I don't know how to make it accept it just that one time.

Thank you for your time =)

essexboy
Re: Question: I think I have a malware/worm
« Reply #7 on: June 25, 2012, 10:02:30 PM »
When Avast blocks it, I assume it is the behaviour shield.

If it is, then in the drop-down select "run as normal".

Jaguro

Re: Question: I think I have a malware/worm
« Reply #8 on: June 26, 2012, 12:35:47 AM »
Quote
When Avast blocks it I assume it is the behaviour shield

If it is then in the drop down select run as normal

Here is also my router activity. I feel maybe it's DDoS?

essexboy
Re: Question: I think I have a malware/worm
« Reply #9 on: June 26, 2012, 04:18:02 PM »
OK, let's go for a little fishing trip... The IPs are in Russia.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Jaguro

Re: Question: I think I have a malware/worm
« Reply #10 on: June 26, 2012, 06:47:59 PM »
Here you go, essexboy.

essexboy
Re: Question: I think I have a malware/worm
« Reply #11 on: June 26, 2012, 07:23:27 PM »
Do you have the initial sequence of this, i.e. the originator?

Quote
(6/25/12 00:25:25) Source:193.169.1.127, Destination:91.202.222.1, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:46.118.192.166, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:203.185.169.205, Name:cäØ

Jaguro

Re: Question: I think I have a malware/worm
« Reply #12 on: June 26, 2012, 11:39:15 PM »
I don't know where it's coming from, but every day it's popping up. Here is the latest today.

essexboy
Re: Question: I think I have a malware/worm
« Reply #13 on: June 27, 2012, 12:16:02 AM »
Could you get the two or three lines prior to that connection, please?

Jaguro

Re: Question: I think I have a malware/worm
« Reply #14 on: June 27, 2012, 04:59:52 AM »
Nope, that's all my router shows. I talked to my ISP and they said there isn't any problem on their end. -.- So confused. I want it to stop :(

My router's info deletes here and there, to fill more info.