Question: I think I have a malware/worm

So I had malware before I reformatted, but I feel the malware/worm is still on my hard drive. I'm a bit new to Windows 7, so when I do netstat -ano I get:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\ChuBear>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 920
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 560
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 992
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 428
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49176 0.0.0.0:0 LISTENING 632
TCP 127.0.0.1:2559 0.0.0.0:0 LISTENING 4016
TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12080 127.0.0.1:50546 ESTABLISHED 1396
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12465 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12563 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12993 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:12995 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:27275 0.0.0.0:0 LISTENING 1396
TCP 127.0.0.1:50546 127.0.0.1:12080 ESTABLISHED 4960
TCP 193.169.1.127:139 0.0.0.0:0 LISTENING 4
TCP 193.169.1.127:50114 149.7.241.52:80 ESTABLISHED 1396
TCP 193.169.1.127:50390 74.125.142.125:5222 ESTABLISHED 4960
TCP 193.169.1.127:50412 74.125.226.32:443 ESTABLISHED 4960
TCP 193.169.1.127:50519 208.43.71.134:80 CLOSE_WAIT 3684
TCP 193.169.1.127:50520 208.43.71.134:80 CLOSE_WAIT 3684
TCP 193.169.1.127:50521 184.169.70.96:80 CLOSE_WAIT 3684
TCP 193.169.1.127:50647 74.125.226.53:443 ESTABLISHED 4960
TCP 193.169.1.127:50690 204.160.108.126:80 LAST_ACK 1396
TCP 193.169.1.127:50691 204.160.108.126:80 LAST_ACK 1396
TCP 193.169.1.127:50692 204.160.108.126:80 LAST_ACK 1396
TCP 193.169.1.127:50693 204.160.108.126:80 LAST_ACK 1396
TCP [::]:135 [::]:0 LISTENING 920
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 560
TCP [::]:49153 [::]:0 LISTENING 992
TCP [::]:49154 [::]:0 LISTENING 428
TCP [::]:49155 [::]:0 LISTENING 640
TCP [::]:49176 [::]:0 LISTENING 632
UDP 0.0.0.0:5355 *:* 1320
UDP 127.0.0.1:1900 *:* 4776
UDP 127.0.0.1:48000 *:* 4016
UDP 127.0.0.1:48001 *:* 3348
UDP 127.0.0.1:58204 *:* 4776
UDP 193.169.1.127:137 *:* 4
UDP 193.169.1.127:138 *:* 4
UDP 193.169.1.127:1900 *:* 4776
UDP [::]:5355 *:* 1320
UDP [::1]:1900 *:* 4776
UDP [::1]:58203 *:* 4776
UDP [fe80::4029:c587:25e9:4dbe%11]:1900 *:* 4776

Windows XP never had a lot of these IPs and ports open before. My Avast and everything are saying it's OK. But I really want to make sure that malware/worm is gone.

One last thing: with Chrome I can't seem to put a theme on without Avast stopping me. Anyone know how to fix it, even if it's temporary?

Thank you for your time

~Jaguro
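As an added example (not part of the original post, and not one of Avast's tools), the script below parses a pasted `netstat -ano` dump like the one above, groups sockets by PID, and separates listeners from connections to addresses outside the machine. The sample text inside it is a constructed subset of the post's own lines; the classification rules (loopback, unspecified, private, link-local, external) are the script's own assumptions, not anything the thread states.

```python
"""Triage a pasted `netstat -ano` dump (Windows 7 format).

Groups sockets by owning PID and separates:
  - listeners, with the scope they are bound to (loopback, all interfaces, one interface)
  - connections whose foreign address is outside loopback/private/link-local ranges
"""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample: a subset of the lines from the post above (IPv4 + IPv6, TCP + UDP).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1396
  TCP    127.0.0.1:12080        127.0.0.1:50546        ESTABLISHED     1396
  TCP    193.169.1.127:50114    149.7.241.52:80        ESTABLISHED     1396
  TCP    193.169.1.127:50390    74.125.142.125:5222    ESTABLISHED     4960
  TCP    193.169.1.127:50519    208.43.71.134:80       CLOSE_WAIT      3684
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    [fe80::4029:c587:25e9:4dbe%11]:1900  *:*                      4776
"""

Socket = namedtuple("Socket", "proto local_host local_port foreign_host foreign_port state pid")


def split_endpoint(ep):
    """'host:port' -> (host, port). Handles '[v6]:port', '%zone' suffixes and '*:*'."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]").split("%")[0]          # drop IPv6 brackets and scope id
    return host, (int(port) if port != "*" else None)


def classify(host):
    """Coarse bucket for an address: any/unspecified/loopback/link-local/private/external."""
    if host == "*":
        return "any"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "external"


def parse_netstat(text):
    """Yield Socket rows; TCP rows have 5 columns, UDP rows have no State column."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                  # header, blank, or junk line
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        lh, lp = split_endpoint(local)
        fh, fp = split_endpoint(foreign)
        socks.append(Socket(proto, lh, lp, fh, fp, state, int(pid)))
    return socks


def triage(socks):
    """PID -> {'listening': [(proto, port, scope)], 'external': [(host, port, state)]}."""
    report = defaultdict(lambda: {"listening": set(), "external": set()})
    for s in socks:
        entry = report[s.pid]
        if s.state == "LISTENING" or s.proto == "UDP":   # every UDP row is a bound socket
            kind = classify(s.local_host)
            scope = {"unspecified": "all-interfaces", "loopback": "loopback"}.get(kind, "one-interface")
            entry["listening"].add((s.proto, s.local_port, scope))   # set dedups the v4/v6 twin
        elif classify(s.foreign_host) == "external":
            entry["external"].add((s.foreign_host, s.foreign_port, s.state))
    return {pid: {k: sorted(v) for k, v in e.items()} for pid, e in report.items()}


def external_pids(report):
    """PIDs that hold at least one connection to a non-local address, for follow-up."""
    return sorted(pid for pid, e in report.items() if e["external"])


if __name__ == "__main__":
    rep = triage(parse_netstat(SAMPLE))
    for pid in sorted(rep):
        print(pid, rep[pid])
    print("PIDs to resolve with tasklist:", external_pids(rep))
```

Resolve the PIDs the script flags with `tasklist /FI "PID eq 1396"` on the same box, or re-run `netstat -anob` from an elevated prompt, which prints the owning executable beside each row. Note that the same port listed once under 0.0.0.0 and once under [::] is a single dual-stack service, which is one reason a Windows 7 listing looks longer than the XP one you are used to.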

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

Help will then arrive later today.

Posted all four files. Also I'm seeing a desktop.ini in every folder. Scaring me, sigh… don't know what to do.

Hey, one of the malware experts will look through those logs and give you instructions on how to proceed.

Thank you, looking forward to removing whatever I have.

Alas, you have… nothing; the logs look good.

I have attached my netstat, I am on 7 as well.

Also I'm seeing a desktop.ini in every folder. Scaring me sigh...don't know what to do
OTL has done that; it sets all files to visible. When we uninstall it they will disappear again. They are legitimate.

How is the computer behaving? Any problems?

My firewall in Avast is blocking all ports 1900, 55226, and other 50000+. I'd show you the log but I dunno how. Is that normal for Avast, to block all these ports?

Also, I can't seem to install a theme setting for my Chrome. Avast blocks it, and I dunno how to make it accept it just that one time.

Thank you for your time =)

When Avast blocks it I assume it is the behaviour shield.

If it is, then in the drop-down select run as normal.

Here is also my router activity, I feel maybe it's DDoS?

OK, let's go for a little fishing trip… The IPs are in Russia.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here you go, essexboy.

Do you have the initial sequence of this, i.e. the originator?

(6/25/12 00:25:25) Source:193.169.1.127, Destination:91.202.222.1, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:46.118.192.166, Name:cäØ
(6/25/12 00:25:25) Source:193.169.1.127, Destination:203.185.169.205, Name:cäØ

I dunno where it's coming from. But every day it's popping up. Here is the latest today.

Could you get the two or three lines prior to that connection please?

Nope, that's all my router shows. I talked to my ISP and they said there isn't any problem on their end. -.- So confused. I want it to stop :(

My router's info deletes here and there, to fill in more info.

Apart from the router data, are you experiencing any problems or weirdness at all?

At random times having slow internet, or cut completely. Other than that I think I'm fine, but then again, my computer is a tank.

From my investigations, it is not a problem… But Windows 7 does have a lot of tools that were not available on XP and will present you with data that you may be unfamiliar with.