TCP localhost:2266 188.131.141.230:3389 SYN_SENT 832
TCP localhost:2267 88.184.60.211:3389 SYN_SENT 832
TCP localhost:2268 122.228.207.232:9477 SYN_SENT 832
TCP localhost:2269 81.1.120.167:3389 SYN_SENT 832
TCP localhost:2270 104.115.210.138:3389 SYN_SENT 832
TCP localhost:2271 131.91.148.141:3389 SYN_SENT 832
TCP localhost:2272 122.228.207.232:9477 SYN_SENT 832
TCP localhost:2273 146.144.143.13:3389 SYN_SENT 832
I did some more research and found that the virus is actually hiding in
C:\WINDOWS\Offline Web Pages
The following is what I found in the directory:
09/10/2011 02:44 AM 0 1.64_0910
09/15/2011 04:08 AM 0 1.65_0913
09/21/2011 05:16 PM 0 1.67_0921
10/05/2011 04:17 PM 0 1.70_1005
10/19/2011 03:52 PM 0 1.71_1019
09/10/2011 02:43 AM 0 2011-09-09 1843
04/14/2008 05:00 PM 8,704 cache.txt
09/21/2011 08:00 PM 28,164 ce
04/14/2008 05:00 PM 19,766 m13318.plg
04/14/2008 05:00 PM 19,571 m18830.plg
04/14/2008 05:00 PM 19,360 m21900.plg
04/14/2008 05:00 PM 19,581 m27070.plg
04/14/2008 05:00 PM 19,634 m39531.plg
04/14/2008 05:00 PM 19,600 m40466.plg
09/27/2011 02:00 PM 28,160 svchost.exe
15 File(s) 182,540 bytes
2 Dir(s) 6,371,610,624 bytes free
The solution is actually quite simple. You just need to empty the folder. That's it. The tricky part is that the running virus will not allow you to delete some of the files, so you will need to boot from another disk (e.g. a USB drive) and remove the contents of the directory. Please note that cache.txt will keep reappearing if the virus is still active on your system.
At this time, no anti-virus can catch the above virus, but it's quite easy to remove it manually. This took me about 2 hours to figure out.
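The two symptoms above (one PID with a burst of half-open SYN_SENT connections to port 3389 on many different hosts, and a svchost.exe sitting in C:\WINDOWS\Offline Web Pages instead of System32) can be checked mechanically, which also gives you a way to confirm that cache.txt really stops coming back after cleanup. The script below is an added example and not the author's code: it parses `netstat -ano` and `dir` output in the same format as shown above. The sample lines, the documentation-range IP addresses, the five-target threshold and the short list of core Windows binary names are all constructed for illustration.

```python
"""Triage helpers for the symptoms described above: outbound SYN_SENT fan-out to
TCP/3389 in `netstat -ano` output, core Windows binary names found in a directory
where they do not belong, and files that reappear after a cleanup attempt.
All sample data in this file is constructed, not captured from a real host."""
import re
from collections import defaultdict

# Assumption: a small illustrative list of binaries that legitimately live only
# under %SystemRoot%\System32; a real allow-list would be longer.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"
SUSPECT_DIR = r"C:\WINDOWS\Offline Web Pages"  # the drop directory named above

# One `netstat -ano` row: proto, local addr:port, remote addr:port, state, PID.
# Works for both the aligned tool output and whitespace-collapsed copies of it.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$", re.I)

# One `dir` row: date, time, AM/PM, size (or <DIR>), name (may contain spaces).
DIR_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\S+\s+(?:AM|PM)\s+([\d,]+|<DIR>)\s+(.+?)\s*$")


def parse_netstat(lines):
    """Yield (proto, remote_host, remote_port, state, pid); headers and rows
    without a state/PID (e.g. UDP *:*) are skipped."""
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m:
            proto, _lhost, _lport, rhost, rport, state, pid = m.groups()
            yield proto.upper(), rhost, int(rport), state.upper(), int(pid)


def find_rdp_scanners(lines, min_targets=5, port=3389):
    """Return {pid: sorted distinct remote hosts} for every PID holding at least
    min_targets half-open (SYN_SENT) connections to `port`. A single process
    knocking on the RDP port of many hosts at once is worm behaviour, not a user."""
    targets = defaultdict(set)
    for proto, rhost, rport, state, pid in parse_netstat(lines):
        if proto == "TCP" and rport == port and state == "SYN_SENT":
            targets[pid].add(rhost)
    return {pid: sorted(h) for pid, h in targets.items() if len(h) >= min_targets}


def parse_dir_listing(lines):
    """Return {name: size_in_bytes} from `dir` output (subdirectories map to None);
    the 'Directory of' and 'File(s)' summary lines do not match and are ignored."""
    entries = {}
    for line in lines:
        m = DIR_RE.match(line)
        if m:
            size, name = m.groups()
            entries[name] = None if size == "<DIR>" else int(size.replace(",", ""))
    return entries


def find_masquerading_binaries(directory, entries):
    """Names of core Windows binaries present in `directory` when it is not System32."""
    if directory.lower().rstrip("\\") == SYSTEM32:
        return []
    return sorted(n for n in entries if n.lower() in SYSTEM_BINARY_NAMES)


def reappeared_files(deleted, listing_after):
    """Files from `deleted` that are back in a fresh listing: the dropper is still running."""
    present = parse_dir_listing(listing_after)
    return sorted(n for n in deleted if n in present)


# Constructed sample input in `netstat -ano` layout (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real targets).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    localhost:2266         203.0.113.10:3389      SYN_SENT        832
  TCP    localhost:2267         203.0.113.11:3389      SYN_SENT        832
  TCP    localhost:2268         198.51.100.7:9477      SYN_SENT        832
  TCP    localhost:2269         203.0.113.12:3389      SYN_SENT        832
  TCP    localhost:2270         203.0.113.13:3389      SYN_SENT        832
  TCP    localhost:2271         203.0.113.14:3389      SYN_SENT        832
  TCP    localhost:3012         203.0.113.50:443       ESTABLISHED     1540
""".splitlines()

# Constructed `dir` output before cleanup and after deleting everything once.
SAMPLE_DIR_BEFORE = r"""
 Directory of C:\WINDOWS\Offline Web Pages

09/10/2011  02:44 AM                 0 1.64_0910
09/10/2011  02:43 AM                 0 2011-09-09 1843
04/14/2008  05:00 PM             8,704 cache.txt
09/27/2011  02:00 PM            28,160 svchost.exe
               4 File(s)         36,864 bytes
""".splitlines()

SAMPLE_DIR_AFTER = r"""
 Directory of C:\WINDOWS\Offline Web Pages

04/14/2008  05:00 PM             8,704 cache.txt
               1 File(s)          8,704 bytes
""".splitlines()

if __name__ == "__main__":
    for pid, hosts in find_rdp_scanners(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: SYN_SENT to {len(hosts)} distinct hosts on 3389 -> likely RDP scanner")
    before = parse_dir_listing(SAMPLE_DIR_BEFORE)
    print("system binary names outside System32:", find_masquerading_binaries(SUSPECT_DIR, before))
    print("files back after cleanup:", reappeared_files(list(before), SAMPLE_DIR_AFTER))
```

Run it against a saved `netstat -ano > net.txt` and `dir "C:\WINDOWS\Offline Web Pages" > dir.txt` by passing the file lines to the same functions; a non-empty result from `reappeared_files` after the offline deletion means the process that drops cache.txt is still alive somewhere else and the clean boot did not remove the real persistence.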