WORMS ISASS NETWORK HIDING CONNECTIONS

Discussion in 'Windows Vista Security' started by ANDERSON, Mar 11, 2008.

  1. ANDERSON

    ANDERSON Guest

    Hi,

    My computer has a big problem in its security system. It was infected by ISASS
    malware, a WORM that hides in Windows system folders and shares my connection
    with other users without my authorization.

    In the firewall I can see a lot of ports opened without my UAC identifying them.
    Antivirus like Norton or Kaspersky doesn't solve my problem. Spybot did not help
    me either. I tried Windows Defender, and tried RegistryBooster 2, both without
    success.

    I studied an internet forum about the problem and I believed that I would
    solve the problem with a tool from Microsoft:

    http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    but after downloading it and scanning the computer, the tool didn't find any problem...

    I found a solution for WINDOWS XP in this link:

    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    but it's a solution from the year 2004, and it doesn't help Windows Vista users.

    My firewall keeps blocking some ports but that isn't a solution for the problem.
    I keep having the problem, a critical problem, and I don't know how to solve it.

    I found a tool to solve a problem in the "hosts file", in the system folder, but I
    don't believe that this tool will solve my problem. Its name is RRT 4.6 and it
    was made to solve this kind of problem, but it only removes malware problems if
    I pay for it, and I don't believe that I will need this parallel solution.

    This is the log of HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:51:28 PM, on 3/11/2008
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v8.00 (8.00.6001.17184)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Spare Backup\SpareBackup.exe
    C:\Program Files\Napster\napster.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
    c:\users\anderson\desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6834
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6834
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6834
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper -
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
    Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
    - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F}
    - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
    c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper -
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live
    Toolbar\msntb.dll
    O2 - BHO: Me.dium IE Add-on - {D5E5C1E6-78DB-49F0-A137-8D594F342FD6} -
    "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
    files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
    - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows
    Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage
    Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera
    Assistant Software for Gateway\traybar.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google
    Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare
    Backup\SpareBackup.exe" /silent
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft
    Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
    Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [cmpe] C:\Windows\system32\cmpe.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft
    Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program
    Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program
    Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [PPort9reminder] "C:\Program
    Files\ScanSoft\PaperPort\WebEreg\Ereg.exe" -r
    "C:\ProgramData\ScanSoft\PaperPort\9\Config\ereg.ini"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet
    Security 7.0\avp.exe"
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
    /minimized
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program
    Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows
    Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
    Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media
    Player\WMPNSCFG.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program
    Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program
    Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: Web Anti-Virus statistics -
    {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky
    Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
    - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer -
    {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows
    Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49}
    - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote -
    {2670000A-7350-4f3c-8081-5663EE0C6C49} -
    C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Me.dium - {47F8FF58-8C1E-4584-92CD-CE8B1FE1AF44} -
    "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -
    C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
    C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare
    safety scanner control) -
    http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldpt-br.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -
    http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
    http://www.onlineregister.com/gateway/serial/gwCID.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{4D29593B-A1B0-4198-A748-A05CC3CC023B}:
    NameServer = 200.165.132.148 200.165.132.155
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
    C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -
    C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
    C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
    C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
    C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} -
    C:\Program Files\Windows Live\Mail\mailcomm.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} -
    C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs:
    C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: klogon - C:\Windows\system32\klogon.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere
    Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner -
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r
    (file missing)
    O23 - Service: Context Manager Process Extension (cmpe) - LightComm -
    C:\Windows\system32\cmpe.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown
    owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program
    Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program
    Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
    Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel
    Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner -
    %windir%\system32\svchost.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer
    Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) -
    Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program
    Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101
    (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media
    Player\wmpnetwk.exe (file missing)



    My firewall keeps showing a lot of parallel SVCHOST.EXE processes, with TCP and
    UDP ports opened without my authorization.

    I don't know how to solve my security problem. Can you help me?

    Thanks
     
    ANDERSON, Mar 11, 2008
    #1
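A defender-side triage helper for HijackThis-style logs like the one posted above, added here as an example; it is not the thread's own code nor any tool the posters used. It reassembles entries that were wrapped across lines, then flags targets HijackThis could not find, third-party service binaries inside system32 (the trusted-vendor list is an assumption), explicitly set DNS servers, and a binary registered both under a Run key and as a service. The sample lines are constructed in the log's format from entry types seen in the post.

```python
"""Heuristic triage of HijackThis-style log entries (added example)."""
import re
from dataclasses import dataclass, field

# Vendors assumed legitimate for service binaries under system32 (an assumption).
TRUSTED_SYSTEM32_VENDORS = {"microsoft", "microsoft corporation",
                            "intel corporation", "agere systems", "sigmatel, inc."}
ENTRY_RE = re.compile(r"^[ROF]\d+ -(?: |$)")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]*)\))?"
                        r" - (?P<vendor>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - .*\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample in HijackThis format (entry types from the thread's log, wrapped as pasted).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [cmpe] C:\Windows\system32\cmpe.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{4D29593B-A1B0-4198-A748-A05CC3CC023B}:
NameServer = 200.165.132.148 200.165.132.155
O23 - Service: Context Manager Process Extension (cmpe) - LightComm -
C:\Windows\system32\cmpe.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel
Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown
owner - %windir%\system32\svchost.exe (file missing)
"""

@dataclass
class Finding:
    section: str
    subject: str
    reasons: list = field(default_factory=list)

def join_entries(text):
    """Reassemble wrapped entries; lines before the first R/O/F entry are skipped."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_RE.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def normalize_path(path):
    p = path.strip().strip('"').lower()
    p = p.replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    return re.sub(r" \((?:file missing|no file)\)$", "", p)

def exe_from_command(cmd):
    """Executable of a Run-key command: the quoted path, or the text before switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]

def triage(log_text):
    """Findings an analyst should verify first; none of them proves infection."""
    run_bins, svc_bins, findings = {}, {}, []
    for entry in join_entries(log_text):
        clsid = CLSID_RE.search(entry)
        f = Finding(entry.split(" - ", 1)[0], clsid.group(0) if clsid else entry[:60])
        if re.search(r"\((?:file missing|no file)\)", entry):
            f.reasons.append("referenced file missing: orphaned or hidden entry")
        m = RUN_RE.match(entry)
        if m:
            f.subject = m["name"]
            run_bins[normalize_path(exe_from_command(m["cmd"])).rsplit("\\", 1)[-1]] = m["name"]
        m = SERVICE_RE.match(entry)
        if m:
            f.subject = m["short"] or m["name"]
            vendor = m["vendor"].strip().lower()
            path = normalize_path(m["path"])
            base = path.rsplit("\\", 1)[-1]
            # Vista services with a resource-string display name (@...dll,-101) hosted in
            # svchost.exe show in HijackThis 1.99 as "Unknown owner ... (file missing)":
            # a limitation of that pre-Vista tool, not a sign of infection, so skip them.
            if m["name"].startswith("@") and base == "svchost.exe":
                continue
            svc_bins[base] = f.subject
            if path.startswith(r"c:\windows\system32") and vendor not in TRUSTED_SYSTEM32_VENDORS:
                f.reasons.append(f"third-party service binary ({vendor}) inside system32")
        m = NAMESERVER_RE.match(entry)
        if m:
            f.subject = "NameServer"
            f.reasons.append(f"DNS servers set explicitly ({m['servers']}): confirm they are your ISP's")
        if f.reasons:
            findings.append(f)
    # Double persistence: the same binary both in a Run key and as a service.
    for base in sorted(run_bins.keys() & svc_bins.keys()):
        findings.append(Finding("O4/O23", base,
            [f"same binary in Run key [{run_bins[base]}] and service {svc_bins[base]}"]))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log to get the same ranked findings; each one is a starting point for verification (signature, hash, vendor), not a verdict.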

  2. Your computer is massively infected with malware and requires a clean install
    of Windows Vista.

    Cleaning a Compromised System
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

    --
    Carey Frisch
    Microsoft MVP
    Windows Shell/User

     
    Carey Frisch [MVP], Mar 12, 2008
    #2

  3. I'll third Carey and Dwarf's suggestion. You are *WAY* past any chance
    of a successful cleanup. Back up critical files and do a clean install
    (boot from the XP CD). Be sure to install an AV application and scan any
    backed up files before restoring them....

    --

    Regards,
    Hank Arnold
    Microsoft MVP
    Windows Server - Directory Services
     
    Hank Arnold (MVP), Mar 16, 2008
    #3
  4. ANDERSON

    ANDERSON Guest

    Thanks, I did a full format...
    but I don't believe that a worm from 2004 made me do this...
    I hate Bill Gates.
    See you guys, thank you

    Anderson
     
    ANDERSON, Mar 17, 2008
    #4
  5. Sasser?

    Wasn't there a patch for that vulnerability very shortly after its
    discovery?
    How could it possibly work its exploit against the new Vista OS!?
    Rich geniuses piss me off sometimes too... but that's not really on point.
    :eek:)
    Clearly you did the right thing by not wasting time chasing down what might
    have been done by some unknown malware, but I don't think Bill Gates
    is the problem here.

    Sasser, aside from exploit code, abuses functionality that is otherwise
    beneficial.
    Blame the malware, not the rich genius.
     
    FromTheRafters, Mar 17, 2008
    #5
