DSO Exploit/Dr.Watson [CLOSED]


#1 Frankjacob1 (New Member, 5 posts)
I have a Dr. Watson Debugger DSO Exploit challenge. Thanking you in advance for any help you can provide.

Frank

Here are my HijackThis and Spybot files.

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:37:27 AM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\NWTRAY.EXE
c:\windows\system32\ngvytw.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\mfcfl.exe
C:\WINDOWS\sdkox.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\Frank\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kwoxi.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [zvidlu] c:\windows\system32\ngvytw.exe
O4 - HKLM\..\Run: [sdkox.exe] C:\WINDOWS\sdkox.exe
O4 - HKLM\..\RunOnce: [mfcfl.exe] C:\WINDOWS\mfcfl.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...382/mcfscan.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\apisy32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe


Spybot


--- Search result list ---
IE Plugin: Executable (File, nothing done)
C:\WINDOWS\wupdt.exe
IE Plugin: Data (File, nothing done)
C:\WINDOWS\lu.dat
IE Plugin: Library (File, nothing done)
C:\WINDOWS\systb.dll
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1966542408-3578686292-842749767-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 819639
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Windows XP Hotfix - KB893066
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, BJCFD
command: C:\Program Files\BroadJump\Client Foundation\CFD.exe
file: C:\Program Files\BroadJump\Client Foundation\CFD.exe
size: 368706
MD5: ba9af06103549a96f77036861fde357b

Located: HK_LM:Run, EnvyHFCPL
command: C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
file: C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
size: 1757696
MD5: 9e03161b5294a7744fc6f8440c3a46fc

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 28738
MD5: 5ac34c17115d3818dc9c9f5b2d909858

Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 131072
MD5: 16cea30c3ec3494b1cb957d8017c9b3f

Located: HK_LM:Run, NWTRAY
command: NWTRAY.EXE
file: C:\WINDOWS\system32\NWTRAY.EXE
size: 28672
MD5: 8ea25db3b87bf8837f8799cda811f719

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: c341ccfbe98bc7df6e0b856bb9fc265a

Located: HK_LM:Run, RoxioAudioCentral
command: "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
file: C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
size: 319488
MD5: b96cb1da50f3c1d37e08e756264597b6

Located: HK_LM:Run, RoxioDragToDisc
command: "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
file: C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
size: 868352
MD5: 7c7e293fea522f7da0244015bad79bd4

Located: HK_LM:Run, RoxioEngineUtility
command: "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
file: C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
size: 65536
MD5: 364784a6f653df81b76424a39dba237b

Located: HK_LM:Run, sdkox.exe
command: C:\WINDOWS\sdkox.exe
file: C:\WINDOWS\sdkox.exe
size: 33856
MD5: 9281e6b74184a823cafa981fd8610861

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
size: 36975
MD5: 1f6573d67dd5dc06dd29ec7fcf81dc6f

Located: HK_LM:Run, Sunkist2k
command: C:\Program Files\Multimedia Card Reader\shwicon2k.exe
file: C:\Program Files\Multimedia Card Reader\shwicon2k.exe
size: 139264
MD5: af5b568570206eb72ff31494dd82e934

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: b8e684df9a97497edd2f87444a6307fb

Located: HK_LM:Run, zvidlu
command: c:\windows\system32\ngvytw.exe
file: c:\windows\system32\ngvytw.exe
size: 75776
MD5: 639c64c1f97175cfa775d6a6746060a9

Located: HK_LM:RunOnce, mfcfl.exe
command: C:\WINDOWS\mfcfl.exe
file: C:\WINDOWS\mfcfl.exe
size: 11475
MD5: 9061a0e993f4acca8988e5eed87ebd82

Located: HK_CU:Run, AIM
command: C:\Program Files\aim\aim.exe -cnetwait.odl

Located: HK_CU:Run, Steam
command: C:\Program Files\Valve\Steam\\Steam.exe -silent

Located: Startup (common), BigFix.lnk
command: C:\Program Files\BigFix\BigFix.exe
file: C:\Program Files\BigFix\BigFix.exe
size: 1742384
MD5: 3802278fed9e3594b4bc3377ff0cff3b

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: ACROIEHELPER.OCX
info link: http://www.adobe.com.../readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/2003 2:17:44 PM
Date (last access): 5/28/2005 10:40:04 AM
Date (last write): 11/3/2003 2:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 0.6.0.0

{4098B116-3E9F-6C68-3DD2-D1F9DE132411} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\
Long name: netho.dll
Short name:
Date (created): 5/11/2005 6:37:20 AM
Date (last access): 5/28/2005 10:40:04 AM
Date (last write): 5/11/2005 6:37:20 AM
Filesize: 103534
Attributes: archive
MD5: 189290AEFE47F7570369CA0EB16513FC
CRC32: A7BF9480
Version: 255.255.255.255

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: Googletoolbar.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar2.dll
Short name: GOOGLE~2.DLL
Date (created): 12/14/2004 5:48:04 PM
Date (last access): 5/28/2005 11:29:32 AM
Date (last write): 12/2/2004 2:59:32 PM
Filesize: 720896
Attributes: readonly archive
MD5: D4E9B7B696E8C40A0E5CB76621A03EE4
CRC32: 019AF69C
Version: 0.2.0.0



--- ActiveX list ---
{00000075-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
description: Microsoft Audio Codec
classification: Legitimate
known filename: VOXACM.CAB
info link:
info source: Patrick M. Kolla

{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Path: C:\PROGRA~1\MICROS~4\OFFICE11\
Long name: IEAWSDC.DLL
Short name:
Date (created): 7/14/2003 10:57:44 PM
Date (last access): 5/28/2005 9:53:54 AM
Date (last write): 7/14/2003 10:57:44 PM
Filesize: 87096
Attributes: archive
MD5: 7D6EB2CEC6635CAD293664E78055822E
CRC32: 813DED2B
Version: 0.11.0.0

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 1/28/2005 4:38:00 PM
Date (last access): 5/28/2005 10:02:30 AM
Date (last write): 1/28/2005 4:38:00 PM
Filesize: 421128
Attributes: archive
MD5: C3C3864DA698F0CC1BE56F9695534DD8
CRC32: C0FC216A
Version: 0.1.0.0

{1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
DPF name:
CLSID name: LSSupCtl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: LSSupCtl.dll
Short name:
Date (created): 10/27/2004 3:10:26 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 10/27/2004 3:10:26 PM
Filesize: 111752
Attributes: archive
MD5: C8FEBEA460AAD5C1B6817F9676E03F78
CRC32: 807349F9
Version: 0.3.0.1

{2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class)
DPF name:
CLSID name: ICSScannerLight Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ICSScannerLight.dll
Short name: ICSSCA~1.DLL
Date (created): 3/29/2004 4:42:32 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 3/29/2004 4:42:32 PM
Filesize: 786432
Attributes: archive
MD5: 1D9B3A211E5A3AE2BD77384A8A825410
CRC32: 6A70E9F6
Version: 0.1.0.0

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
DPF name:
CLSID name: Symantec AntiVirus scanner
description: Symantec online scanner
classification: Legitimate
known filename: AVSNIFF.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: avsniff.dll
Short name:
Date (created): 6/29/2004 11:28:02 AM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 2/18/2005 4:11:56 PM
Filesize: 202352
Attributes: archive
MD5: 0A7529D49E89E9CF66102F4527BC9E3D
CRC32: 35DAF580
Version: 7.212.0.12

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class)
DPF name:
CLSID name: FilePlanet Download Control Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: FilePlanetDownloadCtrl.dll
Short name: FILEPL~1.DLL
Date (created): 6/21/2004 7:11:18 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 6/21/2004 7:11:18 PM
Filesize: 294912
Attributes: archive
MD5: E6B0A532DC0404BCB678CB0F6757008D
CRC32: AE97F52E
Version: 0.1.0.0

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: rufsi.dll
Short name:
Date (created): 6/29/2004 11:28:18 AM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 6/29/2004 11:28:18 AM
Filesize: 160928
Attributes: archive
MD5: 903343D152B0733DBFA22D7408AB59EC
CRC32: FFE4B0EE
Version: 7.212.0.6

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 3/24/2004 6:22:12 PM
Date (last access): 5/28/2005 10:40:04 AM
Date (last write): 6/9/2004 4:56:02 PM
Filesize: 435712
Attributes: archive
MD5: DCFFCA7F818B4CF4DF29B8932907735D
CRC32: 89BBB9BF
Version: 0.5.0.70

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 3:36:50 AM
Date (last access): 5/28/2005 9:46:24 AM
Date (last write): 3/4/2005 3:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 0.5.0.0

{924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class)
DPF name:
CLSID name: YbUploadFavsCtl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: YbConvFav030408.dll
Short name: YBCONV~1.DLL
Date (created): 4/8/2003 4:11:32 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 4/8/2003 4:11:32 PM
Filesize: 107168
Attributes: archive
MD5: 031D1626A95E6B5ADD11AF82C8BFD7C7
CRC32: DDA6DB71
Version: 7.211.0.4

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class)
DPF name:
CLSID name: McObjectFactory Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: McMysec.dll
Short name:
Date (created): 11/10/2003 12:51:36 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 11/10/2003 12:51:36 PM
Filesize: 37888
Attributes: archive
MD5: 51E166312800BAFF061CF76AFDD84E63
CRC32: 85D95EDB
Version: 0.1.0.0

{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1)
DPF name: Java Runtime Environment 1.3.1
CLSID name: Java Plug-in 1.3.1
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\JavaSoft\JRE\1.3.1\bin\
Long name: NPJava131.dll
Short name: NPJAVA~1.DLL
Date (created): 2/5/2004 6:04:08 AM
Date (last access): 5/28/2005 9:46:38 AM
Date (last write): 5/6/2001 2:14:22 PM
Filesize: 53338
Attributes: archive
MD5: 8D7694975F0E5C1F153AADD68A460887
CRC32: 2AD23CCB
Version: 0.1.0.3

{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02)
DPF name: Java Runtime Environment 1.3.1_02
CLSID name: Java Plug-in 1.3.1_02
Path: C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\
Long name: NPJava131_02.dll
Short name: NPJAVA~1.DLL
Date (created): 2/5/2004 6:00:18 AM
Date (last access): 5/28/2005 9:46:44 AM
Date (last write): 3/4/2002 6:37:58 PM
Filesize: 53338
Attributes: archive
MD5: CAFFD6C4A881EB5E8AEDE346343C2796
CRC32: 2E8A0377
Version: 0.1.0.3

{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02)
DPF name: Java Runtime Environment 1.4.1_02
CLSID name: Java Plug-in 1.4.1_02
Path: C:\Program Files\Java\j2re1.4.1_02\bin\
Long name: NPJPI141_02.dll
Short name: NPJPI1~1.DLL
Date (created): 6/12/2004 10:46:38 AM
Date (last access): 5/28/2005 9:45:38 AM
Date (last write): 2/20/2003 4:42:34 PM
Filesize: 61553
Attributes: archive
MD5: E4EFF4ADF1367AA79815A9061E64C0D9
CRC32: A0446F8E
Version: 0.1.0.4

{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2068 11:44:46 PM
Date (last access): 5/28/2005 9:45:50 AM
Date (last write): 2/22/2004 11:44:42 PM
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 0.1.0.4

{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_05
Path: C:\Program Files\Java\j2re1.4.2_05\bin\
Long name: NPJPI142_05.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2068 10:05:12 PM
Date (last access): 5/28/2005 9:46:00 AM
Date (last write): 6/3/2004 10:05:06 PM
Filesize: 65650
Attributes: archive
MD5: 174488C8877FA852448D1937C322AABB
CRC32: 62C2460D
Version: 0.1.0.4

{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_06
Path: C:\Program Files\Java\j2re1.4.2_06\bin\
Long name: NPJPI142_06.dll
Short name: NPJPI1~1.DLL
Date (created): 9/28/2004 9:26:10 PM
Date (last access): 5/28/2005 9:46:12 AM
Date (last write): 9/28/2004 9:26:00 PM
Filesize: 65650
Attributes: archive
MD5: 69E5147BA901A9238C4EB08C84E1A85B
CRC32: 6CB34BCC
Version: 0.1.0.4

{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_02
Path: C:\Program Files\Java\jre1.5.0_02\bin\
Long name: NPJPI150_02.dll
Short name: NPJPI1~1.DLL
Date (created): 3/4/2005 3:36:50 AM
Date (last access): 5/28/2005 11:36:48 AM
Date (last write): 3/4/2005 3:54:18 AM
Filesize: 69746
Attributes: archive
MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
CRC32: 55F989EE
Version: 0.5.0.0

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
DPF name:
CLSID name: ActiveDataInfo Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SymAData.dll
Short name:
Date (created): 12/20/2004 7:03:36 PM
Date (last access): 5/28/2005 11:35:10 AM
Date (last write): 12/20/2004 7:03:36 PM
Filesize: 157288
Attributes: archive
MD5: D39C8355D0587B6A3FD2325DA7E2919C
CRC32: B639D5B5
Version: 0.2.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 4/8/2004 5:51:02 PM
Date (last access): 5/28/2005 10:01:54 AM
Date (last write): 12/8/2003 3:01:58 PM
Filesize: 933888
Attributes: archive
MD5: F7E435D02F7A48120B746E33254A70BC
CRC32: 02AF493D
Version: 0.7.0.0

{EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker)
DPF name:
CLSID name: MSN Money Ticker
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ticker13.ocx
Short name:
Date (created): 6/11/2003 8:27:56 AM
Date (last access): 5/28/2005 9:58:20 AM
Date (last write): 6/11/2003 8:27:56 AM
Filesize: 430080
Attributes: archive
MD5: 3D9371E944259D20E828A08ACBE9EF62
CRC32: 669A676E
Version: 0.13.7.211

{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class)
DPF name:
CLSID name: McFreeScan Class
Path: C:\WINDOWS\McAfee.com\FreeScan\
Long name: mcfscan.dll
Short name:
Date (created): 7/28/2004 10:09:46 AM
Date (last access): 5/28/2005 10:00:00 AM
Date (last write): 7/28/2004 10:09:46 AM
Filesize: 91208
Attributes: archive
MD5: 88B730D8E357943CC3616950BAE93E12
CRC32: 6990399B
Version: 0.2.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 5/28/2005 11:36:47 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 156 ( 708) C:\WINDOWS\System32\wm.exe
PID: 188 ( 708) C:\WINDOWS\System32\MsPMSPSv.exe
PID: 412 ( 4) \SystemRoot\System32\smss.exe
PID: 640 ( 412) csrss.exe
PID: 664 ( 412) \??\C:\WINDOWS\system32\winlogon.exe
PID: 708 ( 664) C:\WINDOWS\system32\services.exe
PID: 720 ( 664) C:\WINDOWS\system32\lsass.exe
PID: 912 ( 708) C:\WINDOWS\System32\Ati2evxx.exe
PID: 924 ( 708) C:\WINDOWS\system32\svchost.exe
PID: 1012 ( 708) svchost.exe
PID: 1048 ( 708) C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
PID: 1104 ( 708) C:\WINDOWS\System32\svchost.exe
PID: 1160 ( 708) svchost.exe
PID: 1188 ( 708) svchost.exe
PID: 1436 ( 708) C:\WINDOWS\system32\spoolsv.exe
PID: 1612 ( 708) alg.exe
PID: 1656 ( 708) C:\WINDOWS\System32\cusrvc.exe
PID: 1692 ( 708) C:\WINDOWS\System32\NALNTSRV.EXE
PID: 1772 ( 708) C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
PID: 1836 ( 708) C:\WINDOWS\system32\slserv.exe
PID: 1920 ( 708) C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
PID: 1952 ( 708) C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
PID: 2032 ( 708) wdfmgr.exe
PID: 2072 (2064) C:\WINDOWS\mfcfl.exe
PID: 2080 ( 664) C:\WINDOWS\system32\Ati2evxx.exe
PID: 2100 (1856) C:\WINDOWS\sdkox.exe
PID: 2152 (2112) C:\WINDOWS\Explorer.exe
PID: 2320 (2152) C:\Program Files\Multimedia Card Reader\shwicon2k.exe
PID: 2328 (2152) C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
PID: 2348 (2152) C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
PID: 2356 (2152) C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
PID: 2364 (2152) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 2380 (2152) C:\Program Files\BroadJump\Client Foundation\CFD.exe
PID: 2396 (2152) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 2416 (2152) C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
PID: 2424 (2152) C:\Program Files\QuickTime\qttask.exe
PID: 2456 (2152) C:\WINDOWS\system32\NWTRAY.EXE
PID: 2540 (2508) c:\windows\system32\ngvytw.exe
PID: 2556 (2152) C:\Program Files\Valve\Steam\Steam.exe
PID: 2568 (2152) C:\Program Files\aim\aim.exe
PID: 2576 ( 924) C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
PID: 2596 (2152) C:\Program Files\BigFix\BigFix.exe
PID: 2768 (2152) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3464 (2152) C:\Program Files\Netscape\Netscape Browser\netscape.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 5/28/2005 11:36:47 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
websearch.drsnsrch.com/q.cgi?q=
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
res://C:\WINDOWS\kwoxi.dll/sp.html#44768
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://websearch.drs...esearch.cgi?id=
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsof...search.asp?p=%s


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF0983AC-9132-4A06-9028-82CD7BD96F67}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF0983AC-9132-4A06-9028-82CD7BD96F67}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0010E78E-4C10-4607-A3C6-012E93E29E32}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0010E78E-4C10-4607-A3C6-012E93E29E32}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F4975C58-58B2-4C89-8ED9-AE5E54B850A6}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F4975C58-58B2-4C89-8ED9-AE5E54B850A6}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5267010A-C1E9-4F8A-ACC5-E8E3F89044E6}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5267010A-C1E9-4F8A-ACC5-E8E3F89044E6}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE32F26-68EB-48D6-BCA2-79343E9EF414}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE32F26-68EB-48D6-BCA2-79343E9EF414}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: Novell Directory Services Name Provider
GUID: {DD9F6D10-8E24-11CF-8493-00001B4B58D4}
Filename: %SystemRoot%\system32\netware\NWWS2NDS.DLL

Namespace Provider 4: Novell IPX/SPX SAP Name Provider
GUID: {81FA7960-A290-11CF-9D71-00805FF42892}
Filename: %SystemRoot%\system32\netware\NWWS2SAP.DLL

Namespace Provider 5: Novell SLP Provider
GUID: {644FE400-ACC0-11D0-9FE2-00A0C920B5DE}
Filename: %SystemRoot%\system32\netware\NWWS2SLP.DLL

#2 Frankjacob1 (Topic Starter, Member, 5 posts)
Ok I have taken care of Dr. Watson... Now I am working on the Aurora virus.

TrendMicro is catching these two programs starting to load....

I am working on the Aurora solution posted on Geeks To Go and then I will repost.

Virus Log 5/29/2005 YOUR-MB2SWYWKNR
Time Event Source Type Virus Name File Name First Action Second Action
21:11 Real-time Scan File ADW_IMISERV.C C:\WINDOWS\systb.dll Deny Access
21:11 Real-time Scan File ADW_IMISERV.C C:\WINDOWS\systb.dll Deny Access
21:12 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
21:13 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
21:21 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success
21:21 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success
21:27 Real-time Scan File ADW_IMISERV.C C:\WINDOWS\systb.dll Deny Access
21:27 Real-time Scan File ADW_IMISERV.C C:\WINDOWS\systb.dll Deny Access
21:28 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
21:43 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
21:43 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
21:50 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success
21:50 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success
22:07 Manual Scan File TROJ_AGENT.NP C:\WINDOWS\appcf32.exe Quarantine Success
22:09 Manual Scan File TROJ_AGENT.NP C:\WINDOWS\mfcsz32.exe Quarantine Success
22:10 Manual Scan File TROJ_DLOADER.LZ C:\WINDOWS\sdkox.exe Quarantine Success
22:11 Manual Scan File TROJ_AGENT.NP C:\WINDOWS\system32\apiky.exe Quarantine Success
22:21 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
22:27 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
22:30 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:02 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:05 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:21 Real-time Scan File ADW_BARGBUDDY.D C:\WINDOWS\system32\mscb.dll (C:\WINDOWS\system32\psis80ex.ax) Deny Access
23:21 Real-time Scan File ADW_BB.B C:\Program Files\CashBack\bin\flash.exe (C:\WINDOWS\system32\psis80ex.ax) Deny Access
23:21 Real-time Scan File --- C:\WINDOWS\system32\psis80ex.ax Deny Access
23:21 Real-time Scan File SPYW_WTANGENT.A C:\WINDOWS\wt\wtvh.dll Deny Access
23:21 Real-time Scan File SPYW_WTANGENT.A C:\WINDOWS\wt\wtvh.dll Deny Access
23:29 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:30 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:31 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:32 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:33 Real-time Scan File TROJ_BUDDY.F C:\WINDOWS\axsxsipxgk.exe Quarantine Success
23:37 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success
23:38 Real-time Scan File TROJ_STERVIS.C C:\WINDOWS\svcproc.exe Quarantine Success

#3 Kat (Retired Staff, MVP, 19,711 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.