Okay - First is the l2m and last but not least HJT
L2Mfix 1.02b
Running From:
C:\Documents and Settings\Mike Love\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Mike Love\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Mike Love\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
Killing PID 128 'explorer.exe'
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\AGTAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\asi2cqag.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azauli5918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CKWFLT32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\czintf210.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn2401fqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enpsl1771.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f6l02g3mg6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fn2021fmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpns0357e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g4jo0e13eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8jqli1518.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j02q0af5ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt84l7lq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q8nuli5918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qaery.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sivsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spnsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ump10.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\AGTAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\AGTAPI.DLL
deleting: C:\WINDOWS\system32\asi2cqag.dll
Successfully Deleted: C:\WINDOWS\system32\asi2cqag.dll
deleting: C:\WINDOWS\system32\azauli5918.dll
Successfully Deleted: C:\WINDOWS\system32\azauli5918.dll
deleting: C:\WINDOWS\system32\CKWFLT32.DLL
Successfully Deleted: C:\WINDOWS\system32\CKWFLT32.DLL
deleting: C:\WINDOWS\system32\czintf210.dll
Successfully Deleted: C:\WINDOWS\system32\czintf210.dll
deleting: C:\WINDOWS\system32\dn2401fqe.dll
Successfully Deleted: C:\WINDOWS\system32\dn2401fqe.dll
deleting: C:\WINDOWS\system32\enpsl1771.dll
Successfully Deleted: C:\WINDOWS\system32\enpsl1771.dll
deleting: C:\WINDOWS\system32\f6l02g3mg6.dll
Successfully Deleted: C:\WINDOWS\system32\f6l02g3mg6.dll
deleting: C:\WINDOWS\system32\fn2021fmg.dll
Successfully Deleted: C:\WINDOWS\system32\fn2021fmg.dll
deleting: C:\WINDOWS\system32\fpns0357e.dll
Successfully Deleted: C:\WINDOWS\system32\fpns0357e.dll
deleting: C:\WINDOWS\system32\g4jo0e13eh.dll
Successfully Deleted: C:\WINDOWS\system32\g4jo0e13eh.dll
deleting: C:\WINDOWS\system32\i8jqli1518.dll
Successfully Deleted: C:\WINDOWS\system32\i8jqli1518.dll
deleting: C:\WINDOWS\system32\j02q0af5ed2.dll
Successfully Deleted: C:\WINDOWS\system32\j02q0af5ed2.dll
deleting: C:\WINDOWS\system32\kt84l7lq1.dll
Successfully Deleted: C:\WINDOWS\system32\kt84l7lq1.dll
deleting: C:\WINDOWS\system32\q8nuli5918.dll
Successfully Deleted: C:\WINDOWS\system32\q8nuli5918.dll
deleting: C:\WINDOWS\system32\qaery.dll
Successfully Deleted: C:\WINDOWS\system32\qaery.dll
deleting: C:\WINDOWS\system32\sivsvc.dll
Successfully Deleted: C:\WINDOWS\system32\sivsvc.dll
deleting: C:\WINDOWS\system32\spnsapi.dll
Successfully Deleted: C:\WINDOWS\system32\spnsapi.dll
deleting: C:\WINDOWS\system32\ump10.dll
Successfully Deleted: C:\WINDOWS\system32\ump10.dll
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: AGTAPI.DLL (164 bytes security) (deflated 6%)
adding: asi2cqag.dll (164 bytes security) (deflated 5%)
adding: azauli5918.dll (164 bytes security) (deflated 5%)
adding: CKWFLT32.DLL (164 bytes security) (deflated 4%)
adding: czintf210.dll (164 bytes security) (deflated 5%)
adding: dn2401fqe.dll (164 bytes security) (deflated 5%)
adding: enpsl1771.dll (164 bytes security) (deflated 6%)
adding: f6l02g3mg6.dll (164 bytes security) (deflated 5%)
adding: fn2021fmg.dll (164 bytes security) (deflated 5%)
adding: fpns0357e.dll (164 bytes security) (deflated 5%)
adding: g4jo0e13eh.dll (164 bytes security) (deflated 5%)
adding: i8jqli1518.dll (164 bytes security) (deflated 4%)
adding: j02q0af5ed2.dll (164 bytes security) (deflated 4%)
adding: kt84l7lq1.dll (164 bytes security) (deflated 5%)
adding: q8nuli5918.dll (164 bytes security) (deflated 5%)
adding: qaery.dll (164 bytes security) (deflated 6%)
adding: sivsvc.dll (164 bytes security) (deflated 5%)
adding: spnsapi.dll (164 bytes security) (deflated 5%)
adding: ump10.dll (164 bytes security) (deflated 6%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 76%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 70%)
adding: backregs/6145838F-0075-4763-BFE2-A0F60045A47B.reg (164 bytes security) (deflated 69%)
adding: backregs/69971A88-BE4F-430C-A046-CD9433C489B4.reg (164 bytes security) (deflated 69%)
adding: backregs/8217E7AD-2ACC-46CD-9932-E276F226B8B4.reg (164 bytes security) (deflated 69%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
Revoking access for really "Everyone"
Registry permissions set too:
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: AGTAPI.DLL
deleting local copy: asi2cqag.dll
deleting local copy: azauli5918.dll
deleting local copy: CKWFLT32.DLL
deleting local copy: czintf210.dll
deleting local copy: dn2401fqe.dll
deleting local copy: enpsl1771.dll
deleting local copy: f6l02g3mg6.dll
deleting local copy: fn2021fmg.dll
deleting local copy: fpns0357e.dll
deleting local copy: g4jo0e13eh.dll
deleting local copy: i8jqli1518.dll
deleting local copy: j02q0af5ed2.dll
deleting local copy: kt84l7lq1.dll
deleting local copy: q8nuli5918.dll
deleting local copy: qaery.dll
deleting local copy: sivsvc.dll
deleting local copy: spnsapi.dll
deleting local copy: ump10.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\AGTAPI.DLL
C:\WINDOWS\system32\asi2cqag.dll
C:\WINDOWS\system32\azauli5918.dll
C:\WINDOWS\system32\CKWFLT32.DLL
C:\WINDOWS\system32\czintf210.dll
C:\WINDOWS\system32\dn2401fqe.dll
C:\WINDOWS\system32\enpsl1771.dll
C:\WINDOWS\system32\f6l02g3mg6.dll
C:\WINDOWS\system32\fn2021fmg.dll
C:\WINDOWS\system32\fpns0357e.dll
C:\WINDOWS\system32\g4jo0e13eh.dll
C:\WINDOWS\system32\i8jqli1518.dll
C:\WINDOWS\system32\j02q0af5ed2.dll
C:\WINDOWS\system32\kt84l7lq1.dll
C:\WINDOWS\system32\q8nuli5918.dll
C:\WINDOWS\system32\qaery.dll
C:\WINDOWS\system32\sivsvc.dll
C:\WINDOWS\system32\spnsapi.dll
C:\WINDOWS\system32\ump10.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{69971A88-BE4F-430C-A046-CD9433C489B4}"=-
"{8217E7AD-2ACC-46CD-9932-E276F226B8B4}"=-
"{6145838F-0075-4763-BFE2-A0F60045A47B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{69971A88-BE4F-430C-A046-CD9433C489B4}]
[-HKEY_CLASSES_ROOT\CLSID\{8217E7AD-2ACC-46CD-9932-E276F226B8B4}]
[-HKEY_CLASSES_ROOT\CLSID\{6145838F-0075-4763-BFE2-A0F60045A47B}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF448F1C-69AD-4096-B946-FD94935A37DD}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{FF448F1C-69AD-4096-B946-FD94935A37DD}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 4:36:35 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VISTAVISION\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\ati2dvag.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system\qqchcmrw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\isrvs\ceres.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [5881ac371b9b] C:\WINDOWS\system32\ati2dvag.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe