Ok, here you go:
L2Mfix 1.02
Running From:
C:\Documents and Settings\krysztopikm\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\krysztopikm\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\krysztopikm\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 260 'explorer.exe'
Killing PID 260 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]Killing PID 784 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\czc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\denhupnp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dqnput.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fRxroute.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jt2007fme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\k244lchq1f4e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l04q0ah5ed4.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mwmdd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wahisn.dll
1 file(s) copied.
deleting: C:\WINNT\system32\czc.dll
Successfully Deleted: C:\WINNT\system32\czc.dll
deleting: C:\WINNT\system32\denhupnp.dll
Successfully Deleted: C:\WINNT\system32\denhupnp.dll
deleting: C:\WINNT\system32\dqnput.dll
Successfully Deleted: C:\WINNT\system32\dqnput.dll
deleting: C:\WINNT\system32\fRxroute.dll
Successfully Deleted: C:\WINNT\system32\fRxroute.dll
deleting: C:\WINNT\system32\jt2007fme.dll
Successfully Deleted: C:\WINNT\system32\jt2007fme.dll
deleting: C:\WINNT\system32\k244lchq1f4e.dll
Successfully Deleted: C:\WINNT\system32\k244lchq1f4e.dll
deleting: C:\WINNT\system32\l04q0ah5ed4.dll
Successfully Deleted: C:\WINNT\system32\l04q0ah5ed4.dll
deleting: C:\WINNT\system32\mwmdd.dll
Successfully Deleted: C:\WINNT\system32\mwmdd.dll
deleting: C:\WINNT\system32\wahisn.dll
Successfully Deleted: C:\WINNT\system32\wahisn.dll
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: czc.dll (152 bytes security) (deflated 3%)
adding: denhupnp.dll (152 bytes security) (deflated 4%)
adding: dqnput.dll (152 bytes security) (deflated 4%)
adding: fRxroute.dll (152 bytes security) (deflated 4%)
adding: jt2007fme.dll (152 bytes security) (deflated 3%)
adding: k244lchq1f4e.dll (152 bytes security) (deflated 4%)
adding: l04q0ah5ed4.dll (152 bytes security) (deflated 4%)
adding: mwmdd.dll (152 bytes security) (deflated 5%)
adding: wahisn.dll (152 bytes security) (deflated 4%)
adding: cecho.reg (152 bytes security) (deflated 2%)
adding: clear.reg (152 bytes security) (deflated 69%)
adding: echo.reg (152 bytes security) (deflated 9%)
adding: desktop.ini (152 bytes security) (deflated 15%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 78%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 74%)
adding: test.txt (152 bytes security) (deflated 69%)
adding: test2.txt (152 bytes security) (deflated 48%)
adding: xfind.txt (152 bytes security) (deflated 62%)
adding: backregs/04FB7F67-778E-4DD7-953C-3674F0FAD406.reg (152 bytes security) (deflated 70%)
adding: backregs/2C78B38D-0997-4730-89E3-6EAE12317653.reg (152 bytes security) (deflated 70%)
adding: backregs/51F641E9-17C9-413B-8250-82EC98BFE5D6.reg (152 bytes security) (deflated 70%)
adding: backregs/52650568-1D1B-413D-9452-7DF2353776B0.reg (152 bytes security) (deflated 70%)
adding: backregs/571BB06E-7E51-4982-B006-ED56C4282BC2.reg (152 bytes security) (deflated 70%)
adding: backregs/6556CBEB-FB97-4F1C-92BE-6EC09207E77E.reg (152 bytes security) (deflated 70%)
adding: backregs/6ACCD3BE-8396-46BA-8EE6-B3B97246A33C.reg (152 bytes security) (deflated 70%)
adding: backregs/70156B48-A1B8-44BB-99CC-B8B3B51693EE.reg (152 bytes security) (deflated 70%)
adding: backregs/9538B45C-77D1-4F6A-BB9F-D5BEA40F4BB9.reg (152 bytes security) (deflated 70%)
adding: backregs/96D3E366-F680-416A-ADE2-36E8AD60AD57.reg (152 bytes security) (deflated 70%)
adding: backregs/B94D2F6D-3A6A-4726-A25E-E9646E6987A1.reg (152 bytes security) (deflated 70%)
adding: backregs/C0370ED7-B3AE-40FB-956D-AFCCE0486920.reg (152 bytes security) (deflated 70%)
adding: backregs/CBBB88E2-0407-40CF-9723-B680623437C4.reg (152 bytes security) (deflated 70%)
adding: backregs/D568B32D-573E-4F8E-9F48-6E3D82BD2588.reg (152 bytes security) (deflated 70%)
adding: backregs/D61826BE-16AD-47F3-BD1C-6BCCD4445A7D.reg (152 bytes security) (deflated 70%)
adding: backregs/EEDEEEAD-B6D9-46A3-A111-407495999D7E.reg (152 bytes security) (deflated 71%)
adding: backregs/EFBFDEAB-C2AF-42CB-A970-8662E9270341.reg (152 bytes security) (deflated 70%)
adding: backregs/FB3CF53A-D3FF-4F18-BA85-96CADE198E53.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: czc.dll
deleting local copy: denhupnp.dll
deleting local copy: dqnput.dll
deleting local copy: fRxroute.dll
deleting local copy: jt2007fme.dll
deleting local copy: k244lchq1f4e.dll
deleting local copy: l04q0ah5ed4.dll
deleting local copy: mwmdd.dll
deleting local copy: wahisn.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINNT\system32\czc.dll
C:\WINNT\system32\denhupnp.dll
C:\WINNT\system32\dqnput.dll
C:\WINNT\system32\fRxroute.dll
C:\WINNT\system32\jt2007fme.dll
C:\WINNT\system32\k244lchq1f4e.dll
C:\WINNT\system32\l04q0ah5ed4.dll
C:\WINNT\system32\mwmdd.dll
C:\WINNT\system32\wahisn.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6ACCD3BE-8396-46BA-8EE6-B3B97246A33C}"=-
"{EFBFDEAB-C2AF-42CB-A970-8662E9270341}"=-
"{96D3E366-F680-416A-ADE2-36E8AD60AD57}"=-
"{9538B45C-77D1-4F6A-BB9F-D5BEA40F4BB9}"=-
"{70156B48-A1B8-44BB-99CC-B8B3B51693EE}"=-
"{52650568-1D1B-413D-9452-7DF2353776B0}"=-
"{D61826BE-16AD-47F3-BD1C-6BCCD4445A7D}"=-
"{B94D2F6D-3A6A-4726-A25E-E9646E6987A1}"=-
"{2C78B38D-0997-4730-89E3-6EAE12317653}"=-
"{EEDEEEAD-B6D9-46A3-A111-407495999D7E}"=-
"{FB3CF53A-D3FF-4F18-BA85-96CADE198E53}"=-
"{51F641E9-17C9-413B-8250-82EC98BFE5D6}"=-
"{C0370ED7-B3AE-40FB-956D-AFCCE0486920}"=-
"{CBBB88E2-0407-40CF-9723-B680623437C4}"=-
"{D568B32D-573E-4F8E-9F48-6E3D82BD2588}"=-
"{04FB7F67-778E-4DD7-953C-3674F0FAD406}"=-
"{571BB06E-7E51-4982-B006-ED56C4282BC2}"=-
"{6556CBEB-FB97-4F1C-92BE-6EC09207E77E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6ACCD3BE-8396-46BA-8EE6-B3B97246A33C}]
[-HKEY_CLASSES_ROOT\CLSID\{EFBFDEAB-C2AF-42CB-A970-8662E9270341}]
[-HKEY_CLASSES_ROOT\CLSID\{96D3E366-F680-416A-ADE2-36E8AD60AD57}]
[-HKEY_CLASSES_ROOT\CLSID\{9538B45C-77D1-4F6A-BB9F-D5BEA40F4BB9}]
[-HKEY_CLASSES_ROOT\CLSID\{70156B48-A1B8-44BB-99CC-B8B3B51693EE}]
[-HKEY_CLASSES_ROOT\CLSID\{52650568-1D1B-413D-9452-7DF2353776B0}]
[-HKEY_CLASSES_ROOT\CLSID\{D61826BE-16AD-47F3-BD1C-6BCCD4445A7D}]
[-HKEY_CLASSES_ROOT\CLSID\{B94D2F6D-3A6A-4726-A25E-E9646E6987A1}]
[-HKEY_CLASSES_ROOT\CLSID\{2C78B38D-0997-4730-89E3-6EAE12317653}]
[-HKEY_CLASSES_ROOT\CLSID\{EEDEEEAD-B6D9-46A3-A111-407495999D7E}]
[-HKEY_CLASSES_ROOT\CLSID\{FB3CF53A-D3FF-4F18-BA85-96CADE198E53}]
[-HKEY_CLASSES_ROOT\CLSID\{51F641E9-17C9-413B-8250-82EC98BFE5D6}]
[-HKEY_CLASSES_ROOT\CLSID\{C0370ED7-B3AE-40FB-956D-AFCCE0486920}]
[-HKEY_CLASSES_ROOT\CLSID\{CBBB88E2-0407-40CF-9723-B680623437C4}]
[-HKEY_CLASSES_ROOT\CLSID\{D568B32D-573E-4F8E-9F48-6E3D82BD2588}]
[-HKEY_CLASSES_ROOT\CLSID\{04FB7F67-778E-4DD7-953C-3674F0FAD406}]
[-HKEY_CLASSES_ROOT\CLSID\{571BB06E-7E51-4982-B006-ED56C4282BC2}]
[-HKEY_CLASSES_ROOT\CLSID\{6556CBEB-FB97-4F1C-92BE-6EC09207E77E}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{349D1F55-3C0C-4A52-8301-F1772D0729AB}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{349D1F55-3C0C-4A52-8301-F1772D0729AB}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************
And for the hijack this log:
Logfile of HijackThis v1.99.0
Scan saved at 12:03:06 PM, on 1/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
c:\program files\mobile automation\marchost.exe
c:\program files\mobile automation\rstate.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\wiwgoo.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchmiracle.com/sp.phpR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.refdesk.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Euppgday] C:\Program Files\Gawq\Kcshw.exe
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [Live Support Host] "c:\program files\mobile automation\marchost.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvcln32.exe
O4 - HKLM\..\Run: [Mobile Automation Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone:
http://*.windowsupdate.comO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kpt.nuwc.navy.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kpt.nuwc.navy.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kpt.nuwc.navy.mil
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Live Support Host - Mobile Automation, Inc. - c:\program files\mobile automation\marchost.exe
O23 - Service: Mobile Automation Agent - Mobile Automation, Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Thank you...