Thanks. These are the contents of the log.
L2mfix 010406
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 456 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 552 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1888 'explorer.exe'
Killing PID 1888 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1088 'rundll32.exe'
Killing PID 980 'rundll32.exe'
Killing PID 2168 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\hr0s05d7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr0s05d7e.dll
Deleting: C:\WINDOWS\system32\jt2607fse.dll
Successfully Deleted: C:\WINDOWS\system32\jt2607fse.dll
Deleting: C:\WINDOWS\system32\suarddlg.dll
Successfully Deleted: C:\WINDOWS\system32\suarddlg.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt2607fse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hr0s05d7e.dll
C:\WINDOWS\system32\jt2607fse.dll
C:\WINDOWS\system32\suarddlg.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}\InprocServer32]
@="C:\\WINDOWS\\system32\\cRtsrvut.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}\InprocServer32]
@="C:\\WINDOWS\\system32\\vxrsion.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wchnetbs.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}\InprocServer32]
@="C:\\WINDOWS\\system32\\oobctrac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}\InprocServer32]
@="C:\\WINDOWS\\system32\\nfrsru.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}\InprocServer32]
@="C:\\WINDOWS\\system32\\suarddlg.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\MHC42ENU.DLL"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6B2866BE-51CB-4270-B6A0-B027E080BD57}"=-
"{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}"=-
"{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}"=-
"{329D0982-80F3-44D1-B4F3-E6B5506E97E6}"=-
"{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}"=-
"{6A8E59D0-805B-494B-B1BE-B1423F37A07C}"=-
"{282DA37F-23DB-4589-BB03-B76C52707C6C}"=-
"{CB2599AD-690C-49E4-B441-739EB8E915ED}"=-
"{B673590E-07AD-4105-ABAA-662396039C80}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6B2866BE-51CB-4270-B6A0-B027E080BD57}]
[-HKEY_CLASSES_ROOT\CLSID\{E1029A4A-BEFF-43A0-B5D8-AC552CF19E87}]
[-HKEY_CLASSES_ROOT\CLSID\{6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D}]
[-HKEY_CLASSES_ROOT\CLSID\{329D0982-80F3-44D1-B4F3-E6B5506E97E6}]
[-HKEY_CLASSES_ROOT\CLSID\{9E989F24-A114-4C25-B3EB-18E5F9DA60A0}]
[-HKEY_CLASSES_ROOT\CLSID\{6A8E59D0-805B-494B-B1BE-B1423F37A07C}]
[-HKEY_CLASSES_ROOT\CLSID\{282DA37F-23DB-4589-BB03-B76C52707C6C}]
[-HKEY_CLASSES_ROOT\CLSID\{CB2599AD-690C-49E4-B441-739EB8E915ED}]
[-HKEY_CLASSES_ROOT\CLSID\{B673590E-07AD-4105-ABAA-662396039C80}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/hr0s05d7e.dll (188 bytes security) (deflated 5%)
adding: dlls/jt2607fse.dll (188 bytes security) (deflated 4%)
adding: dlls/suarddlg.dll (188 bytes security) (deflated 4%)
adding: backregs/282DA37F-23DB-4589-BB03-B76C52707C6C.reg (212 bytes security) (deflated 70%)
adding: backregs/329D0982-80F3-44D1-B4F3-E6B5506E97E6.reg (212 bytes security) (deflated 70%)
adding: backregs/6A8E59D0-805B-494B-B1BE-B1423F37A07C.reg (212 bytes security) (deflated 70%)
adding: backregs/6B2866BE-51CB-4270-B6A0-B027E080BD57.reg (212 bytes security) (deflated 69%)
adding: backregs/6B8F61C8-5BE9-4408-89AF-FC3CA8F2C71D.reg (212 bytes security) (deflated 70%)
adding: backregs/9E989F24-A114-4C25-B3EB-18E5F9DA60A0.reg (212 bytes security) (deflated 70%)
adding: backregs/B673590E-07AD-4105-ABAA-662396039C80.reg (212 bytes security) (deflated 70%)
adding: backregs/CB2599AD-690C-49E4-B441-739EB8E915ED.reg (212 bytes security) (deflated 70%)
adding: backregs/E1029A4A-BEFF-43A0-B5D8-AC552CF19E87.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 87%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)
And the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:20:13, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames9.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130192207765
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...08/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{760CEC75-2FC1-4673-AD49-C5CA9F7333EF}: NameServer = 158.152.1.58 158.152.1.43
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\jt2607fse.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe