Ok, that was rough - here are all the logs
-I couldn't download LQfix - link didn't work
-There was no 04 with the lonely " r" at the end
-SurfSideKick was really hard to uninstall - I think I got it in the end - but not positive
-Couldn't locate the "System Startup Service" in services.msc so I didn't do those two parts - doesn't seem to exist
-Thanks for all the help!!!
AB Log file
AboutBuster 5.0 reference file 31
Scan started on [9/2/2005] at [4:52:55 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Q814995.log:bjbknj
Removed Stream! C:\WINDOWS\_default.pif:avpovd
Removed Stream! C:\WINDOWS\_default.pif:lpsyrq
------------------------------------------------
Removed File! : C:\Windows\System32\qtugc.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:53:13 PM
__________________________________________________________________
Spsehjfix log file
(9/2/05 4:54:30 PM) SPSeHjFix started v1.1.2
(9/2/05 4:54:30 PM) OS: WinXP Service Pack 1 (5.1.2600)
(9/2/05 4:54:30 PM) Language: english
(9/2/05 4:54:30 PM) Win-Path: C:\WINDOWS
(9/2/05 4:54:30 PM) System-Path: C:\WINDOWS\System32
(9/2/05 4:54:30 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(9/2/05 4:54:35 PM) Disinfection started
(9/2/05 4:54:35 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:35 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:35 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:35 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\vpeii.dll/sp.html#10001
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
(9/2/05 4:54:35 PM) Stealth-String not found
(9/2/05 4:54:35 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) Bad IE-pages: (none)
(9/2/05 4:54:46 PM) Stealth-String not found
(9/2/05 4:54:46 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:46 PM) Bad IE-pages: (none)
(9/2/05 4:54:46 PM) Stealth-String not found
(9/2/05 4:54:46 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:46 PM) Disinfection started
(9/2/05 4:54:46 PM) Bad-Dll(IEP): c:\windows\vpeii.dll
(9/2/05 4:54:47 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:47 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:47 PM) Bad IE-pages: (none)
(9/2/05 4:54:47 PM) Stealth-String not found
(9/2/05 4:54:47 PM) No locked Files to delete. End without Reboot
(9/2/05 4:54:54 PM) SPSeHjFix started v1.1.2
(9/2/05 4:54:54 PM) OS: WinXP Service Pack 1 (5.1.2600)
(9/2/05 4:54:54 PM) Language: english
(9/2/05 4:54:54 PM) Win-Path: C:\WINDOWS
(9/2/05 4:54:54 PM) System-Path: C:\WINDOWS\System32
(9/2/05 4:54:54 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(9/2/05 4:54:55 PM) Disinfection started
(9/2/05 4:54:55 PM) Bad-Dll(IEP): (not found)
(9/2/05 4:54:55 PM) Bad-Dll(IEP) in BHO: (not found)
(9/2/05 4:54:55 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:55 PM) UBF: 8 - UBB: 2 - UBR: 13
(9/2/05 4:54:55 PM) Bad IE-pages: (none)
(9/2/05 4:54:55 PM) Stealth-String not found
(9/2/05 4:54:55 PM) Not infected->END
________________________________________________________________
L2MFix log file
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
[email protected]
Killing PID 1284 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
[email protected]
Killing PID 1316 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\bec42d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bec42d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dAdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dAdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iEssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iEssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrdmo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okexl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okexl32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smbiop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smbiop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjspdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\bec42d.dll
Successfully Deleted: C:\WINDOWS\system32\bec42d.dll
deleting: C:\WINDOWS\system32\bec42d.dll
Successfully Deleted: C:\WINDOWS\system32\bec42d.dll
deleting: C:\WINDOWS\system32\dAdim.dll
Successfully Deleted: C:\WINDOWS\system32\dAdim.dll
deleting: C:\WINDOWS\system32\dAdim.dll
Successfully Deleted: C:\WINDOWS\system32\dAdim.dll
deleting: C:\WINDOWS\system32\dgutil.dll
Successfully Deleted: C:\WINDOWS\system32\dgutil.dll
deleting: C:\WINDOWS\system32\dgutil.dll
Successfully Deleted: C:\WINDOWS\system32\dgutil.dll
deleting: C:\WINDOWS\system32\iEssam.dll
Successfully Deleted: C:\WINDOWS\system32\iEssam.dll
deleting: C:\WINDOWS\system32\iEssam.dll
Successfully Deleted: C:\WINDOWS\system32\iEssam.dll
deleting: C:\WINDOWS\system32\mrdmo.dll
Successfully Deleted: C:\WINDOWS\system32\mrdmo.dll
deleting: C:\WINDOWS\system32\mrdmo.dll
Successfully Deleted: C:\WINDOWS\system32\mrdmo.dll
deleting: C:\WINDOWS\system32\okexl32.dll
Successfully Deleted: C:\WINDOWS\system32\okexl32.dll
deleting: C:\WINDOWS\system32\okexl32.dll
Successfully Deleted: C:\WINDOWS\system32\okexl32.dll
deleting: C:\WINDOWS\system32\smbiop.dll
Successfully Deleted: C:\WINDOWS\system32\smbiop.dll
deleting: C:\WINDOWS\system32\smbiop.dll
Successfully Deleted: C:\WINDOWS\system32\smbiop.dll
deleting: C:\WINDOWS\system32\wjspdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wjspdmoe.dll
deleting: C:\WINDOWS\system32\wjspdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wjspdmoe.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Zipping up files for submission:
adding: bec42d.dll (188 bytes security) (deflated 48%)
adding: dAdim.dll (188 bytes security) (deflated 48%)
adding: dgutil.dll (188 bytes security) (deflated 48%)
adding: iEssam.dll (188 bytes security) (deflated 48%)
adding: mrdmo.dll (188 bytes security) (deflated 48%)
adding: okexl32.dll (188 bytes security) (deflated 48%)
adding: smbiop.dll (188 bytes security) (deflated 48%)
adding: wjspdmoe.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 46%)
adding: lo2.txt (188 bytes security) (deflated 86%)
adding: test.txt (188 bytes security) (deflated 85%)
adding: test2.txt (188 bytes security) (deflated 27%)
adding: test3.txt (188 bytes security) (deflated 27%)
adding: test5.txt (188 bytes security) (deflated 27%)
adding: vx2logs.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 82%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
deleting local copy: bec42d.dll
deleting local copy: bec42d.dll
deleting local copy: dAdim.dll
deleting local copy: dAdim.dll
deleting local copy: dgutil.dll
deleting local copy: dgutil.dll
deleting local copy: iEssam.dll
deleting local copy: iEssam.dll
deleting local copy: mrdmo.dll
deleting local copy: mrdmo.dll
deleting local copy: okexl32.dll
deleting local copy: okexl32.dll
deleting local copy: smbiop.dll
deleting local copy: smbiop.dll
deleting local copy: wjspdmoe.dll
deleting local copy: wjspdmoe.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bec42d.dll
C:\WINDOWS\system32\bec42d.dll
C:\WINDOWS\system32\dAdim.dll
C:\WINDOWS\system32\dAdim.dll
C:\WINDOWS\system32\dgutil.dll
C:\WINDOWS\system32\dgutil.dll
C:\WINDOWS\system32\iEssam.dll
C:\WINDOWS\system32\iEssam.dll
C:\WINDOWS\system32\mrdmo.dll
C:\WINDOWS\system32\mrdmo.dll
C:\WINDOWS\system32\okexl32.dll
C:\WINDOWS\system32\okexl32.dll
C:\WINDOWS\system32\smbiop.dll
C:\WINDOWS\system32\smbiop.dll
C:\WINDOWS\system32\wjspdmoe.dll
C:\WINDOWS\system32\wjspdmoe.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CE05AA2B-DD3D-4AF8-968B-7B3E2EF5E4FD}"=-
"{931AB084-368F-4F5A-AF1F-1A86CB26ACFB}"=-
"{5AEA2036-6F89-4F72-80AE-A46A2C6E9666}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CE05AA2B-DD3D-4AF8-968B-7B3E2EF5E4FD}]
[-HKEY_CLASSES_ROOT\CLSID\{931AB084-368F-4F5A-AF1F-1A86CB26ACFB}]
[-HKEY_CLASSES_ROOT\CLSID\{5AEA2036-6F89-4F72-80AE-A46A2C6E9666}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
_________________________________________________________________
HJT log file
Logfile of HijackThis v1.99.1
Scan saved at 5:42:02 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {8F8E2623-7A34-4C70-A7AD-BC65C07865FC} - C:\WINDOWS\System32\ebgvw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125256244468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\izgyhbe.exe (file missing)