View Full Version : Can't remove virtumonde and virtumonde.generic
Nightb1ade
2008-12-14, 21:02
Hi, I've run HjT and combofix (which i didn't realize i shouldn't have). I'll post both log files. I'm new at this so please bear with me.
I ran the combofix first but heres the HJT
Logfile of HijackThis v1.99.1
Scan saved at 2:03:32 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Caitlin\Desktop\Mr. Mike\HiJackThis\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mlJcaXpp.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: mlJcaXpp - C:\WINDOWS\SYSTEM32\mlJcaXpp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Nightb1ade
2008-12-14, 21:04
and here is combofix log
ComboFix 08-12-13.03 - Caitlin 2008-12-14 3:21:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.250 [GMT -6:00]
Running from: c:\documents and settings\Caitlin\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Caitlin\Application Data\gadcom
c:\documents and settings\Caitlin\Application Data\gadcom\gadcom.exe
c:\documents and settings\Caitlin\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\windows\system32\~.exe
c:\windows\system32\KjmmlUvw.ini
c:\windows\system32\KjmmlUvw.ini2
c:\windows\system32\ljJCvTjk.dll
c:\windows\system32\wl.exe
c:\windows\system32\wpv241229210867.cpx
c:\windows\system32\wvUlmmjK.dll
c:\windows\Tasks\lvrpogvj.job
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-13 23:30 . 2008-12-13 23:30 <DIR> d-------- c:\documents and settings\Administrator
2008-12-13 20:15 . 2008-12-13 20:16 34,816 --a------ c:\windows\system32\mlJcaXpp.dll
2008-11-24 18:16 . 2008-12-11 19:37 <DIR> d-------- c:\documents and settings\Caitlin\Application Data\U3
2008-11-20 21:33 . 2008-11-20 21:33 0 --a------ c:\windows\EEventManager.INI
2008-11-17 00:38 . 2008-11-17 00:38 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-17 00:38 . 2008-11-17 00:38 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 07:15 --------- d-----w c:\documents and settings\Caitlin\Application Data\BitTorrent
2008-12-14 03:57 --------- d-----w c:\documents and settings\Caitlin\Application Data\AVG7
2008-12-13 18:39 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-13 14:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\AVG7
2008-12-13 05:47 --------- d-----w c:\documents and settings\Caitlin\Application Data\AdobeUM
2008-12-03 21:40 --------- d-----w c:\program files\iPod
2008-12-03 14:00 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-23 16:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 06:38 --------- d-----w c:\program files\Java
2008-11-17 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2008-11-17 06:25 --------- d-----w c:\documents and settings\Caitlin\Application Data\Arcsoft
2008-11-13 17:11 --------- d-----w c:\documents and settings\Caitlin\Application Data\EPSON
2008-11-09 20:00 --------- d-----w c:\documents and settings\Caitlin\Application Data\Leadertech
2008-11-09 19:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 19:57 --------- d-----w c:\program files\EpsonNet
2008-11-09 19:57 --------- d-----w c:\program files\Common Files\EPSON
2008-11-09 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-11-09 19:50 --------- d-----w c:\program files\EPSON
2008-11-09 19:50 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2008-11-09 19:48 --------- d-----w c:\program files\Common Files\ArcSoft
2008-11-09 19:48 --------- d-----w c:\program files\ArcSoft
2008-11-09 19:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-09 19:45 --------- d-----w c:\program files\Epson Software
2008-11-09 19:42 --------- d-----w c:\documents and settings\Caitlin\Application Data\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2005-12-17 17:57 32 -c--a-r c:\documents and settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-13 20:16 34816 --a------ c:\windows\system32\mlJcaXpp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-30 28672]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-17 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"nwiz"="nwiz.exe" [2004-09-16 c:\windows\system32\nwiz.exe]
"Dit"="Dit.exe" [2002-08-28 c:\windows\Dit.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-19 113664]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-07-24 114688]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\mlJcaXpp.dll" [2008-12-13 34816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJcaXpp]
2008-12-13 20:16 34816 c:\windows\system32\mlJcaXpp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Caitlin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Caitlin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Caitlin^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Caitlin\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2005-01-01 21:03 684032 c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-09-16 14:39 4554752 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-09-16 14:39 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
-----c--- 2003-12-17 09:50 19968 c:\windows\LOGI_MWX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2003-04-24 16:53 54784 c:\windows\SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df602f39-c25a-11d9-a847-0010dcd9dcfd}]
\Shell\AutoRun\command - JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-14 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Caitlin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-03 11:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0F940102-B95E-4EB0-9B59-E2E9D09E475A} - (no file)
BHO-{3F6C6239-2596-495E-A2AA-E118F46A0C2D} - (no file)
BHO-{426EB2D2-FA42-43A3-A22C-DAB9253B846C} - (no file)
BHO-{45B48326-4951-4C04-AEE6-B2AF8AF94D86} - (no file)
BHO-{C7F6FD1E-DB14-4D62-9CF6-07BA04F3545C} - c:\windows\system32\wvUlmmjK.dll
BHO-{CB79393F-8006-4175-A9C7-1275A16EC25A} - (no file)
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Caitlin\Application Data\Mozilla\Firefox\Profiles\tye0cc2v.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.louisiana.edu:8088/uPortal/
FF - plugin: c:\documents and settings\Caitlin\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 03:24:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run?inst?HLP?Z???????Z???Z???????????????????Z???Z?G?????Z$??????Z????????????S??Z????????m??Z???w????(???{??w???w???????w???w???Z????????d???b6?Z%??Z???Z????"??ZA??Z???Z.??wZ??Z?3?Z?3?Z????st.I???????Z????d???0=?Z?K?Z
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\mlJcaXpp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\DitExp.exe
.
**************************************************************************
.
Completion time: 2008-12-14 3:27:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 09:27:19
Pre-Run: 44,781,445,120 bytes free
Post-Run: 44,721,008,640 bytes free
187 --- E O F --- 2008-12-12 09:02:48
Nightb1ade
2008-12-15, 03:59
Hi,
Sorry I became impatient and used various other sources to remove everything. I think I've got it completely cured but I would like cleanup instructions just to be on the safe side. Here is my last hjt log.
HijackThis v1.99.1
Scan saved at 9:09:47 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Caitlin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Caitlin\Desktop\Mr. Mike\HiJackThis\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe