winmsd.exe & startup items


Naval_Aviator

ran winmsd to see what was in startup
just curiosity
and found the following two items (flagged with ^^^^^^^^^^)
i hunted them down and they do NOT exist on this system
tried to delete the registry keys and the moment regedit closes they
are back
comments welcome

Program                    Command                                                              User Name            Location
AWMON                      "c:\program files\lavasoft\ad-aware se professional\ad-watch.exe"   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ad-Watch SE Professional   c:\progra~1\lavasoft\ad-awa~2\ad-watch.exe                          All Users            Common Startup
Adobe Gamma Loader         c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe                    All Users            Common Startup
Adobe Reader Speed Launch  e:\progra~1\adobe\acroba~1.0\reader\reader~1.exe                    All Users            Common Startup
CoolSwitch                 c:\windows\system32\taskswitch.exe                                  All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DiskeeperSystray           "d:\program files\diskeeper\dkicon.exe"                             All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FastUser                   c:\windows\system32\fast.exe                                        All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GhostStartTrayApp          d:\program files\symantec\norton ghost 2003\ghoststarttrayapp.exe   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logitech Utility           logi_mwx.exe                                                        All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftOffice            microsoftoffice.hta                                                 All Users            Common Startup
NeroFilterCheck            c:\windows\system32\nerocheck.exe                                   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PopUpStopperProfessional   "d:\progra~1\pop-up~1\popups~1.exe"                                 STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
RoxioDragToDisc            "d:\program files\roxio\easy cd creator 6\dragtodisc\drgtodsc.exe"  All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RoxioEngineUtility         "c:\program files\common files\roxio shared\system\engutil.exe"     All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpyHunter                  c:\program files\enigma software group\spyhunter\spyhunter.exe      All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   <--------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SpybotSD TeaTimer          d:\program files\spybot - search & destroy\teatimer.exe             STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp                      "c:\program files\common files\symantec shared\ccapp.exe"           All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe                 c:\windows\system32\ctfmon.exe                                      STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop                    desktop.ini                                                         NT AUTHORITY\SYSTEM  Startup
desktop                    desktop.ini                                                         STANTON01\Stanton    Startup
desktop                    desktop.ini                                                         .DEFAULT             Startup
desktop                    desktop.ini                                                         All Users            Common Startup
pgaccount                  e:\progra~1\proces~1\pgacco~1.exe                                   All Users            Common Startup
vptray                     d:\progra~1\symant~1\vptray.exe                                     All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 

Nepatsfan

ran winmsd to see what was in startup
just curiosity
and found the following two items (flagged with ^^^^^^^^^^)
i hunted them down and they do NOT exist on this system
tried to delete the registry keys and the moment regedit
closes they are back
comments welcome

Program                    Command                                                              User Name            Location
AWMON                      "c:\program files\lavasoft\ad-aware se professional\ad-watch.exe"   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ad-Watch SE Professional   c:\progra~1\lavasoft\ad-awa~2\ad-watch.exe                          All Users            Common Startup
Adobe Gamma Loader         c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe                    All Users            Common Startup
Adobe Reader Speed Launch  e:\progra~1\adobe\acroba~1.0\reader\reader~1.exe                    All Users            Common Startup
CoolSwitch                 c:\windows\system32\taskswitch.exe                                  All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DiskeeperSystray           "d:\program files\diskeeper\dkicon.exe"                             All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FastUser                   c:\windows\system32\fast.exe                                        All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GhostStartTrayApp          d:\program files\symantec\norton ghost 2003\ghoststarttrayapp.exe   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logitech Utility           logi_mwx.exe                                                        All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftOffice            microsoftoffice.hta                                                 All Users            Common Startup
NeroFilterCheck            c:\windows\system32\nerocheck.exe                                   All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PopUpStopperProfessional   "d:\progra~1\pop-up~1\popups~1.exe"                                 STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
RoxioDragToDisc            "d:\program files\roxio\easy cd creator 6\dragtodisc\drgtodsc.exe"  All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RoxioEngineUtility         "c:\program files\common files\roxio shared\system\engutil.exe"     All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpyHunter                  c:\program files\enigma software group\spyhunter\spyhunter.exe      All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   <--------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SpybotSD TeaTimer          d:\program files\spybot - search & destroy\teatimer.exe             STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp                      "c:\program files\common files\symantec shared\ccapp.exe"           All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe                 c:\windows\system32\ctfmon.exe                                      STANTON01\Stanton    HKU\S-1-5-21-1085031214-2111687655-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop                    desktop.ini                                                         NT AUTHORITY\SYSTEM  Startup
desktop                    desktop.ini                                                         STANTON01\Stanton    Startup
desktop                    desktop.ini                                                         .DEFAULT             Startup
desktop                    desktop.ini                                                         All Users            Common Startup
pgaccount                  e:\progra~1\proces~1\pgacco~1.exe                                   All Users            Common Startup
vptray                     d:\progra~1\symant~1\vptray.exe                                     All Users            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Take a look here for more info on SpyHunter:

Note on Enigma SpyHunter:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note

The item on your startup list that is definitely suspicious is
this one:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftOffice microsoftoffice.hta

Have you run a scan lately with AdAware and Norton? If not,
make sure both applications are up-to-date and run a scan.

Next, you might want to visit some of the online virus scanners
and see what they find:

Run both the AntiVirus and the AntiSpyware scan on this site:
http://housecall.trendmicro.com/

Click on the Scan your PC button while holding down the CTRL
key (to override PopUpStopper):
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp?WWW_URL=www.mcafee.com/myapps/mfs/default.asp

Finally, go to this web site and download HijackThis:

HijackThis 1.99.1
http://www.merijn.org/files/hijackthis.zip

Run the program and save the log. There are a number of web
sites where HijackThis logs should be posted. Here are some of
the more popular ones:

CastleCops HijackThis Forum
http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

Aumha Forums - HijackThis Logs
http://forum.aumha.org/

HijackThis Logs and Analysis
http://www.bleepingcomputer.com/forums/HijackThis_Logs_and_Analysis-f22.html

HijackThis Logs and Spyware/Malware Removal
http://forums.tomcoyote.org/index.php?showforum=27

Spyware Warrior HijackThis Logs
http://spywarewarrior.com/viewforum.php?f=5

These forums are staffed by volunteers who have demonstrated
their ability to interpret these logs and provide safe and
helpful assistance. Also, the forums are moderated, adding a
degree of assurance that the advice given is valid. Please do
not post a HijackThis log on one of these newsgroups. You have
no assurance that the advice given would not make a bad
situation worse.
Good luck

Nepatsfan
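Two things in this thread are worth automating: the original poster found Run-key entries whose executables are not on disk, and the reply singles out a startup entry that launches an .hta file rather than a program. The PowerShell script below is an added example written for this page (it is not from either poster, from winmsd, or from any product named above). It reads the same autostart locations that winmsd's Startup Programs view lists (the HKLM/HKCU Run and RunOnce keys, which is where the HKU\S-1-5-21-... key in the listing comes from for the logged-on user, plus the per-user and All Users Startup folders), works out which file each entry launches, and reports entries whose file is missing or whose file is a script-host type such as .hta. The function names (Get-ImagePath, Resolve-ImagePath, New-Finding) and the list of script extensions are this example's own choices, not anything the thread or Windows defines.

```powershell
# Added example, not from the thread: enumerate the autostart locations that
# winmsd's "Startup Programs" view reads, work out which file each entry
# launches, and flag two conditions discussed above:
#   1. the launched file does not exist on disk (the poster's observation)
#   2. the entry launches a script-host file such as .hta instead of a program
# Read-only: it changes nothing. Run it from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # "All Users  Common Startup"
)
# Extensions handled by a script host rather than run as a native program
# (this list is the example's own choice).
$scriptExtensions = '.hta', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.bat', '.cmd', '.ps1'

function Get-ImagePath {
    # Extract the file a Run value launches from its command line.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first program/script extension. This
    # copes with unquoted paths that contain spaces ("...\norton ghost 2003\...exe").
    $extPattern = '\.(exe|com|scr|pif|' + (($scriptExtensions -replace '^\.', '') -join '|') + ')'
    if ($cmd -match ('^(?<image>.+?' + $extPattern + ')(\s|$)')) { return $Matches['image'] }
    return ($cmd -split '\s+')[0]
}

function Resolve-ImagePath {
    # Return the path if the file exists, or $null if it does not.
    param([string]$Image)
    if ([string]::IsNullOrWhiteSpace($Image)) { return $null }
    if ([System.IO.Path]::IsPathRooted($Image)) {
        if (Test-Path -LiteralPath $Image -PathType Leaf) { return $Image }
        return $null
    }
    # Bare file name (like "logi_mwx.exe" in the listing): Windows searches the
    # system directories and then PATH, so look in the same places.
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($dir in $dirs) {
        try { $candidate = Join-Path $dir $Image } catch { continue }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function New-Finding {
    # One row per autostart entry, with the two flags the thread cares about.
    param($Location, $Name, $Command, $Image)
    $resolved = Resolve-ImagePath $Image
    $ext = [System.IO.Path]::GetExtension($Image).ToLowerInvariant()
    [pscustomobject]@{
        Location   = $Location
        Name       = $Name
        Command    = $Command
        Exists     = [bool]$resolved
        ScriptHost = $scriptExtensions -contains $ext
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# Registry Run/RunOnce values: the value data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($valueName)
        $findings.Add((New-Finding $key $valueName $cmd (Get-ImagePath $cmd)))
    }
}

# Startup folders: a shortcut launches its target, any other file (for example
# microsoftoffice.hta in the listing) is opened by its own file-type handler.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($file in (Get-ChildItem -LiteralPath $folder -File -Force | Where-Object { $_.Name -ne 'desktop.ini' })) {
        $image = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
        $findings.Add((New-Finding $folder $file.Name $image $image))
    }
}

# Only the entries that deserve a second look.
$findings | Where-Object { -not $_.Exists -or $_.ScriptHost } |
    Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Short 8.3 paths such as c:\progra~1\... in the listing are valid paths, so Test-Path resolves them without any special handling. A shortcut whose target is a shell folder rather than a file will show Exists = False, so treat the output as a list to review rather than a verdict. If a flagged Run value reappears immediately after it is deleted, as the original poster describes, some running process is writing it back; note that both Spybot's TeaTimer and Ad-Watch SE appear in this listing and both monitor the Run keys and can refuse a change, which is worth ruling out before assuming the writer is malware.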
 
