Web pages opening automatically
   
BullGuard Antivirus Forum > Virus > Virus Questions > Web pages opening automatically  

sj
New Member


Date Joined Aug 2008
Total Posts : 13
 
Posted 9-9-2008 7:09 (GMT +1)
I am working with Win XP SP2. As soon as I am working on i-explorer, some unknown web pages get opened in the background, and the pages sometimes contain unknown IP addresses which I have never gone through or never opened. I am not sure whether they are spyware or something like that. But it causes a lot of irritation while working. Sometimes my mouse pointer gets stuck, and when I move the pointer here and there it moves in an abnormal way, just like moving in slow motion. I have scanned it through CCleaner, ComboFix and antispyware as suggested in the first post of this forum. Please help me resolve the issue. Please find the HJT, SUPERAntiSpyware and ComboFix logs below.
 
hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 10:50:36 AM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wgp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipmsg.exe
C:\WINDOWS\HPLiteSaver.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\TEMP\XDB90E.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hse.jg.ril.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.4.146.204:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ril.com;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5879994a] rundll32.exe "C:\WINDOWS\system32\okjhfaxd.dll",b
O4 - HKCU\..\Run: [FlyAway] Y:\EN\Fly.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ipmsg.exe
O4 - Global Startup: HPLiteSaver.lnk = C:\WINDOWS\HPLiteSaver.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partserver.de/partserver/viewer/cnsweb3d/cnsweb3d.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pdc_rpl2.jg.ril.com
O17 - HKLM\Software\..\Telephony: DomainName = pdc_rpl2.jg.ril.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pdc_rpl2.jg.ril.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pdc_rpl2.jg.ril.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pdc_rpl2.jg.ril.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Oracle%ORACLE_HOME_SERVICE%ClientCache80 - Unknown owner - D:\ORANT\BIN\ONRSD80.EXE
O23 - Service: SAAZSecAnalyzer - Zenith InfoTech Ltd. - C:\WINDOWS\System32\PatchScan\DataCollector.exe
O23 - Service: SaazTool - Unknown owner - C:\WINDOWS\System32\AdminProData\DataCollector.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/09/2008 at 10:32 AM
Application Version : 4.21.1004
Core Rules Database Version : 3555
Trace Rules Database Version: 1543
Scan type       : Complete Scan
Total Scan Time : 00:23:14
Memory items scanned      : 403
Memory threats detected   : 1
Registry items scanned    : 6755
Registry threats detected : 15
File items scanned        : 21265
File threats detected     : 3
Trojan.Downloader-NewJuan/VM
 C:\WINDOWS\SYSTEM32\ETWMSC.DLL
 C:\WINDOWS\SYSTEM32\ETWMSC.DLL
Adware.Vundo Variant
 HKLM\Software\Classes\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}
 HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}
 HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32
 HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}\InprocServer32#ThreadingModel
 C:\WINDOWS\SYSTEM32\QOMKDCUT.DLL
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C14E6230-757D-4246-81CE-B34E2940C722}
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C14E6230-757D-4246-81CE-B34E2940C722}
 HKCR\CLSID\{C14E6230-757D-4246-81CE-B34E2940C722}
Trojan.Vundo-Variant/NextGen-Six
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55579c9d-320b-4232-83ac-0a4deb2e40a3}
 HKCR\CLSID\{55579C9D-320B-4232-83AC-0A4DEB2E40A3}
 HKCR\CLSID\{55579C9D-320B-4232-83AC-0A4DEB2E40A3}\InprocServer32
 HKCR\CLSID\{55579C9D-320B-4232-83AC-0A4DEB2E40A3}\InprocServer32#ThreadingModel
Adware.WsnPoem
 C:\WINDOWS\system32\wsnpoem
Adware.Vundo Variant/Rel
 HKLM\SOFTWARE\Microsoft\aoprndtws
 HKLM\SOFTWARE\Microsoft\FCOVM
 HKLM\SOFTWARE\Microsoft\RemoveRP
 HKU\S-1-5-21-84504263-1885415760-1555438652-14829\Software\Microsoft\rdfa
 
ComboFix 08-08-30.01 - SHATRUGHNAJ 2008-09-09 10:42:59.1 - FAT32 x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.23 [GMT 5.5:30]
Running from: E:\Downloads\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
.
(((((((((((((((((((((((((   Files Created from 2008-08-09 to 2008-09-09  )))))))))))))))))))))))))))))))
.
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\shatrughnaj\Application Data\SUPERAntiSpyware.com
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-09 08:42 . 2008-09-09 08:42 <DIR> d-------- C:\Program Files\CCleaner
2008-09-05 08:46 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-09-05 08:46 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-09-04 16:54 . 2008-09-04 16:54 <DIR> d-------- C:\Program Files\Panda Security
2008-09-04 16:54 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-27 10:15 . 2008-08-27 10:15 260 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-08-25 11:39 . 2008-08-25 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-25 08:21 . 2008-08-25 08:21 <DIR> d--hs---- C:\FOUND.004
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 12:45 . 2008-08-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SolidDocuments
2008-08-15 11:30 . 2008-08-25 15:16 1,514,013 ---hs---- C:\WINDOWS\system32\dxafhjko.ini
2008-08-15 11:30 . 2008-08-15 11:30 111,616 --a------ C:\WINDOWS\system32\mkphaiuk.dll
2008-08-15 11:30 . 2008-08-15 11:30 95,232 --a------ C:\WINDOWS\system32\okjhfaxd.VIR
2008-08-15 11:18 . 2008-08-25 14:35 2,023 --ahs---- C:\WINDOWS\system32\UwGiOUvw.ini2
2008-08-15 11:18 . 2008-08-25 14:38 2,023 --ahs---- C:\WINDOWS\system32\UwGiOUvw.ini
2008-08-15 11:15 . 2008-08-15 11:18 279,552 --a------ C:\WINDOWS\system32\wvUOiGwU.VIR
2008-08-09 16:05 . 2005-09-23 10:41 89,088 --a------ C:\WINDOWS\system32\atl71.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 04:32 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\ZTE_CDMA_1X
2008-08-08 04:23 --------- d-----w C:\Program Files\ZTE CDMA1X MODEM
2008-07-28 04:44 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\cadenas
2008-07-23 06:39 --------- d-----w C:\Program Files\FMA 2
2008-07-23 05:45 --------- d-----w C:\Program Files\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\AD ON Multimedia
2008-04-09 06:15 508 ----a-w C:\Documents and Settings\shatrughnaj\Application Data\dcpini.dat
2008-01-30 08:43 723 ----a-w C:\Program Files\INSTALL.LOG
.
----a-w         1,683,456 2003-01-24 03:03:28  C:\Program Files\Applications\Mech Engr Guide .exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FlyAway"="Y:\EN\Fly.exe" [N/A]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 14:07 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 08:37 180269]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 19:26 143360]
"WinGuard Pro"="C:\WINDOWS\system32\wgp.exe" [2006-10-18 17:24 282624]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-05-05 15:30 356429]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" [N/A]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"5879994a"="C:\WINDOWS\system32\okjhfaxd.dll" [N/A]
"SoundMan"="SOUNDMAN.EXE" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\shatrughnaj\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-12-07 12:35:44 19968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ipmsg.exe [2006-03-27 16:44:48 157184]
HPLiteSaver.lnk - C:\WINDOWS\HPLiteSaver.exe [2007-12-25 12:23:07 65536]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 12:05:32 113664]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 C:\WINDOWS\system32\wvUOiGwU
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 19:26 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
--a------ 2007-12-14 16:59 1071472 C:\Program Files\My Lockbox\flockbox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-08-24 11:47 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-08-24 11:51 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-08-24 11:50 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2008-05-05 15:30 356429 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2005-12-21 14:30 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\TightVNC\WinVNC.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS []
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 16:06]
S3 SAAZSecAnalyzer;SAAZSecAnalyzer;C:\WINDOWS\System32\PatchScan\DataCollector.exe [2005-06-29 16:56]
S3 SaazTool;SaazTool;C:\WINDOWS\System32\AdminProData\DataCollector.exe [2003-04-17 05:57]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\zteusbser.sys [2008-01-07 18:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
\Shell\AutoRun\command - Z:\188qsm.bat
\Shell\explore\Command - Z:\188qsm.bat
\Shell\open\Command - Z:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#d$]
\Shell\AutoRun\command - Y:\188qsm.bat
\Shell\explore\Command - Y:\188qsm.bat
\Shell\open\Command - Y:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#e$]
\Shell\AutoRun\command - X:\188qsm.bat
\Shell\explore\Command - X:\188qsm.bat
\Shell\open\Command - X:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(O)\command - Recycled\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.39#f$]
\Shell\AutoRun\command - W:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.80#e$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.215.89#f$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.51.60#software_s]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446a8007-ac6c-11dc-ac84-001485fd897b}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6b0cdee-9beb-11dc-ac6d-001485fd897b}]
\Shell\Auto\command - H:\AdobeR.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c36-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - H:\3wcxx91.cmd
\Shell\explore\Command - H:\3wcxx91.cmd
\Shell\open\Command - H:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c37-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - I:\3wcxx91.cmd
\Shell\explore\Command - I:\3wcxx91.cmd
\Shell\open\Command - I:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c38-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c39-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - K:\3wcxx91.cmd
\Shell\explore\Command - K:\3wcxx91.cmd
\Shell\open\Command - K:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f247bb25-0208-11dd-accf-001485fd897b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - H:\Recycled\ctfmon.exe
*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -
BHO-{3FAB24E7-9CEE-4B67-B8ED-E52D914A2524} - C:\WINDOWS\system32\wvUOiGwU.dll
Notify-qomKdCuT - qomKdCuT.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\shatrughnaj\Application Data\Mozilla\Firefox\Profiles\grcgcwlz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 10:43:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\sccfg.sys 8192 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-09-09 10:44:16
ComboFix-quarantined-files.txt  2008-09-09 05:14:14
Pre-Run: 5,041,709,056 bytes free
Post-Run: 5,234,352,128 bytes free
257

Post Edited (sj) : 09-09-2008 06:16:57 GMT


Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 9-9-2008 7:14 (GMT +1)
Hello scool
 
 
Please download Malwarebytes' Anti-Malware:
 
Or here:
 
 to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.
                     
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
                     
If an update is found, it will download and install the latest version.
                     
Once the program has loaded, select Perform full scan, then click Scan.
                     
When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
When completed, a log will open in Notepad. Please save it to a convenient location.
 
Copy and Paste  that log into your next reply, along with combofix log.
 
 
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


sj
New Member


Date Joined Aug 2008
Total Posts : 13
 
Posted 9-9-2008 7:54 (GMT +1)
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2
12:14:58 PM 9/9/2008
mbam-log-9-9-2008 (12-14-58).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 159828
Time elapsed: 21 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix 08-08-30.01 - SHATRUGHNAJ 2008-09-09 12:18:12.2 - [color=red][b]FAT32[/b][/color]x86
Running from: E:\Downloads\ComboFix.exe
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.
(((((((((((((((((((((((((   Files Created from 2008-08-09 to 2008-09-09  )))))))))))))))))))))))))))))))
.
2008-09-09 11:49 . 2008-09-09 11:49 <DIR> d-------- C:\Documents and Settings\shatrughnaj\Application Data\Malwarebytes
2008-09-09 11:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 11:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 11:48 . 2008-09-09 11:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 11:48 . 2008-09-09 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 10:50 . 2008-09-09 10:50 <DIR> d-------- C:\HJT
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\shatrughnaj\Application Data\SUPERAntiSpyware.com
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-09 08:42 . 2008-09-09 08:42 <DIR> d-------- C:\Program Files\CCleaner
2008-09-05 08:46 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-09-05 08:46 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-09-04 16:54 . 2008-09-04 16:54 <DIR> d-------- C:\Program Files\Panda Security
2008-09-04 16:54 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-27 10:15 . 2008-08-27 10:15 260 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-08-25 11:39 . 2008-08-25 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-25 08:21 . 2008-08-25 08:21 <DIR> d--hs---- C:\FOUND.004
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 12:45 . 2008-08-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SolidDocuments
2008-08-15 11:30 . 2008-08-25 15:16 1,514,013 ---hs---- C:\WINDOWS\system32\dxafhjko.ini
2008-08-15 11:30 . 2008-08-15 11:30 111,616 --a------ C:\WINDOWS\system32\mkphaiuk.dll
2008-08-15 11:30 . 2008-08-15 11:30 95,232 --a------ C:\WINDOWS\system32\okjhfaxd.VIR
2008-08-15 11:18 . 2008-08-25 14:35 2,023 --ahs---- C:\WINDOWS\system32\UwGiOUvw.ini2
2008-08-15 11:18 . 2008-08-25 14:38 2,023 --ahs---- C:\WINDOWS\system32\UwGiOUvw.ini
2008-08-15 11:15 . 2008-08-15 11:18 279,552 --a------ C:\WINDOWS\system32\wvUOiGwU.VIR
2008-08-09 16:05 . 2005-09-23 10:41 89,088 --a------ C:\WINDOWS\system32\atl71.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 04:32 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\ZTE_CDMA_1X
2008-08-08 04:23 --------- d-----w C:\Program Files\ZTE CDMA1X MODEM
2008-07-28 04:44 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\cadenas
2008-07-23 06:39 --------- d-----w C:\Program Files\FMA 2
2008-07-23 05:45 --------- d-----w C:\Program Files\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\AD ON Multimedia
2008-04-09 06:15 508 ----a-w C:\Documents and Settings\shatrughnaj\Application Data\dcpini.dat
2008-01-30 08:43 723 ----a-w C:\Program Files\INSTALL.LOG
.
[code]<pre>
----a-w         1,683,456 2003-01-24 03:03:28  C:\Program Files\Applications\Mech Engr Guide .exe
</pre>[/code]

(((((((((((((((((((((((((((((   snapshot@2008-09-09_10.43.49.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-05 09:55:36 176,195 ----a-w C:\WINDOWS\Temp\XDB90E.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FlyAway"="Y:\EN\Fly.exe" [N/A]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 14:07 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 08:37 180269]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 19:26 143360]
"WinGuard Pro"="C:\WINDOWS\system32\wgp.exe" [2006-10-18 17:24 282624]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-05-05 15:30 356429]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" [N/A]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"5879994a"="C:\WINDOWS\system32\okjhfaxd.dll" [N/A]
"SoundMan"="SOUNDMAN.EXE" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\shatrughnaj\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-12-07 12:35:44 19968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ipmsg.exe [2006-03-27 16:44:48 157184]
HPLiteSaver.lnk - C:\WINDOWS\HPLiteSaver.exe [2007-12-25 12:23:07 65536]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 12:05:32 113664]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 C:\WINDOWS\system32\wvUOiGwU
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 19:26 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
--a------ 2007-12-14 16:59 1071472 C:\Program Files\My Lockbox\flockbox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-08-24 11:47 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-08-24 11:51 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-08-24 11:50 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2008-05-05 15:30 356429 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2005-12-21 14:30 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\TightVNC\WinVNC.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS []
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 16:06]
S3 SAAZSecAnalyzer;SAAZSecAnalyzer;C:\WINDOWS\System32\PatchScan\DataCollector.exe [2005-06-29 16:56]
S3 SaazTool;SaazTool;C:\WINDOWS\System32\AdminProData\DataCollector.exe [2003-04-17 05:57]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\zteusbser.sys [2008-01-07 18:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
\Shell\AutoRun\command - Z:\188qsm.bat
\Shell\explore\Command - Z:\188qsm.bat
\Shell\open\Command - Z:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#d$]
\Shell\AutoRun\command - Y:\188qsm.bat
\Shell\explore\Command - Y:\188qsm.bat
\Shell\open\Command - Y:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#e$]
\Shell\AutoRun\command - X:\188qsm.bat
\Shell\explore\Command - X:\188qsm.bat
\Shell\open\Command - X:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(O)\command - Recycled\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.39#f$]
\Shell\AutoRun\command - W:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.80#e$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.215.89#f$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.51.60#software_s]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446a8007-ac6c-11dc-ac84-001485fd897b}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6b0cdee-9beb-11dc-ac6d-001485fd897b}]
\Shell\Auto\command - H:\AdobeR.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c36-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - H:\3wcxx91.cmd
\Shell\explore\Command - H:\3wcxx91.cmd
\Shell\open\Command - H:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c37-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - I:\3wcxx91.cmd
\Shell\explore\Command - I:\3wcxx91.cmd
\Shell\open\Command - I:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c38-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c39-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - K:\3wcxx91.cmd
\Shell\explore\Command - K:\3wcxx91.cmd
\Shell\open\Command - K:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f247bb25-0208-11dd-accf-001485fd897b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - H:\Recycled\ctfmon.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\shatrughnaj\Application Data\Mozilla\Firefox\Profiles\grcgcwlz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 12:18:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\sccfg.sys 8192 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-09-09 12:20:43
ComboFix-quarantined-files.txt  2008-09-09 06:50:38
ComboFix2.txt  2008-09-09 05:14:18
Pre-Run: 5,238,325,248 bytes free
Post-Run: 5,234,376,704 bytes free
257
Back to Top
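As an added example (not part of this thread, and not ComboFix's own code), a Python parser for the MountPoints2 section of a ComboFix log like the one posted above: it pulls out each cached AutoRun handler and flags the patterns visible in this log, namely handlers cached for network admin shares, script payloads, RunDLL32 ShellExec_RunDLL wrappers, and a ctfmon.exe living under a Recycled folder instead of system32. The sample lines are constructed from entries quoted in the log, and the flagging rules are heuristics of this example, not ComboFix's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One ComboFix "Reg Loading Points" key line, e.g.
# [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
KEY_RE = re.compile(r"^\[hkey_current_user\\.*\\explorer\\mountpoints2\\(?P<mp>[^\]]+)\]$", re.I)
# One handler line under that key, e.g.  \Shell\AutoRun\command - Z:\188qsm.bat
CMD_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".com", ".pif", ".scr")
SYSTEM_NAMES = {"ctfmon.exe"}  # expected only inside system32


@dataclass
class MountPoint:
    name: str                       # subkey: UNC share (##host#share), drive letter or volume GUID
    commands: Dict[str, str] = field(default_factory=dict)  # verb (lower-cased) -> command line

    @property
    def is_network_share(self) -> bool:
        return self.name.startswith("##")


def parse_mountpoints(log_text: str) -> List[MountPoint]:
    """Collect the MountPoints2 entries and their handler commands from a ComboFix log."""
    entries: List[MountPoint] = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = MountPoint(m.group("mp"))
            entries.append(current)
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current.commands[m.group("verb").lower()] = m.group("cmd").strip()
        elif line.startswith("["):  # some other registry key: this mount point's block is over
            current = None
    return entries


def payload_of(cmd: str) -> str:
    """Last token that names a file, skipping the RunDLL32/Shell32 wrapper and trailing flags."""
    tokens = [t for t in cmd.split() if "." in t]
    return tokens[-1] if tokens else cmd


def classify(mp: MountPoint) -> List[str]:
    """Reasons (heuristic) why this mount point's cached autorun handlers deserve a closer look."""
    reasons: List[str] = []
    for verb, cmd in sorted(mp.commands.items()):
        target = payload_of(cmd)
        lower = target.lower()
        base = lower.rsplit("\\", 1)[-1]
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: RunDLL32 ShellExec_RunDLL wrapper launching {target}")
        if lower.endswith(SCRIPT_EXT):
            reasons.append(f"{verb}: script or legacy executable as autorun payload ({base})")
        if "recycled\\" in lower:
            reasons.append(f"{verb}: payload kept under a Recycled folder ({target})")
        if base in SYSTEM_NAMES and "system32" not in lower:
            reasons.append(f"{verb}: system binary name outside system32 ({target})")
    if reasons and mp.is_network_share:
        reasons.append("cached from a network share, so an autorun.inf was present on that share")
    return reasons


def report(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged mount point to its reasons; entries with nothing to report are omitted."""
    flagged: Dict[str, List[str]] = {}
    for mp in parse_mountpoints(log_text):
        reasons = classify(mp)
        if reasons:
            flagged[mp.name] = reasons
    return flagged


# Constructed sample: a few entries in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
\Shell\AutoRun\command - Z:\188qsm.bat
\Shell\explore\Command - Z:\188qsm.bat
\Shell\open\Command - Z:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(O)\command - Recycled\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446a8007-ac6c-11dc-ac84-001485fd897b}]
\Shell\AutoRun\command - L:\ntde1ect.com
.
------- Supplementary Scan -------
"""

if __name__ == "__main__":
    for name, reasons in report(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

The U3 launcher entry (H:\LaunchU3.exe) produces no finding, which is the point of keeping the heuristics narrow: the list is a triage aid for reading the log, not a verdict.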
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 9-9-2008 8:07 (GMT +1)
Open notepad and copy/paste the text in the quotebox below into it:


Quote:
 
Killall::
 
Snapshot::
 
 
File::
C:\WINDOWS\system32\dxafhjko.ini
C:\WINDOWS\system32\mkphaiuk.dll
C:\WINDOWS\system32\okjhfaxd.VIR
C:\WINDOWS\system32\UwGiOUvw.ini2
C:\WINDOWS\system32\UwGiOUvw.ini
C:\WINDOWS\system32\wvUOiGwU.VIR
C:\WINDOWS\Temp\XDB90E.EXE
C:\WINDOWS\system32\okjhfaxd.dll
 
RenV::
1,683,456 2003-01-24 03:03:28  C:\Program Files\Applications\Mech Engr Guide .exe


FireFox::
 
Save this as:
CFScript
 
Referring to the picture above, drag CFScript into ComboFix.exe

Then post a fresh ComboFix log.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

Back to Top
 

sj
New Member


Date Joined Aug 2008
Total Posts : 13
 
Posted 9-10-2008 5:39 (GMT +1)
ComboFix 08-08-30.01 - shatrughnaj 2008-09-10  9:56:58.3 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.47 [GMT 5.5:30]
Running from: E:\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\shatrughnaj\Desktop\CFScript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dxafhjko.ini
C:\WINDOWS\system32\mkphaiuk.dll
C:\WINDOWS\system32\okjhfaxd.VIR
C:\WINDOWS\system32\UwGiOUvw.ini
C:\WINDOWS\system32\UwGiOUvw.ini2
C:\WINDOWS\system32\wvUOiGwU.VIR
.
(((((((((((((((((((((((((   Files Created from 2008-08-10 to 2008-09-10  )))))))))))))))))))))))))))))))
.
2008-09-10 09:47 . 2008-09-10 09:47 <DIR> d-------- C:\Program Files\Netbooster Client
2008-09-10 09:47 . 2007-02-05 16:53 87,576 --a------ C:\WINDOWS\system32\vwlsp.dll
2008-09-09 11:49 . 2008-09-09 11:49 <DIR> d-------- C:\Documents and Settings\shatrughnaj\Application Data\Malwarebytes
2008-09-09 11:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 11:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 11:48 . 2008-09-09 11:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 11:48 . 2008-09-09 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 10:50 . 2008-09-09 10:50 <DIR> d-------- C:\HJT
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\shatrughnaj\Application Data\SUPERAntiSpyware.com
2008-09-09 10:07 . 2008-09-09 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-09 08:42 . 2008-09-09 08:42 <DIR> d-------- C:\Program Files\CCleaner
2008-09-05 08:46 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-09-05 08:46 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-09-04 16:54 . 2008-09-04 16:54 <DIR> d-------- C:\Program Files\Panda Security
2008-09-04 16:54 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-27 10:15 . 2008-08-27 10:15 260 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-08-25 11:39 . 2008-08-25 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-25 08:21 . 2008-08-25 08:21 <DIR> d--hs---- C:\FOUND.004
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-23 15:21 . 2008-08-23 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 12:45 . 2008-08-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SolidDocuments
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 04:32 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\ZTE_CDMA_1X
2008-08-08 04:23 --------- d-----w C:\Program Files\ZTE CDMA1X MODEM
2008-07-28 04:44 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\cadenas
2008-07-23 06:39 --------- d-----w C:\Program Files\FMA 2
2008-07-23 05:45 --------- d-----w C:\Program Files\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\MyPhoneExplorer
2008-07-23 05:45 --------- d-----w C:\Documents and Settings\shatrughnaj\Application Data\AD ON Multimedia
2008-04-09 06:15 508 ----a-w C:\Documents and Settings\shatrughnaj\Application Data\dcpini.dat
2008-01-30 08:43 723 ----a-w C:\Program Files\INSTALL.LOG
.
[code]<pre>
----a-w         1,683,456 2003-01-24 03:03:28  C:\Program Files\Applications\Mech Engr Guide .exe
</pre>[/code]

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FlyAway"="Y:\EN\Fly.exe" [N/A]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 14:07 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 08:37 180269]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 19:26 143360]
"WinGuard Pro"="C:\WINDOWS\system32\wgp.exe" [2006-10-18 17:24 282624]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-05-05 15:30 356429]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" [N/A]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"5879994a"="C:\WINDOWS\system32\okjhfaxd.dll" [N/A]
"Venturi Configurator"="C:\Program Files\Netbooster Client\Configurator\ventcfg.exe" [2007-02-05 16:53 923272]
"SoundMan"="SOUNDMAN.EXE" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\shatrughnaj\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-12-07 12:35:44 19968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ipmsg.exe [2006-03-27 16:44:48 157184]
HPLiteSaver.lnk - C:\WINDOWS\HPLiteSaver.exe [2007-12-25 12:23:07 65536]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 12:05:32 113664]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 C:\WINDOWS\system32\wvUOiGwU
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 19:26 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
--a------ 2007-12-14 16:59 1071472 C:\Program Files\My Lockbox\flockbox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-08-24 11:47 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-08-24 11:51 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-08-24 11:50 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2008-05-05 15:30 356429 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2005-12-21 14:30 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\TightVNC\WinVNC.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 VenturiClient;Venturi Client;C:\Program Files\Netbooster Client\Client\ventc.exe [2007-02-05 16:53]
R3 zteusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\zteusbser.sys [2008-01-07 18:10]
S0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS []
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 16:06]
S3 SAAZSecAnalyzer;SAAZSecAnalyzer;C:\WINDOWS\System32\PatchScan\DataCollector.exe [2005-06-29 16:56]
S3 SaazTool;SaazTool;C:\WINDOWS\System32\AdminProData\DataCollector.exe [2003-04-17 05:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
\Shell\AutoRun\command - Z:\188qsm.bat
\Shell\explore\Command - Z:\188qsm.bat
\Shell\open\Command - Z:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#d$]
\Shell\AutoRun\command - Y:\188qsm.bat
\Shell\explore\Command - Y:\188qsm.bat
\Shell\open\Command - Y:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#e$]
\Shell\AutoRun\command - X:\188qsm.bat
\Shell\explore\Command - X:\188qsm.bat
\Shell\open\Command - X:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(O)\command - Recycled\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.39#f$]
\Shell\AutoRun\command - W:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.173.80#e$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.215.89#f$]
\Shell\AutoRun\command - Y:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.157#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.38#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.42#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.219.50#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IISDLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.51.60#software_s]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#d$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#e$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.60.46.107#f$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446a8007-ac6c-11dc-ac84-001485fd897b}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6b0cdee-9beb-11dc-ac6d-001485fd897b}]
\Shell\Auto\command - H:\AdobeR.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c36-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - H:\3wcxx91.cmd
\Shell\explore\Command - H:\3wcxx91.cmd
\Shell\open\Command - H:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c37-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - I:\3wcxx91.cmd
\Shell\explore\Command - I:\3wcxx91.cmd
\Shell\open\Command - I:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c38-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - J:\3wcxx91.cmd
\Shell\explore\Command - J:\3wcxx91.cmd
\Shell\open\Command - J:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf43c39-e416-11dc-acb9-001485fd897b}]
\Shell\AutoRun\command - K:\3wcxx91.cmd
\Shell\explore\Command - K:\3wcxx91.cmd
\Shell\open\Command - K:\3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f247bb25-0208-11dd-accf-001485fd897b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - H:\Recycled\ctfmon.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 09:59:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\sccfg.sys 8192 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\NTRTSCAN.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\TMLISTEN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\OFCPFWSVC.EXE
C:\Program Files\Netbooster Client\squid\ventcsquid.exe
C:\WINDOWS\TEMP\EECBBC.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1005MC.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\IPMSG.EXE
.
**************************************************************************
.
Completion time: 2008-09-10 10:02:39 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-10 04:32:34
ComboFix3.txt  2008-09-09 05:14:18
ComboFix2.txt  2008-09-09 06:50:46
Pre-Run: 5,010,653,184 bytes free
Post-Run: 5,025,054,720 bytes free
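The MountPoints2 section of the log above is the part a responder would pull out first: every `##10.4.x.y#c$` key is a cached network share (MountPoints2 writes `\\10.4.x.y\c$` with the backslashes turned into `#`), the `{GUID}` and single-letter keys are removable volumes, and each of them has had its AutoRun, open or explore verb pointed at a file on that volume (188qsm.bat, 3wcxx91.cmd, ntde1ect.com, setupSNK.exe, IISDLL.dll.vbs, AdobeR.exe), frequently through `RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL` or `wscript.exe`. Read together with `"EnableFirewall"= 0` and TCP 3389 in GloballyOpenPorts, that is the autorun-worm picture buried in a thousand lines of output. The script below is an added triage example, not code from this thread or from ComboFix; its input is a constructed sample made of lines copied from the posted log, and the flagging rules and the decoy-name set are illustrative assumptions, not a detection standard.

```python
"""Triage helper for ComboFix-style logs (added example, not from the thread
or from ComboFix). Pulls every MountPoints2 autorun hook plus the host-firewall
lines and flags the patterns visible in the posted log."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log posted above, trimmed so the
# block runs offline. A real ComboFix log is far longer.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.105.76#c$]
\Shell\AutoRun\command - Z:\188qsm.bat
\Shell\explore\Command - Z:\188qsm.bat
\Shell\open\Command - Z:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.141.215#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe
\Shell\Open(O)\command - Recycled\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.4.217.58#c$]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{446a8007-ac6c-11dc-ac84-001485fd897b}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com
"""

# MountPoints2 stores UNC paths with '\' replaced by '#': ##10.4.105.76#c$ is
# the admin share \\10.4.105.76\c$; {GUID} and single letters are volumes.
MP_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\([^\]]+)\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s*-\s*(.+)$", re.I)

SCRIPT_EXT = (".bat", ".cmd", ".com", ".vbs", ".pif", ".scr")
# Illustrative assumption: system32 binary names worth flagging when launched
# from anywhere that is not a system directory.
DECOY_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


def parse_mountpoints(log: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 device key to its {verb: command} pairs."""
    hooks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = MP_RE.match(line)
        if key:
            current = key.group(1)
            hooks.setdefault(current, {})
            continue
        if line.startswith("["):          # some other registry key: leave block
            current = None
            continue
        verb = VERB_RE.match(line)
        if current is not None and verb:
            hooks[current][verb.group(1).lower()] = verb.group(2).strip()
    return hooks


def payload_of(cmd: str) -> str:
    """Strip rundll32 ShellExec_RunDLL / wscript.exe wrappers to the real target."""
    idx = cmd.lower().find("shellexec_rundll")
    if idx != -1:
        cmd = cmd[idx + len("shellexec_rundll"):].strip()
    if cmd.lower().startswith("wscript.exe"):
        cmd = cmd[len("wscript.exe"):].strip()
    parts = cmd.split()
    return parts[0] if parts else cmd


def classify(cmd: str) -> List[str]:
    """Return the reasons an autorun command looks hostile (empty = clean)."""
    low = cmd.lower()
    target = payload_of(cmd).lower()
    base = target.rsplit("\\", 1)[-1]
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    reasons = []
    if "rundll32" in low and "shellexec_rundll" in low:
        reasons.append("rundll32 ShellExec_RunDLL indirection")
    if "wscript" in low:
        reasons.append("Windows Script Host launcher")
    if ext in SCRIPT_EXT:
        reasons.append(f"command/script file as autorun target ({ext})")
    if "recycled\\" in low:
        reasons.append("payload staged under a Recycled\\ folder")
    if base in DECOY_NAMES and "system32" not in target:
        reasons.append(f"system-file name {base} launched from a non-system path")
    return reasons


def firewall_findings(log: str) -> List[str]:
    """Flag a disabled standard-profile firewall and globally opened ports."""
    out = []
    for raw in log.splitlines():
        line = raw.strip()
        if re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            out.append("Windows Firewall disabled in the standard profile")
        port = re.match(r'^"(\d+):(TCP|UDP)"\s*=', line, re.I)
        if port:
            out.append(f"port {port.group(1)}/{port.group(2).upper()} globally open")
    return out


def triage(log: str) -> List[dict]:
    """Every MountPoints2 hook with at least one reason, plus where it lives."""
    findings = []
    for key, verbs in parse_mountpoints(log).items():
        for verb, cmd in verbs.items():
            reasons = classify(cmd)
            if reasons:
                findings.append({"key": key, "network_share": key.startswith("##"),
                                 "verb": verb, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in firewall_findings(SAMPLE_LOG):
        print("FIREWALL:", f)
    for f in triage(SAMPLE_LOG):
        where = "share" if f["network_share"] else "volume"
        print(f"{where} {f['key']} {f['verb']}: {f['command']} <- {', '.join(f['reasons'])}")
```

Note that `H:\LaunchU3.exe -a` (the SanDisk U3 launcher) is deliberately not flagged by these rules, while the three-verb `Z:\188qsm.bat` and `L:\ntde1ect.com` hooks and the `Recycled\ctfmon.exe` decoy are. The script is a triage aid for deciding which volumes and shares to clean and which hosts on the 10.4.x.x network to look at next; it is not a verdict on the files themselves.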
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-10-2008 6:17 (GMT +1)
How are things running now?


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
 

sj
New Member


Date Joined Aug 2008
Total Posts : 13
 
   Posted 9-10-2008 6:48 (GMT +1)
Thanks...
I suppose things are now under control, but I still got a page opened automatically!
But let me see till evening what happens; if it still goes that way I'll get back to you.
Thanks a lot.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 9-10-2008 6:59 (GMT +1)
OK. Please post a fresh HijackThis log.


 

sj
New Member


Date Joined Aug 2008
Total Posts : 13