
Privacy in danger!

Discussion in 'Malware and Virus Removal Archive' started by cpumedic, 2007/07/02.

  1. 2007/07/02
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    My son downloaded this and I can't seem to get rid of it! I have run an HJT log and a ComboFix log as well. HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:13 PM, on 7/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    D:\Reader\Reader_sl.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Killer Bees\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176949925859
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: msole - {BE60F41C-D252-4E69-8704-1B2D51C8BB98} - C:\WINDOWS\msole.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    combofix log:

    ComboFix 07-06-18.2 - C:\Documents and Settings\Ron\Desktop\ComboFix.exe
    "Ron" - 2007-07-02 20:05:17 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


    2007-07-02 20:05 <DIR> d-------- C:\WINDOWS\privacy_danger
    2007-07-02 20:00 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-07-02 19:55 <DIR> d-------- C:\Killer Bees
    2007-06-30 23:43 12,288 --a------ C:\WINDOWS\mgrs.exe
    2007-06-30 23:37 524,288 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT
    2007-06-30 23:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1.RBB\APPLIC~1\Lavasoft
    2007-06-30 22:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1.RBB\NTUSER.DAT
    2007-06-30 22:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-30 22:51 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-06-30 15:10 74,752 --a------ C:\WINDOWS\msdde.dll
    2007-06-30 15:10 53,760 --a------ C:\WINDOWS\msole.dll
    2007-06-30 15:10 22,016 --a------ C:\WINDOWS\main_uninstaller.exe
    2007-06-30 15:10 217,088 --a------ C:\WINDOWS\ddesupport.dll
    2007-06-20 20:33 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-12 21:02 1,716,297 --------- C:\WINDOWS\system32\InetClnt.dll
    2007-06-12 21:02 <DIR> d-------- C:\Program Files\Common Files\Intuit
    2007-06-12 21:02 <DIR> d-------- C:\DOCUME~1\Ron\APPLIC~1\Intuit
    2007-06-12 21:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-01 01:11:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-19 00:16:31 0 --sha-r C:\MSDOS.SYS
    2007-04-19 00:16:31 0 --sha-r C:\IO.SYS
    2007-04-19 00:16:31 0 ----a-w C:\CONFIG.SYS
    2007-04-19 00:16:31 0 ----a-w C:\AUTOEXEC.BAT
    2007-04-19 00:13:43 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {49CF52D7-8D58-4E22-A874-AAD721F5B523}=C:\WINDOWS\ddesupport.dll [2007-06-30 03:29]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-04-18 19:42]
    "nwiz"="nwiz.exe" []
    "Adobe Reader Speed Launcher"="D:\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "smgr"="mgrs.exe" [2007-07-02 20:01 C:\WINDOWS\mgrs.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{BE60F41C-D252-4E69-8704-1B2D51C8BB98}"="C:\WINDOWS\msole.dll" [2007-06-30 03:29]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-02 20:05:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...


    Someone please help; I have school work to do and discovered this when I turned on my computer this evening after work!
     
  2. 2007/07/02
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    privacy in danger

    While in Safe Mode, Ad-Aware SE runs, finds and cleans a few things, nothing major. Spybot will begin, but before the scan completes it will either lock up the PC or totally restart it.

    I am running Avast AV, which is current, and Comodo Firewall Pro. An app by the name of "mgrs.exe" tries to get out on the internet constantly; I deny it over and over. I have removed it from my Windows folder, but it keeps coming back. I searched the registry and deleted the location, but it still comes back, so it has to be coming from somewhere. Any suggestions?
     


  4. 2007/07/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi cpumedic

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log and a new combofix log.

    Geri
     
  5. 2007/07/04
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    SDFix Report 1

    SDFix: Version 1.89

    Run by Ron on Wed 07/04/2007 at 10:52 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\Documents and Settings\Ron\Favorites\Error Cleaner.url - Deleted
    C:\Documents and Settings\Ron\Favorites\Privacy Protector.url - Deleted
    C:\Documents and Settings\Ron\Favorites\Spyware&Malware Protection.url - Deleted
    C:\WINDOWS\dat.txt - Deleted
    C:\WINDOWS\mgrs.exe - Deleted
    C:\WINDOWS\rs.txt - Deleted



    Removing Temp Files...

    ADS Check:

    Checking C:\WINDOWS
    C:\WINDOWS
    No streams found.

    Checking C:\WINDOWS\system32
    C:\WINDOWS\system32
    No streams found.

    Checking C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Documents and Settings\Belinda\Local Settings\Temp\BIT3.tmp

    Finished :)
     
  6. 2007/07/04
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    Hjt3

    Logfile of HijackThis v1.99.1
    Scan saved at 11:00:31 AM, on 7/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    D:\Reader\Reader_sl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Killer Bees\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176949925859
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

     
  7. 2007/07/04
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    combo fix 3

    ComboFix 07-06-18.2 - C:\Documents and Settings\Ron\Desktop\ComboFix.exe
    "Ron" - 2007-07-04 10:57:42 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


    2007-07-04 10:51 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-07-02 22:15 2,294 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-02 22:14 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-07-02 22:14 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-07-02 22:14 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-07-02 20:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1.003\NTUSER.DAT
    2007-07-02 20:43 524,288 --ah----- C:\DOCUME~1\ADMINI~1.002\NTUSER.DAT
    2007-07-02 20:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1.002\APPLIC~1\Lavasoft
    2007-07-02 20:15 262,144 --ah----- C:\DOCUME~1\ADMINI~1.001\NTUSER.DAT
    2007-07-02 20:00 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-07-02 19:55 <DIR> d-------- C:\Killer Bees
    2007-06-30 23:37 524,288 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT
    2007-06-30 23:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1.RBB\APPLIC~1\Lavasoft
    2007-06-30 22:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1.RBB\NTUSER.DAT
    2007-06-30 22:51 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-30 22:51 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-06-20 20:33 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-12 21:02 1,716,297 --------- C:\WINDOWS\system32\InetClnt.dll
    2007-06-12 21:02 <DIR> d-------- C:\Program Files\Common Files\Intuit
    2007-06-12 21:02 <DIR> d-------- C:\DOCUME~1\Ron\APPLIC~1\Intuit
    2007-06-12 21:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-01 01:11:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-19 00:16:31 0 --sha-r C:\MSDOS.SYS
    2007-04-19 00:16:31 0 --sha-r C:\IO.SYS
    2007-04-19 00:16:31 0 ----a-w C:\CONFIG.SYS
    2007-04-19 00:16:31 0 ----a-w C:\AUTOEXEC.BAT
    2007-04-19 00:13:43 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-04-18 19:42]
    "nwiz"="nwiz.exe" []
    "Adobe Reader Speed Launcher"="D:\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-04 10:58:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-04 10:58:30
    C:\ComboFix-quarantined-files.txt ... 2007-07-04 10:58
    C:\ComboFix2.txt ... 2007-07-02 20:05
    C:\ComboFix3.txt ... 2007-07-02 20:02

    --- E O F ---

    The red background does not come up any more! Nor does mgrs.exe try to get out to the internet any more! Let me know if you see anything I might have missed!
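    As an added worked example (not part of the original thread, and not code from HijackThis, ComboFix or SDFix), the script below does the two checks a responder would want against the logs in this thread: it triages the first HJT log (post 1) for autostart entries whose loader sits where system components do not normally live, and it diffs that log against the post-clean-up log (post 7) to list exactly which entries disappeared. It also reads the ComboFix "Reg Loading Points" block for an Active Desktop component whose Source is a local file:// page, which is what painted the red "privacy danger" background. The log lines embedded in it are copied from the posts above; the regular expressions, the two heuristics, the allowlist of legitimate files in the Windows root and all function names are this example's own assumptions.

```python
"""Triage HijackThis autostart entries and confirm a clean-up by diffing two logs.
Added example, not part of the original thread and not code from HijackThis, ComboFix
or SDFix. Sample log text is copied from the thread; rules and names are assumptions.
"""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HJT code: O2 (BHO), O4 (Run value), O20 (Winlogon Notify), O21 (SSODL)
    label: str    # name HJT printed for the entry
    path: str     # image path, with quotes and arguments stripped


HJT_LINE = re.compile(r"^(O\d+) - (.+)$")
RUN_VALUE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] ?(.*)$")
WIN_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)  # file directly under %WINDIR%
BARE_NAME = re.compile(r"^[^\\:]+$")                        # no directory given at all
KNOWN_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe"}  # assumed allowlist of %WINDIR% residents


def image_path(command: str) -> str:
    """Return the executable from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2/O4/O20/O21/O23 lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            r = RUN_VALUE.match(rest)
            if r:
                hive, name, cmd = r.groups()
                entries.append(Entry(section, f"{hive} Run [{name}]", image_path(cmd)))
        else:
            parts = rest.split(" - ")
            # last segment is the file; HJT 1.99 may append '" /service (file missing)'
            entries.append(Entry(section, parts[0], parts[-1].split('"')[0].strip()))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Nominate entries whose loader lives where system components normally do not."""
    findings = []
    for e in entries:
        filename = e.path.rsplit("\\", 1)[-1].lower()
        if WIN_ROOT.match(e.path) and filename not in KNOWN_ROOT:
            findings.append((e, "file sits directly in the Windows root"))
        elif BARE_NAME.match(e.path):
            findings.append((e, "bare filename, found by path search; check which file really runs"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that the clean-up removed, and entries that newly appeared."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def find_local_desktop_components(combofix_text: str) -> list[str]:
    """Active Desktop components whose Source is a local file:// page (the 'red background')."""
    hits, in_component = [], False
    for line in combofix_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_component = "desktop\\components" in line.lower()
        elif in_component and line.lower().startswith("source="):
            source = line.split("=", 1)[1].strip()
            if source.lower().startswith("file:"):
                hits.append(source)
    return hits


# Sample input: lines copied from the HJT logs in post 1 (before) and post 7 (after).
HJT_BEFORE = r"""
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msole - {BE60F41C-D252-4E69-8704-1B2D51C8BB98} - C:\WINDOWS\msole.dll
"""
HJT_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
# Sample input: the Active Desktop block from the ComboFix log in post 1.
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
"""

if __name__ == "__main__":
    for entry, why in triage(parse_hjt(HJT_BEFORE)):
        print(f"[{entry.section}] {entry.label}: {entry.path}  <- {why}")
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("removed by clean-up:", [e.path for e in removed], "new:", [e.path for e in added])
    print("local Active Desktop pages:", find_local_desktop_components(COMBOFIX_EXCERPT))
```

    Run it as-is to print the report. The heuristics only nominate candidates: nwiz.exe is flagged next to mgrs.exe because both are bare filenames in a Run value, and it is the analyst who clears it (nwiz.exe is NVIDIA's display helper). The diff lists the three persistence points that vanished between the two logs: the MSVPS BHO (ddesupport.dll), the smgr Run value (mgrs.exe) and the msole SSODL entry, while the Active Desktop check points at the local index.htm that supplied the warning background. Since the Active Desktop component lives under HKEY_CURRENT_USER, it explains why Geri's follow-up asks to run the clean-up under every account.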
     
  8. 2007/07/04
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    Question?

    Do I need to run these under each user, or will they all be clean in one sweep?
     
  9. 2007/07/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Run SDFix while logged into all accounts.

    Do you know what this is?

    C:\Killer Bees

    How are things, any more problems with mgrs.exe?

    Geri
     
  10. 2007/07/05
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    Re: Whats this?

    Killer Bees is my HJT folder; it keeps it hidden from most malware that hates HJT!

    No more probs with mgrs.exe. SDFix stopped my bluescreens also; I guess when restoring the registry it fixed that as well. I had a few BSODs after this stuff was D/L. Hope my son has learned a lesson.

    Thank you for always being here for us. Tell TEMERC cpumedic was back again!
     
  11. 2007/07/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi cpumedic

    Glad to hear things are better.

    You can delete SDFix, There will be newer versions if ever needed again anyway.

    Surf Safely
    Geri
     
