HiJackThis Log - Almost Clean Please Help [CLOSED]

Welcome to GTG.

Please do not post duplicate topics here. I closed your other topic.

How did you remove Aurora? I just want to know if you removed it properly.

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune....ads/KillBox.exe (or at http://www.greyknigh...spy/KillBox.exe if the main link doesn't work)
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads....hp?showtopic=80 (look for the attachment to download). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in Safe Mode!
Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.

log1.txt:
C:\Documents and Settings\ross cunningham\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\mc-58-12-0000079.exe: UPX!
C:\WINDOWS\system32\pgzingo.dll: UPX!
C:\WINDOWS\system32\qvpag.dat: UPX!
C:\WINDOWS\system32\rnvkln.exe: UPX!
C:\WINDOWS\system32\supdate.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dtnk.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\ru.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\wupdsnff.exe: UPX!
C:\WINDOWS\xhrgcsgrp.exe: UPX!
Finished
bye


log.txt:
The batch is run from -- C:\rem3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 900F-A149

Directory of C:\WINDOWS\system32

msi.dll
Finished

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://empnads.com/s...L?zone=enternet
O2 - BHO: SDWin32 Class - {0C9C1361-3A69-488B-B23D-5346CB007B68} - C:\WINDOWS\System32\kthzy.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [kthzyc] C:\WINDOWS\System32\kthzyc.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [redcfy] c:\windows\system32\kydofqt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rnvkln.exe reg_run
O23 - Service: hpafyap - Unknown owner - C:\WINDOWS\system32\hpafyap.exe (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\mc-58-12-0000079.exe
C:\WINDOWS\system32\pgzingo.dll
C:\WINDOWS\system32\qvpag.dat
C:\WINDOWS\system32\rnvkln.exe
C:\WINDOWS\system32\supdate.dll
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dtnk.exe
C:\WINDOWS\ru.exe:
C:\WINDOWS\wupdsnff.exe
C:\WINDOWS\xhrgcsgrp.exe
C:\Program Files\sder\
C:\WINDOWS\System32\kthzy.dll
C:\WINDOWS\System32\vbrundll.dll
C:\WINDOWS\System32\guarnset.exe
C:\WINDOWS\System32\kthzyc.exe
D0CE0C16B1
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\System32\regsync.exe
C:\WINDOWS\VCMnet11.exe
c:\windows\system32\kydofqt.exe

Restart and run a new HijackThis scan. Save the log file and post it here.

Thanks for your help again. Here is the log you requested:

Logfile of HijackThis v1.99.1
Scan saved at 4:42:34 PM, on 6/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\ross cunningham\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://empnads.com/s...L?zone=enternet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Spyware_Removal\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://empnads.com/s...L?zone=enternet
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\sder\ - unless you know what it's for, delete it - it's bad from what I'm finding about it

Restart and run a new HijackThis scan. Save the log file and post it here.

The 2 - R1 items that you told me to remove do not show up in safe mode. Just so you know.

Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 10:29:34 AM, on 6/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\ross cunningham\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://empnads.com/s...L?zone=enternet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Spyware_Removal\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Been meaning to ask you earlier about that. I assume you don't know what that R1 entry for empnads.com is for right? Fix them both in normal mode.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net...wnload/updates/ Do NOT the Ewido scan yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Next run a full scan in Ewido. Save the log from the Ewido scan so that you can post it later.

Restart your computer.

Then upload this file (C:\Program Files\sder\dees.exe) to this site and submit it. Post back the report for that file along with a new HijackThis log. Also give me that Ewido log.

The file C:\Program Files\sder\dees.exe is nowhere to be found. I see that it is running but there is nothing in the sder folder other than another folder called htdr. I do not have a search feature with Windows as it gives me the following error:
"A file that is required to run Search Companion cannot be found. You may need to run setup."

If searched worked I could possibly find the file. Just a note the file is also not there in safe mode.

Here is my ewido log...I did not fix any problems after the scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:58:58 PM, 6/7/2005
+ Report-Checksum: CED392BD

+ Date of database: 6/7/2005
+ Version of scan engine: v3.0

+ Duration: 61 min
+ Scanned Files: 58469
+ Speed: 15.92 Files/Second
+ Infected files: 20
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP30\A0004732.exe -> Spyware.Adstart -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP31\A0010776.exe -> Spyware.Adstart -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP33\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP34\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP35\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP36\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP37\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP38\A0012185.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP38\A0013185.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP38\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP47\A0015760.exe -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026751.exe -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026752.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026754.dll -> TrojanDownloader.Qoologic.p -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026755.cpl -> TrojanDownloader.Qoologic.p -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026758.exe -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP51\A0026759.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{EA00B1D7-5162-4C9B-8E64-FE52F4116458}\RP52\A0027795.exe -> Spyware.Adstart -> Ignored
C:\WINDOWS\system32\adstartup.exe -> Spyware.Adstart -> Ignored
C:\WINDOWS\system32\CDM\lhlcwdpmsa.exe -> Spyware.SmartPops -> Ignored


::Report End

HIJACKTHIS Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:39 AM, on 6/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\sder\dees.exe
C:\Documents and Settings\ross cunningham\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Spyware_Removal\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

OK, try this:

Go to Start->Run and type in cmd and hit OK. Then type in:

rd c:\progra~1\sder\

and hit Enter. Then type in exit and hit Enter.

Delete these two files:

C:\WINDOWS\system32\adstartup.exe
C:\WINDOWS\system32\CDM\lhlcwdpmsa.exe

Restart your computer.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Update to Service Pack 1a as soon as possible. Hold off on Service Pack 2 until all your problems are cleared up.

Restart and post a new HijackThis log.

Okay heres the update. I am beginning to think this needs a complete format/reintstall. It is problem after problem after problem. I thought i got rid of the sder folder, but it appears it comes back after every restart even with system restore completely off.

I downloaded the standalone version of sp1a, because when I go to windows update through internet explorer it just goes to a white page and says done. When i went to install the sp1a I get this error:

"Setup could not verify the integrity of the file Update.inf. Make sure the Cyptographic service is running on this computer."

I went to turn this on and fix the problem in the Administative tools and when I go to open this I get the following error:

"MMC cannot open the file C:\WINDOWS\system32\compmgmt.msc.

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file."

LOL - wow what a pain in the BUTT. For what its worth here is a hijackthis log let me know what you think:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:36 PM, on 6/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\dees.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ross cunningham\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\Spyware_Removal\ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

It looks like it did get rid of that folder though. It's just the file now. Let's see if we can get rid of it.

Delete this file:

C:\WINDOWS\System32\dees.exe

If it gives you problems, try deleting it in Safe Mode.

Go to Start->Run and type in regsvr32 c:\windows\system32\msxml2.dll and hit OK. See if that fixes that MMC error.

Restart and post a new HijackThis log. See if that comes back now.

Not sure about formatting. What other problems are you experiencing now (if any at all)?

That file is no where to be found in Normal or in safe mode. I even tried to locate it via command prompt.

regsvr32 c:\windows\system32\msxml2.dll did not work either Same Error.


I have searched the registry and everytime I restart the dees.exe is readded to

HKEYUSERS/Software/Microsoft/Windows/Run

The reason I said do a complete reformat is because I cannot get into administrative tools, I cannot run windows update, and I cannot search with the Microsoft Search.

Let me know what you think. No HiJackThis Log as nothing has changed.

So that dees file is still in the system32 folder? Try this:

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_USERS/Software/Microsoft/Windows/Run and delete dees.exe

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\dees.exe

How about if you go to Start->Run and type in regsvr32 msxml2.dll and hit OK?

One user mentioned that he did this and he got the windows function to work (like the problem you are having with the search and others). So I want to see if it would work for you also. OK, try getting that file here if you don't have it. Unzip it to the system32 folder. Try running that regsvr32 in the Run command box again.

Restart. Is that dees.exe still there?

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.