Problems with the computer

[TrongaMonga]

When I start the computer, the first thing that shows up is a window with cmd.exe, the dos window, and then a error window saying that iel.exe is not a valid Win32 application. Anyone know what the hell this is?

On a side note, Spybot keeps asking me if I want to change a registy value that, after I made a search, I discovered to be in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchBar, and would lead to this:

http://www.gyyoifuccviszpcntbuhwysar...OIAvmzkj0S.htm

Obviously some stupid spyware toolbar that can't get removed neither by spybot nor by hand... I tried deleting the registy, it comes back. I changed it to no, it comes back. Heck, I even changed it to BattleForums.com, it changes back. I don't know what to do, specially because it keeps changing every 30 seconds, and I don't want to turn the option down...

On a side note, there are some icons in my desktop that do not appear there if I go trough windows explorer... They too are of spyware and whatnot (Casino, Travel, Shopping, etc). They did not go away with Spybot, as well. And I'm tired of it. Getting a good firewall is out of question, unfortunately.

[Sly]

on spybot, how many spyware/adware apps is it searching for?(like the number at the bottom such as 1/23000) bc i thought mine was up to date bc it said it was up to date, but actually wasnt when i downloaded it again for my moms computer. so i downloaded another one for mine and removed all the spyware that i believed wasnt possible to remove.

though this may not solve ur problem, you never know.

but if there isnt any other way u may need to reboot it...which sucks if u have valuable info on it that u cant back up

[Dragnskull]

before u format always try everything under the sun. although spyware and adaware are gawdly of gawdly. try dl'n some new ones. its possible that they MIGHT catch soemthing adaware/spyware missed...

also try going to www.housecall.antivirus.com ...ive used it before, it picks up some spyware...if ur fortunant itll pick up urs...let it installw hen u use it (ull knwo what i mean when u do it)

also try going to start/run and type msconfig...search for things that startup that u dont need...other then that if ur deleting from the regestry and its reapearing, im not sure what to do...

also google the .exe program...see what it is...any error messege that shows up google it (write it down) thats how i fix alot of problems for the first time.

[TrongaMonga]

It was a new version of spybot, I had just install it...

One other thing, check these images.

In the first one, there's my normal desktop, with those Casino and whatnot stupid icons. In the second image, it is the desktop trough the Windows Explorer, and those Casino icons are not there. I can't even delete them, nor even select properties or showing up the menu by right clicking it, nothing at all...

[Lwek]

Have you tried the defragmenter and cleanup from system tools?

[Theroy]

Go into safe mode and scan with adaware then with spybot then remove everything it finds then do a hijack this scan and post the log file . Make sure to use adaware SE.

[Dragnskull]

oh yeah,f orgot abotu safe mode =/

[TrongaMonga]

Ok, so I ran Spybot and adware in safe mode, then I ran Hijackthis in safe mode, too, after deleting everything the other two showed.

This is what I got:

Quote:

Logfile of HijackThis v1.99.0
Scan saved at 23:08:40, on 31-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Joao Nascimento\Ambiente de trabalho\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oikcgkeztuqlis.uk/TAQNqby...OIAvmzkj0S.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BE50D83E-6379-C261-B7B5-C14A713CC21C} - C:\DOCUME~1\JOAONA~1\APPLIC~1\DebugBat\Vga cool.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [Itchlocksmanagerhtm] C:\Documents and Settings\All Users\Application Data\Win Meow Itch Locks\CreativeInter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [exittime] C:\DOCUME~1\JOAONA~1\APPLIC~1\CLOSEG~1\Defy meal vc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programas\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

After that, I restarted in normal windows, and made another hijack this.

Quote:

Logfile of HijackThis v1.99.0
Scan saved at 23:15:27, on 31-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\Mixer.exe
C:\Programas\Winamp\winampa.exe
C:\Programas\Java\jre1.5.0\bin\jusched.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Joao Nascimento\Ambiente de trabalho\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.elhnexpdtbtzefwjotdq.net/...OIAvmzkj0S.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BE50D83E-6379-C261-B7B5-C14A713CC21C} - C:\DOCUME~1\JOAONA~1\APPLIC~1\DebugBat\Vga cool.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [Itchlocksmanagerhtm] C:\Documents and Settings\All Users\Application Data\Win Meow Itch Locks\CreativeInter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programas\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

--Edit--

Quote:

Originally Posted by Lwek

Have you tried the defragmenter and cleanup from system tools?

The computer was formated very recently.

[Theroy]

Explorer.exe is a trojan I am sure of.

http://securityresponse.symantec.com...c.flood.g.html Remove that key or do a virus scan because you're infected trend micro link posted earlier.

I'd remove

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oikcgkeztuqlis.uk/TAQNqb...IAvmzkj0S.j pg

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

??


VGA cool I'm pretty sure is virus too but I'm unsure.

http://securityresponse.symantec.com...lw.donk.b.html


O4 - HKCU\..\Run: [exittime] C:\DOCUME~1\JOAONA~1\APPLIC~1\CLOSEG~1\Defy meal vc.exe

I'd look into this one probably remove it do a google search on it.

smss.exe

http://securityresponse.symantec.com...c.flood.f.html

lsass.exe

http://securityresponse.symantec.com....ratsou.b.html

Out of time. I'll look at it later feel free to AIM me. But defentaly do a virus scan. and the adaware scan in safe mode. Make sure to use housecall or pandasoft for the scan and not something like AVG.

Good luck

[TrongaMonga]

Well, I suppose the easiest thing to do, seeing that I formated the computer soon this week, is to reformat it again.

The problem is that I did not have the time to install any kind of anti-virus and firewall, as well as anti-spyware stuff, firefox included, before my brothers destroyed the computer.

It'd be easier that way

Any recomendation of a free good anti-virus and firewall?

--Edit--

Quote:

Explorer.exe is a trojan I am sure of.

http://securityresponse.symantec.co...rc.flood.g.html Remove that key or do a virus scan because you're infected trend micro link posted earlier.

I'd remove

I can't find the key. I did exactly as it said there, but it isn't there.

I couldn't find the file they say there, either

Quote:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oikcgkeztuqlis.uk/TAQNqb...IAvmzkj0S.j pg

That's the one I said in the first post:

Quote:

On a side note, Spybot keeps asking me if I want to change a registy value that, after I made a search, I discovered to be in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchBar, and would lead to this:

http://www.gyyoifuccviszpcntbuhwysa...IAvmzkj0S.h tm

Obviously some stupid spyware toolbar that can't get removed neither by spybot nor by hand... I tried deleting the registy, it comes back. I changed it to no, it comes back. Heck, I even changed it to BattleForums.com, it changes back. I don't know what to do, specially because it keeps changing every 30 seconds, and I don't want to turn the option down...

So, can't do anything about that one

Quote:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

Uh, what's wrong with this one? Hiperligações is portuguese for Hyperlinks

Quote:

VGA cool I'm pretty sure is virus too but I'm unsure.

http://securityresponse.symantec.co...llw.donk.b.html

Same as first, was unable to find anything whatsoever... And the same as the others, except the last... That one requires an Anti-Virus, which I do not possess, yet.

--2nd Edit--

After looking better, in this one,

Quote:

O4 - HKCU\..\Run: [exittime] C:\DOCUME~1\JOAONA~1\APPLIC~1\CLOSEG~1\Defy meal vc.exe

I searched on Current User rather than in Local Machine, and it worked, hopefully. That one is gone, I do believe. Deleted both registry and file.

[x42bn6]

Anti-Virus: http://www.grisoft.com/

It's a good time to get it, as it has a yearly license.

Run the program and run HijackThis again.*

[TrongaMonga]

I had to format the computer.

I'll explain later, seeing that that lsass.exe is forcing my comp to reboot. I barely have time to post.

[TrongaMonga]

I got problems with MsBlaster (it's the one that keeps rebooting the comp, correct?). I need help, fast. I can't download the windows updates, and don't bloody ask me why.

[x42bn6]

Immediately as lsass.exe is terminated, go to Start > Run > shutdown -a

Link info on the blaster worm: http://www.pchell.com/virus/msblast.shtml

*

[TrongaMonga]

Well, that does not work... If I write shutdown -a, the computer won't restart after I install the patch, no matter what I do after that. I try ctrl alt del plenty of times, does not work. Normal way does not work either, leads me to change user, then it just stays there doing nothing. The only way is using the reset button, but then it won't do jack shit... Not even if I write shutdown +a or only shutdown.

--Edit--

Is there any problem with installing the AVG, Spybot, Adware and a good firewall (please recommend, free) before fixing it?

[Theroy]

If you're into warez I can upload Mcafee v 9.0 and Zone alarm pro and om you the link to them, along with their corosponding serials.

[TrongaMonga]

I still want to know how am I supposed to fix blaster before doing it.

--Edit--

Ok, so I reinstalled windows, then installed AdWare, Spybot and AVG Free edition, scanned with them all. Spybot and AdWare found somethings, AVG found nothing.

I then made a new hijackthis scan:

Quote:

Logfile of HijackThis v1.99.0
Scan saved at 16:46:39, on 01-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\manager32c.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Trillian\trillian.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programas\Grisoft\AVG Free\avgcc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MS Manager32c Startup] manager32c.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MS Manager32c Startup] manager32c.exe
O4 - HKCU\..\Run: [MS Manager32c Startup] manager32c.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104558843148
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

I still can't remove Explorer.exe...

[Wing Zero]

i thought u cant remove exploror

[Theroy]

Wing explorer.exe and Explorer.exe are diff . Don't use AVG it's the worst of worst scanners. manager32c Don't know what that is. But to me every thing else looks good.

Here's a blaster removal tool

http://securityresponse.symantec.com...oval.tool.html

[TrongaMonga]

AVG's the only one I have.

That thing said it could not find blaster. I did both in normal and safe mode. If this isn't blaster, then what is it?