I've been to hell and back with this stuff.. Help me please

Also now it tells me that my windows memory is infected. windows explorer keeps ending and starting every 5 seconds…I tried moving/deleting the files but then usually my windows won’t run at all and then I have to reinstall it…HELP ME PLEASE!

Ok well I don’t think I’ve ever been so frustrated in my life. For the past 3 months, the internet on the 2 computers here at the house has worked for about 2-3 weeks. We had a lot of problems, sent the router to Netgear and had it tested, couldn’t figure it out. I knew my computer here had spyware and has had it now for almost as long as I can remember. And one day, my friend recommended avast. Fortunately, Avast was able to remove most of the viruses, but the computer still has some problems (I can get online most of the time). He also told me about lots of the Windows XP bugs (Sasser virus, etc). I had tried Spybot, then Adaware, then CWShredder, all in conjunction, but they would work only temporarily. And then, it got real bad (about 3 months ago). I’ve tried searching, talking to Dell, Cox Communications, and Netgear, among 1000 different things. At times I had better success by simply unplugging the computer and then plugging back in. None of the above stated companies (nor Microsoft) was able to help, in fact, Netgear charged me for it! (At the time everyone was telling us it was the router, since neither computer worked). Dell tried selling us Anti Virus stuff, but we refused to give in. (What a surprise, it’s in their better interest to PROMOTE this spyware stuff, since it puts people in a bind with their computers).

Anyways, here’s a HijackThis scan. I’m about 99% sure these viruses are scripting, as a few programs (Windows Media Player) don’t work. (And yes I’ve tried updating that stuff too). (There are some yahoo and other stuff, norton anti virus, etc).

I truly appreciate the help, as I have no other ideas, and I refuse to give in (and pay more money for a product that Manufacturers should stand behind). Thanks again
-Mike

Northern Virginia
USA

PS: My email is Illicon2003 @ hotmail . com just trying to prevent spam!!

Logfile of HijackThis v1.98.2
Scan saved at 4:13:35 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Logfile of HijackThis v1.97.7
Scan saved at 3:50:44 PM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\inetsrv\services.exe
C:\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Config\Desktop\HijackThis.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10022/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vwubx.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abosearch.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
F1 - win.ini: run=C:\WINDOWS\inetsrv\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34445616-9EEE-FCBC-1F9E-CA0C63B82DDD} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {DC710D77-5A09-2FBF-A797-DCAE7E649FA3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1096432297265
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37609.4224074074
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I didn’t go any further with your Hijack this log other than to note you have NAV and Avast running.

They will conflict with each other and cause problems.

If you search this forum you will find many posts about NAV and how to completely remove it.

Perhaps a boot-time scan with Avast afterwards and another Hijack this log file might help us to help you better.

Edit
Forgot to welcome you here, very remiss of me :o

illicon2003
Welcome to the Forums.
Please click on the Shortcuts For ALL link in my signature. You’ll find many resources there to help you. Please post back here for any additional help you might need.

TTTTTTT

I’ve tried everything I can

@ illicon2003

How’s the Honda going?

Oh! and the request for “help I need money for school”

:wink:

ever been googled?

You obviously haven’t followed any of the advice you received. Exactly what have you done?

yes that’s an old protect me log^^ I stopped the auto-updater and I no longer run norton anti virus…

and nah haven’t been googled before…where did you find the help I need money for school

Unless you completely un-install Norton according to the directions already provided, you’ll never solve this problem.

I’ve tried to uninstall norton numerous times. I don’t know if it’s off yet completely. This computer is so hard to use cause the tool bar on the bottom continuously loads and quits. But here’s my newest log

Logfile of HijackThis v1.97.7
Scan saved at 3:50:44 PM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\inetsrv\services.exe
C:\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Config\Desktop\HijackThis.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10022/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vwubx.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abosearch.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
F1 - win.ini: run=C:\WINDOWS\inetsrv\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34445616-9EEE-FCBC-1F9E-CA0C63B82DDD} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {DC710D77-5A09-2FBF-A797-DCAE7E649FA3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1096432297265
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37609.4224074074
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

the scan looks ok to me, except:
F1 - win.ini: run=C:\WINDOWS\inetsrv\services.exe

I don’t think service.exe should be loaded by win.ini (unless required by your ISP ?). You can try to test the file at http://virusscan.jotti.dhs.org/

and C:\AIM95\aim.exe is related to AOL?

illicon2003

  1. You’re using an old version of HJT
  2. This isn’t a complete log
    Did you use the uninstall utility from Symantec to uninstall NAV according to their instructions?
    If not, please click on the link in my signature and do the following:
    1. Download and use the NAV removal tool following all instructions.
  3. Download - install - run the latest HJThis program and post the full results.
    You might also want to download Eddy’s program HJT logfile analyzer.
    Follow the instructions I’ve outlined and then use the program.

This is the result of my HijackThis Log Analyzer (with the latest beta databases):


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
You are using the latest version of Internet Explorer.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\inetsrv\services.exe
\windows\system32\imapi.exe
r1 - hklm\software\microsoft\internet explorer\main,search bar = res://c:\windows\system32\vwubx.dll/sp.html#29126
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://abosearch.com/sp.html
f1 - win.ini: run=c:\windows\inetsrv\services.exe
o2 - bho: (no name) - {34445616-9eee-fcbc-1f9e-ca0c63b82ddd} - (no file)
o2 - bho: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
o2 - bho: (no name) - {dc710d77-5a09-2fbf-a797-dcae7e649fa3} - (no file)
o4 - hklm..\run: [xp_system] c:\windows\inetsrv\services.exe
o4 - hkcu..\run: [xp_system] c:\windows\inetsrv\services.exe
o16 - dpf: {02bf25d5-8c17-4b23-bc80-d3488abddc6b} (quicktime object) - http://www.apple.com/qtactivex/qtplugin.cab
o16 - dpf: {166b1bca-3f9c-11cf-8075-444553540000} (shockwave activex control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
o16 - dpf: {19e28afc-eae3-4ce5-ac83-2407b42f57c9} (mssecurityadvisor class) - http://protect.microsoft.com/security/protect/wsa/shared/cab/x86/mssecadv.cab?1096432297265
o16 - dpf: {3334504d-9980-0010-8000-00aa00389b71} - http://download.microsoft.com/download/0/c/8/0c8edfab-30bc-4792-898e-2dabe27b2c4d/mp43dmo.cab
o16 - dpf: {33564d57-0000-0010-8000-00aa00389b71} - http://download.microsoft.com/download/f/6/e/f6e491a6-77e1-4e20-9f5f-94901338c922/wmv9vcm.cab
o16 - dpf: {597c45c2-2d39-11d5-8d53-0050048383fe} (opucatalog class) - http://office.microsoft.com/productupdates/content/opuc.cab
o16 - dpf: {9f1c11aa-197b-4942-ba54-47a8489bb47f} - http://v4.windowsupdate.microsoft.com/cab/x86/unicode/iuctl.cab?37609.4224074074
o16 - dpf: {9fc5238f-12c4-454f-b1b5-74599a21de47} (webshots photo uploader) - http://community.webshots.com/html/wsphotouploader.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
o4 - hkcu..\run: [aim] c:\aim95\aim.exe -cnetwait.odl
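
The entries singled out in this thread (a services.exe outside system32, the win.ini run= line, BHOs with no file, the xp_system autorun present in both hives) can be picked out of a HijackThis log mechanically. The Python sketch below is an added example, not part of the thread and not Eddy's analyzer; its rule names and the assumption that Windows is installed in C:\WINDOWS belong to this example, and a hit is a prompt for manual review, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of the log posted in this thread (selected lines only).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetsrv\services.exe
F1 - win.ini: run=C:\WINDOWS\inetsrv\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34445616-9EEE-FCBC-1F9E-CA0C63B82DDD} - (no file)
O4 - HKLM..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
"""

# Assumption: Windows lives in C:\WINDOWS, as in the log; these names belong in system32.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"
ENTRY = re.compile(r"^([FNOR]\d+) - (.*)$")           # e.g. "O4 - <body>"
EXE_PATH = re.compile(r"[a-z]:\\[^\"\[\]=,]*?\.exe", re.I)
RUN_KEY = re.compile(r"^(HKLM|HKCU)\.\.\\Run: \[([^\]]+)\]")

def misplaced(path):
    # True when a core system file name runs from outside system32.
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM32_ONLY and directory != SYSTEM32

def triage(log):
    """Return (rule, detail) pairs worth a manual look; hints, not verdicts."""
    findings, hives = [], defaultdict(set)
    for line in (raw.strip() for raw in log.splitlines()):
        if any(misplaced(p) for p in EXE_PATH.findall(line)):
            findings.append(("system-name-outside-system32", line))
        entry = ENTRY.match(line)
        if entry is None:
            continue  # process-list line or header: nothing more to check
        code, body = entry.groups()
        if code == "F1" and re.search(r"\b(run|load)=\S", body, re.I):
            findings.append(("win.ini-autostart", line))
        if code == "O2" and body.endswith("(no file)"):
            findings.append(("bho-missing-file", line))
        run = RUN_KEY.match(body)
        if code == "O4" and run:
            hives[run.group(2)].add(run.group(1))
    # The same value name registered under both HKLM and HKCU Run keys.
    findings += [("autorun-in-both-hives", n) for n, h in sorted(hives.items()) if len(h) == 2]
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```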

ok great I did that. I also did a boot time and safe mode scans w/ up-to-date avast. I’m still having the issues with windows explorer, it appears to be quitting and then restarting over and over and over again. the toolbar just disappears and then reappears. over and over

windows memory is not infected according to avast…

the windows explorer is sooooo crazy though and it makes doing anything on this computer frustrating, and time consuming

Time to do a google search on the Explorer symptoms and see if it brings up any thing. Also worth a search of the MS support site.

Click on the link in my signature, then choose “malware removal instructions”. Don’t rush anything, but take your time to read that page and do as explained there.

When finished, come back here and let us know if it solved anything.

Ok thanks. I’m gonna try to do that. I also get this message here about Windows explorer trying to close.

AppName: explorer.exe AppVer: 6.0.2800.1106 ModName: kernel32.dll
ModVer: 5.1.2600.1106 Offset: 00013887