
Author Topic: Unable to virus scan....Pls HELP!!!!!  (Read 25124 times)


ap78

  • Guest
Re: Unable to virus scan....Pls HELP!!!!!
« Reply #15 on: March 05, 2007, 10:43:52 PM »
--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 33,982 bytes
Report generated in 0.361 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only



I will now give you the HJT log

ap78

  • Guest
Re: Unable to virus scan....Pls HELP!!!!!
« Reply #16 on: March 05, 2007, 10:49:27 PM »
Logfile of HijackThis v1.99.1
Scan saved at 12:47:04 AM, on 06/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\anushka\Desktop\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [Drammm] lolla.exe
O4 - HKLM\..\Run: [oSecurity] "C:\Program Files\Smartfix2007\osecurity.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169264208430
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - (no file)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)

ap78

  • Guest
Re: Unable to virus scan....Pls HELP!!!!!
« Reply #17 on: March 05, 2007, 10:50:52 PM »
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: McAfee HackerWatch Service - Unknown owner - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcods.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4979\SAService.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



That's all for now.  Thanks again for the help and let me know if you need anything else.

oddjob



    Hopeful

    Thanked: 4
    • Experience: Beginner
    • OS: Windows 7
    Re: Unable to virus scan....Pls HELP!!!!!
    « Reply #18 on: March 07, 2007, 03:42:55 AM »
    Hi again

    Please print this out to help you follow the advice.

    The startup log looks fine for the most part.

    However, I see you still have Symantec, AVG, McAfee and Windows firewall all in the log. It indicates that, somehow, your system is starting all these up. As has already been mentioned ... if you have multiple antivirus and multiple firewalls you will get problems.

    Please ensure only ONE antivirus and ONE firewall is operating on the computer. Disable the Windows firewall, if you're not using it, and uninstall any others not in use. This will avoid conflicts.

    ****************

    One more question ... can you open Registry Editor? NOTE >>> I DO NOT WANT YOU TO USE THIS.  I only want to see if you can open it.

    If you don't know how then do this .....

    Click on Start > Run then type "regedit" in the dialogue box (without the quote marks) and click on OK. Does the Registry Editor open up for you now?

    Like I say DO NOT do anything with the Registry Editor at the moment. Just let me know whether or not it opened for you.

    If it did open successfully just close it immediately by clicking on the usual "X" in the top right corner.

    Let me know what happened.

    ****************

    It seems that your copy of Internet Explorer may be malfunctioning or corrupt in some way. I recommend you try a repair but avoid IE7 for the moment.

    A number of XP users have reported situations with Internet Explorer 6 becoming corrupted and reporting a number of different errors. While there is certainly no guarantee, the two procedures listed below have restored functionality to IE6 for many users experiencing problems.

    Note: Both methods listed require that the Microsoft Windows XP CD-ROM be in the machine.

    Method 1

        * From the Start menu, select Run.
        * In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
        * Select the OK button.
        * Follow the prompts throughout the System File Checker process.
        * Reboot the computer when System File Checker completes.

    Method 2

        * From the Start menu, select Search, select All Files and Folders.
        * Select More Advanced Options and place a checkmark beside Search Hidden Files and Folders option.
        * Ensure that Search System Folders and Search Subfolders are also checked.
        * In the "All or Part of the File Name" box type ie.inf
        * In the Look In drop-down menu, select C: or the letter of the hard drive that contains the Windows folder.
        * Click the Search button.
        * In the search results pane, find the ie.inf file located in Windows\Inf folder.
        * Right click the ie.inf file and click Install on the context menu.
        * Reboot the computer when the file copy process is complete.

    ****************

    If you can't repair IE6 try reinstalling ...

    http://www.microsoft.com/downloads/details.aspx?FamilyID=1E1550CB-5E5D-48F5-B02B-20B602228DE6&displaylang=en

    ****************

    Now download Superantispyware from here ...

    http://www.superantispyware.com/

    Install it and try to scan your system with it. Let it fix anything it wants to.


    When done please post a fresh HJT log and an update on how your computer is behaving now.


    OJ
    « Last Edit: March 07, 2007, 03:48:18 AM by oddjob »

    ap78

    • Guest
    Re: Unable to virus scan....Pls HELP!!!!!
    « Reply #19 on: March 07, 2007, 12:45:53 PM »
    Hi there,
      Before I start following the new instructions I just wanted to let you know a few things.  Concerning my anti-virus/firewall etc programs:  I uninstalled Symantec and McAfee a long time ago.  I do not have them on my computer anymore.  I have been having issues where when I uninstall a security software, it does not uninstall everything.  I usually have to manually go through every file and folder and delete what's left. Right now the only programs that are installed on my computer are the AVG programs and the Windows firewall.

    As for the registry editor, I am able to open it.  It seems to function for now.  

    Concerning IE:  I'm not 100% sure on what you want me to do.  At the moment I have IE7 on the computer.  Do you want me to remove that and work only with IE6?  Could you please elaborate for me?  Also, my Outlook is just as corrupt as my IE.  Should I be doing something for that?  As for the methods of repair, I would only be able to do # 1 seeing as I am unable to use the search function on the computer.  Also, if I am to re-install IE, do I need to remove the version that is already on my computer or does the install just amalgamate with the old stuff?

    Thanks again.

    ap78

    • Guest
    Re: Unable to virus scan....Pls HELP!!!!!
    « Reply #20 on: March 07, 2007, 12:48:11 PM »
    Oh yeah,  I forgot to tell you (I'm sure you'll want to know) that when I uninstall anything I DO use the add/remove option as opposed to deleting it or using the program uninstall.

    oddjob



      Hopeful

      Thanked: 4
      • Experience: Beginner
      • OS: Windows 7
      Re: Unable to virus scan....Pls HELP!!!!!
      « Reply #21 on: March 08, 2007, 02:54:51 AM »
      Quote
      I have been having issues where when I uninstall a security software, it does not uninstall everything.  I usually have to manually go through every file and folder and delete what's left.
      Not unusual. Security programs leave your computer littered with "stuff". It's just that your startup log shows these things trying to load.

      Please look through your MSConfig and remove any tick/check marks for programs you do NOT want to load at startup.


      Quote
      Right now the only programs that are installed on my computer are the AVG programs and the Windows firewall.
      You'll have to use something else other than the Windoze firewall. It's not that good. Use a third party firewall like one of these ...

      Zone Alarm > http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za

      Sygate > http://www.simtel.net/product.download.mirrors.php?id=53687

      Kerio Firewall > http://www.sunbelt-software.com/Kerio.cfm

      Agnitum > http://www.agnitum.com/products/outpost/


      Quote
      As for the registry editor, I am able to open it.  It seems to function for now.
      That's good. One entry in the startup log gave me a little concern that RE might be corrupted.  



      On IE I thought you might have trouble with one of the repair versions.

      The thing is I see many people complaining that IE7 gives them problems so they are reverting to IE6.

      However, in view of your troubles, I recommend you stop using IE for the time being and use Firefox as your default browser. This may help improve things.

      We can return to IE problems later.

      In Firefox, download/install/run/scan with Superantispyware using the procedure as in my last post.

      Post a fresh HJT log and an update on how the computer is operating now.


      OJ

      ap78

      • Guest
      Re: Unable to virus scan....Pls HELP!!!!!
      « Reply #22 on: March 14, 2007, 08:26:11 PM »
      Hi again,
        Well so far this is where I am.  I have downloaded and installed Zonelab, it seems to be doing great.  I stopped using IE quite a while ago.  The problems with IE are why I downloaded and started to use Firefox and Thunderbird.  My computer is still in the same position, it is slow to start (faster than before since I removed items from start up), my search function is still void (except for the little doggie).  When I went through the MSConfig I found a bunch of Symantec, McAfee and lolla.exe items.  I don't know how to remove them so I just unchecked them for now.  I also scanned with the Superantivirus you recommended and it didn't come up with much, 1 or 2 files.  I let the program do what it needed to do.  Other than that, I'm not sure what else to mention.  So here is the new HJT log.

      Logfile of HijackThis v1.99.1
      Scan saved at 10:25:24 PM, on 14/03/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
      C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
      C:\WINDOWS\system32\lxcecoms.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\MSN Messenger\usnsvc.exe
      C:\Documents and Settings\anushka\Desktop\HijackThis\HijackThis.exe
      C:\WINDOWS\system32\wuauclt.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
      O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*

      ap78

      • Guest
      Re: Unable to virus scan....Pls HELP!!!!!
      « Reply #23 on: March 14, 2007, 08:27:06 PM »
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169264208430
      O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - (no file)
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      Looking forward to hearing the next steps, thanks again for your help.

      oddjob



        Hopeful

        Thanked: 4
        • Experience: Beginner
        • OS: Windows 7
        Re: Unable to virus scan....Pls HELP!!!!!
        « Reply #24 on: March 15, 2007, 05:18:09 AM »
        Thanks for those reports.

        Please print this out to help you follow everything.

        ***********************

        Make sure you have exposed all Hidden Files & Folders.

        To enable the viewing of Hidden files follow these steps:

           1. Close all programs so that you are at your desktop.
           2. Double-click on the My Computer icon.
           3. Select the Tools menu and click Folder Options.
           4. After the new window appears select the View tab.
           5. Put a checkmark in the checkbox labeled Display the contents of system folders.
           6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
           7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
           8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
           9. Press the Apply button and then the OK button and close My Computer.

        ***********************

        You have McAfee left-overs everywhere. If you definitely don’t want McAfee any more do this …

        >> uninstall all McAfee programs through "add/Remove Programs" in Windows "Control Panel", incl. Security Centre.

        >> Use the MCPR tool from here …..

        http://ts.mcafeehelp.com/faq3.asp?docid=408302

        This will remove all McAfee remnants from your computer. This tool works with Windows XP SP2 or W2K Pro SP4 or Vista.

        >> Launch Windows Explorer and delete all McAfee files in "Program Files" but especially in "C:\Documents and Settings\<user>\Application Data".
         
        Just delete the McAfee folders in all the "Application Data" folders even if they are empty. There could be more than one. Don’t miss any.

        ***********************

        Try this repair for your search facility.

        Go here …

        http://www.kellys-korner-xp.com/xp_s.htm

        Scroll down to the topic “Search - Doesn’t work” and act on the advice.

        Has this fixed your search function now?

        ***********************

        If Search is now working then search for the lolla.exe file and report back all the locations where it’s found.

        If you can’t do this then go back to Msconfig and note down the lolla.exe  file location(s) shown.

        >> Post the addresses back here.

        ***********************

        You still have a bunch of Trojans hiding on your machine.

        ***********************

        Download and install the fully working trial version of TrojanHunter from here …

        http://www.misec.net/

        Make sure it is updated to the latest definitions (you may have to do this manually) but DO NOT USE IT YET.

        ***********************

        Download SDFix http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

        Save it to your desktop.

        DO NOT USE IT YET.

        ***********************

        Boot to safe mode. Here’s the usual “how to” if you’re not sure ..

        http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

        Log in to your usual account.

        ***********************

        In Safe Mode run a full system scan with TrojanHunter. Let the program fix what it wants.

        ***********************

        Still in safe mode right click the SDFix.zip folder and choose Extract All

        Open the extracted folder and double click RunThis.bat to start the script…

        Type Y to begin the script.

        It will remove any remaining Trojan Services then make some repairs to the registry.

        It will prompt you to press any key to Reboot … Press any Key and it will restart the PC.

        Your system will take longer than normal to restart as the Fixtool will be running and removing files.

        When the desktop loads the Fixtool will complete the removal and display Finished.

        Press any key to end the script and load your desktop icons.

        ***********************

        You should be in normal mode now but, if not, reboot to normal mode now.

        ***********************

        Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back here with a new HijackThis log AND an update on how the machine is working now.


        OJ
        « Last Edit: March 15, 2007, 05:57:55 AM by oddjob »
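
One way to automate the reading of the two HijackThis logs posted above, as an added example that is not part of any post in this thread: it parses the section-coded lines, flags entries whose target is reported as `(file missing)` or `(no file)`, flags `Run` values that name a program without a path, and diffs the earlier log against the later one. The function names and the `SYSTEM_LAUNCHERS` allowlist are assumptions made for this example; a flag means "find out where this loads from", not a verdict.

```python
import re

# Constructed samples: a few lines copied from the two HijackThis logs in this
# thread (replies #16-17 and #22-23). The full logs are longer.
LOG_MARCH_06 = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Drammm] lolla.exe
O4 - HKLM\..\Run: [oSecurity] "C:\Program Files\Smartfix2007\osecurity.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
"""

LOG_MARCH_14 = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")  # O4 registry autoruns
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")

# Assumption for this example: launchers that normally appear without a path.
SYSTEM_LAUNCHERS = {"rundll32", "rundll32.exe"}


def parse(log_text):
    """Return (section_code, body) for every section-coded line; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def first_token(command):
    """Program part of a Run command: the quoted string, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def review(entries):
    """Flag orphaned entries and Run values that give a file name with no path."""
    findings = []
    for code, body in entries:
        if ORPHAN_RE.search(body):
            findings.append((code, "orphaned", body))
            continue
        run = RUN_RE.match(body) if code == "O4" else None
        if run:
            exe = first_token(run.group(4))
            if "\\" not in exe and exe.lower() not in SYSTEM_LAUNCHERS:
                findings.append((code, "no-path", body))
    return findings


def diff_logs(old_entries, new_entries):
    """Entries that disappeared from, and appeared in, the later log."""
    old_set, new_set = set(old_entries), set(new_entries)
    removed = [e for e in old_entries if e not in new_set]
    added = [e for e in new_entries if e not in old_set]
    return removed, added


if __name__ == "__main__":
    old, new = parse(LOG_MARCH_06), parse(LOG_MARCH_14)
    for code, reason, body in review(old):
        print(f"{reason:9} {code:4} {body}")
    removed, added = diff_logs(old, new)
    for code, body in removed:
        print(f"removed   {code:4} {body}")
    for code, body in added:
        print(f"added     {code:4} {body}")
```

An entry that drops out of a later log because it was unchecked in MSConfig is only disabled; the file it pointed to may still be on disk.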

        ap78

        • Guest
        Re: Unable to virus scan....Pls HELP!!!!!
        « Reply #25 on: March 18, 2007, 07:09:49 PM »
        Hi there,
          I was unable to complete your instructions.  I got to the part for repairing the search companion but when I follow the instructions I am told to insert the XP SP2 CD.  When I insert the CD it won't run.  I tried it on another computer and it works there.  Therefore I was unable to complete a scan for lolla.exe.  I did not continue to follow the rest of the instructions as I was unsure if they had to be done in that specific order.  If not I will continue with the rest.  Please let me know what I should do.
        Thanks again.

        oddjob



          Hopeful

          Thanked: 4
          • Experience: Beginner
          • OS: Windows 7
          Re: Unable to virus scan....Pls HELP!!!!!
          « Reply #26 on: March 19, 2007, 06:10:55 AM »
          I'm assuming that the CD won't run automatically.

          With the CD in the drive can you go to Start > Run and type D: in the dialogue box ... click OK. (NOTE >> replace the "D" here with the drive letter for your disk drive).

          ***************

          If this doesn't help skip that bit and carry on from where I say ..

          Quote
          If you can’t do this then go back to Msconfig and note down the lolla.exe  file location(s) shown.
           
          >> Post the addresses back here.


          Best of luck. You do seem to have a rather difficult problem here.


          OJ
          « Last Edit: March 19, 2007, 06:15:33 AM by oddjob »

          ap78

          • Guest
          Re: Unable to virus scan....Pls HELP!!!!!
          « Reply #27 on: March 19, 2007, 12:32:23 PM »
          Actually, your assumption was wrong, I did try to run it manually.  The CD won't work in my computer  >:( .  This is quite frustrating.
          Here is the pathway for the lolla.exe: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

          oddjob



            Hopeful

            Thanked: 4
            • Experience: Beginner
            • OS: Windows 7
            Re: Unable to virus scan....Pls HELP!!!!!
            « Reply #28 on: March 19, 2007, 01:11:40 PM »
            OK, thanks for the explanation. Just checking.

            That address for lolla.exe ... is it complete? I think it would have started "HKLM" and somewhere on the end the lolla.exe would appear.

            Can you post the complete address, please, and I'll see what can be done. Thanks.

            Meantime ... go back to MSconfig, startup tab, and untick/uncheck the lolla.exe item(s) to stop them from loading when your system boots up.


            Also .... are you able to move forward and do the rest of what I recommended in my earlier post #24? If so please go ahead and do it all.

            Let me know if you can't do anything I advise.

            Best wishes.


            OJ
            « Last Edit: March 19, 2007, 01:20:25 PM by oddjob »

            ap78

            • Guest
            Re: Unable to virus scan....Pls HELP!!!!!
            « Reply #29 on: March 19, 2007, 02:55:39 PM »
            Hi OJ,
              I just completed the rest of your prior post.  Both programs found nothing. I will paste the results:


            SDFix: Version 1.73

            Run by anushka - 19/03/2007 - 16:09:27.74

            Microsoft Windows XP [Version 5.1.2600]

            Running From: C:\Documents and Settings\anushka\Desktop\SDFix\SDFix

            Safe Mode:
            Checking Services:






            Restoring Windows Registry Entries
            Restoring Default Hosts File


            Rebooting...

            Normal Mode:
            Checking Files:

            Below files will be copied to Backups folder then removed:

            C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe - Deleted



            ADS Check:

            C:\WINDOWS\system32
            No streams found.


                                             Final Check:

            Remaining Services:
            ------------------



            Authorized Application Key Export:

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
            "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
            "C:\\WINDOWS\\system32\\lxcecoms.exe"="C:\\WINDOWS\\system32\\lxcecoms.exe:*:Enabled:4300 Series Server"
            "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcepswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcepswx.exe:*:Enabled:4300 Series Printer Status"
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
            "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
            "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
            "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
            "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
            "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
            "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
            "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
            "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


            Remaining Files:
            ---------------

            Backups Folder: - C:\DOCUME~1\anushka\Desktop\SDFix\SDFix\backups\backups.zip

            Checking For Files with Hidden Attributes :

            C:\WINDOWS\system32\bn.dll

                                             Finished


            OK, so I believe that is all you asked me to do.   As for the lolla.exe file,  this is exactly what is there.  3 columns:  Under the startup item it says - lolla,  Under command it says - lolla and finally under location it says -  SOFTWARE\Microsoft\Windows\CurrentVersion\Run.  Lolla.exe and osecurity (which I have also unchecked) are the only ones that don't have some sort of HKLM or HKCU before the location.  I unchecked the osecurity because it is no longer on my computer.  Also,  I wanted to ask you how to get rid of the remnants of Symantec (Norton) which was uninstalled a while ago.
            Thank you so much for all your help and patience.  It is extremely appreciated.