Hi FLYN,

You do have at least one infection (a worm), as indicated by this HJT log entry:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe (file missing)

However, you need to take care of something first:

C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.

-----------------------------------------------------------------------------------------
Once you've moved HJT to a safe folder, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

2. Download and install the CCleaner utility, but don't run it yet.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "lsass" or "Local Security Authority System Service" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

4. Run HijackTHis again, put a check mark next to the following entry, and then click the "Fix checked" button:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe (file missing)

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

lsass

Close HijackThis after that.

5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

7. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following file if it still exists:
C:\WINNT\lsass.exe


9. Empty your Recycle Bin and reboot normally.

10. Run HijackThis again, and post the new log. Also post the log that ewido generated.

I just installed ewido and have not even run it yet per your instruction when suddenly a window popped and said,

" infected object found...

Unfortunately, you can get infected within minutes if you do any Web surfing before all of your anti-spyware/anti-virus protections are in place. Judging from your log, that's what has happened in your case. Your new infection is different from the last one, so I've modified my previous instructions to target the current infection:You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

2. Download and install the CCleaner utility, but don't run it yet.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MsLX32" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

4. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button:

O4 - HKLM\..\Run: [wlsass] C:\WINNT\System32\wlsass.exe
O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\Run: [win32] C:\WINNT\System32\win32.exe
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O23 - Service: MsLX32 - Unknown owner - C:\WINNT\MsLX32.exe

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

MsLX32

Close HijackThis after that.

5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

7. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following files if they still exist:

C:\WINNT\System32\wlsass.exe
C:\WINNT\System32\win32.exe
C:\WINNT\MsLX32.exe


9. Empty your Recycle Bin and reboot normally.

10. Run HijackThis again, and post the new log. Also post the log that ewido generated.

What exact errors do you encounter when trying to install Norton?

What did the last hijack scan report?

The last HJT log you posted was totally clean. Do we still have issues to work on?

You can:

A) Open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a properties window with more details. If you see any entries whose details look like they might relate to the problem, post the full and complete contents of the details window(s) here. Here's the easiest way to post those details:

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.
- Paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

B) Run another set of scans with ewido and MS antispyware. Post the new log from ewido, as well as a new HJT log.

Not good; those errors could indicate a hardware problem with the drive or motherboard electronics; they could also indicate a problem with the motherboard's IDE driver. Here are some things to try:

* Reinstall/upgrade your motherboard's IDE controller driver software.
* Check the data and power cables. Make sure they are seated firmly, and that there is no physical damage (nick, cuts, etc.) to them. Try different cables if possible.
* Remove the drive and physically inspect the circuitry on the drive's controller card. Check for burned/cracked/discolored components. Use your nose- sniff around for that distinctive, telltale smell of overheated silicon.
* Install the drive as a slave drive and see if it still exhibits problems. Make sure to pay attention to Master/Slave/Cable Select jumper settings on the drives.

Ok, I see. Are there any other kinds of error or warning messages in the Event Viewer?