Can someone please help

Discussion in 'Software' started by Mindy, Sep 2, 2004.

  1. Mindy

    Mindy Private E-2

    I got rid of a virus and two trojans. Then I got rid of spyware, etc. Now my pc is doing 2 things: it keeps looking for a floppy disk and something keeps writing to my hard drive while I'm doing nothing cuz the cursor changes to an hourglass often. I opened up Task Manager and under Processes here is what popped up when my pc was checking for a floppy disk: LUCOMS~1.EXE and a couple of other things popped up and went away but not at the precise time it was looking for a floppy disk: DSLog (didn't have time to get the extension), WMIPRVSE.EXE, and wuauclt.exe. With nothing else open except Task Manager, a couple of processes also keep changing the memory usage: LSASS and MsPMSPSv. Can someone help me please?
     
  2. billH

    billH Master Sergeant

    Hi Mindy :) Read about Lucoms.exe here and WMIPRVSE.EXE here and LSASS here and MsPMSPSv here
     
  3. Mindy

    Mindy Private E-2

    Thanks Bill but have few more questions. First of all, I don't have Norton set to automatically update but why in the world would it cause my pc to check for a floppy disk? I did a search for that file and it came up in Windows\Prefetch\LUCOMS~1.EXE - 1DF6F3E9.pf and I don't even know what Prefetch is. Can you help?
    Thanks
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    The prefetch folder houses the software and/or drivers that have been used frequently, they aid in a small way to software loading slightly quicker... it's XP's way of second guessing what software you may use!!! ... however over time as you uninstall or update software older files are left in there.

    It is a good idea to delete the contents of the prefetch folder periodically ( I do mine generally every month )



    This software is an easy way to clean the folder ( or you can just delete the content of the folder )

    Windows XP Prefetch Clean And Control 1.2.0
    http://www.majorgeeks.com/download2495.html
     
  5. Mindy

    Mindy Private E-2

    Thank you so much for the info. I seem to learn more everyday but I know there are 500 trillion more things I could learn. Anyway to the point, I deleted everything in the Prefetch file, rebooted my pc, and I'll be darned if that LUCOMS~1.EXE didn't come back up for a few seconds in the processes of Task Manager and search for a floppy disk. What else can I do???? :rolleyes:
     
  6. Mindy

    Mindy Private E-2

    Ooh, one more thing (or two), research says that when that file name comes up like that then my pc has lost its ability to show long file names. Also, wuauclt.exe runs and research said it is an automatic update for Win ME and I have XP...Any ideas?
     
  7. billH

    billH Master Sergeant

    Hmmm . . . have you downloaded and run any of the trojan, worm or hijacker removal tools like CoolWebSearch or CWShredder? As found by clicking here. The ME update seems strange to me also.
     
  8. Mindy

    Mindy Private E-2

    Yes, I downloaded and ran CW Shredder about a month ago and ran it and it said my system was clean. However, since then, I have tried to update it and run and cannot update it. It would just say unable to retrieve update or something. Last night I tried to update it again and I got a message saying that I may have a variant of a trojan like CoolWebSearch (CWS.Smartsearch.2) and that it was trying to close CWShredder. I couldn't update it but I did run a scan and it found nothing.
    Have you ever heard of some processes popping up in Task Manager for just a few seconds (while you're doing nothing but staring at it) and then going away?
    And how do you fix a pc to show the long file names? :rolleyes:
    Thank you.
     
  9. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    If you have Windows auto updates set to run... WindowsUpdateAutoUpdateCLienT this will pop up in ME/XP

    as for the other, LUCOMS~1.EXE is part of Norton's Live Update ( did search )..... do you have Norton products installed? So that could explain the quick popup in the task manager then going away once it's checked for updates, do you have any internet action at the time this happens... if you have a firewall program and it shows incoming/outgoing data as a graphic in the system tray or you have a connection icon in the tray they do show if the internet is active. Dunno why it's all of a sudden accessing your floppy drive tho... some more searching is needed.
     
  10. Mindy

    Mindy Private E-2

    Thanks for clearing up the Win update file. Yeh, I found out the LUCOMS was Norton automatic update but I don't have it set to automatic update!? A couple of things have changed today, maybe yesterday, : (1) my pc only checks for a floppy upon boot up and when I log off to switch users (2) On my other logon screen, if it sits idle for 5 minutes it goes into the Welcome Screen and I have checked the Display config and it is NOT set to do that, nor is there a screensaver set. I really do appreciate your help. ;)
     
  11. Mindy

    Mindy Private E-2

    I just figured something out. My cursor changes to an hourglass every 45 to 60 seconds. This has been going on for about a month. I was watching the processes and just caught it: msmsgs moves from one spot in the processes section of Task Manager from one place to another. I knew that msmsgs was a problem becuz I have set everywhere to not start up on its own and not run in the background but it keeps coming back checked in msconfig and stays in the processes. I cannot get rid of it.
     
  12. barnburner

    barnburner Private First Class

    go to your "run" box and type in

    RunDll advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

    then enter. That will get rid of windows messenger
     
  13. Mindy

    Mindy Private E-2

    OK, I typed it in exactly as you said and got a message that Windows cannot find RunDll - what is goin on?
     
  14. barnburner

    barnburner Private First Class

    Whoops - I think I mistyped. Copy and paste this into run:

    RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove
     
  15. Mindy

    Mindy Private E-2

    Hello Barnburner,
    I would like to keep Messenger, but I want to stop it from automatically running in the background. I've tried everything. The command you gave me, would that uninstall it? Can I get it back if I do that? Also, any idea why Norton is trying to read my floppy (seems to do it now when I manually enable the autoprotect and when I log off)????
     
  16. barnburner

    barnburner Private First Class

    Yes - that would completely get rid of messenger.
    You might try this program - I've been told that it allows you to turn messenger on and off. Here is their home page.
    http://grc.com/stm/ShootTheMessenger.htm

    As far as why Norton is trying to read your floppy? I dunno - I used to be a big Norton fan, but seems like the last few years I found it to be creating more problems than it was worth.

    Good luck.
     
  17. Mindy

    Mindy Private E-2

    Ok, I downloaded the Shoot the messenger and ran it. It said Windows Messenger was disabled. But msmsgs.exe still shows up in the processes of Task Manager, not in systray, so it is still running in background. And msmsgs pops around in the processes list and that's when my cursor changes to an hourglass. Have u ever heard of that?
     
  18. Just Playin

    Just Playin MajorGeek

    That is for MSN Messenger, an IM program, not Windows Messenger. Read this: http://www.liutilities.com/products/wintaskspro/processlibrary/msmsgs/ This is an AdAware plugin that will stop it from loading with Outlook Express, if you don't want it: http://www.majorgeeks.com/download.php?det=4045
     
  19. Matacumbie

    Matacumbie Rocky Top

    Mindy,

    Have a look here, http://support.microsoft.com/default.aspx?scid=kb;en-us;302089&Product=WinMsgr#appliesto

    See if this solves your messenger problem.

    Steve
     
  20. Matacumbie

    Matacumbie Rocky Top

    This is from Symantec Support,

    Make sure that you have set NAV to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of NAV.

    See if you have somewhere in options how to disable this function. It may help your problem with the floppy drive.

    Steve
     
  21. Mindy

    Mindy Private E-2

    I finally got rid of msmsgs from running in the background. I had to get rid of the add-on MSN in Messenger which allowed me to access my hotmail account automatically. And nothing is configured in Norton to check floppy disks on its own when I log off or switch users. None of these problems began until I got rid of the viruses and spyware stuff. What should I do? :eek: (BTW my husband got 2 trojans by trying to download a Heidi Klum screensaver!!!) :mad:
    I want to continue to do online banking but afraid. What do you guys think? Do you think anyone has control of my pc or can copy my passwords, etc? I just don't know enuf about this crappy stuff. 4 AVG's have pronounced me clean about 75 times since I found them. Overkill I guess, but I'm scared. Please tell me if I should be that concerned.
     
  22. billH

    billH Master Sergeant

    Hey again Mindy :) Let the good folks at trend micro have a looksee and, while you're at it, give pest patrol a shot also.
     
  23. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    as well as what Bill posted by going to Trend ( did it myself yesterday.. even tho my AV has always protected me I just like to run Trend's now and again ) BUT I would also get this and run its scan.. a² is a complementary Trojan, Dialer and keylogger app which aids your normal AV scan,

    http://www.majorgeeks.com/download4281.html
     
  24. billH

    billH Master Sergeant

    Definite second on a2. It's a great proggie. I use it every week or so to back check my other spyware proggies.
     
  25. billH

    billH Master Sergeant

    Bazooka is a very low profile scumware detector also. Can be found here.
     
  26. Mindy

    Mindy Private E-2

    I'm sorry but I have no clue what a2 is or where you get it. Have run Trend, Panda, AVG & NAV about 50 times and they all say I'm clean. It was after I got rid of all the nasty stuff that my pc started acting funky. Ran Filemon yesterday, said some Windows files were missing, had some failures and System 4 even "wrote" to my Config\System.Log . I know the date when my sweet :mad: hubby first got the Citifraud virus and the Downloader Comet.B & C were after that. What do you guys think of me doing a Restore before the first virus??? Thanks for everything.
     
  27. billH

    billH Master Sergeant

    ***bump*** Maybe if we bump your post to the top Adryn or Wiz or some of the other good guys can take a look. There's gotta be a way to stop Norton from doing the "check the floppy" boogie it's doing now. a2 can be found here on MG. As to doing anything involving stuff you don't want made public -- like banking -- I'd hold off until some of the big brains around here can take a gander at your symptoms.
     
  28. Mindy

    Mindy Private E-2

    I've never used forums, chats, etc. so this is all new to me. I don't know how to "bump" my thread (I guess that's right) to the top. Now, when I Log on (after my pc has booted up) something checks for a floppy AND when I log off or switch users my floppy is accessed. Man, I'm telling you I got so used to the ease of paying bills online, it's like going back to the stone age to take care of them manually. I really need to get back to the space age.... ;)
     
  29. Mindy

    Mindy Private E-2

    No, it didn't work, tried to make some changes in my profile.
     
  30. Matacumbie

    Matacumbie Rocky Top

    Mindy,

    Try this,

    Click on Start > Control Panel. Double click on Folder Options. Click on the View tab. Scroll down to just below "Hidden files and folders"; the third box down is "Launch files and folders in a separate process." If it is checked, click on it to uncheck the box. Click Apply > OK and then restart your computer.

    Steve
     
  31. Mindy

    Mindy Private E-2

    Hi Steve,
    I checked the folder options as you suggested and it was already unchecked. Any other suggestions more than welcome.
     
  32. Matacumbie

    Matacumbie Rocky Top

    One more suggestion. I came across an article where the user was having the same problem, they tried most of the things you have but didn't work. They finally nailed it down to the (WMI) Windows Management Instrumentation Service in Windows running in the background, that was the exe file that billH gave you info on (WMIPRVSE.EXE).

    Here is some of the article,

    Using WinXP's MSConfig, by process of elimination, involving umpteen restarts with forever less services going, I finally nailed the bas....d!
    It was the WMI-service (Windows Management Instrumentation) that caused my PC to access the floppy-drive. After checking it out on the web, I found that I can disable both WMI-services.

    I do not know that much about this service or how to disable the two WMI-services. I found this below and will be looking for info on the other, or maybe one of the other members can help with finding and disabling.

    To verify that Windows Management Instrumentation Service is running:

    1. Click Start, Control Panel, then Performance and Maintenance

    2. Click Administrative Tools, Computer Management, then expand Services and Applications.

    3. Click Services (not WMI Control), then click Windows Management Instrumentation (be sure you select this service and not the WMI driver extensions). Ensure the service is set to Automatic and the status is 'started'.

    Steve
     
  33. Mindy

    Mindy Private E-2

    I do believe it's a possibility that that process is giving me some problems but I didn't quite understand what to do about it from your post. I checked to see if it was automatic and started and it was. Was I supposed to do anything else? When Bill posted that about a virus placing that file wherever, I did read the article and checked everything it said to check and nothing showed that it was a "problem". Something else I'm going to try is to get an external firewall and disable NAV, then see how my pc behaves. Will post back.
     
  34. Matacumbie

    Matacumbie Rocky Top

    Mindy,

    Sorry if my post was a little confusing. I was in a hurry and trying to get as much information as I could to you about the WMI issue, that might be your problem.

    Post back if NAV disable doesn't work for you.

    Steve
     
  35. Mindy

    Mindy Private E-2

    Well, I disabled NAV from booting up in msconfig; however, even tho there are no icons of NAV in the systray, some of its processes are still running. Do I have to uninstall it?
    Also, whoever has Zone Alarm, quick and stupid question: How do you get the control program to go away? I can minimize it but if I try to close it - it says I'll be shutting it down and won't be protected. Surely that can't be right. Why can't I (X) out of it?
    Also, got a cable router. Do you think it's safe for me to shop and bank online now?
     
  36. Matacumbie

    Matacumbie Rocky Top

  37. Matacumbie

    Matacumbie Rocky Top

    Mindy,

    Also, if you want to check the WMI settings. Windows XP Home has two,
    WMI Performance Adapter Service and Windows Management Instrumentation Service.

    Windows Management Instrumentation Service is the most important, it is probably the one you found earlier that is set on automatic, so it is right. See here, http://www.theeldergeek.com/windows_management_instrumentation.htm

    The second, WMI Performance Adapter Service, default setting is manual. See here, http://www.theeldergeek.com/wmi_performance_adapter.htm that is the one I thought you might check to make sure its default setting had not changed.

    But, I can't find it to tell you how to check it. :rolleyes: I have looked everywhere and can't seem to find it, if none of the other steps you are taking solve the problem maybe someone here can locate it so you can at least check the settings ( if any ).

    Good luck, I know you are trying.

    Steve
     
  38. billH

    billH Master Sergeant

     
  39. Mindy

    Mindy Private E-2

    Thanks guys, I've really learned so much my head is spinning :eek: Not just my eyes.... anyway, something new. When I boot up, my toolbar where the Start button is and the clock, etc. turn navy blue for about 30 seconds then the right things come up. What's up with that?
     
  40. Mindy

    Mindy Private E-2

    All of my problems started when I found and got rid of some trojans and a virus, then some scumware. Here's the thing. In my msconfig it still shows the file "dmserver" that was infected with trojan downloader comet.A & B. Even though I supposedly healed it and deleted the Comet program, it is still showing up in my msconfig. I can't find the comet program anywhere or dmserver but it is there in my msconfig (not checked though). So I got brave and went into Regedit. I looked for that program and couldn't find it. When I researched it, it said it was also called Orbiter or Xupiter. So, I did a search in Regedit for *comet* and about 12 things came up. Some of them clearly said the names I mentioned and I deleted them. But other things were listed too: pestpatrolcl*; winutil*; *.xml; filemon; *.pf; *launch*; and DSLog*. I just checked my msconfig and the dmserver of Comet programs is still listed. Can someone tell me what this means? Am I still infected? Should I delete the rest of those items in the registry? How do I know if someone has hacked into my pc? Please help, I am worrying myself cuckoo over this. :rolleyes:
     
  41. shaggysays

    shaggysays Private E-2

    Mindy if you want to disable Messenger go to your Start/Run, type gpedit.msc, under User Configuration / Windows Components, you will see Windows Messenger, double click it and it will read 'do not allow messenger to be run' and 'do not let windows messenger start initially', click on both of those options and click enable and apply, there you go messenger gone for good - restart btw. Also
     
  42. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Mindy was trying amongst a few other things in this post to stop XP's instant messenger client from starting at boot as she already had the messenger service disabled....
     
  43. Mindy

    Mindy Private E-2

    Hey, it's good to be back. I've had all kinds of problems. I had to re-install my OS and changed internet providers. Added a router and have a hard time trying to get everything straight. I think I still have a problem with my CD drive or driver. Using Sonic Record Now and got 2 BSOD but haven't used it lately and haven't gotten any BSOD so far. Oh yeh, after I installed my OS, I installed SP 2. This is what happened while my pc was idle, In Event Viewer I read this: Error: 12:16
    Perfnet, Event 2004, User N/A: Unable to open the Server Service. Server performance data will not be returned. Error code returned is in data DWORD 0.
    Does anyone know what that means?
     
  44. Kodo

    Kodo SNATCHSQUATCH

    I have a client who's had nothing but issues with the Sonic Software. I had to remove it, it was that bad.
    She now uses
    CD BurnerXP PRO (Free and the non-beta edition.)

    -> this is beta http://www.majorgeeks.com/download4242.html

    and no problems.
     
