
XP-System Restore not working

Discussion in 'Security and Privacy' started by beamuse, 2004/06/01.

Thread Status:
Not open for further replies.
  1. 2004/06/01
    beamuse

    Hi Guys

    I am helping a friend and she says her surfing is at a crawl - in fact so slow that she is told to refresh the page. I have had her run spybot and have helped her remove Bargain Buddy and MySearch. This has not helped. I suggested a system restore and she is being prevented from restoring.

    She has Norton firewall and antivirus

    I had her run Hijack This (it was too long to include in this post so I will post in two separate posts)
    Logfile of HijackThis v1.97.7
    Scan saved at 4:38:45 PM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\WINDOWS\WinXPLoad.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Documents and Settings\Desktop\FreeRAM XP Pro 1.40.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\41638XY3\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.delphiforums.com/sigcountry/myforums
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref( "aim.internal.buddy.MaxBuddies ", 160);
    user_pref( "aim.session.finishedwizard ", true);
    user_pref( "aim.session.firsttime ", false);
    user_pref( "aim.session.screenname ", " ");
    user_pref( "browser.cache.directory ", "C:\\Documents and Settings\\Application Data\\Mozilla\\Profiles\\default\\s3cakl7g.slt\\Cache ");
    user_pref( "browser.history.last_page_visited ", "http://www.marquel.com/store/R280d.html ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage_override.1 ", false);
    user_pref( ".aim.im.playall ", true);
    user_pref( ".aim.session.autologin ", false);
    user_pref( ".aim.session.firstsignon ", false);
    user_pref( ".aim.session.password ", "0Ymxlc3NlZA== ");
    user_pref( ".aim.session.storepassword ", true);
    user_pref( "mail.account.account1.identities ", "id1 ");
    us
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe "
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WinXPLoad] Rundll32 LoadDll,LoadExe WinXPLoad.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe "
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Desktop\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: Forget Me Not.lnk = C:\Program Files\Mindscape\AGCraft\PMREMIND.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Trillian.lnk = ?
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: ipalm Monitor 1.0.lnk = F:\Panasonic\Driver\Setup.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Pocket TV Manager.lnk = C:\Program Files\Pocket TV Browser\PTVManager.exe
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE


    She is willing to do whatever it takes
    What do you think????
     
  2. 2004/06/01
    beamuse

    Hijack Log Part 2

    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .asx: C:\Program Files\Compaq\Netscape Custom NA XP\PLUGINS\npdsplay.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wvx: C:\Program Files\Compaq\Netscape Custom NA XP\PLUGINS\npdsplay.dll
    O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://temp37.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet/pebble/pebble-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://temp91.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://temp36.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
    O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/m6/msgr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.aol.americangreetings.com/cnp/Install/AxCtp.cab
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www116.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://216.65.221.30/plugin/axversion/1400/printQuick1400.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www108.coolsavings.com/ltc/download/cscmv5X.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ffa626f434da958a02/netzip/RdxIE2.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.149/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm1,0,2,5.cab
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://www.solitaire.com/download/solitaire.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3122/cpbrkpie.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37253.6482638889
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.1.0.9.9.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.1.0.9.13.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw4fd.law4.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F8DCFE8E-7B2B-4FF8-B8A7-A52B6C4B0170} (AvzPrintingComponent Class) - http://ivillage.nesteggz.com/NEUtility/PrintingComponents/AvzPrintingActiveX1600.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/arcadegames/fallingstars/wtinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03B9B983-BF29-4542-B73B-A03C97C9BC05}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{03B9B983-BF29-4542-B73B-A03C97C9BC05}: NameServer = 205.188.146.146

    Thnx guys
    Beamuse
     


  4. 2004/06/01
    charlesvar

    Hello beamuse,

    Looking at the log, don't see anything bad - just a lot of startups which may not be necessary. One of the people that analyze HijackThis logs will give you a better take on it.

    Some sites to look up info on startups:

    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

    http://www.liutilities.com/products/wintaskspro/processlibrary/system/ Windows

    http://www.windowsstartup.com/wso/search.php

    Can't tell what version of NIS/NPF running. Have been a lot of problems with NIS since a May 12th Redirector update - something to look into:
    http://www.windowsbbs.com/showthread.php?t=31160

    The System Restore problem may be a separate problem entirely. Could you give more details on that issue: what does the system say?

    Regards - Charles
     
  5. 2004/06/01
    Johanna

    Wow. I'm surprised that computer even boots. Dave, turning it over to you! LOL :D

    While you're waiting, download, install and update Spybot & AdAware (links are all over this forum) and run them. Let them clean whatever they find. Does she use AOL, or has AOL just attacked her computer? Do the usual clean up- delete all temp files, cookies, defrag. Someone will be with you soon! :)

    Johanna
     
  6. 2004/06/01
    charlesvar

    The SSD resident is running - hard to spot :)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    Regards - Charles
     
  7. 2004/06/01
    beamuse

    The message was: "Restoration incomplete Your computer cannot be restarted to April 28th (or any of the other dates) No changes have been made to your computer. To choose another restore point, restart system restore.....to restart click Home OK"

    I have had her update and run spybot, adaware, cwshredder, she has defragged, and is in the process of removing all the programs she is not using. We have already cleaned out mysearch and bargainbuddy...

    This problem of running slow happened a week ago - she cannot remember installing anything at that point. I suggested the system restore which she was unable to do.

    Hmmmm
    beamuse
     
  8. 2004/06/01
    charlesvar

    Did you look into the NIS problem? Looking at the log

    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

    came from that May 12 LiveUpdate Redirector update. That day's Symantec update has been giving NIS2002 users especially, among other symptoms, slow internet access. Huge thread at the ComputerCops Symantec forum, for which I gave the url in the NIS thread I posted. From what I've read, the problem has a solution. I don't use NIS/NPF, so can't advise you further on that.

    When you get this problem resolved, shut SR down and then re-enable it. That will give an initial SR point. I'm assuming that restore points are being created every day. One way to test the restore: SR "watches" executables - an app setup execute for example. Download one from the net - Spybot for instance (you already have it so can be played with) - to the downloads folder, then leave there for a few days for SR to make part of its restore files, then remove from that folder and do a restore. SR should replace the missing SSD executable setup.

    Hope I've made the logic clear :)

    Regards -Charles
     
  9. 2004/06/01
    noahdfear

    Please wait to see if any of our other forum members have anything to add or otherwise suggest.

    First, you either need to redownload HijackThis, clicking 'save' and place in a permanent folder (I create a new folder in C:\ named HJT) or cut and paste the one you currently have from here....C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\41638XY3. Otherwise you will lose the program a little later on when I tell you to empty TIF's. :)

    Scan with HJT again, place a check next to the following entries and close all other windows, then click fix.


    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www116.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www108.coolsavings.com/ltc/download/cscmv5X.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ffa626f434da...tzip/RdxIE2.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.149/code/PWActiveXImgCtl.CAB
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm1,0,2,5.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...22/cpbrkpie.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4...20/cpbrxpie.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...tars/wtinst.cab

    Reboot.

    Disable system restore.
    Open C:\Program Files and delete any of the following folders if present.

    Wildtangent
    BargainBuddy
    nCase
    eBates
    adp
    180Solutions


    Locate and delete each of the following files in bold, if present. Make VERY sure of the name before deleting.

    C:\Windows\bs2.dll
    C:\Windows\bs3.dll
    C:\Windows\bsx5.dll
    C:\Windows\bxxs5.dll
    C:\Windows\oo4.dll
    C:\Windows\system32\bs2.dll
    C:\Windows\system32\bs3.dll
    C:\Windows\system32\bsx5.dll
    C:\Windows\system32\bxsx5.dll
    C:\Windows\system32\bxxs5.dll
    C:\Windows\system32\oo4.dll
    C:\Windows\system32\rem00001.dll


    If this were my machine, I would at the least go to start>control panel>internet options, click settings under the TIF section, then view objects, and delete anything damaged, corrupted or not installed. Personally, I would delete them all. They will be rebuilt as needed.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local Disk C: and select properties, then disk cleanup. Check all boxes except compress old files and OK.
    Reboot.
    Re-enable system restore.

    Download Ad-aware from my signature and install. Open and immediately update, configure for a full scan, run and delete all it finds.
    Reboot.
    Scan with HJT again and post a new log.

    The following entries may be fixed with HJT, or unchecked in msconfig, to prevent running at startup. **Optional**

    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe "


    If all of these are fixed, after reboot, open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old


    EDIT-Just saw your last post. If you already configured Ad-aware for a full scan, disregard that.
     
    Last edited: 2004/06/01
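
The pattern visible in the fix list above, written out as an added example (it is not part of the original thread and not HijackThis's own logic): a small triage pass over HijackThis log lines. The three rules and their names are assumptions derived from which entries were marked in this thread, plus the point about HijackThis running out of Temporary Internet Files; they surface lines for a human to review and are not verdicts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: a few lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\41638XY3\HijackThis[1].exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18ffa626f434da958a02/netzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "O2 - ...", "O16 - ...": section code, then the entry body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF = re.compile(r"^DPF: (?P<label>.*?) - (?P<url>https?://\S+)$")
# A DLL sitting directly in C:\WINDOWS (not in system32 or any other subfolder).
WINROOT_DLL = re.compile(r'(?i)C:\\WINDOWS\\[^\\,\s"]+\.dll')


def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (rule, line) pairs that deserve a closer look (hypothetical rule names)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # "Running processes" lines are bare paths with no section code.
        if re.match(r"(?i)^[A-Z]:\\", line):
            if "\\temporary internet files\\" in line.lower():
                findings.append(("process-in-browser-cache", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O2":
            b = BHO.match(body)
            # "(no name)" alone is not enough: Acrobat and Spybot helpers are unnamed too.
            if b and b.group("name") == "(no name)" and WINROOT_DLL.fullmatch(b.group("path").strip()):
                findings.append(("unnamed-bho-in-windows-root", line))
        elif code == "O4":
            r = RUN.match(body)
            if r and re.match(r"(?i)rundll32(\.exe)?\s", r.group("cmd")) \
                    and WINROOT_DLL.search(r.group("cmd")):
                findings.append(("rundll32-autorun-from-windows-root", line))
        elif code == "O16":
            d = DPF.match(body)
            if d and host_is_ip(d.group("url")):
                findings.append(("activex-codebase-on-bare-ip", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule}: {line}")
```

A bare-IP codebase also appears on DPF entries in the full log that were not on the fix list, which is why the output is a review queue and each hit still needs to be looked up before anything is removed.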
  10. 2004/06/01
    Johanna

    Yeah, do all that Dave said. Dave, very well done. :)

    Some of the programs that Dave suggested can be disabled from the Windows start up within the software. Do that instead of msconfig. Or use Mike Lin's StartUpCPL, which will put a new entry called "Startup" in the Control Panel. The reason Dave suggested taking them out of the start up was that they are not needed: those programs (plus a few others there) do NOT need to load at boot. I imagine that computer works very hard when turned on!

    Also, go to Roxio and make sure the 2 patches for EasyCDCreator 5 are downloaded and installed.

    HTH
    Johanna
     
  11. 2004/06/01
    beamuse

    Thnx All!

    The main problem was indeed Norton. She did the fix found here: http://www.dslreports.com/forum/remark,10386208~mode=flat and it worked.

    She has removed many of the programs she is not using and is going to follow Noahdfear's suggestions tomorrow. Then, she should be squeaky clean!

    Have a great evening
    Beamuse
     
  12. 2004/06/02
    noahdfear

    beamuse,

    Good to hear things are better already! :)

    All of this cleanout/program removal is going to leave the registry very cluttered with invalid keys and entries, not to mention non-existent start menu items. My further advice is to download RegSeeker, and when completely done with everything else, reboot, open the program, maximize the window and click clean registry. When scan is complete, verify the backup box in lower left corner is checked and click the select all button. Then right click within the search results and select delete. Now do a quick check of the remaining program's functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking other programs between runs. Should something go wrong, click the backup button and restore last run, then rerun and exclude entries associated with whatever it broke. Click the histories button and there are choices to clean up the start menu, typed URLs, TIFs you thought were gone, stream MRU keys, etc. Use them too and do another clean registry. It probably wouldn't even be a bad idea to reboot between cleanings. A lot of work, but it does run relatively quickly so you're not looking at hours to do this, and believe me, the computer will respond with improved performance. ;)
     
  13. 2004/06/02
    Lonny Jones

    Good work guys. Darn, I missed another log.

    beamuse, one more log too, if you want :)
     
  14. 2004/06/02
    charlesvar

    Hi beamuse,

    Out of curiosity, which version of NIS is being run? Was it 2002 or a later version?

    Along with Lonny, I'd love to see another log.

    Regards - Charles
     
  15. 2004/06/02
    beamuse

    What great work guys!

    Who would have thought that it would be the May 12 Norton Update. She is running 2002. That is the only program that is affected apparently.

    She also had soooo much garbage in her computer - She needed to get that cleaned out also. As someone said, it is the longest Hijack Log they had ever seen!

    I will pass along the registry cleaning info - She is ready to get everything cleaned out! I will ask her if she will run Hijack again.

    Have a Great Day
    Belinda
     
  16. 2004/06/02
    noahdfear

    Very seldom ever hear that. Certainly good to hear when one finds so many unnecessaries on a PC. :D
     
    Last edited: 2004/06/02