Gladiator Security Forum


> Forum Rules

Greetings,

Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum

Failure to follow these instructions will only result in delays of the cleaning and removal process.

If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.

Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.

Thank You

 
> Sluggish computer, possible hijacker, programs slow to start
Guest_BTTrillium_*
post Dec 14 2005, 08:54 PM
Post #1

Logfile of HijackThis v1.99.1
Scan saved at 3:53:57 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\My Documents\Computer Help\Virus Fixings\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {03A89EFD-E023-7700-A22D-45F77558EB4C} (ILINCInstall77 Class) - http://lm-learnlinc.ilinc.com/download/ilinci77.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {6F07CA40-1983-11D6-B8FA-00C04F5E375A} (Global MarketTrade - ETrade package) - http://etrade.bridge.com/etgmt_backup/java/gmt_etrade_i.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C0288443-26C2-11D6-B8FA-00C04F5E375A} (Global MarketTrader - Bridge package) - http://etrade.bridge.com/etgmt_backup/java/gmt_bridge_i.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
LoPhatPhuud
post Dec 15 2005, 01:44 AM
Post #2


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Nothing glaring shows in the HJT log.

For sluggish performance, clean all the temp files and folders (instructions follow), run check disk (chkdsk /f) and then defrag.

First:
Download: Clear the Cache (freeware) http://www.ccleaner.com/
Once installed, run CCleaner, click the Windows [tab].
Select the following options: (not all are available for Win98/ME)
Next: click Options, click Advanced.
Uncheck: "Only delete files older than 48 hrs", click Ok.
Then click Run Cleaner (bottom right), then Exit.

CCleaner should be run with the above settings for each user!


Second:
chkdsk C: /f
defrag


Last:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
Please post the entire contents of this logfile for me to see.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
Guest_BTTrillium_*
post Dec 17 2005, 03:01 AM
Post #3

Thank you for your help with our computer. We ran CCleaner on both users, then the chkdsk, and here is the log from Silent Runner. The computer is really running even more slowly, and our Norton AV has been trying to scan something but seems to get stuck.

I will check back tomorrow.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PopUpStopperFreeEdition" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"" ["Panicware, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online Included"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{8af37f72-e87e-471c-b5be-15f07e6d61b9}" = "AolHook"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\Coach\AolHook.dll" ["GTek"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"ISP signup reminder 2" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"ISP signup reminder 3" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]
"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"PCHealth Scheduler for Upload Library" -> launches: "C:\WINNT\PCHealth\UploadLB\Binaries\UploadM.exe -WakeUp" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\ = "MoneySide" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{28D44DAD-D1FC-4D4F-BB1B-ADF037C8DDBC}\
"ButtonText" = "Control Pad"
"MenuText" = "Control Pad"
"Exec" = "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe" ["Verizon Internet Solutions"]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINNT\wanmpsvc.exe"" ["America Online, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V4 Monitor3SA\Driver = "EBPMON3.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 57 seconds, including 13 seconds for message boxes)
LoPhatPhuud
post Dec 17 2005, 04:03 AM
Post #4

You have some unnecessary tasks running from the scheduler that can be removed.

Start -> Control Panels -> Scheduled Tasks

Remove the following scheduled tasks:
"ISP signup reminder 1" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"ISP signup reminder 2" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"ISP signup reminder 3" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"PCHealth Scheduler for Upload Library" -> launches: "C:\WINNT\PCHealth\UploadLB\Binaries\UploadM.exe -WakeUp" [MS]


Then let's check for a rootkit...

Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.


Guest_BTTrillium_*
post Dec 17 2005, 10:29 PM
Post #5

Hello, Here is the RootKit log. Our computer is still running so very slowly, and Norton still shows that it is trying to scan things like "Avenge$201.5$2micro..." Sometimes there are 5 or more little Norton notices like that after starting the computer.

Thank you...


C:\Documents and Settings\Owner\Cookies\owner@ehg-comcast.hitbox[1].txt 12/17/2005 4:46 PM 220 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Cookies\owner@ehg-comcast.hitbox[2].txt 12/17/2005 5:19 PM 220 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@microsoft[1].txt 12/17/2005 5:20 PM 127 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Cookies\owner@support.microsoft[2].txt 12/17/2005 5:20 PM 181 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\JETFCAA.tmp 12/17/2005 5:19 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\clouds[1].gif 12/17/2005 5:08 PM 11.10 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\common[2].js 12/17/2005 5:20 PM 36.21 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\f_norm_no_dot[1].gif 12/17/2005 5:08 PM 174 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\index[1].php 12/17/2005 4:47 PM 17.59 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\langicon[1].gif 12/17/2005 5:20 PM 1007 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\logo_sm[1].gif 12/17/2005 5:19 PM 4.60 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\nav_first[1].gif 12/17/2005 5:19 PM 1.01 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\onepix[1].gif 12/17/2005 5:20 PM 43 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\override[1].css 12/17/2005 5:20 PM 570 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\saveicon[1].gif 12/17/2005 5:20 PM 364 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\surveysubmit[1].htm 12/17/2005 5:20 PM 1.47 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BDUF0HEZ\surveytrigger[2].js 12/17/2005 5:20 PM 5.17 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\138187746@Left[1].htm 12/17/2005 5:19 PM 1.22 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\b433593aS[1].css 12/17/2005 5:20 PM 2.48 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\default[2].css 12/17/2005 5:20 PM 20.40 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\document[1].css 12/17/2005 5:08 PM 3.54 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\emailicon[1].gif 12/17/2005 5:20 PM 546 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\explore[1].htm 12/17/2005 4:46 PM 22.47 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\gotoicon[1].gif 12/17/2005 5:20 PM 237 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\search[1].htm 12/17/2005 5:19 PM 21.06 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\uparrow[1].gif 12/17/2005 5:20 PM 827 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\catalog[1].css 12/17/2005 5:08 PM 14.72 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\explore[1].htm 12/17/2005 5:19 PM 22.47 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\GSSSM_rltlngRelatedlanguages[1].gif 12/17/2005 5:20 PM 418 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\logo[1].gif 12/17/2005 5:19 PM 8.36 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\nav_next[1].gif 12/17/2005 5:19 PM 1.48 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\nav_page[1].gif 12/17/2005 5:19 PM 373 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\printicon[1].gif 12/17/2005 5:20 PM 349 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\signin[1].gif 12/17/2005 5:20 PM 1.53 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\survey[2].js 12/17/2005 5:20 PM 16.06 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\t3_en[1].gif 12/17/2005 5:19 PM 3.54 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQZ85ER\xmlContent[1].css 12/17/2005 5:20 PM 5.95 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\4101ccf1S[1].gif 12/17/2005 5:20 PM 7.40 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\99b166acS[1].gif 12/17/2005 5:20 PM 2.59 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\d3e6e07eS[2].css 12/17/2005 5:20 PM 27 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\google[1].htm 12/17/2005 5:19 PM 3.38 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\ms_masthead_ltr[1].gif 12/17/2005 5:20 PM 947 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\nav_current[1].gif 12/17/2005 5:19 PM 376 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\sendicon[1].gif 12/17/2005 5:20 PM 561 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\support.microsoft[1].htm 12/17/2005 5:20 PM 26.97 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WTY7S9UB\Symc_logo[1].gif 12/17/2005 5:08 PM 2.15 KB Hidden from Windows API.
C:\Program Files\Norton AntiVirus\NAVOPTS.BAK 12/17/2005 5:05 PM 6.32 KB Hidden from Windows API.
C:\WINNT\Prefetch\CCLGVIEW.EXE-084E7031.pf 12/17/2005 5:00 PM 19.40 KB Hidden from Windows API.
LoPhatPhuud
post Dec 17 2005, 11:01 PM
Post #6

Check your task manager and look for processes that are consistently using over 10% of your CPU. System Idle does not count since it should normally be over 90%. If there are any, post the process here.

On the Norton Scan, if you can provide a full file path to the items it alerts, it would help.


The Rootkit was negative although cleaning your temp files and folders would help.


I'll wait for your response but I am beginning to think the issue is with Norton itself.


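
Why a log like the one in post #5 reads as negative, as an added example (not part of the original thread and not RootkitRevealer's own logic): nearly all of its entries sit in cookie, temp, browser-cache and prefetch folders, where files created or deleted while the scan runs appear in one view of the disk and not another. The list of high-churn folders and the two-bucket rule are assumptions of this sketch, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# Lines in the layout of the RootkitRevealer log in post #5. The first four are
# copied from that log; the last two are constructed for this example.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Cookies\owner@microsoft[1].txt 12/17/2005 5:20 PM 127 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\JETFCAA.tmp 12/17/2005 5:19 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHMRO9IF\explore[1].htm 12/17/2005 4:46 PM 22.47 KB Visible in Windows API, but not in MFT or directory index.
C:\WINNT\Prefetch\CCLGVIEW.EXE-084E7031.pf 12/17/2005 5:00 PM 19.40 KB Hidden from Windows API.
C:\WINNT\system32\drivers\constructed-example.sys 12/01/2005 9:15 AM 48.00 KB Hidden from Windows API.
this line is not a RootkitRevealer record
"""

# One record: path, date, time, size, discrepancy text, separated by whitespace.
# The path may contain spaces, so it is matched lazily up to the date field.
RECORD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d.]+\s(?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

# Assumption of this sketch: folders whose contents are rewritten constantly,
# so a file can appear or vanish between the scanner's passes over the disk.
VOLATILE_DIRS = (
    "\\cookies\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\prefetch\\",
)


def parse_line(line):
    """Return a dict for one log record, or None if the line is not a record."""
    match = RECORD_RE.match(line.strip())
    return match.groupdict() if match else None


def is_volatile(path):
    """True when the path lies under one of the high-churn folders."""
    lowered = path.lower()
    return any(marker in lowered for marker in VOLATILE_DIRS)


def triage(log_text):
    """Split records into expected churn and entries needing a manual look."""
    result = {"churn": [], "review": [], "unparsed": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        record = parse_line(raw)
        if record is None:
            # Keep lines that do not parse so nothing is silently dropped.
            result["unparsed"].append(raw.strip())
            continue
        bucket = "churn" if is_volatile(record["path"]) else "review"
        result[bucket].append(record)
    return result


def summarize(result):
    """Count records per (bucket, discrepancy text)."""
    counts = Counter()
    for bucket in ("churn", "review"):
        for record in result[bucket]:
            counts[(bucket, record["desc"])] += 1
    return counts


if __name__ == "__main__":
    triaged = triage(SAMPLE_LOG)
    for (bucket, desc), count in sorted(summarize(triaged).items()):
        print(f"{bucket:6} {count:3}  {desc}")
    for record in triaged["review"]:
        print("look at:", record["path"], record["date"], record["time"])
    for line in triaged["unparsed"]:
        print("could not parse:", line)
```

Anything left in the review bucket is a candidate for a rescan with the browser and other programs closed, not a verdict on its own.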
Guest_BTTrillium_*
post Dec 17 2005, 11:43 PM
Post #7

Hello, there are no processes running at more than 20%, although once in a while several pop on, then pop off before I can see what they are. Is there a way to log the Norton alerts? The logs I could find are only for actual scans and viruses found (none recent).

It seems that after I've been on a while, things run more quickly, however at first it is still really slow, with those scan alerts which by the way are different every time. I will turn it on and off a few times and check back after cleaning the temp files and things that you suggested.

Thank you so much for such quick replies!
Guest_BTTrillium_*
post Dec 18 2005, 12:10 AM
Post #8

Let's see... Still slow at start up, PopUpStopper first shows, then almost 4 minutes until everything is loaded, and then the alerts this time were wusetup.exe, and wuredir.cab.(something else). I could not see how to tell the path. Almost 40 seconds before even the task manager opened.

After opening the task manager right away, I wrote down all of the 37 tasks under processes, and there were 7 svchosts, and some that looked perhaps unusual?: wmiprvse.exe, alg.exe, SAVSCAN.exe, wuauclt.exe

Norton AV is up to date with virus definitions, and program, and system status is OK. Still all is just plain slow.

I really am glad you all are here to help with this.
LoPhatPhuud
post Dec 18 2005, 12:43 AM
Post #9


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



It has been a while since I used Norton, so I can't remember all their logging facilities. Perhaps the online help can shed some light.

It seems strange to me that Norton is doing a scan at boot. That would definitely slow you down. Check the Norton settings and be sure you do not have a startup scan scheduled.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
Guest_BTTrillium_*
post Dec 22 2005, 05:17 AM
Post #10





Guests






Hello,

Your suggestion to check the Norton program was a good one, thanks. The LiveUpdate files were apparently damaged, causing some of the problems. NAV seems to be OK now, however the computer still has a very slow start up, and Norton takes over 2 minutes to load.

I noticed that there are still 5 or more svchost.exe files running under processes all the time. Also, Page File usage is at 195 MB (nearly 2/3 high on the bar graph); is that an indication of something I should attend to?

I have attached a recent log in case it shows anything. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:14:50 AM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\My Documents\Computer Help\Virus Fixings\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {03A89EFD-E023-7700-A22D-45F77558EB4C} (ILINCInstall77 Class) - http://lm-learnlinc.ilinc.com/download/ilinci77.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {6F07CA40-1983-11D6-B8FA-00C04F5E375A} (Global MarketTrade - ETrade package) - http://etrade.bridge.com/etgmt_backup/java/gmt_etrade_i.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C0288443-26C2-11D6-B8FA-00C04F5E375A} (Global MarketTrader - Bridge package) - http://etrade.bridge.com/etgmt_backup/java/gmt_bridge_i.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
LoPhatPhuud
post Dec 22 2005, 05:49 AM
Post #11


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



Svchost.exe is a commonly used system file. Having several instances running is not unusual. It is normal for me to have between five and eight instances running at any moment.

Next step will be to clean the temporary files and folders, then run check disk and finally defrag.

Virtual memory, page file, size should be left to the operating system and not fixed. The amount of physical memory and the programs loaded will determine the size of the page file. A better guide is to check the performance tab on the Task Manager. That will show you pagefile size, but also total physical memory installed and the amount free.

As a reference point, I have 2gb of physical ram, with about 1.2gb free and a page file size of 664mb. That is normal and my system runs fine, with usual CPU usage at less than 5% under no load conditions.

Disk size and the amount of free space will also affect system performance. The less fragmented the better, and there should always be adequate free space.

I have 4x400gb drives so that is not a factor for me. But I keep my drives defragmented. I would suggest running weekly, or, if you use Diskeeper, then you 'set it and forget it'.

Hope this helps a bit...

Now for the tasks at hand.

Download: Clear the Cache (freeware) http://www.ccleaner.com/
Once installed, run CCleaner, click the Windows [tab].
Select the following options: (not all are available for Win98/ME)
Next: click Options, click Advanced.
Uncheck: "Only delete files older than 48 hrs", click Ok.
Then click Run Cleaner (bottom right), then Exit.

CCleaner should be run with the above settings for each user!


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain
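
Post #11 notes that several svchost.exe instances are normal, so the count alone is not a signal. As an added example (not part of any post in this thread, and not HijackThis's own code), this Python script parses a log like the one in post #10, counts process images, and flags two things worth a second look: a system image name running outside system32 (an assumed heuristic with an assumed name list) and O23 services marked "Unknown owner" or "(file missing)", like the PictureTaker entry. The function names and the Temp\svchost.exe sample line are constructed.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log in post #10, plus one
# constructed Temp\svchost.exe line so the path check has something to flag.
SAMPLE = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumption: image names that should only ever run from <windir>\system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."

def parse(log):
    """Split a HijackThis log into process paths and (code, text) entries."""
    procs, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            entries.append(m.groups())
    return procs, entries

def triage(log, sysdir=r"C:\WINNT\system32"):
    """Return (per-image process counts, list of (reason, item) findings)."""
    procs, entries = parse(log)
    counts = Counter(p.rpartition("\\")[2].lower() for p in procs)
    findings = []
    for p in procs:
        folder, _, name = p.rpartition("\\")
        if name.lower() in SYSTEM_NAMES and folder.lower() != sysdir.lower():
            findings.append(("system-name-outside-system32", p))
    for code, text in entries:
        if code == "O23" and ("(file missing)" in text or "Unknown owner" in text):
            findings.append(("service-needs-review", text))
    return counts, findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding here means "look at this entry", not "this is malware"; a leftover service whose file is missing is often just an incomplete uninstall.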
Guest_BTTrillium_*
post Dec 22 2005, 02:56 PM
Post #12





Guests






I really appreciate your help and patience. I followed your suggestions, and will try to see that the computer is checked at least monthly if not more. After researching, I really think that NAV 2004 may be the biggest part of the problem, and may consider upgrading or returning to version 2003.

Thanks to you and all who run this site for being here to help!
LoPhatPhuud
post Dec 23 2005, 01:35 AM
Post #13


Master of Disaster Recovery

Group: General Admin
Posts: 15208
Joined: 24-March 03
From: Albuquerque, NM
Member No.: 2879



You may want to consider a different AV Product. I had been using Systemworks for several years. Lack of adequate unpacker coverage and increasing bloat led me to look elsewhere.

I now use Kaspersky Personal Pro and run the extended databases. I also got TuneUp to replace the Systemworks functions. I run MS AntiSpyware for realtime coverage as well.

Cost is comparative, coverage is vastly superior.

You may also want to check NOD32.


--------------------


Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain