TheTechGuide Forum
General Category => Tech Clinic => Topic started by: smashjc on January 23, 2008, 02:23:49 AM
-
Hi there,
This is my first post, so I hope I do it right. My PC runs XP and is taking forever to boot up and open new programs; it also freezes often, and I can't "lock" the computer overnight, as in the morning when I unlock it, the desktop and taskbar are gone and nothing works, so it must be restarted. Here is the HijackThis log; please let me know if any further info is required, and thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:38 PM, on 23/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sizer\sizer.exe
C:\Apps\VB6ScrollwheelFix.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\cidaemon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DLGPSR
O1 - Hosts: 147.132.240.10 galah
O1 - Hosts: 147.132.240.10 galah.env.qld.gov.au
O1 - Hosts: 147.132.240.11 kite
O1 - Hosts: 147.132.240.11 kite.env.qld.gov.au
O1 - Hosts: 147.132.240.59 frogmouth
O1 - Hosts: 147.132.240.59 frogmouth.env.qld.gov.au
O1 - Hosts: 161.143.239.209 csinet.caa.qld.gov.au
O1 - Hosts: 161.143.239.210 webapps.arts.qld.gov.au
O1 - Hosts: 131.242.87.28 oasis
O1 - Hosts: 131.242.87.20 CITECUJ
O1 - Hosts: 161.143.253.2 aubdev01
O1 - Hosts: 131.242.228.114 weaver
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Sizer.lnk = C:\Program Files\Sizer\sizer.exe
O4 - Global Startup: VB6ScrollwheelFix.lnk = C:\Apps\VB6ScrollwheelFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://pulse
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = lgpsr.qld.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10543 bytes
-
Download Deckard's System Scanner (dss.exe) from http://deckard.geekstogo.com/dss.exe to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post back the whole contents of main.txt and extra.txt.
-
Quote from guestolo (Jan 24 2008, 04:25 AM): "Post back the whole contents of main.txt and extra.txt."
Hi and thanks for the reply ... here is the main.txt content:
Deckard's System Scanner v20071014.68
Run by cassonj on 2008-01-24 09:25:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
19: 2008-01-23 23:26:16 UTC - RP809 - Deckard's System Scanner Restore Point
18: 2008-01-23 06:22:36 UTC - RP808 - Installed Microsoft Virtual PC 2004
17: 2008-01-21 00:21:29 UTC - RP807 - System Checkpoint
16: 2008-01-18 01:31:46 UTC - RP806 - System Checkpoint
15: 2008-01-16 07:55:13 UTC - RP805 - System Checkpoint
-- First Restore Point --
1: 2007-12-08 03:40:45 UTC - RP791 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as cassonj.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:01 AM, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sizer\sizer.exe
C:\Apps\VB6ScrollwheelFix.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\cidaemon.exe
\\bnefile3\cassonj$\desktop\dss.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cassonj.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DLGPSR
O1 - Hosts: 147.132.240.10 galah
O1 - Hosts: 147.132.240.10 galah.env.qld.gov.au
O1 - Hosts: 147.132.240.11 kite
O1 - Hosts: 147.132.240.11 kite.env.qld.gov.au
O1 - Hosts: 147.132.240.59 frogmouth
O1 - Hosts: 147.132.240.59 frogmouth.env.qld.gov.au
O1 - Hosts: 161.143.239.209 csinet.caa.qld.gov.au
O1 - Hosts: 161.143.239.210 webapps.arts.qld.gov.au
O1 - Hosts: 131.242.87.28 oasis
O1 - Hosts: 131.242.87.20 CITECUJ
O1 - Hosts: 161.143.253.2 aubdev01
O1 - Hosts: 131.242.228.114 weaver
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Sizer.lnk = C:\Program Files\Sizer\sizer.exe
O4 - Global Startup: VB6ScrollwheelFix.lnk = C:\Apps\VB6ScrollwheelFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://pulse
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = lgpsr.qld.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9965 bytes
-- File Associations -----------------------------------------------------------
.bat - batfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\hh.exe,0
.inf - inffile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-151
.ini - inifile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-151
.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,-152
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
S3 idisw2km - c:\windows\system32\drivers\idisw2km.sys (file missing)
S3 kbstuff (SMS Virtual Keyboard) - c:\windows\system32\drivers\kbstuff5.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2007-12-24 and 2008-01-24 -----------------------------
2008-01-24 09:25:05 0 d-------- H:\Deckard
2008-01-24 09:01:53 0 d-------- C:\WINDOWS\ms
2008-01-23 17:08:07 0 d-------- C:\Program Files\Trend Micro
2008-01-23 16:34:36 0 d-------- H:\My Virtual Machines
2008-01-23 16:22:39 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-01-18 12:51:48 0 d-------- C:\Documents and Settings\cassonj\Application Data\CoreFTP
2008-01-18 12:50:35 0 d-------- C:\Program Files\CoreFTP
2008-01-15 08:48:54 0 d-------- C:\WINDOWS\MVUNINST
2008-01-15 08:48:54 0 d-------- C:\Program Files\cdstomp
-- Find3M Report ---------------------------------------------------------------
2008-01-24 08:56:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-08 09:30:33 0 d-------- C:\Documents and Settings\cassonj\Application Data\Netscape
2007-12-18 14:00:19 0 d-------- C:\Documents and Settings\cassonj\Application Data\Hamachi
2007-12-18 13:55:13 0 d-------- C:\Program Files\Hamachi
2007-12-18 08:57:15 0 d-------- C:\Program Files\Lavasoft
2007-12-18 08:54:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 10:21:19 0 d-------- C:\Documents and Settings\cassonj\Application Data\Adobe
2007-12-06 10:21:47 0 d-------- C:\Program Files\Free FTP Manager
2007-12-06 10:21:16 0 d-------- C:\Program Files\MultipleIEs
2007-12-06 10:19:53 0 d-------- C:\Program Files\SurfOffline
2007-12-06 09:37:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 14:26:23 0 d-------- C:\Program Files\WinHTTrack
2007-11-27 09:28:03 0 d-------- C:\Documents and Settings\cassonj\Application Data\Ahead
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [29/02/2004 04:44 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [12/03/2004 03:18 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [13/07/2004 09:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/10/2005 10:56 AM]
"NWEReboot"="" []
"TRIMAutoDeploy"="C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" [29/08/2006 03:29 PM]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [16/01/2007 2:41:42 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [6/08/2000 1:03:20 AM]
Sizer.lnk - C:\Program Files\Sizer\sizer.exe [9/12/2002 12:41:00 AM]
VB6ScrollwheelFix.lnk - C:\Apps\VB6ScrollwheelFix.exe [6/07/2005 11:08:45 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"HideLogonScripts"=1 (0x1)
"HideLogoffScripts"=1 (0x1)
"NoDispScrSavPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoActiveDesktop"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"DisallowRun"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=msnmsgr.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [24/04/2006 01:13 PM 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=SMSClient.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-10004\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-10004\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13535\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13535\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13614\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13614\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2321\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2321\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2649\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2649\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-3837\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-3837\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4560\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4560\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-9513\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-9513\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\System32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTaskTips]
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
-- Hosts -----------------------------------------------------------------------
147.132.240.10 galah
147.132.240.10 galah.env.qld.gov.au
147.132.240.11 kite
147.132.240.11 kite.env.qld.gov.au
147.132.240.59 frogmouth
147.132.240.59 frogmouth.env.qld.gov.au
161.143.239.209 csinet.caa.qld.gov.au
161.143.239.210 webapps.arts.qld.gov.au
131.242.87.28 oasis
131.242.87.20 CITECUJ
2 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-01-24 09:37:47 ------------
And the extra.txt content:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 1022.07 MiB / 401.85 MiB
Pagefile Memory (total/avail): 2460.13 MiB / 1935.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.52 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 6.55 GiB free.
G: is Network (NTFS)
H: is Network (NTFS)
R: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - WDC WD400BD-75JMC0 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is not configured.
Windows Internal Firewall is enabled.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Free FTP Manager\\FreeFTPManager.exe"="C:\\Program Files\\Free FTP Manager\\FreeFTPManager.exe:*:Enabled:Free FTP Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cassonj\Application Data
BuildDate=1/7/2005
BuildTime=10:52
CI_HOLOS_CLI=C:\Program Files\Seagate Software\Open Olap\
CLASSPATH=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=H4SRF1S
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\bnefile3\CassonJ$
INCLUDE=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
LIB=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
LOGONSERVER=\\BNEDC2
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Seagate Software\NOTES\;C:\Program Files\Seagate Software\NOTES\DATA\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Progra~1\TRIM;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\ATI Technologies\ATI Control Panel;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cassonj\LOCALS~1\Temp
TMP=C:\DOCUME~1\cassonj\LOCALS~1\Temp
USERDNSDOMAIN=LGPSR.QLD.GOV.AU
USERDOMAIN=LGPSR
USERNAME=cassonj
USERPROFILE=C:\Documents and Settings\cassonj
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
ASPNET (admin)
APDC_H4SRF1S (new local, admin)
Administrator (admin)
boerdaml (update central, admin)
montgomerien (update central, admin)
bitar (new local, net ready)
jenkinsa (new local, update central, admin)
rochema (new local, update central, admin)
pullellam (new local, admin, net ready)
bridgesb (admin)
grantm (new local, update central, admin)
freemanja (admin)
BurgessA-A (admin)
bischofr (new local, net ready)
schelbachk (new local, update central, admin)
cassonj (admin)
GannerG.LGPSR (update central, admin)
GannerG (update central, admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A-Prompt --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\A-Prompt\Uninst.isu"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.1 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000003}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe PageMaker 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\PageMaker 7.0 Tryout\Uninst.isu" -c"C:\Program Files\Adobe\PageMaker 7.0 Tryout\Uninst.dll"
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe SVG Viewer 3.0 --> MsiExec.exe /I{318ACD29-6F20-4A48-86D8-275D01EEB3A7}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CD Stomper 32 bit --> C:\WINDOWS\MVUNINST\App1\unwise.exe C:\WINDOWS\MVUNINST\APP1\INSTALL.LOG "CD Stomper Uninstall"
CDex extraction audio --> "C:\Program Files\CDex_150\uninstall.exe"
Compare It! --> "C:\Program Files\Compare It!\unins000.exe"
Core FTP LE 2.0 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
Crystal Reports --> MsiExec.exe /I{7699B723-9718-41DE-8C18-549F341C02CE}
DIIESRQ internal core apps --> MsiExec.exe /I{880E3893-541C-4AE6-AD42-BF33ED96D8BA}
DLGPSR Core Applications Installation --> MsiExec.exe /X{76E5EB5E-2E4B-4743-AA6C-843B06F0943A}
EditPlus 2 --> C:\Program Files\EditPlus 2\remove.exe
G2 --> MsiExec.exe /X{8BADC4C0-0B08-4838-9FA8-8920A516E956}
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ieSpell 2.2.0 (build 647) --> "C:\Program Files\ieSpell\uninst.exe"
IIS6 Manager --> MsiExec.exe /X{3FBC5FCA-F989-4D5D-93F6-B185EEE1EC76}
Infragistics NetAdvantage 2003 Vol. 2 --> MsiExec.exe /I{C857C0C5-E0B3-4350-ADF9-B648A73D05E5}
Internet Explorer Developer Toolbar --> MsiExec.exe /I{15C9AAEF-20D4-4416-A1BE-7D75FB5F2FE9}
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus NotesSQL 2.06 driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NotesSQL\UnInN206.isu" -c"C:\Program Files\NotesSQL\\UninDrv.DLL"
Mach5 Analyzer --> C:\PROGRA~1\MACH5D~1\MACH5A~1\UNWISE.EXE C:\PROGRA~1\MACH5D~1\MACH5A~1\INSTALL.LOG
Macromedia Captivate --> MsiExec.exe /X{A7651FB4-AC2E-4020-90E2-B71C8C379F48}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
MetaFrame Presentation Server Client --> MsiExec.exe /I{76E4A642-BC3E-438A-8450-0C15A36B5B18}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Firewall Client --> MsiExec.exe /I{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}
Microsoft Firewall Client KB903940 --> msiexec /i {199B7F78-69B7-47C5-8D4B-A3ED1391FB6B} MSIPATCHREMOVE={F64F1216-D762-4AE9-886C-7F69B2F4BBC2} /qb
Microsoft Firewall Client Service Pack 1 --> msiexec /i {199B7F78-69B7-47C5-8D4B-A3ED1391FB6B} MSIPATCHREMOVE={363A9930-9AFF-4A14-A320-6F14EDE20FB0} /qb
Microsoft Office InfoPath 2003 --> MsiExec.exe /I{90440409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{901A0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2003 (English) --> MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{0F545F0A-8127-48B1-9906-45659872EC2E}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\80\Tools\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\80\Tools\sqlsun.dll" -msql.mif
Microsoft SQL Server Desktop Engine --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Virtual PC 2004 --> MsiExec.exe /X{CCCAFDDE-ECEC-4AE4-BD97-047076BBD4A9}
Microsoft Visual Basic 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\VB98\Setup\1033\Setup.exe"
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Enterprise Developer 2003 - English --> "C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Enterprise Developer 2003 - English\setup.exe" /MaintMode
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library - Visual Studio 6.0a --> "C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\Setup.exe"
MSDN Library for Visual Studio .NET 2003 --> MsiExec.exe /I{5757AE1A-1DB4-4898-9806-09F77FBD5E57}
Nero 7 Premium --> MsiExec.exe /I{7A66C7E3-5212-1A19-70A7-1F0FBA691033}
Package Installation Manager --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
Remote Desktop Connection --> MsiExec.exe /X{35D027A4-57BA-4E59-94DB-DFB36FFFDC1E}
Remove DivX Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Codec\UninstalDivXCodec.log
Shadow Copy Client --> MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Sizer (remove only) --> C:\Program Files\Sizer\Uninstall.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Symantec Update --> MsiExec.exe /I{AC5947DF-AC22-438C-B006-82DB04339B55}
Taskbar Shuffle version 2.0 --> "C:\Program Files\Taskbar Shuffle\unins000.exe"
Tower Software TRIM_4.3 --> MsiExec.exe /I{59279515-592F-4B9C-97A6-4DBA3CB91700}
TRIM Context --> MsiExec.exe /I{A2D7CADC-3875-40BA-B243-0D97D9E1E203}
Tweak UI --> "C:\WINDOWS\System32\mshta.exe" "res://C:\WINDOWS\System32\TweakUI.exe/uninstall.hta"
UpdateQASPhotos --> MsiExec.exe /I{6AD04DE0-38CB-45C0-9503-51A66EA01A6D}
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Visual Task Tips 2.3 --> C:\Program Files\VisualTaskTips\uninst.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Server 2003 Service Pack 1 Administration Tools Pack --> MsiExec.exe /I{27B3563C-561C-4924-8C0E-EA102264873F}
WinHTTrack Website Copier 3.42 --> "C:\Program Files\WinHTTrack\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type32356 / Warning
Event Submitted/Written: 01/24/2008 09:05:35 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_929471695_2359424055_106389375_4560, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type32355 / Warning
Event Submitted/Written: 01/24/2008 09:05:35 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_929471695_2359424055_106389375_4560, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type32354 / Warning
Event Submitted/Written: 01/24/2008 09:05:35 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_929471695_2359424055_106389375_4560, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type32353 / Warning
Event Submitted/Written: 01/24/2008 09:05:32 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_929471695_2359424055_106389375_2649, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type32352 / Warning
Event Submitted/Written: 01/24/2008 09:05:32 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_929471695_2359424055_106389375_2649, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type6068 / Error
Event Submitted/Written: 01/24/2008 09:30:54 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 5.76.195.65 on the
Network Card with network address 7A79054CC341.
Event Record #/Type6067 / Warning
Event Submitted/Written: 01/24/2008 09:30:54 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 7A79054CC341. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type6065 / Error
Event Submitted/Written: 01/24/2008 08:53:29 AM
Event ID/Source: 4102 / Schannel
Event Description:
A fatal error occurred when attempting to access the SSL server credential private key.
The error code returned from the cryptographic module is 0x80090009.
Event Record #/Type6042 / Warning
Event Submitted/Written: 01/23/2008 04:26:00 PM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.
Event Record #/Type6041 / Warning
Event Submitted/Written: 01/23/2008 04:25:54 PM
Event ID/Source: 11197 / DnsApi
Event Description:
The system failed to update and remove host (A) resource records (RRs)
for network adapter
with settings:
Adapter Name : {3E6C6C74-C59F-41FB-B050-2C72FE134133}
Host Name : H4SRF1S
Primary Domain Suffix : lgpsr.qld.gov.au
DNS server list :
147.132.48.1, 147.132.48.2
Sent update to server : 147.1.1.1
IP Address(es) :
147.132.38.253
The reason the update request failed was because of a system problem.
For specific error code, see the record data displayed below.
-- End of Deckard's System Scanner: finished at 2008-01-24 09:37:47 ------------
Thanks again
-
Hi, does any of this mean anything to anyone? The PC is still very slow to start up and shut down, and apps like Word crash randomly. Please let me know if you require further information.
Thanks
Quoting smashjc (Jan 24 2008, 09:50 AM, post 419675):
Hi and thanks for the reply ... here is the main.txt content:
-
Hi, can anyone help with this please? Every time I run Spybot or Ad-Aware it always finds the same things, which I remove, but they keep coming back. Another anomaly is that my folder windows (like if I double click on My Computer) have lost all their navigation and menu items - there's nothing there except the list of folders/files! I can't go back or forward (unless I use alt-arrow) and can't do folder list or searches (unless I specifically open Windows Explorer).
I would really appreciate any help with this. I've downloaded HijackThis but have no idea what to do with it. Is there a registry problem causing my windows to lose their nav? I also have to shut down at least once a day (a slow process in itself) as locking or logging out and then in again simply crashes Windows - I'm left with no taskbar and just a background without any desktop icons until I manually reboot.
Any help is greatly appreciated, thanks
-
What are Ad-Aware and Spybot finding?
Also, can you do the following:
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post the log from Combofix along with a fresh HijackThis log.
The default location for the combofix log is C:\Combofix.txt
-
Hi and thanks for your reply ... Spybot and Ad-Aware are finding mostly tracking cookies each time (Ad revolver, burstmedia, casale media, clickbank, doubleclick, fastclick, zoda, statcounter etc). Let me know if you need more info ...
Here is Combofix's log:
ComboFix 08-01-30.1 - cassonj 2008-01-30 12:52:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.240 [GMT 10:00]
Running from: \\bnefile3\cassonj$\desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\Cache
----- BITS: Possible infected sites -----
hxxp://BNESMS1:80
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-30 09:14 . 2008-01-30 11:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-30 09:08 . 2008-01-30 09:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-30 09:08 . 2008-01-30 09:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-30 09:02 . 2008-01-30 09:02 <DIR> d-------- C:\WINDOWS\ms
2008-01-24 09:54 . 2008-01-24 09:55 <DIR> d-------- C:\Program Files\Internet Explorer 6
2008-01-23 17:08 . 2008-01-23 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 16:22 . 2008-01-23 16:23 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-01-18 12:51 . 2008-01-18 12:56 <DIR> d-------- C:\Documents and Settings\cassonj\Application Data\CoreFTP
2008-01-18 12:50 . 2008-01-18 12:50 <DIR> d-------- C:\Program Files\CoreFTP
2008-01-15 08:48 . 2008-01-15 08:48 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-01-15 08:48 . 2008-01-15 08:48 <DIR> d-------- C:\Program Files\cdstomp
2007-12-18 13:55 . 2007-12-18 14:00 <DIR> d-------- C:\Documents and Settings\cassonj\Application Data\Hamachi
2007-12-18 13:54 . 2007-12-18 13:55 <DIR> d-------- C:\Program Files\Hamachi
2007-12-18 13:54 . 2007-12-18 13:54 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-18 08:57 . 2007-12-18 08:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-18 08:57 . 2007-12-18 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 22:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-07 23:30 --------- d-----w C:\Documents and Settings\cassonj\Application Data\Netscape
2007-12-17 22:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 00:21 --------- d-----w C:\Program Files\MultipleIEs
2007-12-06 00:21 --------- d-----w C:\Program Files\Free FTP Manager
2007-12-06 00:19 --------- d-----w C:\Program Files\SurfOffline
2007-12-05 23:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-07 06:48 88,576 -c-ha-w C:\Documents and Settings\cassonj\Application Data\rbap550.dll
2007-08-22 05:55 66,472 -c--a-w C:\Documents and Settings\cassonj\Application Data\GDIPFONTCACHEV1.DAT
2007-06-20 23:13 65,408 -c--a-w C:\Documents and Settings\rochema\Application Data\GDIPFONTCACHEV1.DAT
2007-04-26 01:39 63,344 -c--a-w C:\Documents and Settings\GannerG.LGPSR\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 02:37 61,712 -c--a-w C:\Documents and Settings\GannerG\Application Data\GDIPFONTCACHEV1.DAT
2007-02-07 22:51 64,336 -c--a-w C:\Documents and Settings\boerdaml\Application Data\GDIPFONTCACHEV1.DAT
2006-02-16 23:18 61,712 -c--a-w C:\Documents and Settings\jenkinsa\Application Data\GDIPFONTCACHEV1.DAT
2006-02-13 06:39 61,712 -c--a-w C:\Documents and Settings\schelbachk\Application Data\GDIPFONTCACHEV1.DAT
2006-02-06 04:12 65,112 -c--a-w C:\Documents and Settings\grantm\Application Data\GDIPFONTCACHEV1.DAT
2005-07-04 08:26 19 -c--a-w C:\Program Files\TrimTRIM.INI
2005-01-24 00:42 1,601,536 -c--a-w C:\Documents and Settings\grantm\Application Data\SecureTraveler.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-13 21:10 339968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-28 10:56 155648]
"NWEReboot"="" []
"TRIMAutoDeploy"="C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" [2006-08-29 15:29 129540]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [2007-01-16 14:41:42 53248]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 01:03:20 69632]
Sizer.lnk - C:\Program Files\Sizer\sizer.exe [2002-12-09 00:41:00 18944]
VB6ScrollwheelFix.lnk - C:\Apps\VB6ScrollwheelFix.exe [2005-07-06 11:08:45 49152]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"= 1 (0x1)
"HideLogonScripts"= 1 (0x1)
"HideLogoffScripts"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"NoWelcomeScreen"= 1 (0x1)
"DisallowRun"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= msnmsgr.exe
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-04-24 13:13 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=SMSClient.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-10004\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-10004\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13535\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13535\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13614\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-13614\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2320\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2321\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2321\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2324\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2330\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2333\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2649\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-2649\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-3837\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-3837\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\0\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\0]
"Script"=LGPSR-AUP-Warning.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\1]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4510\Scripts\Logon\1\2]
"Script"=LGPSR-Regional-Printer-Migrations.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4560\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-4560\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-9513\Scripts\Logon\0\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-929471695-2359424055-106389375-9513\Scripts\Logon\1\0]
"Script"=LGPSR-Domain-Logon.vbs
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a--c--- 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\System32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTaskTips]
--a--c--- 2007-09-06 03:20 36352 C:\Program Files\VisualTaskTips\VisualTaskTips.exe
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 FwcAgent;Firewall Client Agent;"C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe" [2005-02-10 22:43]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 00:56]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 02:50]
*Newly Created Service* - NTMSSVC
*Newly Created Service* - SYSMONLOG
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:56:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-30 13:00:05
ComboFix-quarantined-files.txt 2008-01-30 03:00:01
And the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53, on 2008-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sizer\sizer.exe
C:\Apps\VB6ScrollwheelFix.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pulse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 147.132.240.10 galah
O1 - Hosts: 147.132.240.10 galah.env.qld.gov.au
O1 - Hosts: 147.132.240.11 kite
O1 - Hosts: 147.132.240.11 kite.env.qld.gov.au
O1 - Hosts: 147.132.240.59 frogmouth
O1 - Hosts: 147.132.240.59 frogmouth.env.qld.gov.au
O1 - Hosts: 161.143.239.209 csinet.caa.qld.gov.au
O1 - Hosts: 161.143.239.210 webapps.arts.qld.gov.au
O1 - Hosts: 131.242.87.28 oasis
O1 - Hosts: 131.242.87.20 CITECUJ
O1 - Hosts: 161.143.253.2 aubdev01
O1 - Hosts: 131.242.228.114 weaver
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TRIMAutoDeploy] "C:\Program Files\TRIM Context\TRIMAutoDeploy.exe" /S
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Sizer.lnk = C:\Program Files\Sizer\sizer.exe
O4 - Global Startup: VB6ScrollwheelFix.lnk = C:\Apps\VB6ScrollwheelFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://pulse
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = lgpsr.qld.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lgpsr.qld.gov.au
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9460 bytes
[quote name='guestolo' post='420388' date='Jan 30 2008, 10:41 AM']What is Ad-Aware and Spybot finding??
Also, can you do the following
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from Combofix along with a fresh hijackthis log
The default location for the combofix log is C:\Combofix.txt[/quote]
-
Are any other users on this computer having problems?
How is everything running?
Did you manually add these entries to your Hosts file?
Or did any other user on your computer add them?
They look legit, I just want to be sure.
O1 - Hosts: 147.132.240.10 galah
O1 - Hosts: 147.132.240.10 galah.env.qld.gov.au
O1 - Hosts: 147.132.240.11 kite
O1 - Hosts: 147.132.240.11 kite.env.qld.gov.au
O1 - Hosts: 147.132.240.59 frogmouth
O1 - Hosts: 147.132.240.59 frogmouth.env.qld.gov.au
O1 - Hosts: 161.143.239.209 csinet.caa.qld.gov.au
O1 - Hosts: 161.143.239.210 webapps.arts.qld.gov.au
O1 - Hosts: 131.242.87.28 oasis
O1 - Hosts: 131.242.87.20 CITECUJ
O1 - Hosts: 161.143.253.2 aubdev01
O1 - Hosts: 131.242.228.114 weaver
-
No one else uses this computer, but I could get someone to log in and see if there are any differences, if you think I should?
It actually seems to be running faster right now, since running Combofix. I had to reboot and that still took a long time, but so far, nothing is crashing. I still haven't got any nav items in my windows (e.g. my computer or control panel). Weird!
[quote name='guestolo' post='420422' date='Jan 30 2008, 02:34 PM']Are any other users on this computer having problems?
How is everything running?[/quote]
-
I still haven't got any nav items in my windows (e.g. my computer or control panel)
Not sure what you mean by that, are they both usually located on the desktop?
-
Sorry ... what I mean is that when I open "My Computer" or "Control Panel", or any folder from the desktop, the opening window does not contain the usual menu (file/edit/view/etc) and nav buttons (back/forward/up/search/folders/etc).
I can open Windows Explorer directly and it works fine; but if I double-click on a folder that is on the desktop, or open My Computer/Control Panel type windows, they open without the above mentioned menu/nav functionality.
Does that make sense? I thought this might be some sort of registry corruption? I've searched high and low on the Internet without any success.
[quote name='guestolo' post='420424' date='Jan 30 2008, 02:42 PM']Not sure what you mean by that, are they both usually located on desktop?[/quote]
-
Try the following, close down any open Explorer windows
Go to START>>All Programs>>Control Panel>>Folder Options
Click the VIEW tab
Then Select "RESET ALL FOLDERS"
Apply it, does that help?
-
Unfortunately, no
:(
I've attached a screenshot of my control panel so that you can see what I mean ...
[quote name='guestolo' post='420428' date='Jan 30 2008, 03:23 PM']Try the following, close down any open Explorer windows
Go to START>>All Programs>>Control Panel>>Folder Options
Click the VIEW tab
Then Select "RESET ALL FOLDERS"
Apply it, does that help?[/quote]
-
Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop
[code]regedit /e export.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar"
export.txt[/code]
Double click on export.bat, a text file will open, can you copy>>paste back here the contents?
-
OK cool did all that:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"LinksFolderName"="Links"
"Locked"=dword:00000001
"ShowDiscussionButton"="Yes"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1b,00,00,00,\
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,20,00,00,00,1b,00,00,00,\
56,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:b1,c2,18,23,65,49,d4,11,9b,18,00,\
90,27,a5,cd,4f
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:39,35,83,47,c5,d0,25,41,9f,a8,08,\
19,e2,ea,ac,93
"ITBar7Layout"=hex:13,00,00,00,00,00,00,00,00,00,00,00,30,00,00,00,10,00,00,00,\
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1f,00,01,00,\
[quote name='guestolo' post='420431' date='Jan 30 2008, 03:48 PM']Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop
regedit /e export.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar"
export.txt
double click on export.bat, a text file will open, can you copy>>paste back here the contents[/quote]
-
Now try the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy all the contents in blue
[color="#0000FF"]Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBarLayout"=-[/color]
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
CLOSE down any Explorer and Internet Explorer windows open
Double click on fix.reg and allow to add/merge to the registry at the prompt
Does that help?
If not, try it again but this time reboot the computer
Any help?
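The export posted above and the fix.reg in this post both use regedit's text format: a long binary value is split over several lines with a trailing backslash, and "=-" on the right-hand side deletes the value when the file is merged. The following is an added example, not code from the thread or from any tool it mentions: a small Python parser for that format, run on a constructed excerpt of the ITBarLayout export (the header bytes and the 16-byte non-zero run from the dump above, with the zero padding shortened), together with two helpers that list the non-zero runs in a mostly-zero blob and render 16 bytes as a GUID. The sample strings, the DELETE sentinel and the helper names are mine.

```python
"""Parse a regedit /e export offline (added example, not from the thread).

Handles the pieces that matter when reviewing an export like the ITBarLayout
dump: the backslash line continuations regedit emits for long values,
"hex:" byte lists, quoted strings, dwords, and the "=-" marker that a
fix.reg uses to delete a value on merge.
"""
import re

# Constructed excerpt in regedit's own format: the first 45 bytes of the real
# export, then six zero bytes, the 16-byte non-zero run from the dump, and
# three trailing zeros (the real value is several hundred bytes of padding).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1f,00,01,00,\
  53,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
  00,00,00,00,00,00,39,35,83,47,c5,d0,25,41,9f,a8,08,19,e2,ea,ac,93,00,00,00
'''

# The fix.reg from the thread: "=-" removes the value instead of setting it.
SAMPLE_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBarLayout"=-
'''

DELETE = object()  # sentinel: merging this entry deletes the value


def _join_continuations(text):
    """regedit breaks long values with a trailing backslash; glue them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _parse_data(data):
    """Decode one value's right-hand side."""
    if data == "-":
        return DELETE
    if data.startswith("hex:"):
        return bytes.fromhex(data[4:].replace(",", ""))
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # typed hex (hex(2), hex(7), ...) is left undecoded here


def parse_reg(text):
    """Return {key_path: {value_name: decoded_data}}; "@" is the default value.
    Real exports are UTF-16LE with a BOM: open them with encoding='utf-16'."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            result[current][name] = _parse_data(m.group(2))
    return result


def nonzero_runs(blob):
    """(offset, length) of each run of non-zero bytes. Sparse layout blobs are
    mostly zero padding, so the runs are the parts worth looking at."""
    runs, start = [], None
    for i, b in enumerate(blob):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(blob) - start))
    return runs


def guid_at(blob, off):
    """Render 16 bytes as a registry-style GUID: Data1..Data3 little-endian,
    Data4 as stored (the layout COM uses for CLSIDs)."""
    d = blob[off:off + 16]
    if len(d) != 16:
        raise ValueError("need 16 bytes")
    d1 = int.from_bytes(d[0:4], "little")
    d2 = int.from_bytes(d[4:6], "little")
    d3 = int.from_bytes(d[6:8], "little")
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, d[8:10].hex().upper(), d[10:16].hex().upper())


if __name__ == "__main__":
    key = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer"
    layout = parse_reg(SAMPLE_EXPORT)[key]["ITBarLayout"]
    print(len(layout), "bytes; non-zero runs:", nonzero_runs(layout))
    off, length = nonzero_runs(layout)[-1]
    if length == 16:
        print("16-byte run at offset", off, "reads as", guid_at(layout, off))
    print("fix.reg deletes ITBarLayout:", parse_reg(SAMPLE_FIX)[key]["ITBarLayout"] is DELETE)
```

Running it shows the 16-byte run in the excerpt rendered in CLSID layout; which toolbar band a CLSID belongs to is answered by looking it up under HKEY_CLASSES_ROOT\CLSID on the machine, a check the thread does not make. Parsing the fix.reg with the same function returns the DELETE sentinel for ITBarLayout, which is exactly what merging it does to the live key.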
-
Hmm .. no, I'm the only one who uses this computer and I've never touched the hosts file. Checking now, it says the file was created in 2005 and last modified in 2002 ...
[quote name='guestolo' post='420422' date='Jan 30 2008, 02:34 PM']Are any other users on this computer having problems?
How is everything running?
did you manually add these entries to your Hosts file?
Or any other user on your computer add them?
they look legit, I just want to be sure
O1 - Hosts: 147.132.240.10 galah
O1 - Hosts: 147.132.240.10 galah.env.qld.gov.au
O1 - Hosts: 147.132.240.11 kite
O1 - Hosts: 147.132.240.11 kite.env.qld.gov.au
O1 - Hosts: 147.132.240.59 frogmouth
O1 - Hosts: 147.132.240.59 frogmouth.env.qld.gov.au
O1 - Hosts: 161.143.239.209 csinet.caa.qld.gov.au
O1 - Hosts: 161.143.239.210 webapps.arts.qld.gov.au
O1 - Hosts: 131.242.87.28 oasis
O1 - Hosts: 131.242.87.20 CITECUJ
O1 - Hosts: 161.143.253.2 aubdev01
O1 - Hosts: 131.242.228.114 weaver[/quote]
-
Well, I'm off to bed
What happened to the last set of instructions?? >>Post#16
Any help?
-
Hi again, sorry - I missed that post (#16)! I ran the reg fix though and nothing has changed :( I rebooted as well. When you say "everything in blue", do you also mean the text "Windows Registry Editor Version 5.00"?
Thanks for all your help today (well, tonight for you), I hope you have a good sleep :)
If you can think of anything else that might help, I would greatly appreciate it!
[quote name='guestolo' post='420439' date='Jan 30 2008, 04:38 PM']Well, I'm off to bed
What happened to the last set of instructions?? >>Post#16
Any help?[/quote]
-
I could try another reg. fix
But try the following and let me know how it goes
Remember, when running the fix, don't have any open IE or Explorer windows
http://www.dougknox.com/xp/utils/xp_toolbarfix.htm
-
Hi again, how are you today? Thanks for the info, sounds like a great little tool - no luck unfortunately.
On the plus side, I didn't restart last night, just logged out and then back in again this morning, and it didn't take too long at all (problem before was that I was basically forced to restart every day when logging in just stalled on a blank desktop). So Windows is running much better, it's just that stupid menu-less window bug .. it started a few months ago, and I've no idea why. I think, if I remember correctly, it initially happened periodically, like if I restarted it was normal again. But now it's permanent.
[quote name='guestolo' post='420453' date='Jan 31 2008, 12:46 AM']I could try another reg. fix
But try the following and let me know how it goes
Remember, when running the fix, don't have any open IE or Explorer windows
http://www.dougknox.com/xp/utils/xp_toolbarfix.htm[/quote]
-
You can just choose Add Reply instead of using the reply button beneath my response
No need to quote me
Try the following please
Download [color="red"]SmitfraudFix[/color] (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
Don't do anything with it yet
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In safe mode
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
=============================================================
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, boot to normal Windows
I'll need to see the log it generates later, by default it is located at
C:\rapport.txt
=============================================================
Back in Windows
1. Post the log from Smitfraudfix
2. Post a fresh hijackthis log
don't forget to remind me how things are going