PC Forum PC Help Forum » Security & Safety » [Pending] HJT Logs » Hijack This after spyware/virus Removal

#1  06-26-2008
Cyrus (Bronze Member; Join Date: Jun 2008; Posts: 4; PC Experience: Experienced)
Hijack This after spyware/virus Removal

G'Day,

Well, I had some issues and removed some viruses and spamware using Sophos. Understandably I didn't trust it, so I downloaded the newest Ad Aware 2008, updated it, and then ran it, and it causes a STOP BSOD:

STOP: 0x0000008E (0xC0000005, 0x80540A24, 0xA65F4CF0, 0X00000000)

So I did some research and that issue is usually fixed via working RAM and/or updated BIOS/Drivers/etc etc etc.

Now, because I only get that error when I try to run Ad Aware, I am not going to bother trying to do any of that, so I ran HijackThis.

Now I would greatly appreciate someone's help. Could someone who knows what they are looking at go over it and alert me to anything that needs to be mopped up, please?

Thank you in advance!
Cyrus

EDIT: OK, my apologies, I just read the pre-thread:

main.txt:

Deckard's System Scanner v20071014.68
Run by bhardac on 2008-06-26 16:56:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as bhardac.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:59:28 PM, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\bhardac\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bhardac.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Welcome to CQUniversity
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Google
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to CQUniversity
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Welcome to CQUniversity
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Internet Explorer - CQU
O4 - HKLM\..\Run: [soundmaxpnp] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [aticcc] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [aclntusr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [backgroundswitcher] C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cqu.edu.au
O16 - DPF: {4DB31565-5D2F-11DC-874F-001217564746} (NolijWeb.NolijWeb_Logon) - file://C:\Program Files\Nolij Corporation\Nolij Web\NolijWeb.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194563073951
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://mqc.cqu.edu.au:8080/qcbin/Spider90.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = staff.ad.cqu.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = staff.ad.cqu.edu.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = staff.ad.cqu.edu.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = staff.ad.cqu.edu.au,cqu.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = staff.ad.cqu.edu.au,cqu.edu.au
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\bhardac\Desktop\FAH504-Console.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OracleAxaptaClientCache - Unknown owner - c:\oracle.axapta\BIN\ONRSD.EXE
O23 - Service: OracleORANTClientCache - Unknown owner - C:\ORANT\BIN\ONRSD.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

--
End of file - 7675 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080626-163715-105 O4 - HKLM\..\Run: [phime2002async] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
backup-20080626-163715-106 O4 - HKCU\..\Run: [indxstoresvr_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
backup-20080626-163715-261 O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080626-163715-308 O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\bhardac\LOCALS~1\Temp\winlogan.exe
backup-20080626-163715-503 O4 - HKCU\..\Run: [jnskdfmf9eldfd] C:\DOCUME~1\bhardac\LOCALS~1\Temp\csrssc.exe
backup-20080626-163715-545 O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\bhardac\Desktop\RRT.exe auto
backup-20080626-163715-571 O4 - HKLM\..\Run: [nbkeyscan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
backup-20080626-163715-639 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
backup-20080626-163715-749 O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
backup-20080626-163715-765 O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
backup-20080626-163715-770 O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
backup-20080626-163715-774 O4 - HKLM\..\Run: [phime2002a] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
backup-20080626-163715-813 O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
backup-20080626-163715-817 O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre6\bin\jusched.exe"
backup-20080626-163715-831 O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080626-163715-892 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
backup-20080626-163715-907 O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
backup-20080626-163716-324 O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
backup-20080626-163716-478 O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
backup-20080626-163716-619 O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
backup-20080626-163716-629 O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE
backup-20080626-163716-677 O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
backup-20080626-163716-678 O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080626-163716-844 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080626-163716-950 O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/bhardac/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 AlKernel (Altiris Kernel Driver) - c:\windows\system32\drivers\alkernel.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AClient (Altiris Client Service) - c:\program files\altiris\aclient\aclient.exe -service <Not Verified; Altiris, Inc.; Altiris Client Agent for Windows>
R2 JavaQuickStarterService (Java Quick Starter) - "c:\program files\java\jre6\bin\jqs.exe" -service -config "c:\program files\java\jre6\lib\deploy\jqs\jqs.conf" <Not Verified; Sun Microsystems, Inc.; Java(TM) Platform SE 6 U10>
R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 Sophos Agent - "c:\program files\sophos\remote management system\managementagentnt.exe" -service -name agent <Not Verified; Sophos Plc; Sophos Messaging System>
R2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>
R2 Sophos Message Router - "c:\program files\sophos\remote management system\routernt.exe" -service -name router -orblistenendpoints iiop://:8193/ssl_port=8194 <Not Verified; Sophos Plc; Sophos Messaging System>

S2 FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe - c:\documents and settings\bhardac\desktop\fah504-console.exe -svcstart (file missing)
S3 OracleAxaptaClientCache - c:\oracle.axapta\bin\onrsd.exe
S3 OracleORANTClientCache - c:\orant\bin\onrsd.exe
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 DynDNS_Updater_Service (DynDNS Updater Service) - c:\program files\dyndns updater\dyndns.exe <Not Verified; Kana Solution; DynDNS Updater>
S4 OracleOraHome90ClientCache - d:\oracle\ora90\bin\onrsd.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-25 22:00:01 530 --a------ C:\WINDOWS\Tasks\Daily.job
2008-06-19 18:15:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-26 and 2008-06-26 -----------------------------

2008-06-26 16:56:08 0 d-------- U:\Deckard
2008-06-26 16:20:27 0 d-------- C:\Program Files\Trend Micro
2008-06-26 11:06:46 0 d-------- C:\Program Files\Lavasoft
2008-06-26 11:06:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 11:03:08 0 d-------- C:\Documents and Settings\bhardac\Application Data\Nero
2008-06-26 10:59:23 0 d-------- C:\Program Files\Common Files\Nero
2008-06-26 10:59:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-26 10:57:25 63920 --a------ C:\WINDOWS\system32\drivers\c6bc6737.sys
2008-06-26 10:57:02 32256 --a------ C:\WINDOWS\system32\bsndcom.dll <Not Verified; Gorosoft inc.; Asdam>
2008-06-23 10:03:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-18 09:21:03 0 d-------- C:\Documents and Settings\bhardac\.jake2
2008-06-18 09:21:03 0 d-------- C:\Documents and Settings\All Users\Application Data\WorldWindData
2008-06-18 09:20:11 0 d-------- C:\WINDOWS\Sun
2008-06-18 09:18:06 0 d-------- C:\Documents and Settings\bhardac\Application Data\Sun
2008-06-16 12:59:18 0 d-------- C:\Program Files\BudgetSwift
2008-06-16 12:44:27 0 d-------- C:\Program Files\Personal Finance Wizard
2008-05-30 10:00:54 0 d-------- C:\Program Files\iDump
2008-05-30 08:46:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-28 15:12:40 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-05-28 15:12:37 0 d-------- C:\WINDOWS\PrimoPDF4
2008-05-28 15:12:37 0 d-------- C:\Program Files\activePDF
2008-05-28 12:57:52 0 d-------- C:\Program Files\Solveig Multimedia


-- Find3M Report ---------------------------------------------------------------

2008-06-26 15:47:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:59:23 0 d-------- C:\Program Files\Common Files
2008-06-26 09:39:03 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-26 08:16:54 0 d-------- C:\Program Files\Folding@Home
2008-06-24 15:42:40 0 d-------- C:\Program Files\ComponentSoftware
2008-06-23 11:11:54 6127 --a------ C:\Documents and Settings\bhardac\Application Data\PrimoPDFSet.xml
2008-06-23 11:11:03 310 --a------ C:\Documents and Settings\bhardac\Application Data\APUSet.xml
2008-06-19 10:17:14 0 d-------- C:\Program Files\Google
2008-06-18 09:19:02 0 d-------- C:\Program Files\Java
2008-06-18 08:35:22 0 d-------- C:\Documents and Settings\bhardac\Application Data\Mozilla
2008-06-10 15:46:43 0 d-------- C:\Program Files\Picasa2
2008-06-10 15:46:00 76208 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-06 10:38:16 0 d-------- C:\Program Files\seRapid
2008-06-02 14:51:44 0 d-------- C:\Program Files\SQLTools 1.42
2008-06-02 14:50:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-30 09:54:33 0 d-------- C:\Documents and Settings\bhardac\Application Data\Apple Computer
2008-05-29 12:40:41 0 d-------- C:\Program Files\AR System
2008-05-29 12:40:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 14:53:45 0 d-------- C:\Program Files\Common Files\Quest Shared
2008-05-23 12:09:40 0 d-------- C:\Documents and Settings\bhardac\Application Data\Adobe
2008-05-21 11:50:21 0 d-------- C:\Program Files\ICOA Inc
2008-05-13 15:10:25 0 d-------- C:\Program Files\sqrun4pro
2008-04-29 16:34:55 0 d-------- C:\Documents and Settings\bhardac\Application Data\VMware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmaxpnp"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 02:42 PM]
"aticcc"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [25/09/2006 09:12 AM]
"aclntusr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [26/06/2008 04:38 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 10:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [05/03/2008 08:01 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]
"backgroundswitcher"="C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [15/06/2008 08:35 AM]

C:\Documents and Settings\bhardac\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [16/04/2008 09:47:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [08/08/2007 10:02:00 PM]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [04/12/2007 10:02:57 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"MaxGPOScriptWait"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"GreyMSIAds"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=details.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\staff.ad.cqu.edu.au\netlogon\MOE\Office 2007\STAFF-Office2007-deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=CheckLocalAdmins.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=CheckLocalAdmins.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=localadmins.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2008-06-26 17:02:12 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 3.20GHz
CPU 1: Intel(R) Pentium(R) D CPU 3.20GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2046.07 MiB / 1518.83 MiB
Pagefile Memory (total/avail): 3939.06 MiB / 3555.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.92 MiB

C: is Fixed (NTFS) - 39.06 GiB total, 16.43 GiB free.
D: is Fixed (NTFS) - 193.77 GiB total, 164.83 GiB free.
F: is Network (NTFS)
G: is Network (NTFS)
N: is Network (NTFS)
O: is Network (NTFS)
P: is Network (NTFS)
U: is Network (NTFS)
W: is Network (NTFS)
X: is CDROM (Unformatted)
Z: is Network (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-75MHB0 - 232.83 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 39.06 GiB - C:
\PARTITION1 - Installable File System - 193.77 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Sophos Anti-Virus v ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bhardac\Application Data
APR_ICONV_PATH=C:\Program Files\Subversion\iconv
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ITDROKT11604
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\rokstaff.staff.ad.cqu.edu.au\bhardac$
LOGONSERVER=\\ROKSTAFFDC01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=c:\oracle.axapta\bin;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\ORANT\BIN;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;D:\oracle\ora90\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\bhardac\LOCALS~1\Temp
TMP=C:\DOCUME~1\bhardac\LOCALS~1\Temp
USERDNSDOMAIN=STAFF.AD.CQU.EDU.AU
USERDOMAIN=CQU
USERNAME=bhardac
USERPROFILE=C:\Documents and Settings\bhardac
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

bhardac (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {9D04DD97-372B-46F6-940C-FC7052797E1A}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Captivate 2 --> MsiExec.exe /X{A1C6C807-EB9C-4B4D-A28B-BABE789A7DF1}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{7B76034B-B3ED-46D5-8C66-DEB102CB830A}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BMC Remedy Administrator 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2ED57E6C-7276-4430-86DE-49D2007303B6}\setup.exe" -l0x9 Adminuninstall -removeonly
BMC Remedy User 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F695CFF-C3A2-4A06-8D40-2FC93BC4208A}\setup.exe" -l0x9 Useruninstall -removeonly
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CodeSite 3.0.1 Client Tools --> C:\PROGRA~1\Raize\CS3\UNWISE.EXE C:\PROGRA~1\Raize\CS3\CS3ClientTools_Install.log
CQU Fonts --> MsiExec.exe /I{E0980F58-2534-4FA6-AAB8-9B4E905A6188}
Crystal Reports for PeopleSoft --> C:\PROGRA~1\SEAGAT~2\UNCSTUB.EXE C:\PROGRA~1\SEAGAT~2\crwunins.tal
Crystal11_Redistributables --> MsiExec.exe /I{154A9EEB-05FC-45E6-B7BD-75D27ED02276}
CSDiff --> "C:\Program Files\ComponentSoftware\CSDiff\Uninstall.exe" "C:\Program Files\ComponentSoftware\CSDiff\install.log"
ExcelWUSetup --> MsiExec.exe /I{06B9607D-8C54-44E7-8F30-99D0EBCED2A8}
Folding@Home --> C:\WINDOWS\system32\GKSUI18.EXE C:\Program Files\Folding@Home\Uninstall3E6E.DAT
GoldWave v5.23 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.23" "C:\Program Files\GoldWave\unstall.log"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iDump (Backing up your iPod) --> C:\Program Files\iDump\uninstall.exe
InfoRapid Search & Replace --> C:\PROGRA~1\seRapid\UNWISE.EXE C:\PROGRA~1\seRapid\INSTALL.LOG
Internet Explorer 6.0 --> MsiExec.exe /I{2B93C225-1FF3-448B-92B7-DA48E8C4690A}
iPuissance 4D --> C:\Program Files\iPuissance 4D\Uninst.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment --> MsiExec.exe /I{AD445EB7-9370-4EB8-A819-66933CDF92FC}
Java 2 Runtime Environment Standard Edition v1.3.1_04 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_04\Uninst.isu"
Java(TM) 6 Update 10 --> MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
John's Background Switcher 3.4 --> C:\Program Files\johnsadventures.com\John's Background Switcher\uninst.exe
Knowledge Xpert --> c:\program files\quest software\Quest Installer\qi.exe
Knowledge Xpert --> MsiExec.exe /I{140d8f4d-e72b-47a6-b1fa-4884c4129dae}
Knowledge Xpert --> MsiExec.exe /I{5e3d3710-5e97-4069-b9ec-c8790a8edd83}
Knowledge Xpert --> MsiExec.exe /I{f7a1e55e-c01d-4935-a085-1ec5a734abee}
Knowledge Xpert --> MsiExec.exe /I{fcee19ee-1fca-4aae-9ac7-32138c9db630}
Knowledge Xpert for Oracle Administration V9.1.1 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\ORADM\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\ORADM\INSTALL.LOG
Knowledge Xpert for PLSQL V9.0 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\INSTALL.LOG
Knowledge Xpert for PLSQL V9.1.1 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\INSTALL.LOG
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual SourceSafe NetSetup --> "C:\Program Files\Microsoft Visual Studio\VSS\setup\win32\1033\Setup.exe"
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (en-US) --> MsiExec.exe /I{1E70FBE0-8D7F-4AB1-8F99-CFD481F406A2}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MultiMon TaskBar 2.1 --> "C:\Program Files\MMTaskbar\unins000.exe"
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nolij Web --> MsiExec.exe /I{EC68C1A5-4046-4638-B2B4-3449EA00F9C6}
Nolij Web File Audit Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Nolij Web File Audit Utility\ST6UNST.LOG"
OggSync for Outlook v3 --> MsiExec.exe /I{EAC59276-2896-4B29-AD54-01938B119226}
Oracle 8 for Axapta 2.5 --> MsiExec.exe /X{C92109B8-FB72-44DF-9F90-70BEDA79EC8B}
Oracle Client --> MsiExec.exe /I{B713A3C9-D312-441E-93F7-9ABE003E4FD2}
Password Depot --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD5B8889-ABD3-4EF1-A0BF-636255BF3BDF}\setup.exe" -l0x9 -removeonly
People Soft Client --> MsiExec.exe /X{6EEAE792-E89C-4C03-98ED-AAEB207FDC0F}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PrimoPDF --> "C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
PSPad editor --> "C:\Program Files\PSPad\unins000.exe"
Qexplain2full --> MsiExec.exe /I{67CF58F5-DBA4-4340-99EA-D71BC07D23EE}
Quest Application Integration Tool --> MsiExec.exe /I{639DED6D-3C08-4E63-A560-11E317BFD3B6}
Quest Installer --> C:\Program Files\Quest Software\Quest Installer\Uninstall.EXE
Quest Software Toad for Oracle Version 9.0.1 --> C:\PROGRA~1\QUESTS~1\TOADFO~1\UNINST~1.EXE
Quest SQL Optimizer 7.3 for Oracle --> MsiExec.exe /I{FFE5B5D3-DEA8-4EF0-8FE5-56C206EAACEE}
Quest SQL Tuning for Oracle --> C:\PROGRA~1\QUESTS~1\\TUNING~1\UNWISE.EXE C:\PROGRA~1\QUESTS~1\\TUNING~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Quicktime 6.0 --> MsiExec.exe /I{069B8AD7-CD6B-4B19-806B-12059F34C96C}
Remedy Action Request System® --> MsiExec.exe /I{83C35558-EACD-4D96-9A14-1C4D0494B364}
Remedy Helpdesk --> MsiExec.exe /I{3CA72549-484A-47E2-B0C7-1B440B21C7E0}
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
SciTE - Scintilla Text Editor 1.70 with Extensions (wbd-1) --> "C:\Program Files\Scintilla Text Editor\unins000.exe"
SCR 7 MR1 SHARED VARIABLES PATCH --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Seagate Software\SCR 7 MR1 SHARED VARIABLES PATCH\Uninst.isu"
Seagate Crystal Reports 7 --> "C:\Program Files\crw\uninst32\setup.exe" /U
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SnagIt 7 --> MsiExec.exe /I{F1608947-B8A4-4D65-A7B8-8B1D669C0E2C}
Sophos Anti-Virus --> MsiExec.exe /X{034759DA-E21A-4795-BFB3-C66D17FAD183}
Sophos AutoUpdate --> MsiExec.exe /X{15C418EB-7675-42BE-B2B3-281952DA014D}
Sophos Remote Management System --> MsiExec.exe /X{FF11005D-CBC8-45D5-A288-25C7BB304121}
SQR Runner 4 Pro --> "C:\Program Files\sqrun4pro\Uninstall.exe" "C:\Program Files\sqrun4pro\install.log" -u
Subversion 1.4.5-r25188 --> "C:\Program Files\Subversion\unins000.exe"
SVG Viewer --> MsiExec.exe /X{8864F683-FAD8-4BC7-9844-4E01EE453089}
Toad for Oracle --> MsiExec.exe /I{792BCB03-7F7E-4E0F-91D8-55BE5A6C67F0}
Toad for Oracle --> MsiExec.exe /I{B11DA33B-F355-463B-9B69-72DBA1D8CECE}
Toad for Oracle --> MsiExec.exe /I{D6C757FF-2189-46C3-9528-8864B069B192}
TortoiseSVN 1.4.5.10425 (32 bit) --> MsiExec.exe /X{F4BBA950-56F0-4335-8D93-EE64BFF593A0}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Studio 2005 Tools for Office Second Edition Runtime --> C:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
VMware Virtual Infrastructure Client 2.0 --> MsiExec.exe /X{C7134CDC-2000-1967-A00D-0244A64A998F}
VMware Workstation --> MsiExec.exe /I{98D1A713-438C-4A23-8AB6-41B37C4A2D47}
VSS-Netsetup --> MsiExec.exe /X{75941AF9-EFDA-426A-8B4D-2938500C9462}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Grep 2.2 --> "C:\Program Files\Windows Grep\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WU --> MsiExec.exe /I{A61883F5-F0D8-4501-8055-DE2646EE5DCE}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type7838 / Error
Event Submitted/Written: 06/26/2008 04:39:29 PM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event Record #/Type7837 / Error
Event Submitted/Written: 06/26/2008 04:39:29 PM
Event ID/Source: 1065 / Userenv
Event Description:
Windows cannot perform filter check for Group Policy object cn={891560A1-914A-4CF6-91E1-3AA548469C7B},cn=policies,cn=system,DC=staff,DC=ad,DC=cqu,DC=edu,DC=au. Group Policy processing aborted.

Event Record #/Type7836 / Warning
Event Submitted/Written: 06/26/2008 04:39:04 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}. CoGetObject returned HRESULT 8000401A.

Event Record #/Type7835 / Error
Event Submitted/Written: 06/26/2008 04:38:42 PM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event Record #/Type7834 / Error
Event Submitted/Written: 06/26/2008 04:38:42 PM
Event ID/Source: 1065 / Userenv
Event Description:
Windows cannot perform filter check for Group Policy object cn={891560A1-914A-4CF6-91E1-3AA548469C7B},cn=policies,cn=system,DC=staff,DC=ad,DC=cqu,DC=edu,DC=au. Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10983 / Error
Event Submitted/Written: 06/26/2008 04:44:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type10963 / Error
Event Submitted/Written: 06/26/2008 04:39:50 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe service failed to start due to the following error:
%%2

Event Record #/Type10939 / Error
Event Submitted/Written: 06/26/2008 03:41:44 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type10934 / Error
Event Submitted/Written: 06/26/2008 03:38:09 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000008e, parameter1 c0000005, parameter2 80540a24, parameter3 a65f4cf0, parameter4 00000000.

Event Record #/Type10916 / Error
Event Submitted/Written: 06/26/2008 03:37:02 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-26 17:02:12 ------------



Last edited by Cyrus; 06-26-2008 at 08:05 AM.
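The two Service Control Manager errors and the bugcheck record in the "-- System Event Log --" section above are the parts of this log a responder would decode first. The following is an added example for doing that mechanically; it is not part of the original post and not a component of Deckard's System Scanner or HijackThis. The sample text is constructed from the entries shown above, the `%%N` codes are resolved against winerror.h values (2 = ERROR_FILE_NOT_FOUND, 1460 = ERROR_TIMEOUT), and the bugcheck and exception names come from the Windows bugcheck reference and ntstatus.h. Flagging a service whose binary lives under a user profile is a general triage heuristic, not something the log states.

```python
"""Triage the SCM and bugcheck records in a DSS main.txt event-log section.

Added example: not from the forum post, DSS, or HijackThis.
"""
import re
from typing import Dict, List

# %%N in a Service Control Manager event is a Win32 error code (winerror.h).
# Only the codes that appear in the sample are listed.
WIN32_ERRORS: Dict[int, str] = {
    2: "ERROR_FILE_NOT_FOUND (service binary no longer exists on disk)",
    1460: "ERROR_TIMEOUT",
}
# Bugcheck codes and NTSTATUS values seen in event 1003 (System Error).
BUGCHECKS: Dict[int, str] = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS: Dict[int, str] = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Constructed sample in the DSS layout, copied from the entries in the post.
SAMPLE_LOG = """\
-- System Event Log ------------------------------------------------------------

Event Record #/Type10983 / Error
Event Submitted/Written: 06/26/2008 04:44:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type10963 / Error
Event Submitted/Written: 06/26/2008 04:39:50 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe service failed to start due to the following error:
%%2

Event Record #/Type10934 / Error
Event Submitted/Written: 06/26/2008 03:38:09 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000008e, parameter1 c0000005, parameter2 80540a24, parameter3 a65f4cf0, parameter4 00000000.
"""

# One DSS record: header lines followed by a free-text description that runs
# until the next record (blank line + "Event Record") or the end of the text.
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<rec>\d+) / (?P<type>\w+)\n"
    r"Event Submitted/Written: (?P<when>[^\n]+)\n"
    r"Event ID/Source: (?P<id>\d+) / (?P<source>[^\n]+)\n"
    r"Event Description:\n"
    r"(?P<desc>.*?)(?=\n\nEvent Record|\n*\Z)",
    re.S,
)
SERVICE_RE = re.compile(r"^The (?P<name>.+?) service (?:failed to start|terminated)", re.M)
BUGCHECK_RE = re.compile(
    r"Error code (?P<code>[0-9a-f]+), parameter1 (?P<p1>[0-9a-f]+), parameter2 (?P<p2>[0-9a-f]+)",
    re.I,
)
# Anything under a user profile is writable by that user; a service binary
# registered from there deserves a look even when it turns out to be benign.
USER_PROFILE_RE = re.compile(r"Documents and Settings|\\Users\\", re.I)


def parse_events(text: str) -> List[dict]:
    """Split a DSS event-log section into one dict per record."""
    events = []
    for m in RECORD_RE.finditer(text):
        ev = m.groupdict()
        ev["id"] = int(ev["id"])
        ev["desc"] = ev["desc"].strip()
        events.append(ev)
    return events


def triage(text: str) -> List[str]:
    """Return one human-readable finding per SCM error or bugcheck record."""
    findings = []
    for ev in parse_events(text):
        if ev["source"] == "Service Control Manager":
            svc = SERVICE_RE.search(ev["desc"])
            name = svc.group("name") if svc else "<unknown service>"
            code_m = re.search(r"%%(\d+)", ev["desc"])
            code = int(code_m.group(1)) if code_m else None
            note = f"event {ev['id']}: service '{name}' -> {WIN32_ERRORS.get(code, f'Win32 error {code}')}"
            if USER_PROFILE_RE.search(name):
                note += " [binary registered from a user-profile path: verify or remove the service]"
            findings.append(note)
        elif ev["source"] == "System Error":
            bm = BUGCHECK_RE.search(ev["desc"])
            if bm:
                code = int(bm.group("code"), 16)
                p1 = int(bm.group("p1"), 16)
                p2 = int(bm.group("p2"), 16)
                # Event 1003 reports the bugcheck with 0x10000000 OR'd in; mask it off.
                findings.append(
                    f"event {ev['id']}: bugcheck 0x{code:08X} ({BUGCHECKS.get(code & 0xFFFF, 'unknown')}): "
                    f"exception 0x{p1:08X} ({NTSTATUS.get(p1, 'unknown')}) at 0x{p2:08X}"
                )
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the constructed sample, the 7000 event resolves to ERROR_FILE_NOT_FOUND for a service whose binary was registered from the user's Desktop (the file has since gone, leaving an orphaned service definition), and the 1003 record decodes to a 0x8E kernel-mode access violation at 0x80540A24, the same STOP code the poster saw when launching Ad-Aware. Point the parser at the whole main.txt rather than a pasted snippet when working a real case; the record regex tolerates the section headers.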
  #2  
Old 06-27-2008
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,087
PC Experience: Elite PC Guru
Default Re: Hijack This after spyware/virus Removal

OK. Let's download ComboFix.exe. This will give me a better view of the files running and hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

=======================================

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.


__________________
My real name is Eddy
  #3  
Old 06-27-2008
Bronze Member
My PC
 
Join Date: Jun 2008
Posts: 4
PC Experience: Experienced
Default Re: Hijack This after spyware/virus Removal

Well thank you for your quick reply!

I can't seem to get into Safe Mode though. The reason: my admin account seems to have had its password changed, and when I try to change it and/or create a new account, apparently the policy won't allow it, so I'll go trudging through the group policies and see how to enable that again. But I ran ComboFix and here are the results from that, and I ran HijackThis again:

log.txt:

ComboFix 08-06-20.4 - bhardac 2008-06-27 9:51:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1240 [GMT 10:00]
Running from: C:\Documents and Settings\bhardac\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bhardac\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
/wow section - STAGE 41
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\oledb32.dll

----- BITS: Possible infected sites -----

hxxp://sus.cqu.edu.au
.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-26 16:20 . 2008-06-26 16:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 16:05 . 2008-06-26 16:05 <DIR> d-------- C:\Filemon 6.1
2008-06-26 15:06 . 2008-06-26 15:06 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-06-26 15:06 . 2008-06-26 15:06 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-06-26 15:06 . 2008-06-26 15:06 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-06-26 15:06 . 2008-06-26 15:06 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-06-26 14:55 . 2008-02-28 14:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-06-26 14:55 . 2008-02-28 14:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-06-26 14:53 . 2008-06-26 14:53 0 --a------ C:\WINDOWS\Irremote.ini
2008-06-26 11:06 . 2008-06-26 11:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 11:06 . 2008-06-26 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 11:03 . 2008-06-26 11:03 <DIR> d-------- C:\Documents and Settings\bhardac\Application Data\Nero
2008-06-26 10:59 . 2008-06-26 14:59 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-06-26 10:59 . 2008-06-26 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-26 10:57 . 2008-06-27 09:53 63,920 --a------ C:\WINDOWS\system32\drivers\c6bc6737.sys
2008-06-26 10:57 . 2008-06-26 10:57 32,256 --a------ C:\WINDOWS\system32\bsndcom.dll
2008-06-26 10:57 . 2008-06-26 10:57 2 --a------ C:\1826294758
2008-06-23 10:03 . 2008-06-23 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-18 09:21 . 2008-06-18 09:42 <DIR> d-------- C:\Documents and Settings\bhardac\.jake2
2008-06-18 09:21 . 2008-06-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WorldWindData
2008-06-18 09:20 . 2008-06-18 09:20 <DIR> d-------- C:\WINDOWS\Sun
2008-06-18 09:19 . 2008-06-18 09:19 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-06-18 09:19 . 2008-06-18 09:19 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-17 10:59 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-17 10:59 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-16 12:59 . 2008-06-16 15:45 <DIR> d-------- C:\Program Files\BudgetSwift
2008-06-16 12:44 . 2008-06-16 12:57 <DIR> d-------- C:\Program Files\Personal Finance Wizard
2008-06-06 08:32 . 2008-06-06 08:33 <DIR> d-------- C:\oracle.axapta
2008-05-30 10:00 . 2008-06-26 14:55 <DIR> d-------- C:\Program Files\iDump
2008-05-28 15:12 . 2008-05-28 15:12 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-28 15:12 . 2008-05-28 15:12 <DIR> d-------- C:\Program Files\activePDF
2008-05-28 15:12 . 2006-12-12 07:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-05-28 13:08 . 2001-08-23 16:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-05-28 13:08 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-05-28 13:08 . 2001-05-16 17:54 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-05-28 13:08 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-05-28 13:08 . 2002-07-19 18:31 45,056 --a------ C:\WINDOWS\system32\CxxProgressBar.ocx
2008-05-28 12:57 . 2008-05-28 12:59 <DIR> d-------- C:\Program Files\Solveig Multimedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 21:40 --------- d-----w C:\Program Files\Safari
2008-06-26 20:43 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2008-06-26 06:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-26 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-26 05:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 01:16 94,208 ----a-w C:\WINDOWS\DUMP729f.tmp
2008-06-25 23:39 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-25 22:16 --------- d-----w C:\Program Files\Folding@Home
2008-06-24 05:42 --------- d-----w C:\Program Files\ComponentSoftware
2008-06-19 00:17 --------- d-----w C:\Program Files\Google
2008-06-17 23:19 --------- d-----w C:\Program Files\Java
2008-06-10 05:46 --------- d-----w C:\Program Files\Picasa2
2008-06-06 00:38 --------- d-----w C:\Program Files\seRapid
2008-06-03 10:05 41 ----a-w C:\AClient.dat
2008-06-02 04:51 --------- d-----w C:\Program Files\SQLTools 1.42
2008-06-02 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-02 04:50 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-29 23:54 --------- d-----w C:\Documents and Settings\bhardac\Application Data\Apple Computer
2008-05-29 02:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 02:40 --------- d-----w C:\Program Files\AR System
2008-05-26 04:53 --------- d-----w C:\Program Files\Common Files\Quest Shared
2008-05-26 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Quest Software
2008-05-21 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-21 01:50 --------- d-----w C:\Program Files\ICOA Inc
2008-05-13 05:10 --------- d-----w C:\Program Files\sqrun4pro
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 06:34 --------- d-----w C:\Documents and Settings\bhardac\Application Data\VMware
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-09 22:57 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iashepr]
@={DF222F69-24DD-7955-403E-BD48F435CAEE}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\wmspdmok]
@={91FC02FA-0264-5D56-8705-D9D31905731F}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{DF222F69-24DD-7955-403E-BD48F435CAEE}]
C:\WINDOWS\system32\iashepr.dIl

[HKEY_CLASSES_ROOT\CLSID\{91FC02FA-0264-5D56-8705-D9D31905731F}]
C:\WINDOWS\system32\wmspdmok.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-03-05 08:01 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"backgroundswitcher"="C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2008-06-15 08:35 1021840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmaxpnp"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"aticcc"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]
"aclntusr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-06-26 16:38 184320]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 22:00 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\bhardac\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [2008-04-16 09:47:24 323584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-08 22:02:00 245760]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2007-12-04 10:02:57 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
"MaxGPOScriptWait"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=details.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\staff.ad.cqu.edu.au\netlogon\MOE\Office 2007\STAFF-Office2007-deployment.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=CheckLocalAdmins.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=CheckLocalAdmins.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=localadmins.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-11-26 15:49]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-11-26 15:49]
R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
S2 FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe;FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe;C:\Documents and Settings\bhardac\Desktop\FAH504-Console.exe []
S3 OracleAxaptaClientCache;OracleAxaptaClientCache;c:\oracle.axapta\BIN\ONRSD.EXE [2000-01-25 18:00]
S3 OracleORANTClientCache;OracleORANTClientCache;C:\ORANT\BIN\ONRSD.EXE [2002-04-26 19:34]
S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 10:32]
S4 OracleOraHome90ClientCache;OracleOraHome90ClientCache;c:\oracle\ora90\BIN\ONRSD.EXE [2001-08-14 18:25]

*Newly Created Service* - catchme
*Newly Created Service* - ipod_service

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 08:16:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-26 12:00:04 C:\WINDOWS\Tasks\Daily.job"
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe'{A38FBDDA-0747-49FC-9DD0-BD3594C98BDB}
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 09:52:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="C:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Documents and Settings+bhardac+Desktop+FAH504-Console.exe]
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2008-06-27 9:54:33
ComboFix-quarantined-files.txt 2008-06-26 23:53:54

Pre-Run: 17,421,004,800 bytes free
Post-Run: 17,708,142,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

237 --- E O F --- 2008-06-25 22:02:09

hijackthislog.txt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56, on 2008-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft