BSOD when mediaCenter PC goes to hibernate

I use HP mediaCenter PC as a DigitalVideoRecorder. Now I get the BSOD when the machine goes into hibernate mode. I leave the system on all the time so it can wake up and record, and I use hibernate mode to be kinder to the environment.

On blue screen is text: DRIVER_IRQL_NOT_LESS_OR_EQUAL_VAL and hiber_iastor.sys

I wandered thru the web and found recommendation to run MicroSoft malware tool. It (windows-kb890830-v3.2.exe) reports: win32/Alureon.F c:\windows\system32\drivers\iastor.sys. And claims to have removed it. But when it put the PC into hibernate mode I get the same BSOD again. And if I rerun the uSoft tool it reports finding the same infected file (iastor.sys).

I also tried using uSoft restore to roll back to a time when the problem didn't happen, but that didn't help. The problem persists.

Thanx, Drew



DDS (Ver_09-12-01.01) - NTFSx86
Run by drew at 14:30:07.21 on Mon 01/04/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1297 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\drew\My Documents\HPcomputer\virusrepair\12_2009\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MoodLogic Service] c:\program files\moodlogic\service\MLService.exe
mRun: [MoodLogic Updater] c:\program files\moodlogic\service\Updater.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\drew\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
Trusted Zone: trymedia.com
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-29 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-27 360584]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2008-12-19 188276]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-04 04:14:20 90112 ----a-w- c:\windows\system32\udupynax.exe
2009-12-01 01:39:52 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-01 01:39:52 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-01 01:39:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-14 01:14:40 218 ----a-w- c:\documents and settings\drew\fet_settings.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-12-01 16:08:59 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 14:31:08.25 ===============

Here is an update because the symptoms have changed.

Although for quite a while the only problem the PC had was hibernating (and I disabled hibernation and left the PC running), one day I got the BSOD with the message PFN_LIST_CORRUPT. Now things are very bad.

New symptoms:
* firefox can't access internet (but FTP in a cmd.exe window can access the net)
* after a couple of minutes of operation the PC slows so badly it can take minutes to start a program, 100% CPU utilization is reported.
I think avg was listed as top hog process. I killed that and then lsass became the cpu hog.
* can't boot windows in safe mode (prints normal rdisk(0) startup messages but then I get the "we apologize but windows failed to start...")
* can boot into recovery console. It is the only thing that still seems to work.

At this point I don't think I can use windows to download anything, or run anything.

I did remove the drive and check it on another PC (not using it as system disk), and the disk seems fine.

Thanx,
Drew

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

• Please download OTL from following mirror:
  • This is THE Mirror
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Push the button.
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

Hi myrti,

Thanx for helping me.

You have requested that I download and run OTL, and then send you the results. I don't think that is possible.

1) I think I can't download anything because firefox can't access the internet. However I can download OTL to a USB stick and probably copy the program onto my sick machine.

2) I believe OTL will not run to completion. When I boot, then log into the machine I have only a about a minute of operation before the system becomes so slow it is effectively stalled. If I hit ctrl-alt-delete it can take 10 minutes for the task manager to appear

Hi,

is there any mode that will stay on for a couple of minutes, so that we can do some preliminary tests and runs? Do you have your windows cd to access the infected PC over recovery console?

regards myrti

>>is there any mode that will stay on for a couple of minutes, so that we can do some preliminary tests and runs?

The PC will run for a couple of minutes, although it does get slower and slower as time goes on. I would be happy to try anything you suggest to see if we are luck and get results. I wanted to let you know that if a test/scan normally took longer than a minute or two I expect that it will never run to completion with the PC in the current state.

>>Do you have your windows cd to access the infected PC over recovery console?

Recovery console is already installed, and last time I checked the PC booted into that mode without any trouble.
The PC is an HP pavillion, and it does not come with Windows install disks.
However HP has a utility to make recovery disks, which I did run before the PC got ill. Also the hard disk is partitioned into C: and D:, where D: is a recovery partition. The HP bios has a boot option to run the recovery process off of d:. I would like to avoid re-installing the OS if I can, because I have a lot of installed programs that would require a lot of work to reinstall.

======
Schedule
======
I am at work right now (eastern US time zone), so any experiments on the PC will have to be done at night. Although I could consider bringing the machine into work tomorrow if that meant I could respond quickly to your suggestions.

Thanx,
Drew

Hi,
ok, please try to run OTL, it should not take more than a minute or two.

In addition (or after a reboot) try to run the following scan:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Double-click the SystemLook and copy/paste the following into the box
  

  :filefind
  iastor.*

• Hit the Look button. Let it finish the scan
• A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

To prevent infections spreading from your infected PC to your clean machine over the flash drive, please do the following on your clean machine:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
• Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Let me know if you run into any problems, for example when the scans take to much time.

regards myrti

Hi myrti,

I had very good luck.

* using spare PC and USB mem stick, installed Flash_Disinfector, copied OTL and SystemLook
* booted sick Hp (network cable disconnected) and logged in, inserted memory stick
* ran OTL scan (scan all users). Left the mem stick inserted, it shows up as removable drive F:
It popped open a new window during the scan(windows no disk, exception processing message). I hit continue/cancel/tryAgain until message went away
Saved OTL.txt log. I did not see Extra.txt log file
* ran SystemLook(filefind iastor*). I realize forgot the period before the wildcard, but I think we got what we want.
* Copied the log files to the memory stick and shutown the PC

The HP PC ran normally during all of this. I didn't connect the PC to the net, and did not run any browsers. I had turned off AVG when the PC started acting crazy last week. It continues to be turned off.
Thanx, Drew

===================================================
OTL.txt
===================================================
OTL logfile created on: 1/12/2010 8:53:21 PM - Run 2
OTL by OldTimer - Version 3.1.24.0 Folder = F:\hpCrisis
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 289.44 Gb Total Space | 3.53 Gb Free Space | 1.22% Space Free | Partition Type: NTFS
Drive D: | 8.63 Gb Total Space | 0.38 Gb Free Space | 4.45% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 488.60 Mb Total Space | 485.33 Mb Free Space | 99.33% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOWER2
Current User Name: drew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/12 15:10:03 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/30 20:39:38 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/30 20:39:35 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/01/14 16:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/04/23 02:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/26 11:06:47 | 00,292,152 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2007/10/04 17:14:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/09/29 10:01:06 | 00,258,560 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe
PRC - [2006/07/06 16:15:00 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/07/06 16:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/06/21 06:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/06/13 22:05:26 | 16,239,616 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2006/06/02 01:25:00 | 00,180,224 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
PRC - [2006/04/13 11:05:00 | 00,090,112 | ---- | M] (Sonic Solutions) -- C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
PRC - [2006/02/16 00:34:58 | 00,249,856 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
PRC - [2004/10/01 23:16:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- F:\hpCrisis\OTL.exe
PRC - [2004/05/27 16:52:53 | 00,217,088 | ---- | M] (Moodlogic) -- C:\Program Files\MoodLogic\Service\Updater.exe


========== Modules (SafeList) ==========

MOD - [2007/10/26 11:06:56 | 00,062,768 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll
MOD - [2004/10/01 23:16:50 | 00,544,256 | ---- | M] (OldTimer Tools) -- F:\hpCrisis\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/12 15:10:02 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/11/30 20:39:35 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Disabled | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/03/21 17:07:52 | 00,183,280 | ---- | M] (Google) [Disabled | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/01/14 16:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2007/11/15 13:10:54 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/10/31 14:09:16 | 00,110,592 | ---- | M] (Apple, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/10/04 17:14:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/09/29 10:01:06 | 00,258,560 | ---- | M] (ASUSTeK COMPUTER INC.) [Auto | Running] -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)
SRV - [2006/07/06 16:14:30 | 00,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/06/21 06:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/06/02 01:25:00 | 00,180,224 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe -- (ELService) Intel®
SRV - [2004/10/22 12:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/11/30 20:39:52 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/30 20:39:52 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/30 20:39:51 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/04/13 13:45:34 | 00,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/04 17:14:00 | 06,854,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/10/31 15:55:38 | 00,011,008 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
DRV - [2006/09/29 10:06:26 | 00,010,752 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Video3D32.sys -- (Video3D)
DRV - [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/07/06 08:59:42 | 00,246,784 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iastor.sys -- (iaStor)
DRV - [2006/06/23 16:02:02 | 01,095,680 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/06/14 13:44:30 | 00,012,288 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\EIO.sys -- (EIO)
DRV - [2006/06/14 13:04:12 | 04,299,264 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/05/16 13:37:50 | 00,229,376 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2006/05/10 00:36:44 | 00,009,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi)
DRV - [2006/05/10 00:36:42 | 00,007,040 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elmon.sys -- (ELmon)
DRV - [2006/05/10 00:36:22 | 00,006,912 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elkbd.sys -- (ELkbd)
DRV - [2006/05/10 00:36:20 | 00,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elmou.sys -- (ELmou)
DRV - [2006/05/10 00:36:18 | 00,010,112 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Elhid.sys -- (ELhid)
DRV - [2006/04/13 18:47:38 | 00,168,064 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2006/03/09 13:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/12/12 19:27:00 | 00,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/12/06 13:20:50 | 00,241,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2005/12/06 13:20:42 | 00,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsx)
DRV - [2005/12/06 13:20:40 | 00,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSX_DP)
DRV - [2005/10/05 17:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/06/29 19:03:18 | 00,175,104 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/03/03 12:53:57 | 00,048,640 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/02/23 10:59:54 | 00,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/12/03 05:20:41 | 00,020,544 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2004/08/09 23:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 16:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/04/01 16:30:46 | 00,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/11/05 09:45:12 | 00,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2001/04/13 19:18:24 | 00,188,276 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys -- (RVIEGVST)
DRV - [2001/04/13 19:16:38 | 00,187,992 | ---- | M] (Roland) [Kernel | Auto | Running] -- C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys -- (RVIEG01)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\S-1-5-21-2513693763-3669167794-4027820331-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: max@subfighter.com:1.0.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07076007

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 15:10:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/12/19 21:07:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/09 12:09:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 19:28:02 | 00,000,000 | ---D | M]

[2008/08/26 16:07:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\drew\Application Data\Mozilla\Extensions
[2008/05/03 20:18:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\drew\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/01/09 12:05:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\drew\Application Data\Mozilla\Firefox\Profiles\oy4z9vn0.default\extensions
[2008/09/26 21:29:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\drew\Application Data\Mozilla\Firefox\Profiles\oy4z9vn0.default\extensions\max@subfighter.com
[2008/04/21 21:09:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\drew\Application Data\Mozilla\Firefox\Profiles\oy4z9vn0.default\extensions\moveplayer@movenetworks.com
[2008/03/14 21:31:31 | 00,000,276 | ---- | M] () -- C:\Documents and Settings\drew\Application Data\Mozilla\Firefox\Profiles\oy4z9vn0.default\searchplugins\search.xml
[2010/01/08 15:28:16 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/18 11:54:49 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

O1 HOSTS File: (686 bytes) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (Hewlett-Packard)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [DMAScheduler] c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
O4 - HKLM..\Run: [ftutil2] C:\WINDOWS\System32\ftutil2.dll (Promise Technology, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MoodLogic Service] C:\Program Files\MoodLogic\Service\MLService.exe (Moodlogic Inc)
O4 - HKLM..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe (Moodlogic)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\drew\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\terri\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\terri.TOWER2\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-2513693763-3669167794-4027820331-1008\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwa...are/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/24 14:54:32 | 00,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 08:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 00:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2004/10/01 23:06:08 | 00,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{00f209a1-45d5-11de-bb08-0018f3e732e8}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O33 - MountPoints2\{7c057c74-a136-11dc-8f7a-0018f3e732e8}\Shell\AutoRun\command - "" = J:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\{db7b5533-d647-11dd-8fc8-0018f3e732e8}\Shell\AutoRun\command - "" = F:\InstallSeagateManager.exe -- File not found
O33 - MountPoints2\{ea883f2d-db75-11dc-8f8b-0018f3e732e8}\Shell - "" = AutoRun
O33 - MountPoints2\{ea883f2d-db75-11dc-8f8b-0018f3e732e8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ea883f2d-db75-11dc-8f8b-0018f3e732e8}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/12 20:54:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\drew\Desktop\New Folder
[2010/01/06 21:38:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/05 14:02:54 | 00,917,504 | ---- | C] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX
[2010/01/05 09:37:07 | 00,000,000 | -HSD | C] -- C:\found.000
[2010/01/04 21:50:13 | 00,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2010/01/04 12:27:51 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\drew\Recent
[2010/01/04 10:10:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\drew\Application Data\HpUpdate
[2010/01/03 17:17:05 | 00,000,000 | ---D | C] -- C:\9b43e1e38de81d1ad87251c1
[2008/03/29 09:06:45 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/03/29 09:06:45 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/03/29 09:06:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/03/29 09:06:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/11/26 20:05:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2007/07/20 11:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/02/19 12:28:56 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/12 20:54:17 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/01/12 20:54:07 | 00,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/01/12 20:51:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/12 20:51:39 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/12 20:51:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/12 20:51:36 | 21,458,57536 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/09 08:35:57 | 47,623,059 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/09 02:38:50 | 00,137,194 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/05 14:02:54 | 00,917,504 | ---- | M] (Macromedia, Inc.) -- C:\WINDOWS\System32\FLASH.OCX
[2010/01/05 09:19:54 | 07,806,976 | ---- | M] () -- C:\Documents and Settings\drew\NTUSER.DAT
[2010/01/04 21:50:13 | 00,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2010/01/04 18:56:30 | 00,000,799 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2010/01/04 09:58:43 | 00,263,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/03 23:14:20 | 00,090,112 | ---- | M] () -- C:\WINDOWS\System32\udupynax.exe
[2010/01/03 11:34:02 | 00,111,434 | ---- | M] () -- C:\Documents and Settings\drew\My Documents\cc_20100103_1133.reg
[2010/01/02 21:31:14 | 00,081,966 | ---- | M] () -- C:\Documents and Settings\drew\Desktop\W225.MID
[2010/01/02 10:37:37 | 00,702,338 | ---- | M] () -- C:\Documents and Settings\drew\Desktop\CarlosSantanaAnd-GypsyQueen-BlackMagicWoman-UNEM.mid
[2010/01/02 10:32:27 | 00,092,004 | ---- | M] () -- C:\Documents and Settings\drew\Desktop\27909.mid
[2009/12/29 00:14:18 | 00,001,772 | ---- | M] () -- C:\Documents and Settings\drew\Desktop\Document.rtf
[2009/12/19 21:16:36 | 00,000,765 | ---- | M] () -- C:\dirLog
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/03 11:33:52 | 00,111,434 | ---- | C] () -- C:\Documents and Settings\drew\My Documents\cc_20100103_1133.reg
[2010/01/02 21:31:14 | 00,081,966 | ---- | C] () -- C:\Documents and Settings\drew\Desktop\W225.MID
[2010/01/02 10:37:37 | 00,702,338 | ---- | C] () -- C:\Documents and Settings\drew\Desktop\CarlosSantanaAnd-GypsyQueen-BlackMagicWoman-UNEM.mid
[2010/01/02 10:32:27 | 00,092,004 | ---- | C] () -- C:\Documents and Settings\drew\Desktop\27909.mid
[2009/12/29 00:14:18 | 00,001,772 | ---- | C] () -- C:\Documents and Settings\drew\Desktop\Document.rtf
[2009/12/19 20:18:09 | 00,000,765 | ---- | C] () -- C:\dirLog
[2009/09/24 22:54:49 | 00,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/17 19:12:22 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/05/05 19:53:34 | 00,870,128 | ---- | C] () -- C:\Documents and Settings\drew\Application Data\mcs.rma
[2009/05/05 19:53:34 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\drew\Application Data\E6B4FE
[2009/04/30 23:31:06 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/04/30 23:31:06 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/04/30 23:31:06 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/04/30 23:31:06 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/10/26 17:32:39 | 00,003,920 | ---- | C] () -- C:\WINDOWS\scad3.INI
[2008/10/07 08:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/04 21:59:40 | 00,000,187 | ---- | C] () -- C:\Documents and Settings\drew\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2008/04/13 20:29:39 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/02/12 20:25:58 | 00,061,952 | ---- | C] () -- C:\WINDOWS\System32\rmmerge2.DLL
[2008/02/12 20:25:58 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\rmevents.DLL
[2008/02/12 20:23:39 | 00,000,724 | R--- | C] () -- C:\WINDOWS\~FORGE45.INI
[2007/12/03 20:31:43 | 00,639,046 | ---- | C] () -- C:\WINDOWS\aticlocklib.dll
[2007/12/03 20:31:43 | 00,110,592 | ---- | C] () -- C:\WINDOWS\R5ClkLib.dll
[2007/12/03 20:31:43 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2007/12/03 20:31:43 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
[2007/12/03 20:31:43 | 00,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2007/12/01 11:09:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2007/11/30 20:35:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\LegitCheckControl.dll
[2007/11/20 21:14:51 | 00,003,457 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/04 17:14:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/06/14 17:35:27 | 00,000,156 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2007/04/04 22:10:24 | 00,001,506 | ---- | C] () -- C:\WINDOWS\FORGE32.ini
[2007/03/12 12:01:30 | 00,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/01/26 21:30:03 | 00,000,080 | ---- | C] () -- C:\WINDOWS\BBW_INFO.INI
[2007/01/18 23:31:05 | 00,001,861 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/01/14 18:42:50 | 00,000,419 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/01/02 21:55:45 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\drew\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/21 12:32:03 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\drew\Local Settings\Application Data\fusioncache.dat
[2006/08/24 15:19:55 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/24 15:02:10 | 00,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/08/24 14:57:37 | 00,014,316 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/08/24 14:57:33 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/08/24 14:54:44 | 00,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/08/24 14:45:01 | 00,000,530 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/08/24 14:44:25 | 00,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/08/24 14:40:30 | 00,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/08/24 14:39:41 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/24 14:37:31 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\hcwXDS.dll
[2006/08/24 14:35:48 | 00,000,799 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/08/24 14:32:09 | 00,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2006/08/24 14:32:09 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll
[2006/08/24 14:14:40 | 00,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/08/24 14:14:40 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/08/24 14:14:24 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2006/06/16 13:58:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/05 23:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/06/17 08:33:40 | 00,246,784 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2004/09/16 22:24:26 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/07/26 09:51:38 | 00,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A11F741D
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
==========================
SystemLook
==========================
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:01 on 12/01/2010 by drew (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor*"
C:\cmdcons\iastor.sys --a--- 246784 bytes [01:24 01/12/2007] [13:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.cat --a--- 8178 bytes [17:02 01/07/2005] [17:02 01/07/2005] EF34B8C6EAFC9822337D74C35FF5F00B
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.inf --a--- 3796 bytes [13:26 17/06/2005] [13:26 17/06/2005] CCFDFB6AB928C7187D00C2A90B5903F9
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.PNF --a--- 9284 bytes [04:15 31/08/2005] [04:21 28/11/2007] 1F9B6CD01A3A233E0499A3C5979D7A4E
C:\hp\drivers\Intel_5_1_0_1022_PV\iastor.sys --a--- 872064 bytes [13:33 17/06/2005] [13:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\hp\drivers\Intel_6.0.0.1022_WHQL\iastor.cat --a--- 8278 bytes [19:10 24/08/2006] [08:41 22/05/2006] 2E3C024419060C15DC9532C11FD8D73C
C:\hp\drivers\Intel_6.0.0.1022_WHQL\iastor.inf --a--- 5742 bytes [19:10 24/08/2006] [18:18 11/05/2006] 6A9AB910B565B5108538C5E01CDECA43
C:\hp\drivers\Intel_6.0.0.1022_WHQL\iastor.PNF --a--- 11516 bytes [19:13 24/08/2006] [04:21 28/11/2007] A079E0591D5792C039C970B98D6E9331
C:\hp\drivers\Intel_6.0.0.1022_WHQL\iaStor.sys --a--- 247808 bytes [19:10 24/08/2006] [18:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF
C:\hp\drivers\Intel_raid\iastor.cat --a--- 8278 bytes [19:35 24/08/2006] [23:06 12/07/2006] 8A9BB18AF2865290E621D361F51950E4
C:\hp\drivers\Intel_raid\iastor.inf --a--- 5742 bytes [19:35 24/08/2006] [13:47 06/07/2006] 7E0A6A0B61E54A876B4D726D3D4916F9
C:\hp\drivers\Intel_raid\iastor.PNF --a--- 11516 bytes [19:35 24/08/2006] [04:21 28/11/2007] 6EA808D60043BABCFC77266AAD6897FE
C:\hp\drivers\Intel_raid\iastor.sys --a--- 246784 bytes [19:35 24/08/2006] [13:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.cat --a--- 8250 bytes [19:35 24/08/2006] [15:03 13/07/2006] 12DFF2E343CAF356587CC4F838F72304
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.inf --a--- 5742 bytes [19:35 24/08/2006] [20:47 06/07/2006] 7E0A6A0B61E54A876B4D726D3D4916F9
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [19:35 24/08/2006] [21:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a--- 8278 bytes [19:35 24/08/2006] [06:06 13/07/2006] 8A9BB18AF2865290E621D361F51950E4
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.inf --a--- 5742 bytes [19:35 24/08/2006] [20:47 06/07/2006] 7E0A6A0B61E54A876B4D726D3D4916F9
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [19:35 24/08/2006] [20:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 246784 bytes [13:33 17/06/2005] [13:59 06/07/2006] 90D46E15096D1A68D8B9379D61476810
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\iaStor.cat --a-s- 8278 bytes [19:35 24/08/2006] [08:41 22/05/2006] 2E3C024419060C15DC9532C11FD8D73C
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\iastor.inf --a--- 5742 bytes [19:35 24/08/2006] [18:18 11/05/2006] 6A9AB910B565B5108538C5E01CDECA43
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\iastor.PNF --a--- 11612 bytes [19:35 24/08/2006] [19:14 24/08/2006] B11EC7E5B38F903BC6CB456B739C0051
C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\iaStor.sys --a--- 247808 bytes [19:35 24/08/2006] [18:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF

-=End Of File=-

Hi,

• Restart your computer
• Before Windows loads, you will be prompted to choose which Operating System to start
• Use the up and down arrow key to select Microsoft Windows Recovery Console
• You must enter which Windows installation to log onto. Type 1 and press enter.
• At the C:\Windows prompt, type the following bolded text, and press Enter:
  
  set AllowAllPaths=TRUE
  
• At the next prompt type the following bolded text, and press Enter:
  
  cd C:\windows\system32\drivers
• At the next prompt type the following bolded text, and press Enter:
  ren iastor.sys iastor.bak
• At the next prompt type the following bolded text, and press Enter:
  
  copy C:\cmdcons\iastor.sys C:\windows\system32\drivers\iastor.sys
• The command should then show 1 file(s) copied. At the next prompt type the following bolded text, and press Enter:
  
• At the next prompt type the following bolded text, and press Enter:
  
  exit

Windows will now begin loading.

Is the PC more stable now?

Edited by myrti, 12 January 2010 - 10:43 PM.

Hi myrti,

I made one mistake in your instructions but it things turned out OK. When choosing the recovery console installation I selected D:\MiniNT (from the HP recovery partition) instead of windows. Despite that, I successfully replaced C:\windows\system32\drivers\iastor.sys with a copy from C:\windows\system32\drivers. I attached the PC to the net, rebooted, logged in to personal account and tested things.

* The PC can now enter hibernate mode, and wake up from hibernate mode without any problems (BSOD).
* Firefox and IE can access the web again
* Windows now successfully runs in safe mode

I think the PC is healed!!!!

I will do two things different in the future which may help.
1) Switch my account I normally use to a limited privileges, and do all the system admin stuff with an unrestricted account
2) install sandboxie, and do all web browsing from within the sandbox. Infections won't be able to escape from the sandbox to the rest of the computer.

Thank You so much for your help. I will donate to help others to get the service I received.
Drew

Hi,

please don't leave just yet. I would like to do a couple of checks first.

First of all please run a scan with Eset to check that nothing is left:

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

regards myrti

The PC has been running the ESET scan for 2 hours, and it is 30% done. I will post the results when it hopefully finishes.

ESET has an option (checkbox) to remove threats, which I did not enable. So ESET ran in scan mode only. I hope that is what you wanted.

=============
ESET output (jan 15, 2010)
=============
C:\Documents and Settings\drew\Local Settings\Temp\TMP0000000195763F31D506F7D0 a variant of Win32/TrojanDownloader.FakeAlert.IQ trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Cache\M1AGK309.HTM probably a variant of JS/NoClose.gen trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Cache\MUH9PLQ1 probably a variant of JS/NoClose.gen trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Cache\MVLU09AS.HTM probably a variant of JS/NoClose.gen trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Cache\MVN5OVKC.HTM probably a variant of JS/NoClose.gen trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Mail\Inbox JS/NoClose.Q trojan
C:\Documents and Settings\drew\My Documents\tower1\oldpcC\Program Files\Netscape\Users\User1\Mail\Trash JS/NoClose.Q trojan
C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
C:\WINDOWS\system32\blackster.scr probably a variant of Win32/TrojanDropper.Agent trojan
C:\WINDOWS\system32\critical_warning.html Win32/TrojanDownloader.FakeAlert.AED virus
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus
C:\WINDOWS\system32\drivers\iastor.bak Win32/Olmarik.SJ virus
D:\I386\APPS\APP14588\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP14588\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

Hi,

Please remove the following files, from your system:

C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\critical_warning.html 
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt 
C:\WINDOWS\system32\drivers\iastor.bak

While they are not dangerous on their own, they definitely belong to malware and should not remain on your system.

Please download TFC by Old Timer and save it to your desktop.
alternate download link

• Save any unsaved work. TFC will close ALL open programs including your browser!
• Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
• Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
• Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Please also update your software:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
• Click the Download button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you run into any problems,

regards myrti

temp files "cleaned", the specific files your requested were deleted, and Java was updated.

I haven't noticed any abnormal behavior from the PC.