Solved Trojan.Agent infecting (or running as) C:\Windows\svchost.exe causing BSOD


Aravind

Hi

I am constantly getting a BSoD while using my Windows 7 OS.
I tried using my antivirus software to scan for viruses, but it always went into a BSoD before the scan could complete.

I have Malwarebytes Anti-Malware installed and ran a quick scan. It consistently finds 2 Trojan.Agent infecting (or running as) C:\Windows\svchost.exe.
I asked it to remove them, and it then asked to restart, which I did; however, the problem persists and a rescan using Malwarebytes finds the same Trojan again.

Since I am not sure whether this Trojan is causing the BSoD issue (but I think it is), how do I remove this Trojan? (Malwarebytes is clearly unable to do it.)
Kindly let me know if you want any logs or other information.

Thanks

Aravind
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 12-08-2012 04:25:33
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2011-01-18] (IDT, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [167936 2008-07-06] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [273528 2011-10-21] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [900120 2012-07-26] (Sophos Limited)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\aravindnv\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\aravindnv\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-06-16] (Hewlett-Packard Company)
HKU\aravindnv\...\Run: [googletalk] C:\Users\aravindnv\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\aravindnv\...\Run: [Google Update] "C:\Users\aravindnv\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-03] (Google Inc.)
HKU\aravindnv\...\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler [210208 2008-10-20] (Acresso Corporation)
HKU\aravindnv\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [6276408 2011-08-22] (Yahoo! Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKLM-x32\...\Runonce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x]
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe, [739664 2010-09-15] (DigitalPersona, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL
Lsa: [Notification Packages] DPPassFilter
scecli
Startup: C:\Users\aravindnv\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [400368 2010-06-12] (CinemaNow, Inc.)
2 CLKMSVC10_C6F09094; "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe" /svc [245232 2010-06-29] (CyberLink)
2 DpHost; C:\Program Files\DigitalPersona\Bin\DpHostW.exe [440144 2010-09-15] (DigitalPersona, Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [29293408 2010-12-10] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4466688 2007-11-07] (Microsoft Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 SAVAdminService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216600 2012-07-26] (Sophos Limited)
2 SAVService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-07-26] (Sophos Limited)
2 Sophos AutoUpdate Service; "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" [232472 2012-07-26] (Sophos Limited)
2 Sophos Web Control Service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-07-26] (Sophos Limited)
2 swi_service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2862656 2012-07-26] (Sophos Limited)
2 swi_update_64; "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" [2009152 2012-07-26] (Sophos Limited)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2533400 2010-04-30] (Intel Corporation)

========================== Drivers (Whitelisted) =============

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [32880 2010-06-24] (Windows (R) Win 7 DDK provider)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110701.051\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110702.002\ENG64.SYS [117880 2011-05-18] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110702.002\EX64.SYS [2011768 2011-05-18] (Symantec Corporation)
1 SAVOnAccess; C:\Windows\System32\Drivers\SAVOnAccess.sys [144672 2012-07-26] (Sophos Limited)
3 sdcfilter; C:\Windows\System32\Drivers\sdcfilter.sys [36640 2012-07-26] (Sophos Limited)
4 SophosBootDriver; C:\Windows\System32\Drivers\SophosBootDriver.sys [25608 2012-02-20] (Sophos Plc)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-11] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-12 04:25 - 2012-08-12 04:25 - 00000000 ____D C:\FRST
2012-08-12 03:18 - 2012-08-12 03:18 - 01439703 ____A (Farbar) C:\Users\aravindnv\Downloads\FRST64.exe
2012-08-12 03:11 - 2012-08-12 03:11 - 00278624 ____A C:\Windows\Minidump\081212-49577-01.dmp
2012-08-12 02:46 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-08-12 01:43 - 2012-08-12 01:43 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-12 01:35 - 2012-08-12 01:35 - 00000000 ____D C:\Windows\Sun
2012-08-12 01:23 - 2012-08-12 01:23 - 00278624 ____A C:\Windows\Minidump\081212-41043-01.dmp
2012-08-11 23:12 - 2012-08-11 23:12 - 00302592 ____A C:\Users\aravindnv\Downloads\otcp49o7.exe
2012-08-11 22:16 - 2012-08-11 22:16 - 00278624 ____A C:\Windows\Minidump\081112-48890-01.dmp
2012-08-11 21:06 - 2012-08-11 21:06 - 00270760 ____A C:\Windows\Minidump\081112-49608-01.dmp
2012-08-11 19:40 - 2012-08-11 19:40 - 00278624 ____A C:\Windows\Minidump\081112-56893-01.dmp
2012-08-11 14:47 - 2012-08-11 14:47 - 00000000 ____D C:\Users\aravindnv\AppData\Roaming\Leadertech
2012-08-11 13:34 - 2012-08-11 14:31 - 100839666 ____A C:\Users\aravindnv\Downloads\452.avi
2012-07-29 17:52 - 2012-07-29 17:52 - 00000000 ____D C:\Users\aravindnv\Documents\My Games
2012-07-28 16:47 - 2012-07-28 16:47 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad
2012-07-27 20:11 - 2012-07-27 20:11 - 00000000 ____D C:\f5a1bf0982a18a87c32548a7bc73
2012-07-26 17:24 - 2012-07-26 17:23 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 17:23 - 2012-07-26 17:23 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-26 17:23 - 2012-07-26 17:23 - 00036640 ____A (Sophos Limited) C:\Windows\System32\Drivers\sdcfilter.sys

============ 3 Months Modified Files ========================

2012-08-12 03:18 - 2012-08-12 03:18 - 01439703 ____A (Farbar) C:\Users\aravindnv\Downloads\FRST64.exe
2012-08-12 03:11 - 2012-08-12 03:11 - 00278624 ____A C:\Windows\Minidump\081212-49577-01.dmp
2012-08-12 03:11 - 2011-01-18 17:42 - 543300421 ____A C:\Windows\MEMORY.DMP
2012-08-12 03:07 - 2011-05-22 06:37 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-12 03:07 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-12 03:07 - 2009-07-13 20:51 - 00091311 ____A C:\Windows\setupact.log
2012-08-12 02:46 - 2011-01-03 19:13 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1626714976-4022887705-2032377424-1001UA.job
2012-08-12 02:45 - 2010-09-16 00:55 - 00133730 ____A C:\Windows\PFRO.log
2012-08-12 02:37 - 2011-05-22 06:37 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-12 02:13 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-12 02:13 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-12 01:23 - 2012-08-12 01:23 - 00278624 ____A C:\Windows\Minidump\081212-41043-01.dmp
2012-08-12 00:39 - 2011-05-22 06:37 - 00002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-11 23:12 - 2012-08-11 23:12 - 00302592 ____A C:\Users\aravindnv\Downloads\otcp49o7.exe
2012-08-11 22:16 - 2012-08-11 22:16 - 00278624 ____A C:\Windows\Minidump\081112-48890-01.dmp
2012-08-11 21:54 - 2012-08-11 21:54 - 01558528 ____A C:\Users\aravindnv\Downloads\RogueKiller.exe
2012-08-11 21:06 - 2012-08-11 21:06 - 00270760 ____A C:\Windows\Minidump\081112-49608-01.dmp
2012-08-11 19:40 - 2012-08-11 19:40 - 00278624 ____A C:\Windows\Minidump\081112-56893-01.dmp
2012-08-11 14:31 - 2012-08-11 13:34 - 100839666 ____A C:\Users\aravindnv\Downloads\452.avi
2012-08-06 20:46 - 2011-01-03 19:13 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1626714976-4022887705-2032377424-1001Core.job
2012-07-28 16:47 - 2012-07-28 16:47 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad
2012-07-26 17:23 - 2012-07-26 17:24 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 17:23 - 2012-07-26 17:23 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-26 17:23 - 2012-07-26 17:23 - 00036640 ____A (Sophos Limited) C:\Windows\System32\Drivers\sdcfilter.sys
2012-07-25 19:34 - 2011-10-18 07:44 - 00000348 ____A C:\Windows\Tasks\HPCeeScheduleForaravindnv.job
2012-07-24 21:01 - 2011-01-04 23:51 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-24 21:00 - 2011-11-01 08:22 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-18 21:39 - 2011-09-19 02:32 - 00000350 ____A C:\Windows\Tasks\HPCeeScheduleForARAVINDNV-HP$.job
2012-07-12 18:14 - 2009-07-13 20:45 - 00442304 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 22:28 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-11 22:20 - 2011-01-04 23:52 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-10 23:02 - 2012-07-10 22:21 - 04503728 ___AT C:\Users\All Users\go_0molg.pad
2012-07-10 22:41 - 2012-07-10 22:41 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\aravindnv\Downloads\mbam-setup-1.61.0.1400.exe
2012-07-08 09:41 - 2009-07-13 21:13 - 00846342 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-06 16:29 - 2012-01-05 00:28 - 00000163 ____A C:\Users\aravindnv\Desktop\accwork.txt
2012-07-03 17:19 - 2011-01-03 19:18 - 00001964 ____A C:\Users\aravindnv\Desktop\New Text Document.txt
2012-07-03 12:46 - 2012-07-10 22:41 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 09:43 - 2009-07-13 21:08 - 00032536 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-12 16:45 - 2011-02-06 15:27 - 00001033 ____A C:\Users\aravindnv\Desktop\Dropbox.lnk
2012-06-12 16:38 - 2012-04-04 15:30 - 00002480 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2012-06-11 19:08 - 2012-07-11 22:28 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 22:00 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 22:00 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 22:01 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 22:01 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 22:00 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 22:01 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 22:01 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 22:00 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 10:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 10:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-21 10:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 10:26 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-21 10:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 22:19 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 22:19 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 22:19 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 22:19 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 22:19 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 22:19 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 22:19 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 22:19 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 22:19 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 22:19 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 22:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 22:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 22:19 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 22:19 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 22:19 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 22:19 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 22:19 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 22:19 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 22:19 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 22:19 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 22:19 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 22:19 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 22:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 22:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 22:19 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 22:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 22:19 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 22:00 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 22:00 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 22:00 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 22:00 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 22:00 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 22:00 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 22:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 22:00 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 22:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 11:25 - 2011-01-03 18:56 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-21 14:59 - 2012-05-21 14:15 - 79689952 ____A C:\Users\aravindnv\Downloads\291.wmv
2012-05-19 11:43 - 2012-05-19 10:33 - 126965820 ____A C:\Users\aravindnv\Downloads\298.wmv

ZeroAccess:
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\L
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\L\00000004.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\L\201d3dde
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\00000004.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\00000008.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\000000cb.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\80000000.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\80000032.@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

Type 00 partition infection:
C:\Windows\svchost.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 5941.86 MB
Available physical RAM: 5088.24 MB
Total Pagefile: 5940.01 MB
Available Pagefile: 5087.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.07 GB) (Free:225.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:20.4 GB) (Free:2.97 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 103 MB
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 445 GB 200 MB
Partition 3 Primary 20 GB 445 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 20 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

==================================================================================

Last Boot: 2012-08-07 19:53

======================= End Of Log ==========================
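The "One Month Created Files and Folders" section of a log like the one above is where a helper first looks, and the look can be partly automated. The Python below is an added example, not FRST's code or anything the helper posted: it parses lines in the format FRST uses for that section (the sample lines are copied from this thread's log), then applies three heuristics of this example's own choosing (an executable sitting directly under C:\Windows rather than in System32/SysWOW64, a system+hidden object whose name mimics an environment variable, and a long hex-named folder at the drive root) and counts the minidumps as a rough measure of how often the machine is crashing. The flags are review prompts for a human, not verdicts; note also that the vendor name FRST prints in parentheses comes from the file's version information, which is not a signature check.

```python
"""Triage helper for FRST 'One Month Created Files and Folders' lines.
Added example, not part of FRST or of this thread's posts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the FRST log in this thread.
SAMPLE_LOG = r"""
2012-08-12 04:25 - 2012-08-12 04:25 - 00000000 ____D C:\FRST
2012-08-12 03:18 - 2012-08-12 03:18 - 01439703 ____A (Farbar) C:\Users\aravindnv\Downloads\FRST64.exe
2012-08-12 03:11 - 2012-08-12 03:11 - 00278624 ____A C:\Windows\Minidump\081212-49577-01.dmp
2012-08-12 02:46 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-08-12 01:43 - 2012-08-12 01:43 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-12 01:35 - 2012-08-12 01:35 - 00000000 ____D C:\Windows\Sun
2012-08-12 01:23 - 2012-08-12 01:23 - 00278624 ____A C:\Windows\Minidump\081212-41043-01.dmp
2012-08-11 23:12 - 2012-08-11 23:12 - 00302592 ____A C:\Users\aravindnv\Downloads\otcp49o7.exe
2012-08-11 22:16 - 2012-08-11 22:16 - 00278624 ____A C:\Windows\Minidump\081112-48890-01.dmp
2012-08-11 21:06 - 2012-08-11 21:06 - 00270760 ____A C:\Windows\Minidump\081112-49608-01.dmp
2012-08-11 19:40 - 2012-08-11 19:40 - 00278624 ____A C:\Windows\Minidump\081112-56893-01.dmp
2012-08-11 13:34 - 2012-08-11 14:31 - 100839666 ____A C:\Users\aravindnv\Downloads\452.avi
2012-07-27 20:11 - 2012-07-27 20:11 - 00000000 ____D C:\f5a1bf0982a18a87c32548a7bc73
"""

# created - modified - size attrs [(vendor)] path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
# Drive root followed only by a long run of hex characters (heuristic of this example).
HEX_DIR_RE = re.compile(r"^[a-z]:\\[0-9a-f]{20,}$")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str          # FRST attribute flags, e.g. ____A, ____D, __SHD, ___AT
    vendor: Optional[str]
    path: str


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that matches FRST's created-files format; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["created"], m["modified"], int(m["size"]),
                             m["attrs"], m["vendor"], m["path"]))
    return out


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries a reviewer should look at."""
    findings = []
    for e in entries:
        p = e.path.lower()
        win = "c:\\windows\\"
        rest = p[len(win):] if p.startswith(win) else None
        # 1. An .exe/.dll/.sys directly under C:\Windows; the real svchost.exe
        #    lives in System32 (and SysWOW64), never in the Windows root.
        if rest is not None and "\\" not in rest and rest.endswith((".exe", ".dll", ".sys")):
            findings.append(("executable directly under C:\\Windows", e.path))
        # 2. System+hidden object named like an environment variable (%...%).
        if "S" in e.attrs and "H" in e.attrs and "%" in p:
            findings.append(("system+hidden object named like an environment variable", e.path))
        # 3. Long hex-named directory at the drive root; installers and Windows
        #    Update use these too, so confirm before acting.
        if "D" in e.attrs and HEX_DIR_RE.match(p):
            findings.append(("hex-named folder at drive root; confirm it is an update temp dir", e.path))
    return findings


def minidump_count(entries: List[Entry]) -> int:
    """Number of kernel minidumps in the window: a crude crash-frequency gauge."""
    return sum(1 for e in entries
               if e.path.lower().endswith(".dmp") and "\\minidump\\" in e.path.lower())


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for reason, path in triage(ents):
        print(f"REVIEW: {path}  ({reason})")
    print(f"minidumps in window: {minidump_count(ents)}")
```

Run against the sample, the three flagged paths are exactly the ones FRST itself later names under "Type 00 partition infection" and the odd SysWOW64 entry, plus the hex-named folder for a human to confirm; the five minidumps in four days match the user's description of constant BSoDs.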
 
Also, I forgot to mention one thing before: when I first encountered the problem, I ran a system restore to a previous restore point (thinking some update caused the BSoD), but that did not help. That is when I checked for malware.
 
Okie dokie.

Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-13 07:28:10
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
 
FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
C:\Users\aravindnv\Downloads\otcp49o7.exe
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
CMD: bootrec /FixMBR
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
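The Bamital check in the first log, the services.exe search, and the Replace: line in the fixlist all rest on the same idea: hash the live copy of a critical binary, compare it with a known-good copy (here the one Windows keeps in WinSxS), and restore from that copy when they differ. The Python below is an added example, not FRST's code or the helper's: one function parses an FRST Search.txt-style listing into path/MD5 pairs and reports any copy whose hash differs from its WinSxS reference, and another does the same comparison on files on disk. The embedded listing is constructed for the mismatch case: it pairs the WinSxS hash shown in this thread's Search.txt (24ACB7…) with the hash the Bamital check flagged for the System32 copy (014A9C…), which in the real Search.txt had already been reported identical. The on-disk demo uses small temporary files, not real system binaries.

```python
"""Compare live system binaries with known-good reference copies by MD5.
Added example; not FRST's code or anything posted in this thread."""
import hashlib
import ntpath
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed listing in the shape of FRST's Search.txt. The WinSxS hash is the
# one this thread's Search.txt shows; the System32 hash is the one the Bamital
# check flagged, combined here to demonstrate a mismatch.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")            # a line that is a Windows path
HASH_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")  # MD5 at the end of the detail line


def parse_frst_search(text: str) -> Dict[str, str]:
    """Return {path: MD5} from a Search.txt-style listing (path line, then detail line)."""
    hashes, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = HASH_RE.search(line)
        if pending and m:
            hashes[pending] = m.group(1).upper()
            pending = None
    return hashes


def mismatched_copies(hashes: Dict[str, str],
                      reference_marker: str = "\\winsxs\\") -> List[Tuple[str, str, str]]:
    """Pair each non-WinSxS copy with the WinSxS copy of the same file name and
    return (path, live_md5, reference_md5) where the two differ."""
    refs = {ntpath.basename(p).lower(): h
            for p, h in hashes.items() if reference_marker in p.lower()}
    bad = []
    for p, h in hashes.items():
        if reference_marker in p.lower():
            continue
        ref = refs.get(ntpath.basename(p).lower())
        if ref is not None and ref != h:
            bad.append((p, h, ref))
    return bad


def md5_file(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_against_reference(pairs: List[Tuple[str, str]]) -> List[str]:
    """pairs = [(live_path, reference_path)]; return the live paths whose MD5
    differs from the reference, i.e. the ones a Replace: directive would restore."""
    return [live for live, ref in pairs if md5_file(live) != md5_file(ref)]


def demo() -> List[str]:
    """Constructed on-disk demo: one tampered 'live' copy and one intact copy."""
    d = tempfile.mkdtemp()
    ref = os.path.join(d, "winsxs_services.exe")
    tampered = os.path.join(d, "services.exe")
    intact = os.path.join(d, "svchost.exe")
    with open(ref, "wb") as f:
        f.write(b"MZ reference image")
    with open(tampered, "wb") as f:
        f.write(b"MZ reference image with patch")   # differs from the reference
    with open(intact, "wb") as f:
        f.write(b"MZ reference image")              # identical to the reference
    return verify_against_reference([(tampered, ref), (intact, ref)])


if __name__ == "__main__":
    for path, live, ref in mismatched_copies(parse_frst_search(SEARCH_TXT)):
        print(f"MISMATCH {path}: {live} (WinSxS copy: {ref})")
    print("tampered on disk:", demo())
```

Two caveats a practitioner should keep in mind: MD5 is fine for spotting an altered file when the reference is trusted, but the WinSxS copy is only a valid reference if the servicing store itself is intact and matches the installed update level, which is why FRST searches it by name and shows its hash before the helper chooses to restore from it.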
 
Following is the log Fixlog.txt.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-14 07:45:41 Run:1
Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.
C:\Users\aravindnv\Downloads\otcp49o7.exe not found.
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e} not found.
C:\Windows\assembly\GAC_32\Desktop.ini not found.
C:\Windows\assembly\GAC_64\Desktop.ini not found.

========= bootrec /FixMBR =========

The operation completed successfully.

========= End of CMD: =========

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Also, the BSoD came before I could even finish typing this in and posting the reply. I ended up sending this reply in Safe mode with Networking.
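The fixlist above uses three kinds of line, and the Fixlog shows what each one did. As an added example (not part of this thread and not FRST's own code), here is a dry-run interpreter for those three directives applied to an in-memory model of the disk, so the effect of each line can be previewed before Fix is pressed for real. It models what the Fixlog reports: a bare path is moved to quarantine rather than deleted (which is why a quarantined copy of services.exe later turns up in a search), CMD: runs a command from the recovery console, and Replace: moves the existing target aside and copies the source over it. The quarantine folder C:\FRST\Quarantine is the path the later Search.txt shows; the assumption that Replace: paths contain no spaces, and the disk contents, are invented for the demonstration.

```python
"""Added example; not from the thread and not FRST's own code. Dry-run
interpreter for the fixlist directives used in this thread (bare path,
CMD:, Replace:) against an in-memory disk model. Nothing is executed."""
import re
from typing import Dict, List, Tuple

QUARANTINE = r"C:\FRST\Quarantine"          # location seen in the later Search.txt
_REPLACE = re.compile(r"^Replace:\s+(\S+)\s+(\S+)$", re.IGNORECASE)  # assumes no spaces in paths


def _quarantine_path(path: str) -> str:
    return QUARANTINE + "\\" + path.rsplit("\\", 1)[-1]


def dry_run_fixlist(fixlist: str, disk: Dict[str, bytes]) -> Tuple[List[str], Dict[str, bytes]]:
    """Return (Fixlog-style lines, disk contents after the fix).
    `disk` maps full paths to contents; lookups are case-insensitive like NTFS.
    CMD: lines are only recorded, never run."""
    fs = {p.lower(): (p, data) for p, data in disk.items()}
    log: List[str] = []

    def move_to_quarantine(path: str) -> bool:
        key = path.lower()
        if key not in fs:
            return False
        _, data = fs.pop(key)
        q = _quarantine_path(path)
        fs[q.lower()] = (q, data)
        return True

    active = False
    for raw in fixlist.splitlines():
        line = raw.strip()
        if line.lower() == "start":
            active = True
            continue
        if line.lower() == "end":
            break
        if not active or not line:
            continue
        m = _REPLACE.match(line)
        if line.lower().startswith("cmd:"):
            log.append(f"[would run from recovery console] {line[4:].strip()}")
        elif m:
            src, dst = m.groups()
            if src.lower() not in fs:
                log.append(f"{src} not found.")
                continue
            if move_to_quarantine(dst):                 # existing target is kept, not deleted
                log.append(f"{dst} moved successfully.")
            fs[dst.lower()] = (dst, fs[src.lower()][1])
            log.append(f"{src} copied successfully to {dst}")
        else:
            log.append(f"{line} moved successfully." if move_to_quarantine(line)
                       else f"{line} not found.")
    return log, {p: d for p, d in fs.values()}


# Constructed disk model (contents invented): the files the first fixlist found.
SXS = (r"C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller"
       r"_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe")
DISK = {
    r"C:\Windows\svchost.exe": b"MZ<unknown 20480-byte binary>",
    r"C:\Windows\System32\services.exe": b"MZ<live services.exe>",
    SXS: b"MZ<component-store services.exe>",
}
FIXLIST = "\n".join([
    "start",
    r"C:\Windows\svchost.exe",
    r"C:\Users\aravindnv\Downloads\otcp49o7.exe",
    "CMD: bootrec /FixMBR",
    "Replace: " + SXS + r" C:\Windows\System32\services.exe",
    "end",
])

if __name__ == "__main__":
    lines, after = dry_run_fixlist(FIXLIST, DISK)
    print("\n".join(lines))
    print("quarantine now holds:", [p for p in after if p.startswith(QUARANTINE)])
```

Running it prints the same sequence of "moved successfully" / "not found" / "copied successfully to" lines the real Fixlog shows for this fixlist, and the quarantine listing afterwards contains both svchost.exe and the original services.exe.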
 
Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 15-08-2012 07:06:54
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2011-01-18] (IDT, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [167936 2008-07-06] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [273528 2011-10-21] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [900120 2012-07-26] (Sophos Limited)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\aravindnv\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\aravindnv\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-06-16] (Hewlett-Packard Company)
HKU\aravindnv\...\Run: [googletalk] C:\Users\aravindnv\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\aravindnv\...\Run: [Google Update] "C:\Users\aravindnv\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-03] (Google Inc.)
HKU\aravindnv\...\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler [210208 2008-10-20] (Acresso Corporation)
HKU\aravindnv\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [6276408 2011-08-22] (Yahoo! Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe, [739664 2010-09-15] (DigitalPersona, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL
Lsa: [Notification Packages] DPPassFilter
scecli
Startup: C:\Users\aravindnv\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [400368 2010-06-12] (CinemaNow, Inc.)
2 CLKMSVC10_C6F09094; "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe" /svc [245232 2010-06-29] (CyberLink)
2 DpHost; C:\Program Files\DigitalPersona\Bin\DpHostW.exe [440144 2010-09-15] (DigitalPersona, Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [29293408 2010-12-10] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4466688 2007-11-07] (Microsoft Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 SAVAdminService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216600 2012-07-26] (Sophos Limited)
2 SAVService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-07-26] (Sophos Limited)
2 Sophos AutoUpdate Service; "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" [232472 2012-07-26] (Sophos Limited)
2 Sophos Web Control Service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" [357400 2012-07-26] (Sophos Limited)
2 swi_service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2862656 2012-07-26] (Sophos Limited)
2 swi_update_64; "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" [2009152 2012-07-26] (Sophos Limited)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2533400 2010-04-30] (Intel Corporation)

========================== Drivers (Whitelisted) =============

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [32880 2010-06-24] (Windows (R) Win 7 DDK provider)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110701.051\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110702.002\ENG64.SYS [117880 2011-05-18] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110702.002\EX64.SYS [2011768 2011-05-18] (Symantec Corporation)
1 SAVOnAccess; C:\Windows\System32\Drivers\SAVOnAccess.sys [144672 2012-07-26] (Sophos Limited)
3 sdcfilter; C:\Windows\System32\Drivers\sdcfilter.sys [36640 2012-07-26] (Sophos Limited)
4 SophosBootDriver; C:\Windows\System32\Drivers\SophosBootDriver.sys [25608 2012-02-20] (Sophos Plc)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-11] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-14 07:37 - 2012-08-14 07:37 - 00278568 ____A C:\Windows\Minidump\081412-47580-01.dmp
2012-08-14 07:31 - 2012-08-14 07:31 - 00003288 ____N C:\bootsqm.dat
2012-08-14 07:02 - 2012-08-14 07:02 - 00278624 ____A C:\Windows\Minidump\081412-70294-01.dmp
2012-08-14 06:49 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-08-12 18:08 - 2012-08-12 18:09 - 00278624 ____A C:\Windows\Minidump\081212-58703-01.dmp
2012-08-12 04:25 - 2012-08-12 04:25 - 00000000 ____D C:\FRST
2012-08-12 01:43 - 2012-08-12 01:43 - 00000000 ____D C:\Windows\SysWOW64\%APPDATA%
2012-08-12 01:35 - 2012-08-12 01:35 - 00000000 ____D C:\Windows\Sun
2012-08-11 14:47 - 2012-08-11 14:47 - 00000000 ____D C:\Users\aravindnv\AppData\Roaming\Leadertech
2012-07-29 17:52 - 2012-07-29 17:52 - 00000000 ____D C:\Users\aravindnv\Documents\My Games
2012-07-28 16:47 - 2012-07-28 16:47 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad
2012-07-27 20:11 - 2012-07-27 20:11 - 00000000 ____D C:\f5a1bf0982a18a87c32548a7bc73
2012-07-26 17:24 - 2012-07-26 17:23 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 17:23 - 2012-07-26 17:23 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-26 17:23 - 2012-07-26 17:23 - 00036640 ____A (Sophos Limited) C:\Windows\System32\Drivers\sdcfilter.sys

============ 3 Months Modified Files ========================

2012-08-14 20:00 - 2011-08-15 02:41 - 00023552 __ASH C:\Users\aravindnv\Thumbs.db
2012-08-14 18:14 - 2009-07-13 21:13 - 00846342 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-14 07:37 - 2012-08-14 07:37 - 00278568 ____A C:\Windows\Minidump\081412-47580-01.dmp
2012-08-14 07:37 - 2011-01-18 17:42 - 449444621 ____A C:\Windows\MEMORY.DMP
2012-08-14 07:34 - 2011-05-22 06:37 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-14 07:33 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-14 07:32 - 2009-07-13 20:51 - 00092115 ____A C:\Windows\setupact.log
2012-08-14 07:31 - 2012-08-14 07:31 - 00003288 ____N C:\bootsqm.dat
2012-08-14 07:02 - 2012-08-14 07:02 - 00278624 ____A C:\Windows\Minidump\081412-70294-01.dmp
2012-08-14 06:48 - 2011-05-22 06:37 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-12 18:09 - 2012-08-12 18:08 - 00278624 ____A C:\Windows\Minidump\081212-58703-01.dmp
2012-08-12 02:13 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-12 02:13 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-28 17:31 - 2010-09-16 00:51 - 01569732 ____A C:\Windows\WindowsUpdate.log
2012-07-28 17:12 - 2010-09-16 00:55 - 00132186 ____A C:\Windows\PFRO.log
2012-07-28 16:47 - 2012-07-28 16:47 - 04503728 ___AT C:\Users\All Users\zak_lo0i7g.pad
2012-07-28 16:46 - 2011-01-03 19:13 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1626714976-4022887705-2032377424-1001UA.job
2012-07-26 20:46 - 2011-01-03 19:13 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1626714976-4022887705-2032377424-1001Core.job
2012-07-26 17:23 - 2012-07-26 17:24 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 17:23 - 2012-07-26 17:23 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-26 17:23 - 2012-07-26 17:23 - 00036640 ____A (Sophos Limited) C:\Windows\System32\Drivers\sdcfilter.sys
2012-07-25 19:34 - 2011-10-18 07:44 - 00000348 ____A C:\Windows\Tasks\HPCeeScheduleForaravindnv.job
2012-07-24 21:01 - 2011-01-04 23:51 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-24 21:00 - 2011-11-01 08:22 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-18 21:39 - 2011-09-19 02:32 - 00000350 ____A C:\Windows\Tasks\HPCeeScheduleForARAVINDNV-HP$.job
2012-07-12 19:14 - 2011-05-22 06:37 - 00002344 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-12 18:14 - 2009-07-13 20:45 - 00442304 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 22:28 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-11 22:20 - 2011-01-04 23:52 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-10 23:02 - 2012-07-10 22:21 - 04503728 ___AT C:\Users\All Users\go_0molg.pad
2012-07-10 22:41 - 2012-07-10 22:41 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\aravindnv\Downloads\mbam-setup-1.61.0.1400.exe
2012-07-06 16:29 - 2012-01-05 00:28 - 00000163 ____A C:\Users\aravindnv\Desktop\accwork.txt
2012-07-03 17:19 - 2011-01-03 19:18 - 00001964 ____A C:\Users\aravindnv\Desktop\New Text Document.txt
2012-07-03 12:46 - 2012-07-10 22:41 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 09:43 - 2009-07-13 21:08 - 00032536 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-12 16:45 - 2011-02-06 15:27 - 00001033 ____A C:\Users\aravindnv\Desktop\Dropbox.lnk
2012-06-12 16:38 - 2012-04-04 15:30 - 00002480 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2012-06-11 19:08 - 2012-07-11 22:28 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 22:00 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 22:00 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 22:01 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 22:01 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 22:00 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 22:01 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 22:01 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 22:00 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 10:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 10:26 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 10:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-21 10:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 10:26 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-21 10:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 22:19 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 22:19 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 22:19 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 22:19 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 22:19 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 22:19 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 22:19 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 22:19 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 22:19 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 22:19 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 22:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 22:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 22:19 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 22:19 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 22:19 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 22:19 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 22:19 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 22:19 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 22:19 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 22:19 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 22:19 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 22:19 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 22:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 22:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 22:19 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 22:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 22:19 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 22:00 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 22:00 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 22:00 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 22:00 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 22:00 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 22:00 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 22:00 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 22:00 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 22:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 11:25 - 2011-01-03 18:56 - 00279656 ____A (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


Type 00 partition infection:
C:\Windows\svchost.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 5941.86 MB
Available physical RAM: 5092.19 MB
Total Pagefile: 5940.01 MB
Available Pagefile: 5090.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.07 GB) (Free:240.34 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:20.4 GB) (Free:2.97 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 103 MB
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 445 GB 200 MB
Partition 3 Primary 20 GB 445 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 20 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

==================================================================================

Last Boot: 2012-08-07 19:53

======================= End Of Log ==========================
 
I also ran the search for Services.exe again in case you need it - following is the log search.txt

Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-15 07:20:27
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\FRST\Quarantine\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
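What the helper is checking in these two searches is whether the live C:\Windows\System32\services.exe still matches the copy Windows keeps in the WinSxS component store (same size, same MD5, same publisher string). As an added example, not part of this thread and not part of FRST, here is a parser for the Search.txt entry format with that comparison automated. The sample input is the log posted above; the "tampered" variant is constructed, with an invented size and hash, to show what a mismatch looks like. Note that the (publisher) field is only the CompanyName string from the file's version resource, not an Authenticode check, so it is a hint and not proof.

```python
"""Added example; not from the thread and not part of FRST. Parses FRST
Search.txt entries and compares the System32 copy of a binary against the
WinSxS copies the same search found."""
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    path: str
    size: int
    publisher: str   # version-resource CompanyName, not a signature check
    md5: str


# One entry is a path line followed by a detail line:
#   [created] - [modified] - <size> <attrs> (<publisher>) <MD5>
_PATH = re.compile(r"^[A-Za-z]:\\")
_DETAIL = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ "
    r"\((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text: str) -> List[Entry]:
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[Entry] = []
    for i in range(len(lines) - 1):
        detail = _DETAIL.match(lines[i + 1])
        if _PATH.match(lines[i]) and detail:
            entries.append(Entry(lines[i], int(detail["size"]),
                                 detail["publisher"], detail["md5"].upper()))
    return entries


def compare_live_to_winsxs(entries: List[Entry], name: str) -> Dict[str, str]:
    """For every ...\\System32\\<name> entry: OK if some WinSxS copy of the same
    file has the same size and MD5, MISMATCH otherwise, NO-REFERENCE when the
    search found no WinSxS copy to compare against."""
    target = "\\" + name.lower()
    sxs = [e for e in entries
           if "\\winsxs\\" in e.path.lower() and e.path.lower().endswith(target)]
    result: Dict[str, str] = {}
    for e in entries:
        if not e.path.lower().endswith("\\system32" + target):
            continue
        if not sxs:
            result[e.path] = "NO-REFERENCE"
        elif any(s.size == e.size and s.md5 == e.md5 for s in sxs):
            result[e.path] = "OK"
        else:
            result[e.path] = "MISMATCH"
    return result


# Sample input: the Search.txt posted above, copied verbatim.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\FRST\Quarantine\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Constructed variant: the System32 copy has a different size, modification
# time and hash (all three values invented for the demonstration).
_GOOD = "[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB"
_BAD = "[2009-07-13 15:19] - [2012-07-28 16:47] - 0329216 ____A (Microsoft Corporation) 00112233445566778899AABBCCDDEEFF"
TAMPERED_LOG = SEARCH_LOG.replace("System32\\services.exe\n" + _GOOD,
                                  "System32\\services.exe\n" + _BAD)

if __name__ == "__main__":
    for label, log in (("as posted", SEARCH_LOG), ("tampered", TAMPERED_LOG)):
        print(label, compare_live_to_winsxs(parse_search_log(log), "services.exe"))
```

A match against WinSxS is only as good as the component store itself; when both copies agree but the machine still misbehaves, the next step is to compare the hash against a known-clean installation of the same build rather than against the same disk.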
 
FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
CMD: bootrec /FixMBR
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-15 20:37:29 Run:2
Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.

========= bootrec /FixMBR =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

PS: BSOD still happened when using Windows.
 
We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Network REATOGO Windows Recovery Environment.
  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPENet.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
 
Hi

I was unable to run the steps you said.
I created the boot CD based on your instructions and set the computer to boot from the CD.

It then showed a progress bar for loading REATOGO-X-P, followed by a Windows XP loading bar.
And then I got a BSOD (picture of which is attached below) - this was different from the ones I usually get with my problem.

Is the tool not compatible with Windows 7 (which is the OS I have) or is there some other issue?

Attachment: 20120816_211121.jpg
 
Back to FRST64...

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
CMD: bootrec /fixboot
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-18 03:30:49 Run:3
Running from G:\

==============================================


========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

Blue Screen still happens on boot; of late it is happening much faster, within the first 5 minutes of starting Windows. I am pretty much relying on Safe Mode now.
 
Does Safe Mode actually stay on?

Work in Safe Mode with Networking, if so, and do the following:

ComboFix

Please download ComboFix by sUBs from BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time name ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
:(

I was not able to do the above either.

I could download the file and rename it while doing so. However, when I tried to run it, it started off fine but midway through the process of installing I got a BSoD and computer restarted.
Saving the file under the other suggested names did not help.
This was tried in Safe Mode with Networking and Safe Mode, with the same results.
 
Upload Dump Files:
Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
Left click on the first minidump file.
Hold down the "Shift" key and left click on the last minidump file.
Right click on the blue highlighted area and select "Send to"
Select "Compressed (zipped) folder" and note where the folder is saved.
Upload that .zip file with your next post.

If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service . I recommend Windows Live SkyDrive - http://skydrive.live.com or another free, file-hosting service. Then post the link to it in your topic so that we can download it.

Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): http://www.carrona.org/setmini.html
 
There is an entire bunch of minidump files (presumably created at different times).

Let me know if you want a minidump corresponding to a particular scenario (like the usual blue screen in Windows or the blue screen when I try to run ComboFix, etc) since these are possibly mixed up.
 

Attachments

  • minidumpall.zip (676 KB)
Bug code: 0x0000001E (KMODE_EXCEPTION_NOT_HANDLED)

I suspect still some infection in the MBR or something in a partition...

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large; in that case please attach it, or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
 
Attached is the TDSSKiller log file.
 

Attachments

  • TDSSKiller.2.8.7.0_22.08.2012_01.41.37_log.txt (149 KB)
Good job. Now, run TDSSKiller once more and post a log and then do this:

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-22 21:22:11
-----------------------------
21:22:11.374 OS Version: Windows x64 6.1.7601 Service Pack 1
21:22:11.375 Number of processors: 4 586 0x2505
21:22:11.375 ComputerName: ARAVINDNV-HP UserName: aravindnv
21:22:16.388 Initialize success
21:22:46.643 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:22:46.647 Disk 0 Vendor: WDC_WD50 02.0 Size: 476940MB BusType: 3
21:22:46.660 Disk 0 MBR read successfully
21:22:46.664 Disk 0 MBR scan
21:22:46.668 Disk 0 unknown MBR code
21:22:46.684 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
21:22:46.695 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 455747 MB offset 409600
21:22:46.726 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20889 MB offset 933779456
21:22:46.775 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
21:22:46.845 Disk 0 scanning C:\Windows\system32\drivers
21:23:05.486 Service scanning
21:23:50.068 Modules scanning
21:23:50.081 Disk 0 trace - called modules:
21:23:50.105 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
21:23:50.115 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80088a1790]
21:23:50.123 3 CLASSPNP.SYS[fffff88001d8443f] -> nt!IofCallDriver -> [0xfffffa8006991b10]
21:23:50.130 5 hpdskflt.sys[fffff88001d2b2bd] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800688a050]
21:23:50.138 Scan finished successfully
21:24:37.224 Disk 0 MBR has been saved successfully to "C:\Users\aravindnv\Desktop\MBR.dat"
21:24:37.228 The log file has been saved successfully to "C:\Users\aravindnv\Desktop\aswMBR.txt"
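As an added example (not part of this thread and not code from aswMBR itself), a small Python parser for the log format posted above: it pulls out aswMBR's MBR verdict and the partition table for each disk, then lists the points a helper would review before allowing any action, such as the "unknown MBR code" line in this log. The partition-type table is an assumed subset of the standard MBR type byte table.

```python
import re

# Log lines quoted from the aswMBR output posted above (not constructed).
SAMPLE_LOG = """\
21:22:46.660 Disk 0 MBR read successfully
21:22:46.668 Disk 0 unknown MBR code
21:22:46.684 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
21:22:46.695 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 455747 MB offset 409600
21:22:46.726 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20889 MB offset 933779456
21:22:46.775 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
"""

# "<time> Disk N ... MBR code": aswMBR's verdict on the disk's boot code.
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<status>.*MBR code.*)$")
# Partition entries: boot flag, optional (A) active marker, type byte, fs label, size, LBA offset.
PART_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2}) "
    r"(?:\((?P<active>A)\) )?(?P<type>[0-9A-F]{2}) (?P<fs>.+?) "
    r"(?P<size>\d+) MB offset (?P<offset>\d+)$")
# Type bytes and the filesystem labels they should carry (assumed subset of the MBR type table).
EXPECTED_FS = {0x07: ("NTFS", "HPFS"), 0x0B: ("FAT32",), 0x0C: ("FAT32",)}


def parse_aswmbr_log(text):
    """Map each disk number to its MBR verdict and partition table entries."""
    disks = {}
    for line in text.splitlines():
        if m := MBR_RE.match(line):
            disks.setdefault(m["disk"], {"mbr": None, "partitions": []})["mbr"] = m["status"]
        elif m := PART_RE.match(line):
            disks.setdefault(m["disk"], {"mbr": None, "partitions": []})["partitions"].append({
                "num": int(m["num"]), "active": m["active"] == "A", "type": int(m["type"], 16),
                "fs": m["fs"], "size_mb": int(m["size"]), "offset": int(m["offset"])})
    return disks


def triage(disks):
    """Points a helper checks before any action is taken on a flagged MBR."""
    findings = []
    for disk, info in disks.items():
        if info["mbr"] and "unknown" in info["mbr"].lower():
            findings.append(f"Disk {disk}: boot code not recognised; review the saved MBR.dat")
        active = [p["num"] for p in info["partitions"] if p["active"]]
        if len(active) != 1:
            findings.append(f"Disk {disk}: expected one active partition, found {active}")
        for p in info["partitions"]:
            tags = EXPECTED_FS.get(p["type"])
            if tags and not any(t in p["fs"] for t in tags):
                findings.append(f"Disk {disk} partition {p['num']}: type {p['type']:02X} vs {p['fs']!r}")
    return findings
```

On the log above, the only finding is the unrecognised boot code; the single active 199 MB NTFS partition is the normal Windows 7 System Reserved layout and is not flagged.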
 