AVG 2013 Says Volsnap Infected With Trojan Generic3_c.BNQG


  1. Posts : 572
    Windows 7 Professional x64
       #1

    AVG 2013 Says Volsnap Infected With Trojan Generic3_c.BNQG


    AVG was reinstalled after a license issue. Ran Malwarebytes and removed a few cookies and a MyWebSearch toolbar. During the first scan after updates, AVG warned me that volsnap.sys is infected with Trojan Generic3_c.BNQG. It states to download the ISO for AVG Rescue. I downloaded, burned and ran the AVG Rescue CD, booting into it from the CD. It found the same infection but could not heal it. I tried to run the Kaspersky Rescue CD, but it freezes a third of the way through boot-up and won't respond.

    I have a bad feeling this is going to be a backup and reinstall, but we can hope not, right?

    Please advise


  2. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #2

    mohavepc

       Warning

    You will need a USB FLASH DRIVE


       Tip
    Download the Tool from a non infected PC


    Download Farbar Recovery Scan Tool

    Here Farbar Recovery Scan Tool Download

    Click on the Download Now 64-bit Version button

    Save the FRST64 file to your USB Flash Drive

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    Restart the computer.
    As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    Use the arrow keys to select the Repair your computer menu item.
    Select US as the keyboard language settings, and then click Next.
    Select the operating system you want to repair, and then click Next.
    Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    Insert the installation disc.
    Restart your computer.
    If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    Click Repair your computer.
    Select US as the keyboard language settings, and then click Next.
    Select the operating system you want to repair, and then click Next.
    Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair

    System Restore

    Windows Complete PC Restore

    Windows Memory Diagnostic Tool

    Command Prompt

    Select Command Prompt

    In the command window type e:\frst64.exe and press Enter
       Note
    Replace letter e with the drive letter of your flash drive.

       Tip
    Type the commands below to see what the letter of your USB drive is, pressing Enter after each command:

    Code:
    Diskpart
    List volume
    The tool will start to run.
    When the tool opens click Yes to disclaimer.
    Press Scan button.
    FRST will let you know when the scan is complete and has written the FRST.txt file.
    Please copy and paste both logs (FRST.txt and Addition.txt) in your reply.


  3. Posts : 76
    Windows 7 Home Premium 64bit
       #3

    Is the size of volsnap.sys in C:\Windows\System32\drivers 288 KB?


  4. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #4

    Josea said:
    Is the size of volsnap.sys in C:\Windows\System32\drivers 288 KB?
    No, it is 239 KB.

    Vistaking, I will not be able to run this until tomorrow; then I will post results in the a.m. Got to go get groceries. I guess some of us need to eat.


  5. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #5

    Too long for one post. There was no Addition.txt generated.


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-05-2013
    Ran by SYSTEM on 24-05-2013 08:43:51
    Running from F:\
    Windows 7 Home Premium (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-28] (Realtek Semiconductor)
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1545512 2009-07-20] (Synaptics Incorporated)
    HKLM\...\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2009-07-09] (TOSHIBA CORPORATION)
    HKLM\...\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP [425984 2009-06-02] (TOSHIBA Electronics, Inc.)
    HKLM\...\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [34088 2009-01-13] (TOSHIBA CORPORATION)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [476512 2009-08-05] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [460088 2009-07-28] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [738616 2009-08-05] (TOSHIBA Corporation)
    HKLM\...\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
    HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [611672 2009-09-17] (TOSHIBA Corporation)
    HKLM\...\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED [529256 2009-07-16] (Toshiba)
    HKLM\...\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [485208 2008-09-30] (Nikon Corporation)
    HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [648072 2007-05-31] (Microsoft Corporation)
    HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Winlogon: [System]
    HKU\Holly\...\Run: [MyTOSHIBA] "C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO [ 2009-08-06] (TOSHIBA)
    HKU\Holly\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
    HKU\Holly\...\Run: [Fitbit Service Monitor] C:\Program Files\Fitbit\fitbit-tray.exe [ 2011-10-26] (Fitbit, Inc.)
    HKU\Holly\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [ 2012-02-23] (Apple Inc.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\ExifLauncher2.lnk
    ShortcutTarget: ExifLauncher2.lnk -> C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)

    ========================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
    S2 cfWiMAXService; C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [185712 2009-08-10] (TOSHIBA CORPORATION)
    S2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [46448 2009-03-10] (TOSHIBA CORPORATION)
    S4 Fitbit; C:\Program Files\Fitbit\fitbit.exe [788000 2011-10-26] (Fitbit, Inc.)
    S4 GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)
    S4 SCService; C:\Program Files\Luth Research\SavvyConnectFramework\bin\scservice\SCService.exe [1734656 2012-01-25] ()
    S2 SupportDockService.exe; C:\Program Files\iYogi Support Dock\Services\CommAgent\SupportDockService.exe [78336 2012-09-04] (iYogi Technical Services)
    S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2011-02-11] (TOSHIBA Corporation)
    S3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-09-17] (TOSHIBA Corporation)

    ==================== Drivers (Whitelisted) ====================

    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-03-29] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
    S0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [36208 2009-07-02] (COMPAL ELECTRONIC INC.)
    S3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [333824 2008-08-22] (Realtek Semiconductor Corporation )
    S3 SIUSBXP; C:\Windows\System32\drivers\SiUSBXp.sys [19744 2011-10-26] (Silicon Laboratories)
    S0 volsnap; C:\Windows\System32\DRIVERS\volsnap.sys [245328 2009-07-13] ()
    S3 catchme; \??\C:\Users\Holly\AppData\Local\Temp\catchme.sys [x]
    S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
    S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-05-24 08:43 - 2013-05-24 08:43 - 00000000 ____D C:\FRST
    2013-05-23 16:29 - 2013-05-23 16:29 - 00000000 ____D C:\Windows\System32\SPReview
    2013-05-23 16:18 - 2013-05-23 16:18 - 00000000 ____D C:\Windows\LastGood
    2013-05-23 10:15 - 2013-05-23 10:15 - 00000000 ____D C:\Users\Holly\AppData\Roaming\AVG2013
    2013-05-23 10:14 - 2013-05-23 10:14 - 00000946 ____A C:\Users\Public\Desktop\AVG 2013.lnk
    2013-05-23 10:14 - 2013-05-23 10:14 - 00000000 ____D C:\Users\Holly\AppData\Roaming\TuneUp Software
    2013-05-23 10:13 - 2013-05-23 10:15 - 00000000 ____D C:\ProgramData\AVG2013
    2013-05-23 10:13 - 2013-05-23 10:13 - 00000000 ___HD C:\$AVG
    2013-05-23 10:11 - 2013-05-23 10:11 - 00000000 ____D C:\Program Files\AVG
    2013-05-23 10:09 - 2013-05-23 16:26 - 00000000 ____D C:\ProgramData\MFAData
    2013-05-23 10:09 - 2013-05-23 10:15 - 00000000 ____D C:\Users\Holly\AppData\Local\Avg2013


  6. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #6

    2013-05-23 10:09 - 2013-05-23 10:09 - 00000000 ____D C:\Users\Holly\AppData\Local\MFAData
    2013-05-23 07:12 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-23 07:12 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-05-23 07:12 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-05-23 07:12 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-05-23 07:12 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-05-23 07:12 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-05-23 07:12 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-05-23 07:12 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-05-23 07:12 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-05-23 07:12 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-05-23 07:12 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-05-23 07:12 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-05-23 07:12 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-05-23 07:12 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-23 07:12 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-05-23 07:12 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-05-22 15:44 - 2013-05-22 15:44 - 00019441 ____A C:\ComboFix.txt
    2013-05-22 15:19 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2013-05-22 15:19 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2013-05-22 15:19 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2013-05-22 15:19 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2013-05-22 15:19 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2013-05-22 15:19 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2013-05-22 15:19 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2013-05-22 15:19 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2013-05-22 13:41 - 2009-09-04 16:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll
    2013-05-22 13:41 - 2009-09-04 16:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll
    2013-05-22 13:41 - 2009-09-04 16:29 - 00453456 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll
    2013-05-22 12:45 - 2013-05-22 12:45 - 04750496 ____A (Luth Research) C:\Users\Holly\Downloads\SavvyConnectInstall.exe
    2013-05-21 15:47 - 2013-05-21 15:47 - 00000000 ____D C:\Users\Holly\AppData\Local\Windows Live
    2013-05-21 12:53 - 2013-05-21 12:53 - 00000000 ____D C:\Users\Holly\AppData\Roaming\SUPERAntiSpyware.com
    2013-05-21 12:53 - 2013-05-21 12:53 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-05-21 09:42 - 2013-05-21 09:42 - 00000000 ____D C:\Program Files\ESET
    2013-05-21 08:50 - 2013-05-22 15:44 - 00000000 ____D C:\Qoobox
    2013-05-21 08:49 - 2013-05-22 15:43 - 00000000 ____D C:\Windows\erdnt
    2013-05-18 09:59 - 2013-05-18 09:59 - 00000784 ____A C:\Users\Holly\Desktop\PC Diagnostics.lnk
    2013-05-18 09:56 - 2013-05-18 09:56 - 00000000 ____D C:\Users\Holly\AppData\Roaming\QuickScan
    2013-05-18 09:55 - 2013-05-18 09:59 - 00000000 ____D C:\ProgramData\SmartPCScan
    2013-05-18 09:53 - 2013-05-18 09:54 - 11581280 ____A (iYogi) C:\Users\Holly\Downloads\PCDiagnostics (1).exe
    2013-05-18 09:50 - 2013-05-18 09:51 - 11581280 ____A (iYogi) C:\Users\Holly\Downloads\PCDiagnostics.exe
    2013-05-18 09:47 - 2013-05-22 13:11 - 00000000 ____D C:\Program Files\iYogi Support Dock
    2013-05-18 09:47 - 2013-05-18 09:47 - 00001992 ____A C:\Users\Public\Desktop\iYogi Support Dock.lnk
    2013-05-18 09:45 - 2013-05-18 09:46 - 03361376 ____A (iYogi) C:\Users\Holly\Downloads\SDSetup.exe
    2013-05-01 14:39 - 2013-05-01 14:40 - 00000000 ____D C:\Users\Holly\Desktop\ssd cd

    ==================== One Month Modified Files and Folders ========

    2013-05-24 08:43 - 2013-05-24 08:43 - 00000000 ____D C:\FRST
    2013-05-23 16:54 - 2009-11-01 20:14 - 01209447 ____A C:\Windows\WindowsUpdate.log
    2013-05-23 16:44 - 2010-01-28 15:42 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-05-23 16:36 - 2012-06-23 16:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-23 16:29 - 2013-05-23 16:29 - 00000000 ____D C:\Windows\System32\SPReview
    2013-05-23 16:26 - 2013-05-23 10:09 - 00000000 ____D C:\ProgramData\MFAData
    2013-05-23 16:21 - 2009-07-13 20:34 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-23 16:21 - 2009-07-13 20:34 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-23 16:19 - 2009-08-27 20:12 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-23 16:18 - 2013-05-23 16:18 - 00000000 ____D C:\Windows\LastGood
    2013-05-23 16:18 - 2009-07-13 20:39 - 00092222 ____A C:\Windows\setupact.log
    2013-05-23 16:16 - 2010-01-28 15:42 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-05-23 16:11 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-23 11:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
    2013-05-23 10:15 - 2013-05-23 10:15 - 00000000 ____D C:\Users\Holly\AppData\Roaming\AVG2013
    2013-05-23 10:15 - 2013-05-23 10:13 - 00000000 ____D C:\ProgramData\AVG2013
    2013-05-23 10:15 - 2013-05-23 10:09 - 00000000 ____D C:\Users\Holly\AppData\Local\Avg2013
    2013-05-23 10:14 - 2013-05-23 10:14 - 00000946 ____A C:\Users\Public\Desktop\AVG 2013.lnk
    2013-05-23 10:14 - 2013-05-23 10:14 - 00000000 ____D C:\Users\Holly\AppData\Roaming\TuneUp Software
    2013-05-23 10:13 - 2013-05-23 10:13 - 00000000 ___HD C:\$AVG
    2013-05-23 10:11 - 2013-05-23 10:11 - 00000000 ____D C:\Program Files\AVG
    2013-05-23 10:09 - 2013-05-23 10:09 - 00000000 ____D C:\Users\Holly\AppData\Local\MFAData
    2013-05-23 09:49 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-05-23 09:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
    2013-05-23 08:42 - 2010-03-16 15:35 - 00000000 ____D C:\Program Files\iMesh Applications
    2013-05-23 08:37 - 2009-08-27 20:23 - 00324046 ____A C:\Windows\PFRO.log
    2013-05-23 07:41 - 2012-07-29 17:22 - 00000000 ____D C:\Users\Holly\AppData\Roaming\Spotify
    2013-05-22 15:44 - 2013-05-22 15:44 - 00019441 ____A C:\ComboFix.txt
    2013-05-22 15:44 - 2013-05-21 08:50 - 00000000 ____D C:\Qoobox
    2013-05-22 15:43 - 2013-05-21 08:49 - 00000000 ____D C:\Windows\erdnt
    2013-05-22 15:39 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
    2013-05-22 15:33 - 2009-07-13 18:03 - 49545216 ____A C:\Windows\System32\config\software.bak
    2013-05-22 15:33 - 2009-07-13 18:03 - 14942208 ____A C:\Windows\System32\config\system.bak
    2013-05-22 15:33 - 2009-07-13 18:03 - 00524288 ____A C:\Windows\System32\config\default.bak
    2013-05-22 15:33 - 2009-07-13 18:03 - 00262144 ____A C:\Windows\System32\config\security.bak
    2013-05-22 15:33 - 2009-07-13 18:03 - 00262144 ____A C:\Windows\System32\config\sam.bak
    2013-05-22 15:31 - 2012-06-23 10:27 - 00000000 ____D C:\Users\Holly\AppData\Local\ArcadeCandy
    2013-05-22 15:14 - 2009-12-02 12:18 - 00000000 ___HD C:\Users\Holly\AppData\Local\Google
    2013-05-22 14:21 - 2009-08-27 20:16 - 00000000 ____D C:\Program Files\Microsoft Silverlight
    2013-05-22 14:11 - 2009-11-01 20:21 - 00000000 ____D C:\ProgramData\Microsoft Help


  7. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #7

    2013-05-22 13:42 - 2009-08-27 20:14 - 00000000 ____D C:\Program Files\Windows Live
    2013-05-22 13:17 - 2012-07-07 12:28 - 00000000 ____D C:\Program Files\FrostWire 5
    2013-05-22 13:17 - 2010-04-20 10:02 - 00000000 ___HD C:\Users\Holly\AppData\Roaming\Mozilla
    2013-05-22 13:17 - 2009-12-02 11:50 - 00000000 ____D C:\users\Holly
    2013-05-22 13:17 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
    2013-05-22 13:17 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
    2013-05-22 13:16 - 2009-11-01 20:15 - 00000000 ____D C:\Program Files\Microsoft Works
    2013-05-22 13:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
    2013-05-22 13:13 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
    2013-05-22 13:11 - 2013-05-18 09:47 - 00000000 ____D C:\Program Files\iYogi Support Dock
    2013-05-22 13:11 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
    2013-05-22 12:45 - 2013-05-22 12:45 - 04750496 ____A (Luth Research) C:\Users\Holly\Downloads\SavvyConnectInstall.exe
    2013-05-21 15:47 - 2013-05-21 15:47 - 00000000 ____D C:\Users\Holly\AppData\Local\Windows Live
    2013-05-21 12:53 - 2013-05-21 12:53 - 00000000 ____D C:\Users\Holly\AppData\Roaming\SUPERAntiSpyware.com
    2013-05-21 12:53 - 2013-05-21 12:53 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-05-21 09:42 - 2013-05-21 09:42 - 00000000 ____D C:\Program Files\ESET
    2013-05-18 09:59 - 2013-05-18 09:59 - 00000784 ____A C:\Users\Holly\Desktop\PC Diagnostics.lnk
    2013-05-18 09:59 - 2013-05-18 09:55 - 00000000 ____D C:\ProgramData\SmartPCScan
    2013-05-18 09:56 - 2013-05-18 09:56 - 00000000 ____D C:\Users\Holly\AppData\Roaming\QuickScan
    2013-05-18 09:54 - 2013-05-18 09:53 - 11581280 ____A (iYogi) C:\Users\Holly\Downloads\PCDiagnostics (1).exe
    2013-05-18 09:51 - 2013-05-18 09:50 - 11581280 ____A (iYogi) C:\Users\Holly\Downloads\PCDiagnostics.exe
    2013-05-18 09:47 - 2013-05-18 09:47 - 00001992 ____A C:\Users\Public\Desktop\iYogi Support Dock.lnk
    2013-05-18 09:46 - 2013-05-18 09:45 - 03361376 ____A (iYogi) C:\Users\Holly\Downloads\SDSetup.exe
    2013-05-18 09:38 - 2012-03-22 09:23 - 00000000 ____D C:\Program Files\Common Files\Adobe
    2013-05-18 09:36 - 2012-06-23 16:42 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-05-18 09:36 - 2011-08-16 07:36 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-05-18 09:24 - 2009-07-13 18:37 - 00000000 __RHD C:\Users\Public\Libraries
    2013-05-13 13:45 - 2012-02-11 07:50 - 00002140 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2013-05-13 13:32 - 2012-07-29 17:23 - 00000000 ____D C:\Users\Holly\AppData\Local\Spotify
    2013-05-03 14:57 - 2010-02-08 10:29 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-05-02 01:06 - 2010-01-27 12:32 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-05-01 14:40 - 2013-05-01 14:39 - 00000000 ____D C:\Users\Holly\Desktop\ssd cd

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys
    [2009-07-13 15:11] - [2009-07-13 17:19] - 0245328 ____A () 7C28B63E4C9E5C3BE7FFE53789593619

    C:\Windows\System32\Drivers\volsnap.sys IS INFECTED. <===== ATTENTION!


    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-05-23 08:18:12
    Restore point made on: 2013-05-23 08:57:37
    Restore point made on: 2013-05-23 09:32:51
    Restore point made on: 2013-05-23 09:54:23
    Restore point made on: 2013-05-23 10:11:33
    Restore point made on: 2013-05-23 10:13:01
    Restore point made on: 2013-05-23 11:31:16
    Restore point made on: 2013-05-23 12:08:43
    Restore point made on: 2013-05-23 16:22:16

    ==================== Memory info ===========================

    Percentage of memory in use: 21%
    Total physical RAM: 1790.42 MB
    Available physical RAM: 1408.51 MB
    Total Pagefile: 1790.42 MB
    Available Pagefile: 1404.92 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1961.95 MB

    ==================== Drives ================================

    Drive c: (TI103196W0D) (Fixed) (Total:223.33 GB) (Free:180.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive d: (System) (Fixed) (Total:1.46 GB) (Free:0.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive f: () (Removable) (Total:7.5 GB) (Free:5.34 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows Vista) (Size: 233 GB) (Disk ID: 9A0C9A0C)
    Partition 1: (Active) - (Size=1 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=223 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=8 GB) - (Type=17)

    ========================================================
    Disk: 1 (Size: 8 GB) (Disk ID: 6F20736B)
    Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
    Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
    Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
    Partition 4: (Not Active) - (Size=27 MB) - (Type=0D)


    Last Boot: 2013-05-21 12:32

    ==================== End Of Log ============================


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    mohavepc,

    Let's see if we can find a replacement for the infected file...

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    volsnap.sys



    Click: Search file(s)

    When done searching, FRST makes a log, Search.txt, on the pen drive!

    Please provide the Search.txt in your reply.


  9. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #9

    Hello Cottonball,
    Nice to see you. Here are the search results.

    Farbar Recovery Scan Tool (x86) Version: 23-05-2013
    Ran by SYSTEM at 2013-05-24 09:54:52
    Running from F:\
    Boot Mode: Recovery
    ================== Search: "volsnap.sys" ===================
    C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys
    [2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
    C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.21320_none_16526fd7765a2629\volsnap.sys
    [2013-05-22 12:32] - [2012-09-06 11:18] - 0245616 ____A (Microsoft Corporation) 295954C522A057D3E590EE38246789CE
    C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.17122_none_15cad1ba5d3abbe6\volsnap.sys
    [2013-05-22 12:32] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E
    C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
    [2009-07-13 15:11] - [2009-07-13 17:19] - 0245328 ____A (Microsoft Corporation) 58DF9D2481A56EDDE167E51B334D44FD
    C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
    [2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
    C:\Windows\System32\drivers\volsnap.sys
    [2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
    === End Of Search ===


    Dang it, they all went offline.
    Last edited by mohavepc; 24 May 2013 at 12:40. Reason: comment added
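An added example, not part of this thread and not FRST's or AVG's own code, that does by script what posts #7 and #9 do by eye: it parses the two-line file entries FRST writes in FRST.txt and Search.txt, compares the in-use C:\Windows\System32\drivers\volsnap.sys against the copies FRST found in WinSxS and the DriverStore, and reports why the post #7 copy was flagged. The sample input is copied from the two logs above. Two things are this example's assumptions rather than FRST behaviour: treating WinSxS/DriverStore copies that carry a "Microsoft Corporation" version block as the trusted baseline, and picking the highest-versioned WinSxS copy as the replacement candidate.

```python
"""Compare an FRST-listed volsnap.sys with the component-store copies FRST found.

Added example for the thread above; not FRST's or AVG's code. It parses FRST's
two-line file entries, flags a live driver whose MD5 matches none of the
WinSxS / DriverStore copies, and names a replacement candidate (heuristic).
"""
import re

# FRST lists a file as two lines: the path, then
# "[created] - [modified] - <size> <attrs> (<company>) <MD5>".
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Version embedded in a WinSxS folder name, e.g. x86_volume.inf_..._6.1.7601.17514_none_...
WINSXS_VERSION_RE = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_none_")

# Entry quoted from the "Bamital & volsnap Check" section of FRST.txt in post #7.
VOLSNAP_CHECK = r"""
C:\Windows\System32\Drivers\volsnap.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0245328 ____A () 7C28B63E4C9E5C3BE7FFE53789593619
"""

# Entries quoted from Search.txt in post #9.
SEARCH_TXT = r"""
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys
[2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.21320_none_16526fd7765a2629\volsnap.sys
[2013-05-22 12:32] - [2012-09-06 11:18] - 0245616 ____A (Microsoft Corporation) 295954C522A057D3E590EE38246789CE
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.17122_none_15cad1ba5d3abbe6\volsnap.sys
[2013-05-22 12:32] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0245328 ____A (Microsoft Corporation) 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
[2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\drivers\volsnap.sys
[2011-07-02 07:33] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
"""


def parse_entries(text):
    """Pair each path line with the detail line FRST prints directly under it."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: every path needs a detail line")
    entries = []
    for path, detail in zip(lines[0::2], lines[1::2]):
        m = DETAIL_RE.match(detail)
        if not m:
            raise ValueError("unparseable detail line for %s: %s" % (path, detail))
        e = m.groupdict()
        e["path"] = path
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def is_reference(entry):
    """Assumption: a WinSxS/DriverStore copy with a Microsoft version block is the trusted baseline."""
    p = entry["path"].lower()
    return ("\\winsxs\\" in p or "\\driverstore\\" in p) and entry["company"] == "Microsoft Corporation"


def assess(live, references):
    """Findings for the in-use driver; an empty list means it hashes like a known-good copy."""
    findings = []
    if live["md5"] in {r["md5"] for r in references}:
        return findings
    findings.append("MD5 %s matches none of %d component-store copies" % (live["md5"], len(references)))
    if not live["company"]:
        findings.append("no version/company resource (every Microsoft copy reports 'Microsoft Corporation')")
    for r in references:
        # Same size and same timestamps but different content: consistent with in-place modification.
        if r["size"] == live["size"] and r["modified"] == live["modified"]:
            findings.append("same size and timestamps as %s but different MD5" % r["path"])
    return findings


def pick_replacement(references):
    """Heuristic (this example's assumption, not FRST's): the WinSxS copy with the highest version
    in its folder name. Confirm it matches the installed servicing level before copying it over."""
    best, best_ver = None, ()
    for r in references:
        m = WINSXS_VERSION_RE.search(r["path"])
        if m:
            ver = tuple(int(x) for x in m.groups())
            if ver > best_ver:
                best, best_ver = r, ver
    return best["path"] if best else None


if __name__ == "__main__":
    refs = [e for e in parse_entries(SEARCH_TXT) if is_reference(e)]
    for label, text in (("FRST.txt, post #7", VOLSNAP_CHECK), ("Search.txt, post #9", SEARCH_TXT)):
        live = next(e for e in parse_entries(text)
                    if e["path"].lower().endswith(r"\system32\drivers\volsnap.sys"))
        findings = assess(live, refs)
        print(label, "->", "matches a component-store copy" if not findings else "; ".join(findings))
    print("replacement candidate:", pick_replacement(refs))
```

Run as-is, it reports the post #7 copy as the same 245,328 bytes and the same timestamps as the original 6.1.7600.16385 copy in WinSxS, with no version block and an MD5 that matches nothing in the component store, while the System32\drivers copy in the post #9 Search.txt already hashes identically to the 6.1.7601.17514 driver. An MD5 that agrees with a store copy is a file-integrity check, not a signature check; once the machine boots normally, sigverif.exe verifies the driver against Microsoft's signed catalogs.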


  10. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #10

    cottonball

    Doesn't the volsnap.sys have to do with the Win32/Alureon Trojan?

