Help !!! SVCHost virus or Not

Hi,

Currently I have a very clean install of XP-SP3 with avast free edition (that's what I would like to believe). Prior to reinstalling I had virus problems, so I had to delete all partitions and reinstall XP on C:; however, I could not delete the D: partition because of 30 gigs of data.

Before the reinstall there was always a svchost (see screenshots attached) attached to the System Volume Information folder (hidden) on all partitions, even though I never keep System Restore turned on. Tried most AV scanners, ComboFix etc., but none was able to remove the actual virus/malware (or I don't know what, so f***ing fed up) which I very strongly believe is related to svchost and the System Volume Information folder.

Anyways, on to the new install of XP-SP3. As I told you, I could not delete the D: partition, so surely the System Volume Information folder was to be found there. Now, even before accessing the D: drive after the new install, one of the first things I did was to turn off System Restore, turn Automatic Updates off, remote sharing etc. I installed Unlocker, browsed to D:, found the System Volume Information folder and tried to delete it; Unlocker popped up showing the svchost process attached to it. I killed off the process in Unlocker and it was able to successfully delete the folder and the Recycler folder. Rebooted and, as expected, the System Volume Information folder was again to be found on D:. (Pls note the System Volume Information folder can now be found on all drives, with System Restore turned off.)

I downloaded and transferred SDFix to the laptop via pendrive and ran it as instructed on the BC forum, and SDFix found a virus in the system32 folder (check the log attached). As soon as SDFix rebooted the system and generated the log, Windows Security Alerts reminded me "Your Automatic Updates are turned off". Pls remember that just after the clean install I had turned off Automatic Updates, and this is exactly the same behaviour I used to experience prior to the new install whenever any AV detected any sort of virus related to svchost and System Volume Information, so this confirms the virus/malware is still present on my system after successfully managing to waste three months of my life.

From my past experiences with the supposedly helpful guys at the Kaspersky forums (http://virusinfo.info/showthread.php?t=70506) and many other forums, I am very positive that this post will not get many comments/resolutions to my problem and, if at all, they would be to reinstall XP or wipe my HDD completely. That is not an option since I have some really valuable data on my D:, and even if I was to transfer it to another HDD, clean install XP on the wiped HDD and retransfer it, the problem would not go away since the virus/malware would also be propagated along with the data.

I have scanned my laptop innumerable times with avast but no traces were ever found. I have also tried most other spyware and antivirus scanners such as vipe, CureIt, AVG, Panda, RootkitRevealer, Ad-Aware, SuperAntiSpyware and many many more before posting here.

I am sure the expert folks here would be able to find me a way out if they really want to, which would be nothing short of a blessing.

regards,
rseni


Attachments:

Unlocker_system volume information folder screenshots
Sdfix log
Hijackthis log

QUICK UPDATE:

Here is a text file, services.txt, of all services running on my computer. Pls check for any unwanted or malicious services running on my system. The following services need more attention:

COMSysApp  dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  Stopped  Manual

SwPrv  dllhost.exe /Processid:{1E5A4C93-9DCD-45DF-B53F-EEEF3328BE10}  Stopped  Manual

thanks

Follow this guide from Essexboy and post MBAM and OTL logs HERE
http://forum.avast.com/index.php?topic=53253.0

If the log is too big, go to "Additional Options…" down in the left corner and attach:

Followed the procedures as directed; I am attaching all logs generated by MBM and OTL for your reference. Pls go through them with an eagle eye. I would also request you to kindly check services.txt (previous attachment) as well.

Many thanks for checking and replying.
rseni.

2nd set of files, as otl.txt was almost 175 KB.

Nothing untoward on that log.

Do you recognize these files/folders?

C:\WINDOWS\€AstInfo.dat
C:\vid.flv

Let's look deeper.

Download avz4.zip from HERE

1. Unzip it to your desktop to a folder named avz4.
2. Double click on AVZ.exe to run it.
3. Run an update by clicking the Auto Update button on the right of the Log window:
http://perplexus.geekstogo.com/avz-update-button.png
4. Click Start to begin the update.

Note: If you receive an error message, choose a different source, then click Start again.

5. Start AVZ.
6. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png
7. Click on "Execute selected scripts".
8. Automatic scanning, healing and system check will be executed.
9. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
10. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
11. All applications will work properly after the system restart.

When restarted:

1. Start AVZ.
2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
http://perplexus.geekstogo.com/avz-standardscripts-asa.png
3. Click on "Execute selected scripts".
4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.

Maybe this one can help!!
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/

:wink: Some svchost will be deleted because it is hosting the running virus. The svchost in the System Volume Information is hosting the partition, that's why you see it; OK, it can be deleted by Unlocker, but it's coming back because your drive partition is running. :wink:

Hi essexboy,

I have done as instructed. The forum does not allow zip or html files. Pls download both files at http://nuvotechnologies.in/images/files/

I think the avz report contains some false positives too, so kindly take note.

Both files are valid.
vid.flv is a valid YouTube file.
€AstInfo.dat is attached to astsrv.exe, which is a Nalpeiron Licensing Service (http://www.nitropdf.com/kb/article.aspx?id=10211).

Thanks for the reply.
rseni.

Nothing showing there that is of concern, and there are very few rootkits that it will not show. No malicious processes or services detected.

As previously stated, Svchost (service host is its full name) is the main workhorse of Windows and there will always be multiple copies running.

What problems are you experiencing ?
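Since the thread keeps coming back to "which svchost is that", here is a way to make each instance account for itself, added as an example and not part of any post above: it lists every svchost.exe with the services the Service Control Manager has registered inside it and flags a copy that does not run from %SystemRoot%\System32, was not started by services.exe, or hosts no service at all. It assumes Windows PowerShell 2.0 or later with WMI available, run from an elevated prompt so the image paths of SYSTEM-owned processes are readable.

```powershell
# Added example (not from the thread): inventory every svchost.exe, show which
# services it hosts, and flag instances that do not look like the genuine
# Windows service host. PowerShell 2.0 compatible; run elevated so that
# ExecutablePath is readable for processes owned by SYSTEM.
$expectedPath = Join-Path ([Environment]::GetFolderPath('System')) 'svchost.exe'
$allProcs = Get-WmiObject Win32_Process
# Only services that currently have a live process (ProcessId 0 = stopped).
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$report = foreach ($p in ($allProcs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    # Services the SCM has mapped to this PID; a real svchost hosts at least one.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                ForEach-Object { $_.Name })
    # Parent as seen by WMI; the genuine service host is started by services.exe.
    $parent = $allProcs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } |
              Select-Object -First 1

    $flags = @()
    if (-not $p.ExecutablePath) {
        $flags += 'path unreadable (not elevated?)'
    } elseif ($p.ExecutablePath -ine $expectedPath) {
        $flags += "unexpected path $($p.ExecutablePath)"
    }
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $flags += 'parent is not services.exe'
    }
    if ($hosted.Count -eq 0) { $flags += 'hosts no registered service' }

    New-Object PSObject -Property @{
        PID      = $p.ProcessId
        Parent   = $(if ($parent) { $parent.Name } else { '?' })
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
}
$report | Sort-Object PID | Format-Table PID, Parent, Services, Flags -AutoSize
```

An empty Flags column for the instance Unlocker shows holding System Volume Information means it is the real service host, and the Services column names the service inside it that is using the folder.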

Svchost (service host - full name)
;) Correct!!! And it will become a virus also if it is hosting a virus ;D. You can target its function according to the host. That's why all hosts must be monitored by antivirus; that is the primary concept of antivirus. Anti-malware works only when the host is identified and the process that is forming is deleted. That's why antivirus can be called a police, or simply a host guard. :-*