
Perfmon Report/ Sysnative (Svchost.exe & Regsvcs.exe Trojan)


1 reply to this topic

#1 tcade777

tcade777

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Area 51, NV
  • Local time:11:32 AM

Posted 25 July 2016 - 05:42 PM

Here is my Perfmon report & Sysnativefilecollectionapp.

http://www.filedropper.com/perfmonreport

http://www.filedropper.com/sysnativefilecollectionapp





#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:02:32 PM

Posted 26 July 2016 - 08:31 PM

If infected, I'd suggest posting over in the Am I Infected forum:  http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Please read the pinned topics at the top of the forum for instructions on how to post there.

If there's another reason for this, please let us know.

Please install Service Pack 1, then....

Only 47 Windows Update hotfixes installed.  Most systems with SP1 have 350-400 or more.  Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
The actual number is not important.  Rather it's important that you checked manually, installed any available updates, and didn't experience any errors when checking or updating.

You have a NETGEAR WNDA3100v2 N600 Wireless Dual Band USB Adapter:

I do not recommend using wireless USB network devices.
These wireless USB devices have many issues with Win7 and later systems - using older drivers with them is almost certain to cause a BSOD.
Should you want to keep using these devices, be sure to have the latest W7/8/8.1/10 drivers - DO NOT use older drivers!!!
An installable wireless PCI/PCIe card that's plugged into your motherboard is much more robust, reliable, and powerful.


H: drive only has about 9% free space.  Windows likes 15% free space in order to perform stuff "behind the scenes" without adversely affecting the system's performance.  Please free up 15% on ALL hard drives (you can get away with 10% on larger drives and won't notice a large performance penalty).  Low free space can cause BSOD's - but the actual amount depends on the files being used by the system.

The memory dumps point to an issue with MalwareBytes.  This is similar to the issue with MalwareBytes Premium and BitDefender 2016.

In those cases, it was actually BitDefender that was to blame - yet the crash occurred in MalwareBytes.

It appears that you've switched antiviruses and the problem still persists.

As such, I'd suggest running Driver Verifier according to these instructions:  http://www.carrona.org/verifier.html

Your NEC USB 3.0 drivers date from 2010 and those were known to cause BSOD's on some Windows systems.

Please update them to a later version.

Analysis:

The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:

**************************Fri Jul 22 15:48:58.403 2016 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\072216-53648-01.dmp]
Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Missing Windows 7 Service Pack 1
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
System Uptime:0 days 0:02:38.621
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
BugCheck 19, {20, fffffa800d07e740, fffffa800d07e760, 4020074}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa800d07e740, The pool entry we were looking for within the page.
Arg3: fffffa800d07e760, The next pool entry.
Arg4: 0000000004020074, (reserved)
BUGCHECK_STR:  0x19_20
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
CPUID:        "Intel® Core™ i7 CPU         930  @ 2.80GHz"
MaxSpeed:     2800
CurrentSpeed: 2800
  BIOS Version                  0003   
  BIOS Release Date             09/01/2011
  Manufacturer                  System manufacturer
  Baseboard Manufacturer        ASUSTeK Computer INC.
  Product Name                  System Product Name
  Baseboard Product             Rampage III GENE
**************************Wed Jul 20 17:34:28.824 2016 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\072016-38189-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
System Uptime:0 days 0:58:56.948
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
BugCheck 19, {20, fffffa800d35c0c0, fffffa800d35c0e0, 402000c}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa800d35c0c0, The pool entry we were looking for within the page.
Arg3: fffffa800d35c0e0, The next pool entry.
Arg4: 000000000402000c, (reserved)
BUGCHECK_STR:  0x19_20
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
CPUID:        "Intel® Core™ i7 CPU         930  @ 2.80GHz"
MaxSpeed:     2800
CurrentSpeed: 2800
  BIOS Version                  0003   
  BIOS Release Date             09/01/2011
  Manufacturer                  System manufacturer
  Baseboard Manufacturer        ASUSTeK Computer INC.
  Product Name                  System Product Name
  Baseboard Product             Rampage III GENE




3rd Party Drivers:

The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Fri Jul 22 15:48:58.403 2016 (UTC - 4:00)**************************
amdxata.sys                 Tue May 19 13:56:59 2009 (4A12F2EB)
intelppm.sys                Mon Jul 13 19:19:25 2009 (4A5BC0FD)
ASACPI.sys                  Wed Jul 15 23:31:29 2009 (4A5E9F11)
P17.sys                     Fri Oct 16 02:44:53 2009 (4AD81665)
e1y62x64.sys                Wed Apr  7 18:58:49 2010 (4BBD0E29)
nusb3hub.sys                Thu Apr 22 21:34:35 2010 (4BD0F92B)
nusb3xhc.sys                Thu Apr 22 21:34:36 2010 (4BD0F92C)
VDiskBus64.sys              Mon Sep 20 23:22:53 2010 (4C98250D)
scmndisp.sys                Fri May 27 06:30:22 2011 (4DDF7D3E)
Tpkd.sys                    Tue Jun 28 20:00:23 2011 (4E0A6B17)
automap.sys                 Thu Apr 19 07:30:08 2012 (4F8FF740)
AsIO.sys                    Wed Aug 22 05:54:47 2012 (5034AC67)
NIWinCDEmu.sys              Wed Sep 26 07:40:33 2012 (5062E9B1)
VClone.sys                  Wed Jul 24 11:02:46 2013 (51EFEC96)
mwac.sys                    Tue Jun 17 22:06:34 2014 (53A0F42A)
mbam.sys                    Wed Sep  3 13:50:25 2014 (540754E1)
HWiNFO64A.SYS               Sun Nov 23 11:24:07 2014 (54720A27)
ElbyCDIO.sys                Wed Dec 17 18:30:51 2014 (5492122B)
SCDEmu.SYS                  Fri Feb 27 22:20:51 2015 (54F13413)
bcmwlhigh664.sys            Mon Mar  2 03:48:58 2015 (54F423FA)
atikmpag.sys                Mon Aug  3 21:42:28 2015 (55C01884)
atikmdag.sys                Mon Aug  3 23:28:52 2015 (55C03174)
AtihdW76.sys                Fri Sep 18 06:08:16 2015 (55FBE290)
avgloga.sys                 Tue Feb 16 09:04:03 2016 (56C32C53)
avgdiska.sys                Fri May 13 01:52:02 2016 (57356B82)
avgrkx64.sys                Wed Jun  1 07:16:31 2016 (574EC40F)
avguniva.sys                Wed Jun  1 07:25:28 2016 (574EC628)
avgidsha.sys                Wed Jun  1 07:25:33 2016 (574EC62D)
avgtdia.sys                 Wed Jun  1 07:26:21 2016 (574EC65D)
avgldx64.sys                Wed Jun  1 07:27:54 2016 (574EC6BA)
avgmfx64.sys                Thu Jun  2 09:12:57 2016 (575030D9)
avgidsdrivera.sys           Thu Jun  9 02:14:52 2016 (5759095C)
**************************Wed Jul 20 17:34:28.824 2016 (UTC - 4:00)**************************
amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
MBAMSwissArmy.sys           Thu Jan  8 21:45:43 2015 (54AF40D7)
klmouflt.sys                Tue Jun  2 08:36:27 2015 (556DA34B)
klbackupdisk.sys            Tue Jun  2 16:18:33 2015 (556E0F99)
kltdi.sys                   Wed Jun 10 08:28:21 2015 (55782D65)
kl1.sys                     Thu Jun 18 14:58:13 2015 (558314C5)
cm_km.sys                   Wed Jul  1 14:08:29 2015 (55942C9D)
klkbdflt.sys                Tue Oct 27 21:24:19 2015 (563023C3)
kldisk.sys                  Tue Nov 10 08:38:35 2015 (5641F35B)
kneps.sys                   Mon Nov 23 04:19:35 2015 (5652DA27)
klwtp.sys                   Mon Nov 23 06:59:00 2015 (5652FF84)
klbackupflt.sys             Thu Nov 26 04:59:54 2015 (5656D81A)
klpd.sys                    Thu Dec  3 11:35:34 2015 (56606F56)
klflt.sys                   Fri Dec  4 08:30:47 2015 (56619587)
klim6.sys                   Fri Feb 26 08:38:57 2016 (56D05571)
klif.sys                    Mon Apr 11 16:36:10 2016 (570C0ABA)
klhk.sys                    Thu Apr 21 10:34:08 2016 (5718E4E0)


http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=ASACPI.sys
http://www.carrona.org/drivers/driver.php?id=P17.sys
http://www.carrona.org/drivers/driver.php?id=e1y62x64.sys
http://www.carrona.org/drivers/driver.php?id=nusb3hub.sys
http://www.carrona.org/drivers/driver.php?id=nusb3xhc.sys
http://www.carrona.org/drivers/driver.php?id=VDiskBus64.sys
http://www.carrona.org/drivers/driver.php?id=scmndisp.sys
http://www.carrona.org/drivers/driver.php?id=Tpkd.sys
http://www.carrona.org/drivers/driver.php?id=automap.sys
http://www.carrona.org/drivers/driver.php?id=AsIO.sys
http://www.carrona.org/drivers/driver.php?id=NIWinCDEmu.sys
http://www.carrona.org/drivers/driver.php?id=VClone.sys
http://www.carrona.org/drivers/driver.php?id=mwac.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
http://www.carrona.org/drivers/driver.php?id=HWiNFO64A.SYS
http://www.carrona.org/drivers/driver.php?id=ElbyCDIO.sys
http://www.carrona.org/drivers/driver.php?id=SCDEmu.SYS
http://www.carrona.org/drivers/driver.php?id=bcmwlhigh664.sys
http://www.carrona.org/drivers/driver.php?id=atikmpag.sys
http://www.carrona.org/drivers/driver.php?id=atikmdag.sys
http://www.carrona.org/drivers/driver.php?id=AtihdW76.sys
http://www.carrona.org/drivers/driver.php?id=avgloga.sys
http://www.carrona.org/drivers/driver.php?id=avgdiska.sys
http://www.carrona.org/drivers/driver.php?id=avgrkx64.sys
avguniva.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=avgidsha.sys
http://www.carrona.org/drivers/driver.php?id=avgtdia.sys
http://www.carrona.org/drivers/driver.php?id=avgldx64.sys
http://www.carrona.org/drivers/driver.php?id=avgmfx64.sys
http://www.carrona.org/drivers/driver.php?id=avgidsdrivera.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=klmouflt.sys
http://www.carrona.org/drivers/driver.php?id=klbackupdisk.sys
http://www.carrona.org/drivers/driver.php?id=kltdi.sys
http://www.carrona.org/drivers/driver.php?id=kl1.sys
http://www.carrona.org/drivers/driver.php?id=cm_km.sys
http://www.carrona.org/drivers/driver.php?id=klkbdflt.sys
http://www.carrona.org/drivers/driver.php?id=kldisk.sys
http://www.carrona.org/drivers/driver.php?id=kneps.sys
http://www.carrona.org/drivers/driver.php?id=klwtp.sys
http://www.carrona.org/drivers/driver.php?id=klbackupflt.sys
http://www.carrona.org/drivers/driver.php?id=klpd.sys
http://www.carrona.org/drivers/driver.php?id=klflt.sys
http://www.carrona.org/drivers/driver.php?id=klim6.sys
http://www.carrona.org/drivers/driver.php?id=klif.sys
http://www.carrona.org/drivers/driver.php?id=klhk.sys


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
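The reply above reads two kinds of output from the Sysnative collection: a per-dump bugcheck summary (bugcheck code, faulting process, probable cause, failure bucket) and a dated list of third-party drivers, and the reasoning is "same failure bucket in every dump, plus drivers old enough to be suspect". The script below is an added example, not code from this thread, from usasma, or from the Sysnative tool; it parses both block layouts as they appear in the post and automates that triage. The function names are my own, and the sample inputs are constructed by trimming the blocks shown above to the fields the parser reads. The driver build dates are taken from the hexadecimal epoch in parentheses rather than the text timestamp, which avoids locale and time-zone parsing.

```python
"""Triage helper for Sysnative-style BSOD summaries (added example, not from the thread)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the two dump summaries above, trimmed to the fields read here.
SAMPLE_ANALYSIS = """\
**************************Fri Jul 22 15:48:58.403 2016 (UTC - 4:00)**************************
Loading Dump File [C:\\Users\\john\\SysnativeBSODApps\\072216-53648-01.dmp]
Probably caused by :fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
BugCheck 19, {20, fffffa800d07e740, fffffa800d07e760, 4020074}
BugCheck Info: BAD_POOL_HEADER (19)
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
**************************Wed Jul 20 17:34:28.824 2016 (UTC - 4:00)**************************
Loading Dump File [C:\\Users\\john\\SysnativeBSODApps\\072016-38189-01.dmp]
Probably caused by :fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )
BugCheck 19, {20, fffffa800d35c0c0, fffffa800d35c0e0, 402000c}
BugCheck Info: BAD_POOL_HEADER (19)
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
"""

# Constructed sample: a few lines taken from the third-party driver list above.
SAMPLE_DRIVERS = """\
**************************Fri Jul 22 15:48:58.403 2016 (UTC - 4:00)**************************
amdxata.sys                 Tue May 19 13:56:59 2009 (4A12F2EB)
nusb3hub.sys                Thu Apr 22 21:34:35 2010 (4BD0F92B)
nusb3xhc.sys                Thu Apr 22 21:34:36 2010 (4BD0F92C)
mwac.sys                    Tue Jun 17 22:06:34 2014 (53A0F42A)
HWiNFO64A.SYS               Sun Nov 23 11:24:07 2014 (54720A27)
avgidsdrivera.sys           Thu Jun  9 02:14:52 2016 (5759095C)
"""

# Each dump block starts with a line of asterisks carrying the crash timestamp.
BLOCK_SEP = re.compile(r"^\*{10,}.*$", re.MULTILINE)

# Fields worth pulling out of one dump summary; missing ones are reported as None.
FIELD_PATTERNS = {
    "dump": re.compile(r"Loading Dump File \[(?P<v>[^\]]+)\]"),
    "cause": re.compile(r"Probably caused by\s*:\s*(?P<v>\S+)"),
    "bugcheck": re.compile(r"BugCheck Info:\s*(?P<v>\w+ \(\w+\))"),
    "process": re.compile(r"PROCESS_NAME:\s*(?P<v>\S+)"),
    "bucket": re.compile(r"FAILURE_BUCKET_ID:\s*(?P<v>\S+)"),
}

# "name.sys   <text date>   (<hex epoch>)"; case-insensitive because of HWiNFO64A.SYS.
DRIVER_LINE = re.compile(
    r"^(?P<name>\S+\.sys)\s+(?P<stamp>.+?)\s+\((?P<hex>[0-9A-Fa-f]{8})\)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_dumps(text):
    """Return one dict per dump block found in a Sysnative-style analysis."""
    reports = []
    for block in BLOCK_SEP.split(text):
        if "Loading Dump File" not in block:
            continue
        entry = {}
        for key, pattern in FIELD_PATTERNS.items():
            match = pattern.search(block)
            entry[key] = match.group("v") if match else None
        reports.append(entry)
    return reports


def recurring_buckets(reports):
    """Count how many dumps share each failure bucket (repeats mean one consistent fault)."""
    return Counter(r["bucket"] for r in reports if r["bucket"])


def parse_drivers(text):
    """Map driver file name -> build timestamp (UTC) decoded from the hex epoch field."""
    drivers = {}
    for match in DRIVER_LINE.finditer(text):
        epoch = int(match.group("hex"), 16)
        drivers[match.group("name")] = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return drivers


def drivers_built_before_year(drivers, year):
    """Names of drivers whose build date is earlier than 1 January of `year`, sorted."""
    cutoff = datetime(year, 1, 1, tzinfo=timezone.utc)
    return sorted(name for name, built in drivers.items() if built < cutoff)


if __name__ == "__main__":
    reports = parse_dumps(SAMPLE_ANALYSIS)
    for bucket, count in recurring_buckets(reports).items():
        print(f"{count} dump(s) share failure bucket {bucket}")
    for r in reports:
        print(f"  {r['dump']}: {r['bugcheck']} in {r['process']}, probably {r['cause']}")
    old = drivers_built_before_year(parse_drivers(SAMPLE_DRIVERS), 2011)
    print("Drivers built before 2011:", ", ".join(old))
```

Run against the full output of the collection app, the bucket count tells you whether every crash lands on the same signature (as both dumps do here, in mbamservice.ex via fwpkclnt.sys), and the year cutoff surfaces the kind of aged USB 3.0 drivers the reply singles out; the cutoff year is a judgement call, not a rule from the tool.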



