volsnap.sys, Alureon....newbie here ~ assist por favor!
#1
Posted 11 July 2011 - 03:58 PM
I believe my problems began with the 'Windows Recovery Virus' and they've run their course since then. Unfortunately I did a System Restore just after it hid all of my files before I knew what I had. I have run most supported online fix recommendations including: Avast (which catches the Malicious URLs 64.111.211.158, 64.11.211.164 and 64.11.211.165). Also MBAM, Spybot, Spyware Doctor, WebRoot Spyware Sweeper, Comodo, Registry Booster.....most recently trying to run tdsskiller.exe but it will not initiate even after changing the name and extension. I just downloaded Resource Tuner but don't know exactly what to do with it so I've stopped there.
Visible problems I'm experiencing (but not limited to these I'm sure) -
- Redirects
- No sound in webpages, the box unchecks itself upon restart
- Most streaming video freezes
- My child's online games will not play
- Prior to the 'no sound' issue I could hear audio from commercials without a browser or webpage being open
This is my first post and I am an intermediate computer user, but I have been a fan of the website and learned many helpful things from reading this forum over the last year. In this instance I don't want to overstep my ability so here I am. Again in advance....you guys rock.
Marc aka Fishetti
#2
Posted 11 July 2011 - 06:05 PM
Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
—George Bernard Shaw
#3
Posted 11 July 2011 - 06:13 PM
It re-directs from search engine links. What finally cleaned it was to boot off a Vista CD (F8 "Repair your computer" from the recovery partition would crash, so I had to boot off an installation CD), then I went to the command prompt and wrote a new MBR: Bootrec /fixmbr
Rebooted, ran tdsskiller which did run but found nothing. Checked search engine search and no more redirection.
Hope this helps.
#4
Posted 12 July 2011 - 12:41 AM
The TDSS Fix Tool says: ***Infected Driver: volsnap.sys
Awaiting instructions...
#5
Posted 12 July 2011 - 01:17 AM
#6
Posted 12 July 2011 - 11:02 AM
#7
Posted 12 July 2011 - 04:42 PM
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
#9
Posted 12 July 2011 - 06:16 PM
Select action for found objects:
Suspicious objects
Forged file Skip
Service
Service name: volsnap
Service type: Kernel driver (0x1)
Service start: Boot (0x0)
File: C:\Windows\systen32\DRIVERS\volsnap.sys
MD5: 48e724d86ea12ec1b827d18c69961374
MD5(forged): c18111166690541d6cb0cfcafe9ef38b
Following the instruction to click 'Continue' it says:
System Scan Completed
Infection: Not Found
*Please advise, thanks.
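The record posted above lists two MD5 values for one boot-start kernel driver. As an added example (not part of the thread and not TDSSKiller's own code), this Python parser reads that record layout and flags both conditions; the function names and finding strings are assumptions made for illustration.

```python
import re

# Fields of the record posted in the thread (path spelling kept as posted).
REPORT = r"""Forged file Skip
Service name: volsnap
Service type: Kernel driver (0x1)
Service start: Boot (0x0)
File: C:\Windows\systen32\DRIVERS\volsnap.sys
MD5: 48e724d86ea12ec1b827d18c69961374
MD5(forged): c18111166690541d6cb0cfcafe9ef38b
"""
FIELD = re.compile(r"^(Service name|Service type|Service start|File|MD5|MD5\(forged\)):\s*(.+)$")
CODE = re.compile(r"\((0x[0-9a-fA-F]+)\)$")   # trailing numeric code, e.g. (0x0)
MD5_HEX = re.compile(r"[0-9a-f]{32}")


def parse_records(text):
    """Split report text into one dict per 'Service name:' record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                      # headings such as 'Forged file Skip'
        key, value = m.groups()
        if key == "Service name":         # a new record starts here
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage(record):
    """Return findings for one record: hash disagreement and load stage."""
    findings = []
    md5 = record.get("MD5", "").lower()
    forged = record.get("MD5(forged)", "").lower()
    if forged:
        if not (MD5_HEX.fullmatch(md5) and MD5_HEX.fullmatch(forged)):
            findings.append("malformed hash field")
        elif md5 != forged:
            findings.append("two different hashes reported for one file")
    start = CODE.search(record.get("Service start", ""))
    kind = CODE.search(record.get("Service type", ""))
    if start and kind and int(start.group(1), 16) == 0 and int(kind.group(1), 16) == 1:
        findings.append("boot-start kernel driver")
    return findings
```

Calling `triage(parse_records(REPORT)[0])` on the posted record returns both findings, which is the combination worth escalating even when the tool's closing summary reads "Infection: Not Found".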
#10
Posted 12 July 2011 - 06:23 PM
#12
Posted 12 July 2011 - 06:57 PM
- Hold down Control and click on this link to open ESET OnlineScan in a new window.
- Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check "YES, I accept the Terms of Use."
- Click the Start button.
- Accept any security warnings from your browser.
- Under scan settings, check "Scan Archives" and "Remove found threats"
- Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, click List Threats
- Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Click the Back button.
- Click the Finish button.
#13
Posted 12 July 2011 - 09:31 PM
Win32OpenCandy Application
Win32RegistryBooster Application
Java/Agent AC Trojan
Java/TrojanDownloaderOpenStream NCA trojan
a variant of the Win32/SlowPCfighter application
#14
Posted 12 July 2011 - 10:28 PM
C:\ProgramData\ReviverSoft\RegistryReviver\InstallCache\{63E13B95-3168-481C-A8DF-FBE0DCDF5699}\Registry Reviver.msi a variant of Win32/SlowPCfighter application deleted - quarantined
C:\Users\FishLaptop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-528c31ff Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Users\FishLaptop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\4a5bb93f-31e808f7 Java/Agent.AC trojan deleted - quarantined
C:\Users\FishLaptop\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application deleted - quarantined
C:\Users\FishLaptop\AppData\Roaming\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application deleted - quarantined
#15
Posted 12 July 2011 - 10:39 PM
