
Need help with an obnoxious virus.


2 replies to this topic

#1 Crazy49er

  • Members
  • 110 posts
  • Gender:Male
  • Location:Charlotte, NC

Posted 19 April 2011 - 10:54 PM

Backstory: I was recently asked to help a friend who believed she had a virus on her PC. Due to the distance between us and work schedule I was unable to do the work myself so I brought up a simple list of programs for her to run and possibly remove the virus(es).

Her problem started when the PC randomly shut down on her (no blue screen) and she turned it back on to find that her files were all gone. I confirmed with her over the phone by doing a little poking at the hard drive and found out that the files were indeed still there but they had all been set to hidden. I've heard of this happening before and I've seen it once myself, so I knew it was a virus or a combination of them.

Next I asked her about the state of her antivirus program. Sadly, she had McAfee on the PC, but it expired 2-3 years ago and she had been neglecting it. I told her I'm surprised she went this long, really.

First things first, I had her boot the PC into safe mode with networking and gave her a small laundry list of programs that I've used before to remove and dislodge most low-level viruses.

1) ESET online scanner - then removal
2) Microsoft Malicious Software Removal Tool
3) Malwarebytes Anti-Malware
4) McAfee Removal Tool (no sense in keeping an old, useless antivirus)
5) Buy a new antivirus but do not install it yet (she picked up Norton Internet Sec 2011)

By this point I contacted her back again and she said between the 3 programs she had taken off 400+ viruses from the PC. (Not a big surprise; with that many years without a real antivirus, I'm more surprised she didn't have her credit card/account hacked.)

I worked with her and helped her over the phone again to unhide all her files and folders on the PC. She was happy to get them back again, and from what it sounded like to me the problems had all been taken care of, and I gave her the go-ahead to install Norton Int. Sec. 2011, but to install, then update, then run a full scan. Sure enough, it found 3 more.

However at this point I think it just merely pissed off the bigger bug on the PC. And she suddenly started complaining of script errors popping up for internet explorer and strange voice recordings/audio playing from nothing.

I found a program called CrossLoop and was able to use it to remotely access her PC, and I examined what had transpired. I ran a few more scans with the same programs again and found a few more viruses with Malwarebytes. I then had her just run a rootkit scan with Norton Power Eraser (since I couldn't control the PC after it rebooted to scan for rootkits), and Norton Power Eraser found an issue with a file named Volsnap.sys. I told her to tell Norton not to clean it but just leave it alone for now, and I looked it up online, but all the references to it that I found indicated that it was an infected system file and that if you remove it the PC would be hard to repair at that point.

I then logged back in on her PC remotely and tried running TDSSKiller and did as instructed by this thread that sounded exactly like the same issue I was having with her PC.

Now I was unable to get it to run in either normal or safe mode even after renaming and changing the extension of the file. And I dare not use Norton Power Eraser because that is probably just going to destroy the file and not fix the issue.

So here I am, I have 2 file logs that I've made at this point (Hijackthis.txt, and Process Explorer.txt) but I think I read that I'm not to post them unless asked so I'll hold off on them.

Any help in this matter would be much appreciated. I've already warned her to limit her use of the computer, that really the only thing she should do is online browsing and instant messenger, and not to do anything secure or financial. Let me know what you need and I'll do what I can.

Many Thanks in advance.

#2 JacobHall

  • Members
  • 300 posts

Posted 20 April 2011 - 05:21 AM

It seems the only way forward is getting a fresh copy of that file from the exact Operating System the person has and replacing it, as it is a System Critical file and Norton will inevitably cause damage, which could leave the computer unbootable.

However, I am unsure as to whether this file is unique in every computer, so replacing it could in turn cause your installation to become corrupted.

It would be best to ask the person if they have the original OEM disk; if not, check if there is a hidden partition (or what is known as the "cheap and easy" way for manufacturers to put recovery options on a system) to copy over a fresh copy of the file.

Edited by Super Panda, 20 April 2011 - 05:22 AM.


#3 Crazy49er

  • Topic Starter

  • Members
  • 110 posts
  • Gender:Male
  • Location:Charlotte, NC

Posted 20 April 2011 - 08:40 PM

Just want to confirm, you think that there are no other options that may work for fixing this issue aside from a complete reformat?

Edited by Crazy49er, 20 April 2011 - 08:40 PM.




