I was recently asked to help a friend who believed she had a virus on her PC. Due to the distance between us and work schedule I was unable to do the work myself, so I brought up a simple list of programs for her to run and possibly remove the virus(es).
Her problem started when the PC randomly shut down on her (no blue screen) and she turned it back on to find that her files were all gone. I confirmed with her over the phone by doing a little poking at the hard drive and found out that the files were indeed still there but they had all been set to hidden. I've heard of this happening before and I've seen it once myself, so I knew it was a virus or a combination of them.
Next I asked her about the state of her antivirus program. Sadly, she had McAfee on the PC, but it expired 2-3 years ago and she had been neglecting it. I told her I'm surprised she went this long, really.
First things first, I had her boot the PC into safe mode with networking and gave her a small laundry list of programs that I've used before to remove and dislodge most low-level viruses.
1) ESET online scanner - then removal
2) Microsoft Malicious Software Removal Tool
3) Malwarebytes Anti-Malware
4) McAfee Removal Tool (no sense in keeping an old, useless antivirus)
5) Buy a new antivirus but do not install it yet (she picked up Norton Internet Sec 2011)
By this point I contacted her back again and she said between the 3 programs she had taken off 400+ viruses from the PC (not a big surprise; that many years without a real antivirus, I'm more surprised she didn't have her credit card/account hacked).
I worked with her and helped her over the phone again to unhide all her files and folders on the PC. She was happy to get them back again, and from what it sounded like to me the problems had all been taken care of, and I gave her the go-ahead to install Norton Int. Sec. 2011, but to install, then update, then run a full scan. Sure enough, it found 3 more.
However, at this point I think it just merely pissed off the bigger bug on the PC, and she suddenly started complaining of script errors popping up for Internet Explorer and strange voice recordings/audio playing from nothing.
I found a program called CrossLoop and was able to use it to remotely access her PC, and I examined what had transpired. I ran a few more scans with the same programs again and found a few more viruses with Malwarebytes. I then had her just run a rootkit scan with Norton Power Eraser (since I couldn't control the PC after it rebooted to scan for rootkits), and Norton Power Eraser found an issue with a file named Volsnap.sys. I told her to tell Norton not to clean it but just leave it alone for now, and I looked it up online, but all the references to it that I found indicated that it was an infected system file and if you remove it the PC would be hard to repair at that point.
I then logged back in on her PC remotely and tried running TDSSKiller and did as instructed by this thread that sounded exactly like the same issue I was having with her PC.
Now I was unable to get it to run in either normal or safe mode even after renaming and changing the extension of the file. And I dare not use Norton Power Eraser because that is probably just going to destroy the file and not fix the issue.
So here I am, I have 2 file logs that I've made at this point (Hijackthis.txt, and Process Explorer.txt) but I think I read that I'm not to post them unless asked so I'll hold off on them.
Any help in this matter would be much appreciated. I've already warned her to limit her use of the computer, and really the only thing she should do is online browsing and instant messenger, and not to do anything secure or financial. Let me know what you need and I'll do what I can.
Many thanks in advance.