
Tdsskiller, others blocked by rootkit


2 replies to this topic

#1 Teconic

  • Members
  • 3 posts

Posted 20 April 2011 - 04:29 PM

I'm here because I WAS infected by a particularly nasty bit of malware - now gone, but wanted to share because I found no references to this TDSS variant.

OS: Windows 7 Business, 32 bit. Symptoms: Google redirects, pop-up audio commercials (new to me!), IE Script error pop-ups (even when out of IE), general weirdness. Tried: Rkill (ran OK, no results), Malwarebytes (ran, found nothing), Symantec (ran, found a few Java junk files, no payload). I was pretty sure that I had TDSS on board, but TDSSKiller would not execute - quick clock then nothing. Safe Mode, no change. Combofix found a few things, no rootkit. I tried GMER - found nothing.

Finally yanked the hard drive out and mounted it in a clean system, scanned with Microsoft Security Essentials. Found Win32/Alureon.K in \Windows\System32\Drivers\Volsnap.sys. Replaced Volsnap.sys with a clean copy - Bam! All fixed!

Did a search on TDSS and Volsnap.sys and found a couple of references to it. One guy posted a video of his experience with it. He used something called Dr. Web Cure-it. Anybody tried it? Anyway, wasted many hours chasing this PITA, and a couple of minutes fixing it once I knew where it was. Hope someone finds this info useful. This site has been extremely useful to me over the years and I just wanted to give a little bit back. Thanks!

Edited by Teconic, 20 April 2011 - 04:32 PM.
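The step that finally worked in the post above was taking the drive out, mounting it on a clean machine and comparing the suspect volsnap.sys against a known-good copy. The script below is an added example (not a tool from the original post or from BleepingComputer) that generalizes that check: it hashes every *.sys on an offline volume and diffs the result against a clean reference install. The paths (a suspect volume mounted as E:\ and a reference install on C:\) are assumptions, and the driver bytes in demo() are constructed stand-ins, not real driver contents.

```python
"""
Offline driver-integrity check: hash every *.sys on a suspect (mounted)
Windows volume and diff it against a clean reference install.

Added example for this thread, not a tool from the original post. Example
paths such as E:\\Windows\\System32\\drivers (suspect) and
C:\\Windows\\System32\\drivers (reference) are assumptions; pass your own.
"""
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large drivers are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_drivers(drivers_dir: Path) -> dict[str, str]:
    """Map lower-cased file name -> SHA-256 for every *.sys in drivers_dir."""
    return {p.name.lower(): sha256_of(p)
            for p in drivers_dir.glob("*.sys") if p.is_file()}


def compare_drivers(suspect_dir: Path, reference_dir: Path) -> dict[str, list[str]]:
    """Diff two driver directories.

    'modified' - present in both, but bytes differ (the patched volsnap.sys case)
    'extra'    - only on the suspect volume (dropped driver, or a newer update)
    'missing'  - only on the reference (deleted or renamed on the suspect)
    A mismatch is a lead, not proof: the reference must be the same Windows
    build and service-pack level, or legitimate updates will show as modified.
    """
    suspect = hash_drivers(suspect_dir)
    reference = hash_drivers(reference_dir)
    return {
        "modified": sorted(n for n in suspect
                           if n in reference and suspect[n] != reference[n]),
        "extra": sorted(set(suspect) - set(reference)),
        "missing": sorted(set(reference) - set(suspect)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a fake reference and a fake suspect volume.

    The bytes are stand-ins for real driver contents (assumption, not real
    data). Only volsnap.sys is altered on the suspect side, mimicking the
    infection described in the post, plus one driver the reference lacks.
    """
    clean = {
        "volsnap.sys": b"MZ...clean volsnap driver bytes (constructed)",
        "atapi.sys": b"MZ...clean atapi driver bytes (constructed)",
        "ndis.sys": b"MZ...clean ndis driver bytes (constructed)",
    }
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference")
        sus = Path(tmp, "suspect")
        ref.mkdir()
        sus.mkdir()
        for name, data in clean.items():
            (ref / name).write_bytes(data)
            (sus / name).write_bytes(data)
        # Simulate the patched driver: same name, different bytes.
        (sus / "volsnap.sys").write_bytes(
            clean["volsnap.sys"] + b"\x90" * 16 + b"<injected code (constructed)>")
        # A driver the reference machine simply does not have.
        (sus / "unknown.sys").write_bytes(b"MZ...constructed unknown driver")
        return compare_drivers(sus, ref)


if __name__ == "__main__":
    # Usage: python check_drivers.py E:\Windows\System32\drivers C:\Windows\System32\drivers
    if len(sys.argv) == 3:
        result = compare_drivers(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = demo()
    for kind, names in result.items():
        for name in names:
            print(f"{kind:9} {name}")
```

Run it from the clean machine with the infected disk attached, suspect directory first. Anything listed under "modified" is what the poster found by hand: a Microsoft driver whose bytes no longer match the clean copy. Files under "extra" need a second look too, since a rootkit may drop a driver of its own rather than patch an existing one. Keep the reference at exactly the same build and patch level as the suspect, otherwise normal Windows updates will show up as mismatches.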



#2 boopme

  • Global Moderator
  • 72,934 posts

Posted 20 April 2011 - 08:31 PM

Thanks for your post. Yes, we use DrWeb here. Volsnap is a new variant of the TDL... infection.

#3 quietman7

  • Global Moderator
  • 51,141 posts

Posted 21 April 2011 - 11:46 AM

Volsnap is a new variant of the TDL... infection.

And it won't be the last.