
Windows FixDisk



#1 Chuck Sp

Chuck Sp

  • Members
  • 36 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 28 April 2011 - 01:26 PM

Hi, this is just an informative post to share my trials and tribulations in removing Windows Fix Disk and associated issues that the guide was not completely helpful with.

Hopefully this info will help someone else.

So a client brought me a Windows 7 Pro PC with Windows Fix Disk, hidden files, browser search redirection and other errors.

He got the malware through an email attachment from an email purporting to be from his friend. He deleted the email, so I don't have the contents of the email to share.

I started out with the guide on the spyware removal tab of this website (thanks for all your hard work!).

This cleaned up a lot of it, but the Google redirects were still there, as well as an audible advertisement that played shortly after system startup through the speakers (no visible indicator the computer was doing this, just the audio). There were also script errors that popped up even though IE was not running.

TDSSKiller would not run, even after being renamed, and not even in safe mode.

GMER found a rootkit-infected svchost.exe. I booted off a CD and replaced that with a known good copy off the Windows 7 CD.

The Google redirects were still there, as well as the audible advertisement that played shortly after system startup through the speakers (no visible indicator the computer was doing this, just the audio). There were also script errors that popped up even though IE was not running.

TDSSKiller still would not run.

ESET run both normally and in safe mode showed no infection.

Hitman Pro would not scan, as it showed no internet connection even though the connection worked.

So I booted off a CD and ran a virus scan that way, and volsnap.sys in C:\windows\system32\drivers\ showed as an unidentified rootkit.

I replaced it with a known good copy from a CD and everything went away.

I ran all scans again. Everything worked, including TDSSKiller and Hitman Pro, and everything showed up clean. I installed an antivirus and an antimalware tool and updated both, applied all system updates and gave the system a thorough workout with a script that surfed the web and opened and closed emails and programs.

I gave it back to the client and everything seems good 2 days later.

The volsnap.sys seemed the critical agent at work here. No tools would detect it when booting off the hard drive.

Hope this helps someone else.

Edited by Budapest, 28 April 2011 - 06:12 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
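The key step in the post above was checking the driver from outside the infected operating system, because a kernel-mode rootkit can hide or fake the on-disk file while that OS is running. The following PowerShell script is an added example, not part of the original post or any tool it mentions, showing how a technician could perform that check from a clean boot environment (for example Windows PE) against a suspect volume mounted offline. It assumes the suspect volume is mounted as D:\ and that known good copies of the same files, taken from install media, sit in E:\KnownGood; both paths are assumptions and should be adjusted. It also assumes a PowerShell version that ships Get-FileHash (4.0 or later).

```powershell
# Added example (not from the original post): verify system binaries on a
# suspect Windows volume from an offline boot environment.
# Assumptions: D:\Windows is the suspect (offline) Windows directory and
# E:\KnownGood holds copies of the same files taken from install media.
param(
    [string]$SuspectRoot  = 'D:\Windows',
    [string]$KnownGoodDir = 'E:\KnownGood'
)

# Files the post identified as tampered with; extend the list as needed.
$files = @(
    'System32\drivers\volsnap.sys',
    'System32\svchost.exe'
)

foreach ($rel in $files) {
    $suspect = Join-Path $SuspectRoot $rel
    $good    = Join-Path $KnownGoodDir (Split-Path $rel -Leaf)

    if (-not (Test-Path $suspect)) {
        [pscustomobject]@{ File = $rel; Signer = $null; SHA256 = $null; Result = 'MISSING' }
        continue
    }

    # Authenticode status is the stronger signal: a patched system file
    # will no longer carry a valid Microsoft signature.
    $sig         = Get-AuthenticodeSignature -FilePath $suspect
    $hashSuspect = (Get-FileHash -Path $suspect -Algorithm SHA256).Hash
    $hashGood    = $null
    if (Test-Path $good) {
        $hashGood = (Get-FileHash -Path $good -Algorithm SHA256).Hash
    }

    $result = if ($sig.Status -ne 'Valid') {
        "signature $($sig.Status)"
    } elseif ($hashGood -and ($hashSuspect -ne $hashGood)) {
        'hash differs from known-good copy'
    } else {
        'OK'
    }

    [pscustomobject]@{
        File   = $rel
        Signer = $sig.SignerCertificate.Subject
        SHA256 = $hashSuspect
        Result = $result
    }
}
```

A hash mismatch on its own is not proof of infection, since a different service pack or update level legitimately produces a different binary; an invalid or missing Authenticode signature on a file that Microsoft ships signed is the finding to act on. Running the same check from inside the infected installation is unreliable for exactly the reason the post describes: the rootkit can intercept reads of the file and return clean-looking content.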



#2 Chuck Sp

Chuck Sp
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 28 April 2011 - 01:39 PM

Oh, and just to be thorough, I had also run ComboFix in all modes (regular, safe, etc.) and it found a couple of things but did not find the volsnap.sys.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:41 PM

Posted 29 April 2011 - 06:55 AM

The volsnap.sys seemed the critical agent at work here.

Yes, that is the latest variant of TDSS which prevents TDSSKiller from running even if renamed while using in normal or safe mode.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
