Various viruses?


This topic is locked
7 replies to this topic

#1 RJ8080

RJ8080

  • Members
  • 18 posts

Posted 01 May 2011 - 08:40 PM

I believe my laptop has been infected with a number of problems. Any assistance would be truly helpful. Problems observed so far include:

1. Audio-type adverts running in the background sporadically.
2. Some redirecting from searches; a site called Scour was opening, but this has mainly cleared up. However, various other redirecting issues have occurred.

3. Lots of Internet Explorer post script error messages, usually with a strange website address in them. The message asks if I should continue running scripts? I don't use IE a great deal; usually Google Chrome or Firefox.

4. Vista Total Security 2011 was trying to or did install itself and highlighting problems. This may have cleared up.
5. Strange proc: click messages following Google searches.

I have always had Symantec AV installed; however, for the last few weeks there has been a problem with it, with Windows Installer requesting the disk, which I no longer have. Should I uninstall Symantec and install something like Microsoft Security Essentials?

I have also had Spybot installed for a number of years and have run scans. Some problems were removed; however, one from Zango? remains which I can't remove.

I have now installed Malwarebytes. This cleared up a number of problems; however, most of those detailed above are still occurring, and further Malwarebytes scans reveal no infections. I am very confused and slightly worried. I would be most grateful for any suggestions to remedy my problems.

Thanks

RJ


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 May 2011 - 08:04 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Link 1: SystemLook (32-bit)
Link 2: SystemLook (32-bit)

Link 1: SystemLook (64-bit)
Link 2: SystemLook (64-bit)
  • Double-click SystemLook.exe to run it.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy and paste everything in the codebox below into the main textfield:
    :filefind
    volsnap.sys
    
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
  • Copy and paste the contents of that log in your next reply.

Go to one of the following online services that analyze suspicious files: In the "File to upload & scan" box, click the "browse" button and locate the following file:
c:\windows\system32\drivers\volsnap.sys <- this file
Click "Open", then click the "Submit" button.
-- Post back with the results of the file analysis in your next reply. If you used Jotti, copy and paste the "Permalink" that you will find in the "Jotti's malware scan" box in the upper left hand part of the page.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 RJ8080

RJ8080
  • Topic Starter

  • Members
  • 18 posts

Posted 02 May 2011 - 09:56 AM

Hi, thanks for the speedy reply.

Just to let you know, the Vista 2011 Total Security raised its ugly head again following an update request that I cancelled. I re-scanned with Malwarebytes and that seems to have gone again, but the other issues remain. Windows seems to block Malwarebytes on startup, though I did not purchase the full real-time version yet.

Anyway I have completed the steps you asked for, here are the details.


SystemLook (see below):

SystemLook 04.09.10 by jpshortstuff
Log created at 15:40 on 02/05/2011 by Richard
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.sys"
C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [23:03 22/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\drivers\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys --a---- 208488 bytes [10:25 02/11/2006] [09:51 02/11/2006] 11EF6C1CAEF76B685233450A126125D6
C:\Windows\System32\DriverStore\FileRepository\volume.inf_f47b2c78\volsnap.sys --a---- 211000 bytes [20:12 07/02/2008] [20:12 07/02/2008] 80DC0C9BCB579ED9815001A4D37CBFD5
C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys --a---- 227896 bytes [15:53 01/10/2008] [07:42 19/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.16586_none_137ff950ff29e447\volsnap.sys --a---- 211000 bytes [20:12 07/02/2008] [20:12 07/02/2008] 80DC0C9BCB579ED9815001A4D37CBFD5
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.20709_none_146318401803edb5\volsnap.sys --a---- 211000 bytes [20:12 07/02/2008] [20:12 07/02/2008] 327639D2EC931B057F3826A51ADC73E9
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys --a---- 227896 bytes [15:53 01/10/2008] [07:42 19/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093

-= EOF =-


Permalink (see below):
http://virusscan.jotti.org/en/scanresult/504c025ae084b73afa4cbbdace1c6657db171173/0a1de14d017b7726f07b5ee93eda3a417abb60ae

Please let me know any other steps I should take. I will try and get through them, though I am something of a computer dummy. I wouldn't be surprised if there are other problems on my machine. I seem to have a number of very popular issues.

If this wasn't what you wanted please say and I will repeat.

Thanks again

RJ
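
As an added example that is not part of the thread: the comparison the moderator asks for (does the in-use volsnap.sys share its MD5 with the copies Windows keeps in DriverStore and winsxs, and if not, which stored copy of the same build could replace it) can be run over SystemLook's ":filefind" output with a few lines of Python. The store paths and their hashes in the constructed sample are taken from the log above; the System32 copy's hash is a made-up placeholder standing in for a patched driver, and the path patterns used to recognise store copies are my assumption, not SystemLook's.

```python
import re

# Added example (not from the thread): the comparison quietman7 makes by eye,
# run over SystemLook ":filefind" output. An in-use driver whose MD5 matches
# none of the DriverStore/winsxs copies is the pattern to flag; a stored copy
# of the same build is where a clean replacement normally comes from.
# Result line format: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]+) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
LIVE_DRIVER = r"C:\Windows\System32\drivers\volsnap.sys"

def parse_filefind(text):
    """One dict per result line; headers, blanks and '-= EOF =-' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
            entries.append(e)
    return entries

def is_store_copy(path):
    # Assumed heuristic: servicing-store locations Windows itself maintains.
    p = path.lower()
    return "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p

def check_live_driver(text, live_path=LIVE_DRIVER):
    """Compare the in-use driver against the store copies listed in the same log."""
    entries = parse_filefind(text)
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        return {"status": "missing", "matches": [], "restore_from": []}
    store = [e for e in entries if is_store_copy(e["path"])]
    matches = [e["path"] for e in store if e["md5"] == live["md5"]]
    if matches:
        return {"status": "clean", "matches": matches, "restore_from": []}
    # No stored copy shares the hash: offer the copies of the same build (same
    # size and creation time) as the candidates to restore from.
    same_build = [e["path"] for e in store
                  if e["size"] == live["size"] and e["created"] == live["created"]]
    return {"status": "suspicious", "matches": [], "restore_from": same_build}

# Constructed sample: store copies carry the hashes from the thread's log; the
# System32 copy's MD5 is a made-up placeholder standing in for a patched file.
SAMPLE_LOG = r"""Searching for "volsnap.sys"
C:\Windows\System32\drivers\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 0000DEADBEEF0000DEADBEEF0000DEAD
C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [20:43 30/08/2010] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
-= EOF =-"""
```

A hash match with a store copy is the same heuristic the moderator applies; it says nothing about a rootkit that has also patched the stored copies, so a second-opinion scan of the file (as the thread does via Jotti) is still worth doing.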

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 May 2011 - 10:05 AM

I was expecting to find volsnap.sys infected and replace it with a copy from another location, but those results show it's clean.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.


Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Be sure to print out and read the instructions provided in:
How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files.
  • Setup may recommend scanning the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected and if they were successfully removed in your next reply. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#5 RJ8080

RJ8080
  • Topic Starter

  • Members
  • 18 posts

Posted 02 May 2011 - 10:49 AM

I have tried downloading TDSS by both suggested methods.

The icon is located on the desktop. However, the application doesn't appear to be opening up when right-clicking and running as administrator. Neither does it open via a simple double-click. I get asked to give permission, then nothing. Does it take a long time to open and am I just being impatient, or am I missing something?

RJ

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 May 2011 - 11:45 AM

TDSSKiller should not take that long to open/run/complete a scan. It's the malware infection blocking it. Usually the volsnap.sys file has been the culprit so that's why I wanted to check it first.

Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#7 RJ8080

RJ8080
  • Topic Starter

  • Members
  • 18 posts

Posted 02 May 2011 - 01:42 PM

Ok, I have followed the steps you suggest and posted in the Virus, Trojan etc. removal section with the following link:

http://www.bleepingcomputer.com/forums/topic395067.html

All steps were completed however my gmer.zip ark.txt file was too large to attach. I guess this will be dealt with in the other forum so you can close this loop now.

Many thanks for your help so far.

RJ

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 May 2011 - 02:03 PM

You're welcome.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
