
volsnap.sys, Alureon....newbie here ~ assist por favor!


  • Please log in to reply
22 replies to this topic

#1 fishetti (Members, 17 posts)

Posted 11 July 2011 - 03:58 PM

Hi to all...kudos and many thanks in advance from here on the beach in Charleston, SC ~

I believe my problems began with the 'Windows Recovery Virus' and they've run their course since then. Unfortunately I did a System Restore just after it hid all of my files, before I knew what I had. I have run most supported online fix recommendations including: Avast (which catches the malicious URLs 64.111.211.158, 64.11.211.164 and 64.11.211.165), MBAM, Spybot, Spyware Doctor, WebRoot Spyware Sweeper, Comodo, Registry Booster... most recently trying to run tdsskiller.exe, but it will not initiate even after changing the name and extension. I just downloaded Resource Tuner but don't know exactly what to do with it, so I've stopped there.


Visible problems I'm experiencing (but not limited to these I'm sure) -

- Redirects
- No sound in webpages, the box unchecks itself upon restart
- Most streaming video freezes
- My child's online games will not play
- Prior to the 'no sound' issue I could hear audio from commercials without a browser or webpage being open

This is my first post and I am an intermediate computer user, but I have been a fan of the website and learned many helpful things from reading this forum over the last year. In this instance I don't want to overstep my ability, so here I am. Again in advance... you guys rock.

Marc aka Fishetti


#2 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 11 July 2011 - 06:05 PM

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Exciter (Members, 2 posts)

Posted 11 July 2011 - 06:13 PM

I've been trying to clean this off a Vista machine for 2 days. It won't let TDSSKiller run. ComboFix doesn't seem to finish.
It redirects from search engine links. What finally cleaned it was to boot off a Vista CD (F8 "Repair your computer" from the recovery partition would crash; I had to boot off an installation CD), then go to the command prompt and write a new MBR: Bootrec /fixmbr
Rebooted, ran TDSSKiller, which did run but found nothing. Checked search engine results and no more redirection.

Hope this helps.

#4 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 12:41 AM

Hi Budapest, thanks for the quick help!

The TDSS Fix Tool says: ***Infected Driver: volsnap.sys

Awaiting instructions...

#5 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 12 July 2011 - 01:17 AM

Click "Repair".

#6 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 11:02 AM

After initially running the TDSS Fix Tool, which said the infected driver was volsnap.sys, I ran it again after you told me to choose 'Repair'. I had problems getting Windows to restart, and when it finally did, the TDSS Fix Tool did not find the problem again. Upon reboot it recommends repairing my computer, which yields nothing, and then doing a System Restore. I have not run TDSS Fix again. My Microsoft Security Essentials keeps popping up that it is catching Win32/Alureon and I need to restart. Okay, firstly, should I turn off System Protection before running TDSS Fix again? I believe the first time I ran TDSS Fix, when I restarted it turned Avast, Spybot, etc. back on. I need to close all of those programs, yes?

#7 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 12 July 2011 - 04:42 PM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

#8 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 05:41 PM

Thanks Budapest... will do so now and report after.

#9 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 06:16 PM

After following these instructions it finds:

Select action for found objects:
Suspicious objects
Forged file Skip
Service
Service name: volsnap
Service type: Kernel driver (0x1)
Service start: Boot (0x0)
File: C:\Windows\systen32\DRIVERS\volsnap.sys
MD5: 48e724d86ea12ec1b827d18c69961374
MD5(forged): c18111166690541d6cb0cfcafe9ef38b


Following the instruction to click 'Continue' it says:

System Scan Completed
Infection: Not Found


*Please advise, thanks.
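The TDSSKiller report quoted in this post is the key finding of the thread: a boot-start kernel driver whose hash as read through the file system (MD5) differs from the hash of its raw on-disk content (MD5(forged)). The following script is an added example, not part of the original post or of TDSSKiller; it parses a constructed copy of that report and rates each object, on the assumption that a mismatch between the two hashes indicates a bootkit hooking disk I/O to hide a patched driver.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the TDSSKiller report quoted above (hashes as posted).
SAMPLE_REPORT = """\
Select action for found objects:
Suspicious objects
Forged file Skip
Service
Service name: volsnap
Service type: Kernel driver (0x1)
Service start: Boot (0x0)
File: C:\\Windows\\systen32\\DRIVERS\\volsnap.sys
MD5: 48e724d86ea12ec1b827d18c69961374
MD5(forged): c18111166690541d6cb0cfcafe9ef38b
"""

FIELD_RE = re.compile(r"^(Service name|Service type|Service start|File|MD5\(forged\)|MD5):\s*(.+)$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per reported object; a new object starts at each 'Forged file' verdict line."""
    objects: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Forged file"):
            current = {"verdict": "Forged file"}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return objects

def triage(obj: Dict[str, str]) -> Tuple[str, str]:
    """Rate one parsed object as (severity, reason). Assumption: MD5 is the file as the
    OS serves it, MD5(forged) the raw on-disk content; a mismatch means the file system
    view is being faked, and a boot-start kernel driver is the worst place for that."""
    md5, forged = obj.get("MD5", ""), obj.get("MD5(forged)", "")
    if not (HEX32.match(md5) and HEX32.match(forged)):
        return "unknown", "hash fields missing or malformed"
    if md5.lower() == forged.lower():
        return "low", "on-disk content matches the file-system view"
    boot_kernel = ("Kernel driver" in obj.get("Service type", "")
                   and obj.get("Service start", "").startswith("Boot"))
    if boot_kernel:
        return "high", "forged boot-start kernel driver: %s" % obj.get("File", "?")
    return "medium", "forged file: %s" % obj.get("File", "?")

if __name__ == "__main__":
    for o in parse_report(SAMPLE_REPORT):
        print(o.get("Service name", "?"), *triage(o))
```

The MBAM and ESET scans later in the thread look at the file-system view only, which is why a high rating here should not be downgraded by a clean result from them.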

#10 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 12 July 2011 - 06:23 PM

Run a quick scan with MBAM and post the log.

#11 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 06:55 PM

It comes up clean, no infections.

#12 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 12 July 2011 - 06:57 PM

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#13 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 09:31 PM

5 infected files found so far at 48% scan progress:

Win32OpenCandy Application
Win32RegistryBooster Application
Java/Agent AC Trojan
Java/TrojanDownloaderOpenStream NCA trojan
a variant of the Win32/SlowPCfighter application

#14 fishetti, Topic Starter (Members, 17 posts)

Posted 12 July 2011 - 10:28 PM

Result from ESET... thx again Budapest!

C:\ProgramData\ReviverSoft\RegistryReviver\InstallCache\{63E13B95-3168-481C-A8DF-FBE0DCDF5699}\Registry Reviver.msi a variant of Win32/SlowPCfighter application deleted - quarantined
C:\Users\FishLaptop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-528c31ff Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Users\FishLaptop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\4a5bb93f-31e808f7 Java/Agent.AC trojan deleted - quarantined
C:\Users\FishLaptop\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application deleted - quarantined
C:\Users\FishLaptop\AppData\Roaming\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application deleted - quarantined

#15 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 12 July 2011 - 10:39 PM

So how's your computer running now?