System gets BSOD 0x7b after virus removal


This topic is locked.

#1 NYJIMBO (Member, 13 posts)
HP desktop running Vista, no obvious fake AV malware but has Google redirects and weird audio playing, like ads. Could not kill with MBAM, Spybot, etc. or in safe mode. Used Kaspersky Rescue Disk 10 and it found TDSS.e virus and claimed it was bad volsnap.sys. Did the recommended delete and then reboot. Now getting 0x7b on all boot attempts (regular, safe mode, last known, VGA, etc.). Tried repair in recovery console but after 10 minutes it reported could not do repair. Reading additional details said "bad driver". Tried to copy good volsnap.sys from several locations to windows/system32/drivers but still BSOD 0x7b.

There are restore points but each attempt comes back with "catastrophic failure 0x8000ffff". Ran memtest86+ two passes, ran chkdsk /r with no errors, sfc /scannow with no errors, ran SMART tests in BIOS with no errors.

Cannot get past BSOD 0x7b, can only get into recovery console but repair or restore fails.

I don't think this is a hardware failure, but can't tell if there is still a virus or if the volsnap.sys removal caused something else to go wrong. I have been hearing about this kind of failure very recently but don't have enough to go on to fix.

Can anyone help? Thank you.
#2 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

Hello NYJIMBO, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:
  • Please post your logs, don't attach them unless stated.
  • Please read my posts carefully and if you have any questions ask.
  • Stay with this topic until I tell you that your system is clean. Malware can still be on your system even if you don't notice it.

Please print these instructions out so that you know what you are doing.

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop the attached scan.txt into the Custom scans and fixes box
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#3 NYJIMBO (Topic Starter, Member, 13 posts)
Ok, will do now and get back to you shortly. Thank you.

#4 NYJIMBO (Topic Starter, Member, 13 posts)
Ok, after booting up with the DVD and dragging and dropping the scans.txt file into the box it comes up with the error: NOT A VALID FIX FILE.

The contents of that file are:

%SYSTEMDRIVE%\volsnap.sys /s /md5
%systemroot%\system32\drivers\*.sys /90


Is there something missing or did I possibly do something wrong?

#5 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
OK,

Can you copy and paste the contents of the file to the custom scans box and click on run scan?

#6 NYJIMBO (Topic Starter, Member, 13 posts)
Ok, I figured out how to move the scan.txt around, here is the OTL output. Thank you for helping.

OTL logfile created on: 6/13/2011 4:47:54 PM - Run
OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
Windows Vista ™ Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.97 Gb Total Space | 82.58 Gb Free Space | 58.58% Space Free | Partition Type: NTFS
Drive D: | 1.86 Gb Total Space | 1.07 Gb Free Space | 57.53% Space Free | Partition Type: FAT32
Drive I: | 8.08 Gb Total Space | 1.46 Gb Free Space | 18.12% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/03/25 10:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 21:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/26 18:51:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\John_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\John_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\John_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/04/01 11:00:37 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [hpsysdrv] C:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\John_ON_C..\Run: [NuHveRXdmtu] File not found
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Launcher] C:\WINDOWS\SMINST\Launcher.exe (soft thinks)
O7 - HKU\John_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/30 13:40:11 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/06 02:16:31 | 000,226,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\volsnap.2009
[2011/06/05 11:23:17 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0

========== Files - Modified Within 30 Days ==========

[2011/06/11 14:21:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/05 14:03:38 | 000,227,407 | ---- | M] () -- C:\Windows\System32\drivers\volsnap.sys.bad
[2011/06/04 12:45:47 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/04 12:45:47 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/04 12:43:31 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/04 12:43:31 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/04 12:38:59 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/24 19:14:10 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2011/06/07 14:49:17 | 000,227,407 | ---- | C] () -- C:\Windows\System32\drivers\volsnap.sys.bad
[2010/09/28 20:27:46 | 000,003,584 | ---- | C] () -- C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/17 10:19:45 | 000,077,375 | ---- | C] () -- C:\Windows\hpqins05.dat
[2010/04/01 10:55:24 | 000,176,364 | ---- | C] () -- C:\Windows\hpwins24.dat
[2009/09/30 22:45:03 | 000,000,165 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2009/09/13 12:03:16 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2009/09/12 10:36:08 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/12 10:35:03 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/12 03:10:16 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/12/17 00:09:43 | 000,001,879 | ---- | C] () -- C:\Windows\hpwmdl24.dat
[2007/07/30 13:35:24 | 000,103,521 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/07/30 12:59:18 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/07/30 12:55:44 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2007/07/30 12:55:44 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2007/03/06 04:47:24 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/12/14 02:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/14 02:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,396,504 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2009/09/11 12:29:31 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Snapfish
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2009/09/13 11:16:13 | 000,000,000 | ---D | M] -- C:\ProgramData\Geek Squad
[2011/03/15 02:20:44 | 000,000,000 | ---D | M] -- C:\ProgramData\gNlHhMf16633
[2007/07/30 13:39:34 | 000,000,000 | ---D | M] -- C:\ProgramData\muvee Technologies
[2007/07/30 13:47:27 | 000,000,000 | ---D | M] -- C:\ProgramData\PC-Doctor
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009/09/11 11:54:31 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2009/09/12 10:19:14 | 000,000,000 | ---D | M] -- C:\ProgramData\WildTangent
[2010/09/03 16:04:09 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/06/04 12:47:21 | 000,032,650 | ---- | M] () -- C:\WINDOWS\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\volsnap.sys /s /md5 >
[2009/04/11 03:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\System32\drivers\volsnap.sys
[2009/04/10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2006/11/02 05:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation) MD5=11EF6C1CAEF76B685233450A126125D6 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2008/01/18 23:42:50 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008/01/18 23:42:50 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\WINDOWS\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2009/04/10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >
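The custom scan at the end of that log lists every copy of volsnap.sys on the disk with its MD5, which is how a helper tells a tampered driver from the clean servicing copies Windows keeps. The parser below is an added example, not part of this thread or of OTL: it reads those `/md5` lines, takes the WinSxS copy whose component version matches the OS build from the log header as the reference, reports whether the copy in System32\drivers matches it, and otherwise builds the `:Files ... /replace` directive from the matching DriverStore copy. The sample input is the scan output from the log above, embedded as a string so the code runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the volsnap.sys lines from the "/s /md5" custom scan
# posted above, embedded here so the parser runs offline.
SAMPLE_SCAN = r"""
[2009/04/11 03:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\System32\drivers\volsnap.sys
[2009/04/10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2006/11/02 05:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation) MD5=11EF6C1CAEF76B685233450A126125D6 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2008/01/18 23:42:50 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008/01/18 23:42:50 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\WINDOWS\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2009/04/10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\WINDOWS\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
"""

# One OTL file line: [mtime | size | attrs | M] (company) MD5=hash -- path
LINE_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*?)\s*$"
)
# Component version embedded in a WinSxS folder name, e.g. _6.0.6002.18005_
WINSXS_VER_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass(frozen=True)
class DriverCopy:
    path: str
    size: int
    md5: str
    company: str

    @property
    def is_reference(self) -> bool:
        # Servicing copies Windows keeps for repair; never loaded at boot.
        p = self.path.lower()
        return "\\driverstore\\" in p or "\\winsxs\\" in p

    @property
    def is_active(self) -> bool:
        # The copy under System32\drivers is the one the boot loader loads.
        return "\\system32\\drivers\\" in self.path.lower() and not self.is_reference


def parse_otl_md5_scan(text: str) -> list[DriverCopy]:
    """Extract every file line of an OTL '/md5' custom scan; other lines are ignored."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(DriverCopy(m["path"], int(m["size"].replace(",", "")),
                                     m["md5"].upper(), m["company"]))
    return copies


def analyze(copies: list[DriverCopy], os_version: str) -> dict:
    """Check the loaded driver against the servicing copy for the installed build
    (os_version is the 'Version = x.y.z' value in the OTL header; 6.0.6002 is Vista SP2)."""
    active = [c for c in copies if c.is_active]
    if len(active) != 1:
        raise ValueError(f"expected one loaded copy, found {len(active)}")
    active = active[0]
    # The WinSxS copy whose component version matches the OS build fixes the expected hash.
    expected = {c.md5 for c in copies if "\\winsxs\\" in c.path.lower()
                and any(v.startswith(os_version + ".") for v in WINSXS_VER_RE.findall(c.path))}
    if len(expected) != 1:
        raise ValueError(f"no single reference hash for build {os_version}: {expected}")
    expected_md5 = expected.pop()
    matches = active.md5 == expected_md5
    # A DriverStore copy is the preferred source for an OTL ':Files ... /replace' directive.
    sources = sorted((c for c in copies if c.is_reference and c.md5 == expected_md5),
                     key=lambda c: "\\driverstore\\" not in c.path.lower())
    return {
        "active_path": active.path,
        "active_md5": active.md5,
        "expected_md5": expected_md5,
        "matches": matches,
        "replace_directive": None if matches or not sources
        else f":Files\n{active.path}|{sources[0].path} /replace",
    }
```

On the log above this reports a match: the loaded volsnap.sys already carries the SP2 reference hash, so a mismatch is only reported when the System32 copy differs from the WinSxS copy for the installed build.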

#7 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Run OTL from OTLPE
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/03/15 02:20:44 | 000,000,000 | ---D | M] -- C:\ProgramData\gNlHhMf16633
    O4 - HKU\John_ON_C..\Run: [NuHveRXdmtu] File not found
    O4 - HKLM..\Run: [] File not found
    
  • Then click the Run Fix button at the top


Do you know if you have a recovery partition on your computer? (please don't use the recovery partition but I need to know because the next steps may remove the recovery feature.)

#8 NYJIMBO (Topic Starter, Member, 13 posts)
Yes, there is a recovery partition. It looks like it's intact but don't know if it's infected. I will run this scan thing now and get back to you in a couple minutes.

#9 NYJIMBO (Topic Starter, Member, 13 posts)
Ran the fix, output was:

========== OTL ==========
Folder C:\ProgramData\gNlHhMf16633\ not found.
Registry value HKEY_USERS\John_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\NuHveRXdmtu deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

OTLPE by OldTimer - Version 3.1.46.0 log created on 06132011_180925

#10 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

Please post at http://forum.kaspers...howtopic=210216 that you are already receiving help for this issue. It is a waste of time to be helped at two different forums.

Fixing the Master Boot Record (MBR) would remove the ability to boot into the recovery partition. The TDSS infection infects the MBR. Let's try putting the infected file back to see if you can boot into your computer and then solve the issue from there. I have never tried this before, I'm not sure if it will work. :)

Run OTL from OTLPE
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :FILES
    [override]
    C:\WINDOWS\System32\drivers\volsnap.sys
    [stopoverride]
    C:\WINDOWS\System32\drivers\volsnap.sys|C:\Windows\System32\drivers\volsnap.sys.bad /replace
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

If your computer can boot then do this immediately:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

#11 NYJIMBO (Topic Starter, Member, 13 posts)
Added message at Kaspersky that I was getting help here.

Applied fix, let it run until done, shut down and restarted machine.

Still getting 0x7b stop moments after the Windows loading progress bar starts to scroll across the screen. Just like before.

Edited by NYJIMBO, 13 June 2011 - 01:39 PM.


#12 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

Run OTL from OTLPE
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\WINDOWS\System32\drivers\volsnap.sys|C:\WINDOWS\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys /replace
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered.

Next,

Double-click on the MBRFix icon from the OTLPE desktop, a command window will open

In the command window type in the following lines and press enter after each:

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin
MbrFix /drive 0 fixmbr /vista /yes

Try and reboot normally into your computer.
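Once `fixmbr` has run, the saved Backup_MBR_0.bin is the only copy of the original sector, so it is worth confirming it is a valid dump before rewriting, and comparing it with a fresh `savembr` dump afterwards to confirm that only the boot code changed and the partition table (including the recovery partition entry) survived. The checker below is an added example, not code from this thread or from MbrFix. The MBR bytes it parses are constructed inline, and the partition layout is only loosely modelled on the drives in the OTL log above, not the real disk.

```python
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PT_OFFSET = 446          # partition table starts here; 4 entries of 16 bytes
SIGNATURE = b"\x55\xAA"  # boot signature at offset 510
# A few MBR partition type IDs worth recognising when inspecting a Windows disk.
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x12: "OEM diagnostics/recovery", 0x27: "Hidden NTFS (WinRE)"}


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_gib(self) -> float:
        return self.sector_count * 512 / 1024 ** 3

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, f"unknown ({self.type_id:#04x})")


def parse_mbr(mbr: bytes) -> dict:
    """Validate a 512-byte MBR dump (as written by 'savembr') and decode its partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a usable MBR backup")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:          # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return {"partitions": entries,
            "active": [e.index for e in entries if e.bootable]}


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Report which MBR regions differ between the saved backup and a fresh dump taken
    after 'fixmbr': a clean repair rewrites only the boot code and keeps the table."""
    return {"boot_code_changed": before[:PT_OFFSET] != after[:PT_OFFSET],
            "partition_table_changed": before[PT_OFFSET:510] != after[PT_OFFSET:510],
            "signature_intact": after[510:512] == SIGNATURE}


def build_sample_mbr(boot_code: bytes, parts) -> bytes:
    """Assemble a constructed MBR image for testing; parts = (bootable, type, lba, count)."""
    if len(boot_code) != PT_OFFSET:
        raise ValueError("boot code must fill exactly the first 446 bytes")
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                                 ptype, b"\xFE\xFF\xFF", lba, count)
                     for bootable, ptype, lba, count in parts)
    return boot_code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed layout loosely modelled on the drives in the OTL log above: a bootable NTFS
# system volume, a small FAT32 volume and an NTFS recovery volume. Not the real disk.
SAMPLE_PARTS = [(True, 0x07, 2048, 293_601_280),          # 140 GiB
                (False, 0x0C, 293_603_328, 4_194_304),     # 2 GiB
                (False, 0x07, 297_797_632, 16_777_216)]    # 8 GiB
# Placeholder boot-code stubs (not real boot code); only their difference matters here.
BACKUP_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x00" * (PT_OFFSET - 2), SAMPLE_PARTS)
REWRITTEN_MBR = build_sample_mbr(b"\xFA\x33\xC0" + b"\x00" * (PT_OFFSET - 3), SAMPLE_PARTS)
```

On a real machine, read the 512 bytes of Backup_MBR_0.bin into `parse_mbr` before running `fixmbr`, then take a second `savembr` dump afterwards and feed both to `diff_mbr`; a partition table that changed is the signal to restore the backup rather than continue.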

#13 NYJIMBO (Topic Starter, Member, 13 posts)
I was able to run the fix you gave me, but after clicking on the mbrfix and then typing in:

MbrFix /drive 0 savembr C:\Backup_MBR_0.bin

it came back with:

Function Failed. Error 21: The device is not ready.

I stopped at that point, leaving the fixmbr open at the prompt.

edit: would having a USB stick on the machine affect this? One is in there now for possible file copy needs.

Edited by NYJIMBO, 13 June 2011 - 02:03 PM.


#14 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
The USB may be affecting it, I don't know. Try turning off the computer, unplugging the flash drive and try it again.

#15 NYJIMBO (Topic Starter, Member, 13 posts)
Ok, after reboot and attempt to pick up from MBR commands still got the same error code.

I did a: mbrfix /drive X driveinfo and kept replacing X until I got something:

X:\Programs\MBRFix>MbrFix /drive 4 driveinfo
Drive 4
Cylinders = 20673
Tracks (heads) per cylinder = 240
Sectors per track = 63
Bytes per sector = 512
Disk size = 160038789120 (Bytes) = 149 (GB)

Could this mean that this drive is seen as drive "4"? It is a SATA and I think it could be wired as SATA 4 inside the machine. There is only 1 HD and it is 160 GB.

Should I apply the MBRFix command to this drive number?