Olmasco.E trojan removal help

Discussion in 'ESET NOD32 Antivirus' started by solomon320, Apr 7, 2011.

Thread Status:
Not open for further replies.
  1. solomon320

    solomon320 Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    3
    Good Morning,
    I just purchased a copy of ESET NOD32 Antivirus in hopes of getting rid of this issue that I have.

    Win 7, Ultimate, 32 bit

    ESET NOD32 Antivirus ver 4.2.71.2
    Virus signature database: 6023 (20110407)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1296 (20110301)
    Advanced heuristics module: 1115 (20101116)
    Archive support module: 1128 (20110315)
    Cleaner module: 1050 (20101207)
    Anti-Stealth support module: 1024 (20101227)
    SysInspector module: 1217 (20100907)
    Self-defense support module : 1018 (20100812)
    Real-time file system protection module: 1004 (20100727)

    Upon searching for a cure I was pointed to ESET, I downloaded the trial and subsequently upgraded to the full license. I ran this program in the default mode as well as in safe mode.

    Here is a log of what it came up with.

    4/7/2011 10:57:41 AM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan unable to clean

    4/7/2011 10:36:58 AM Real-time file system protection file C:\Windows\System32\Drivers\VolSnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    4/7/2011 9:01:36 AM Real-time file system protection file C:\WINDOWS\SYSTEM32\DRIVERS\VOLSNAP.SYS Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    4/7/2011 8:16:02 AM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type

    4/7/2011 7:49:08 AM Real-time file system protection file C:\Windows\System32\Drivers\VolSnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.


    4/7/2011 7:48:46 AM Real-time file system protection file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type hppieceofshits\chris Event occurred during an attempt to access the file by the application: C:\Windows\System32\WerFault.exe.

    4/7/2011 7:08:32 AM Real-time file system protection file C:\WINDOWS\SYSTEM32\DRIVERS\VOLSNAP.SYS Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    4/6/2011 6:16:14 PM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type

    4/6/2011 12:00:38 PM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type


    Any help would be greatly appreciated.
    Thanks for your time and effort

    Chris
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    This sounds like a TDSS rootkit infection - Google volsnap.sys and you will see plenty of results that point you in the direction of either Dr Web or TDSS killer, because if you don't get the underlying rootkit, you're most likely going to get reinfected.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Try running a full scan with ESET Online scanner in safe mode with networking and manually replace files that have been patched by malware with their clean copy.
     
  4. solomon320

    solomon320 Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    3
    So I understand the safe-mode networking thing... but replacing with a clean copy throws me.... Where do I find clean copies?

    thanks

    chris
     
  5. solomon320

    solomon320 Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    3

    Thank you, web...... I ran the rootkit killer and it fixed the problem. I rescanned the system32 folder and it was clean. Thanks again for all your help, I appreciate it!

    Now I can get my work done.....

    Chris
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    You are welcome! I am glad you were able to clean up the system - I've cleaned more than a few TDSS infections... once you know you have one, they are relatively easy to clean up... the key is to know that you probably have one! ;)
     
  7. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Hi, may I know why ESET is (sometimes) unable to clean a detected threat?
     
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    We could ask this to every vendor actually, but seriously don't you know the answer?
     
  9. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    I really don't know the answer.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  11. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Detecting and cleaning are different things.

    ESET was able to find the threat that was already on your machine - but it was in a DLL/service/other file that was resident - i.e., in use.

    Cleaning up in-use files is NOT that easy. A safe-mode cleanup might have got it - but I am not sure if ESET does a cleanup - or a delete on this type of file. Deleting the file would potentially be catastrophic to Windows in the case of volsnap.sys (according to searching I have done)... it MUST be cleaned....
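The two points made in this thread - Marcos's advice to replace a driver that malware has patched with a clean copy, and the explanation above that an in-use driver cannot simply be deleted - can both be checked before anything is touched. The script below is an added example, not code from the thread, from ESET or from any tool named here. It hashes the live volsnap.sys, reads its Authenticode status, asks the kernel whether the driver is currently loaded, and looks for byte-identical copies in the WinSxS component store (the place Windows itself keeps installed copies of in-box drivers). It assumes Windows 7 or later, an elevated PowerShell prompt, an intact component store, and that the kernel service for the file is named volsnap (the `$ServiceName` parameter is an assumption you can override). It is read-only and changes nothing on disk.

```powershell
# Added example (not from the thread, ESET, or any rootkit tool named there).
# Question answered: does a core driver such as volsnap.sys look patched, is it loaded
# right now (so an on-access delete cannot succeed), and does WinSxS hold an identical
# copy an administrator could restore from? Assumes Win7+, elevated PowerShell, read-only.

param(
    [string]$DriverFile  = 'volsnap.sys',   # file named in the ESET log in this thread
    [string]$ServiceName = 'volsnap'        # assumed kernel service name for that driver
)

$livePath = Join-Path $env:SystemRoot "System32\drivers\$DriverFile"

function Get-Sha256Hex {
    param([string]$Path)
    # Hash through .NET so this also runs on PowerShell 2.0 (Windows 7), which has no Get-FileHash.
    # FileShare ReadWrite lets us read a file the kernel already has open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-LiveDriverState {
    param([string]$Path, [string]$Service)
    # A driver patched in place normally fails Authenticode verification, because the
    # modified image no longer matches its signature. Caveat: before PowerShell 5.1,
    # catalog-signed in-box drivers report NotSigned even when untouched, so on Windows 7
    # treat the hash comparison below as the decisive check, not SigStatus.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Win32_SystemDriver tells us whether the kernel currently has this driver loaded.
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$Service'"
    $item = Get-Item $Path
    New-Object PSObject -Property @{
        Path        = $Path
        Sha256      = Get-Sha256Hex -Path $Path
        SizeBytes   = $item.Length
        FileVersion = $item.VersionInfo.FileVersion
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Loaded      = if ($drv) { $drv.State -eq 'Running' } else { $false }
    }
}

function Find-ComponentStoreCopies {
    param([string]$FileName)
    # Every servicing component that ever installed this driver keeps a copy under WinSxS.
    # Recursing the store is slow (minutes on a large install) but needs no network access.
    $root = Join-Path $env:SystemRoot 'WinSxS'
    Get-ChildItem -Path $root -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path        = $_.FullName
                Sha256      = Get-Sha256Hex -Path $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
            }
        }
}

$live   = Get-LiveDriverState -Path $livePath -Service $ServiceName
$copies = @(Find-ComponentStoreCopies -FileName $DriverFile)
$match  = @($copies | Where-Object { $_.Sha256 -eq $live.Sha256 })

"Live driver : {0}" -f $live.Path
"  SHA-256   : {0}" -f $live.Sha256
"  Version   : {0}  ({1} bytes)" -f $live.FileVersion, $live.SizeBytes
"  Signature : {0}  [{1}]" -f $live.SigStatus, $live.Signer
"  Loaded    : {0}" -f $live.Loaded
"Component store copies found: {0}" -f $copies.Count
$copies | ForEach-Object { "  {0}  {1}  {2}" -f $_.Sha256, $_.FileVersion, $_.Path }

if ($match.Count -gt 0) {
    "VERDICT: live file is byte-identical to a servicing-stack copy; it does not look patched."
} elseif ($copies.Count -gt 0) {
    "VERDICT: live file matches none of the installed copies. Treat it as modified; the clean copy"
    "         with the same version lives in WinSxS and must be put back while the driver is NOT loaded."
} else {
    "VERDICT: no reference copy found; compare the hash against a known-clean machine of the same build."
}
if ($live.Loaded) {
    "NOTE: the driver is loaded right now, which is the 'in use' situation described in this thread:"
    "      an on-access delete of a running driver is not going to succeed."
}
```

A few design notes. Comparing against WinSxS rather than against a hash list means the check works offline and on any patch level, since the store holds exactly the versions this machine installed; a live file that matches none of them has been altered after installation. The loaded-state line is what turns "unable to clean" from a mystery into an expected result: the replacement has to happen when the driver is not running (offline, from WinRE, or by a tool that schedules the swap at boot), which is also what the thread's later suggestion of replacing the file on reboot is getting at. Windows' own equivalent of the hash check is `sfc /verifyfile=C:\Windows\System32\drivers\volsnap.sys`, and `sfc /scanfile=...` will attempt the restore from the same component store.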
     
  12. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Thanks for the explanation. Now I know why ESET is unable to clean infected files sometimes.
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  14. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You are welcome. Whatever is relevant to the thread and is also helpful to others reading is a good thing.

    Regards,

     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I guess ESET could implement so that it replaces the file with a clean copy upon reboot though, no?
     