Olmasco. E trojan removal help

Good Morning,
I just purchased a copy of ESET NOD32 Antivirus in hopes of getting rid of this issue that I have.

Win 7,Ultimate 32 bit

ESET NOD32 Antivirus ver 4.2.71.2
Virus signature database: 6023 (20110407)
Update module: 1031 (20091029)
Antivirus and antispyware scanner module: 1296 (20110301)
Advanced heuristics module: 1115 (20101116)
Archive support module: 1128 (20110315)
Cleaner module: 1050 (20101207)
Anti-Stealth support module: 1024 (20101227)
SysInspector module: 1217 (20100907)
Self-defense support module : 1018 (20100812)
Real-time file system protection module: 1004 (20100727)

Upon searching for a cure I was pointed to ESET, I downloaded the trial and subsequently upgraded to the full license. I ran this program in the default mode as well as in safe mode.

Here is a log of what it came up with.

4/7/2011 10:57:41 AM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan unable to clean

4/7/2011 10:36:58 AM Real-time file system protection file C:\Windows\System32\Drivers\VolSnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

4/7/2011 9:01:36 AM Real-time file system protection file C:\WINDOWS\SYSTEM32\DRIVERS\VOLSNAP.SYS Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

4/7/2011 8:16:02 AM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type

4/7/2011 7:49:08 AM Real-time file system protection file C:\Windows\System32\Drivers\VolSnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.


4/7/2011 7:48:46 AM Real-time file system protection file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type hppieceofshits\chris Event occurred during an attempt to access the file by the application: C:\Windows\System32\WerFault.exe.

4/7/2011 7:08:32 AM Real-time file system protection file C:\WINDOWS\SYSTEM32\DRIVERS\VOLSNAP.SYS Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

4/6/2011 6:16:14 PM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type

4/6/2011 12:00:38 PM Startup scanner file C:\Windows\system32\DRIVERS\volsnap.sys Win32/Olmasco.E trojan error while deleting - operation unavailable for this object type


Any help would be greatly appreciated.
Thanks for your time and effort

Chris

 

this sounds like TDSS rootkit infection - google volsnap.sys and you will see plenty of results that point you in the direction of either Dr Web/TDSS killer because if you don't get the underlying rootkit, you're going to get reinfected most likely.

 

Try running a full scan with ESET Online scanner in safe mode with networking and manually replace files that have been patched by malware with their clean copy.

 

so I understand the safemode networking thing... but replacing with clean copy throws me.... where do I find clean copies?

thanks

chris

 

Thank You web...... I ran the root kit killer and it fixed the problem. I rescanned the system32 folder and it was clean. Thanks again for all your help I appreciate it!

Now I can get my work done.....

Chris

 

You are welcome! I am glad you were able to clean up the system - I've cleaned more than a few TDSS infections... once you know you have one, they are relatively easy to clean up... the key is to know that you probably have one!

 

Hi,may I know why ESET is unable to clean detected threat?(sometimes)

 

We could ask this to every vendor actually, but seriously don't you know the answer?

 

I really don't know the answer.

 

Win32/Olmasco.E has been in the signature database since 6017
http://www.eset.com/us/threat-center/threatsense-updates/search?q=Win32/Olmasco.E

 

Detecting and cleaning are different things.

ESET was able to find the threat that was already on your machine - but it was in a DLL/service/other file that was resident - ie, in use.

Cleaning up in-use files is NOT that easy. A safe-mode cleanup might have got it - but I am not sure if ESET does a cleanup - or a delete on this type of file. Deleting the file would be potentially be catastrophic to windows in the case of volsnap.sys (according to searching I have done)... it MUST be cleaned....

 

Thanks for the explanation.Now I know why ESET is unable to clean infected files sometimes.

 

More specifically, My ESET security product detected a virus but cannot clean or delete it.

 

Thanks for the information too

 

You are welcome. Whatever is relevant to the thread and is also helpful to others reading is a good thing.

Regards,

 

I guess ESET could implement so that it replaces the file with a clean copy upon reboot though, no?