HTTP 503 – “temporarily closed for maintainance” on FreeFixer.com and other anti-malware sites

Just wanted to let you know about a nasty piece of malware that blocks access to many of the anti-virus sites out there. Freefixer.com is one of them. If you see an HTTP 503 error message saying:

“The site is temporarily closed for maintainance. Please try again later.”

when visiting freefixer.com and other sites, you have this infection, or some variant of it. Notice that “maintainance” is spelled incorrectly. A few users had already reported this issue to me, starting at the beginning of January 2015. I first thought I had made some configuration error on the web server, but I could not find any issue, nor that spelling error.

Today, Martin, who is located in Hamburg, Germany, reported that he had been able to track down the root cause. I’ve not been able to get my hands on this malware myself, so I cannot verify it, but according to him nothing showed up in FreeFixer, nor in any of the 3 anti-rootkit scanners he tried.

However, after rebooting from a live Knoppix Linux DVD, he was able to track down a malware driver called msreadyboost.sys, located in C:\WINDOWS\system32\drivers. After deleting this driver, the system operated normally again.
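For anyone repeating the offline check from a live Linux session, here is a small script. It is an added example, not something from Martin's report or from FreeFixer: it looks for the reported driver on the mounted Windows volume with case-insensitive path matching, records its SHA-256, and moves it to a quarantine folder rather than deleting it so the sample is preserved. The mount point and quarantine directory are assumptions you pass as arguments, and it assumes GNU find and sha256sum are available.

```shell
#!/bin/sh
# Added example: offline triage of the driver named in the post.
# Assumptions (not from the post): the Windows volume is already mounted;
# the mount point and the quarantine directory are supplied by the caller.

DRIVER_NAME="msreadyboost.sys"   # file name reported in the post

# Print the driver's path under <win_root>, or nothing if it is absent.
# Every path component is matched case-insensitively, because a Windows
# volume mounted on Linux may show WINDOWS/system32 as Windows/System32.
find_driver() {
    f_root=${1%/}
    find "$f_root" -maxdepth 4 -type f \
        -ipath "$f_root/windows/system32/drivers/$DRIVER_NAME" 2>/dev/null | head -n 1
}

# Move the driver into <quarantine_dir> after recording its SHA-256.
# Returns 0 if a file was quarantined, 1 if none was found, 2 on error.
quarantine_driver() {
    q_dir=$2
    q_path=$(find_driver "$1")
    [ -n "$q_path" ] || return 1
    mkdir -p "$q_dir" || return 2
    sha256sum "$q_path" >> "$q_dir/sha256.txt" || return 2
    mv "$q_path" "$q_dir/$DRIVER_NAME.quarantined" || return 2
    return 0
}

# Usage: sh triage.sh <win_root> <quarantine_dir>
if [ "$#" -eq 2 ]; then
    quarantine_driver "$1" "$2"
    case $? in
        0) echo "quarantined $DRIVER_NAME" ;;
        1) echo "$DRIVER_NAME not found" ;;
        *) echo "error while quarantining" >&2 ;;
    esac
fi
```

The recorded hash lets you look the file up later or share it with a vendor without handing around the binary itself.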

Thanks Martin! Good job!

Do you also see the HTTP 503 message? Did the removal of msreadyboost.sys solve the problem?