Olmarik Trojan not removed.

Discussion in 'ESET NOD32 Antivirus' started by Lightningcount, Aug 11, 2010.

Thread Status:
Not open for further replies.
  1. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    I must be missing something. I'm booting with my backup hard drive in the primary slot, which isn't infected. So why does the running explorer.exe process need to be cleaned? It's my (normally) primary hard drive that is in a caddy and isn't the boot drive (at this time) that is infected.

    I want to clean the Olmarik MBR trojan from the non-boot drive. The standalone Olmarik tool wouldn't work on the non-boot drive. And the latest version of NOD32 gave me an error (see previous post) when it tried to remove the Olmarik trojan that it found on the non-boot, D:, drive.

    Unless someone has some other advice, it appears that NOD32 can't fix this problem. ESET - can you help me on this? o_O

    Does anyone have any suggestions on other AV tools that I can install on a bootable CD that will remove this Olmarik trojan?
     
  2. Avail

    Avail Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    29
    Re: Olmarik Trojan can be removed!

    Hi, I just today also found out that I got the horrible Trojan. NOD32 with the latest definitions can quarantine the Trojan. I had 5 variants on my sys. :(

    Not sure if everything is removed yet..
     
  3. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    Re: Olmarik Trojan removed.

    After lots of searching on how to repair the MBR for my Lenovo T61p, which was infected with the Olmarik trojan, I found the answer in my cloning software.

    Since I was able to boot into a stable XP environment from a 45-day old clone of my hard drive, I knew that the MBR of the older clone drive was not infected. My cloning software is a product called Casper - which I HIGHLY recommend - and I vaguely remembered that this software also has some utility functions. Turns out that it can repair an MBR. So I booted my laptop with the following configuration.

    Physical drive 0/boot drive: 320GB hard drive with 45-day old clone of Primary
    Physical drive 1/Primary in drive caddy: Latest laptop boot drive with infected MBR

    It should be noted that I booted with the same configuration over the weekend (see previous posts) and ran NOD32 from the older drive to have it scan physical drive 1. In addition to the MBR infection (which NOD32 couldn't fix), there were 8 other files that were identified and quarantined. So, I'm guessing that NOD32 identified other portions of the malware that the MBR trojan may have passed control to after booting.

    Now back to this evening. After I booted, NOD32 again found the Olmarik virus on the MBR of physical drive 1, but couldn't clean it so I just selected 'Ignore'. Then, I ran Casper 5.0 and navigated the menus where I found an option to repair the MBR on a selected physical drive. I selected physical drive 1, but Casper said the MBR looked OK. I told it to 'Repair anyway', which it did.

    Next I shut my laptop down, placed the Primary drive with the just-fixed MBR as the boot drive. Successfully updated NOD32 from 9/15 (the date my blue screen problems started), updated WinXP, rebooted.

    So far, no problems after 1.5 hours of uptime. Now performing a full NOD32 scan of my Primary drive, now at 9% and nothing found yet.

    LESSONS LEARNED:

    1. Spend $50-$60 each on hard drives identical to your primary and use software to fully clone them - OS, apps, data, EVERYTHING!
    2. Rotate your backups every other week or two.
    3. Make sure you periodically check your backups by configuring your machine to boot from the backup drives.
    4. Make a copy of the MBR if you have a laptop such as mine that uses a non-standard-sized MBR.
    5. ESET needs to figure out why NOD32 couldn't fix my MBR. I've been using NOD32 for 3+ years on 5 PCs a year. I use it based upon a recommendation from an IT friend of mine. My expectations were/are that it should be able to clean my MBR, not fail in this critical endeavor.

    Thanks for all of the suggestions.
     
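    The MBR backup-and-repair step described in the post above (lessons 3 and 4, and the Casper "repair MBR" run), as an added worked example. This is not urbite's procedure, nor Casper's or ESET's code: it assumes the classic 512-byte MBR layout (440 bytes of bootstrap code, a 4-byte Windows disk signature plus 2 reserved bytes at 0x1B8, four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE), which may not match a laptop with a non-standard MBR. The two sector images are constructed for the demo; the altered bootstrap stub is a placeholder, not Olmarik's real code. The device paths in the comments are illustrative, and reading a physical drive requires administrator/root rights.

```python
"""Back up, verify and repair the bootstrap code of a 512-byte MBR image.

Added illustration (not code from the thread, Casper or ESET). Assumes the
classic MBR layout: 440 bytes of bootstrap code, a 4-byte Windows disk
signature plus 2 reserved bytes at 0x1B8, four 16-byte partition entries at
0x1BE and the 0x55AA boot signature at 0x1FE.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 0x1B8       # bootstrap code occupies bytes 0x000-0x1B7
DISK_SIG_OFFSET = 0x1B8    # Windows disk signature (4 bytes) + 2 reserved bytes
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE    # 0x55 0xAA
BOOT_SIG = b"\x55\xAA"


def read_mbr(device_path):
    """Read the first sector of a disk or image file.
    Real devices: r"\\.\PhysicalDrive1" on Windows, "/dev/sdb" on Linux (needs admin/root)."""
    with open(device_path, "rb") as fh:
        mbr = fh.read(MBR_SIZE)
    if len(mbr) != MBR_SIZE:
        raise ValueError("short read: %d bytes, expected %d" % (len(mbr), MBR_SIZE))
    return mbr


def has_boot_signature(mbr):
    return mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIG


def disk_signature(mbr):
    return struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0]


def parse_partition_table(mbr):
    """Return the four primary partition entries as dicts (CHS fields ignored)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_hash(mbr):
    """SHA-256 over the bootstrap code only. Disk signature and partition table are
    excluded so that repartitioning or a clone with a new signature is not flagged."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def bootcode_changed(current, trusted):
    return bootcode_hash(current) != bootcode_hash(trusted)


def repair_bootcode(current, trusted):
    """Rebuild an MBR the way a 'repair MBR' utility does: bootstrap code from the
    trusted copy, disk signature and partition table from the disk being repaired
    (so Windows drive-letter mapping and the partitions survive)."""
    if not (has_boot_signature(current) and has_boot_signature(trusted)):
        raise ValueError("one of the sectors lacks the 0x55AA boot signature")
    repaired = trusted[:BOOTCODE_END] + current[BOOTCODE_END:BOOT_SIG_OFFSET] + BOOT_SIG
    assert len(repaired) == MBR_SIZE
    return repaired


def build_sample_mbr(bootcode_stub, disk_sig, partitions):
    """Assemble a constructed MBR image for the demo (not a real boot sector).
    partitions: list of (bootable, type, lba_start, sectors); CHS fields left zero."""
    bootcode = bootcode_stub.ljust(BOOTCODE_END, b"\x00")[:BOOTCODE_END]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions).ljust(64, b"\x00")
    return bootcode + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


# Constructed samples: a known-good sector (the "45-day-old clone") and a sector whose
# bootstrap code was altered. The altered stub is a placeholder, not Olmarik's code.
ONE_NTFS_PARTITION = [(True, 0x07, 63, 625137345)]   # bootable NTFS starting at LBA 63
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB", 0xDEADBEEF, ONE_NTFS_PARTITION)
INFECTED_MBR = build_sample_mbr(b"\xEB\x3E\x90\x00\x00\x00\x00\x00", 0xCAFEF00D, ONE_NTFS_PARTITION)


def main():
    print("bootstrap code differs from backup:", bootcode_changed(INFECTED_MBR, CLEAN_MBR))
    fixed = repair_bootcode(INFECTED_MBR, CLEAN_MBR)
    print("after repair, matches backup:", not bootcode_changed(fixed, CLEAN_MBR))
    print("disk signature preserved: 0x%08X" % disk_signature(fixed))
    for p in parse_partition_table(fixed):
        if p["sectors"]:
            print("partition %d type 0x%02X start %d sectors %d"
                  % (p["index"], p["type"], p["lba_start"], p["sectors"]))


if __name__ == "__main__":
    main()
```

    To use it against real drives, save `read_mbr(path)` of the known-good clone to a file while it is still clean, and periodically compare `bootcode_hash` of the working drive against that backup; writing the repaired sector back is deliberately left out, since raw writes to a physical drive should go through a tool you trust and a verified backup.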
  4. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    @Urbite,

    Use your ESET SysRescue CD and "Username and Password" information for update.

    Scan all your drives (recommended). Set up your ThreatSense engine with suitable settings. :D

    Disinfection in an infected environment is ineffective (especially with rootkits).
     
  5. Vinnie

    Vinnie Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    19
    Location:
    Bournemouth, UK
    Hi All, I have not been here in quite a few years. Just thought I would pop-in and let you know I had a similar problem to a lot of you with the Olmarik Trojan.

    For us it started with Bamital EL virus on our system (Windows 7 Ultimate). NOD32 would not clean it and any attempts to remove it met with system crashes. At one point on a reboot after using Malware Bytes it gave me a blue screen and an option to repair. This did not work for us at all.

    My next call was to boot in Safe Mode and run GMER to hunt for the suspected rootkit. Again this crashed my system. I did a system restore and a thorough clean of the system. Bamital seemed to disappear (or maybe was eradicated); what came up next was the Olmarik Trojan. For the life of us we could not remove it, not even with the ESET Olmarik cleaner. In actual fact, like a lot of you, it would detect it and not clean. Because of the virulent nature of this Trojan we were quite eager (bordering on desperation) to remove it.

    Olmarik Removal
    After several new attempts with various rootkit sniffers and removers we again attempted Malwarebytes. This time MB seemed to be disabled. (Trojan is clever.) I called a colleague of mine who hosts a lot of our clients' websites and is a bit of an expert in matters of security, and his response was simply use the Kaspersky TDSSKiller - he claimed it worked on several of his customers.
    I did this and yes, it worked. It immediately detected the rootkit and after a reboot wiped it completely. After a full scan by ESET the system seems to be fully clean.

    NOD32, as part of the ESET Smart Security System, is a fantastic AV and all-around protection. But it should never be the end-all of security measures. We pride ourselves on taking a lot of precautions to keep our system clean, but sometimes you just can't help picking up a nasty, whether by surfing or opening an unsuspected email. This is when all options need to be looked at - not just relying on the AV you trust the most. One company might just have that fix.

    -keep an open mind :)
     
    Last edited: Oct 22, 2010