Olimarik

Discussion in 'ESET NOD32 Antivirus' started by xacto, Apr 14, 2010.

Thread Status:
Not open for further replies.
  1. xacto

    xacto Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    9
    Hello, I scan many infected drives each day by hooking them up to a clean system. Running nod32 v4 with updated defs.
    While the drive scans it finds an olimarik variant has taken over one of the sys files in system32/drivers (winxp sp3 on the infected drive). Nod can't delete it but keeps trying, popping up saying "error deleting..."

    Nod32 has no idea what permissions are.

    Whenever this happens I have to go into the registry, turn on the security tab for files in normal mode, and then find the infected sys file and set owner to administrator and take full control.
    Once I've done that, nod deletes the file.

    So my question is...why in the world can't nod take permission of files?

    The other bad thing about this whole thing is...if I don't replace the system file that nod deleted after I manually granted it permission to be able to,
    I will be looking at a blue screen when I put the drive back into the system it came from.

    Could you maybe add a warning or something like "nod deleted critical system files that you need to manually replace"
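    The manual ownership change described in this post, as an added example that is not part of the original post or of any ESET tool. It assumes an elevated PowerShell on the clean scanning host (Vista or later, so takeown.exe and icacls.exe are available), the infected drive mounted as E:, and a placeholder file name; the actual driver hit in the thread is not named. It also hashes the file before anything is changed, so the replacement can later be checked against the patched copy.

```powershell
# Added example (not from the original post): take ownership of a file on an
# offline-mounted infected drive and grant Administrators full control, then
# record a hash before the file is deleted so the replacement can be verified.
# Assumptions: elevated PowerShell on the clean scanning host (Vista or later,
# so takeown.exe and icacls.exe exist); infected drive mounted as E:;
# $Target is a placeholder path, not the file named in the thread.
param(
    [string]$Target = 'E:\WINDOWS\system32\drivers\example.sys'  # placeholder
)

if (-not (Test-Path -LiteralPath $Target)) {
    throw "No such file: $Target"
}

# Current owner. Local groups of the other install show up as unresolved
# SIDs when the drive is mounted on a different machine; that is expected.
$before = Get-Acl -LiteralPath $Target
Write-Host "Owner before: $($before.Owner)"

# Hash first: the file is about to be deleted, and the hash lets you confirm
# later that the restored driver is not the same patched copy.
$sha1  = [System.Security.Cryptography.SHA1]::Create()
$bytes = [System.IO.File]::ReadAllBytes($Target)
$hash  = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
$sha1.Clear()
Write-Host "SHA1 before removal: $hash"

# Give ownership to the Administrators group (/A), then grant it full control.
& takeown.exe /F $Target /A | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }
& icacls.exe $Target /grant 'Administrators:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Show the result so the change is visible before the scanner is re-run.
$after = Get-Acl -LiteralPath $Target
Write-Host "Owner after:  $($after.Owner)"
$after.Access |
    Where-Object { $_.IdentityReference -like '*Administrators' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

    Taking ownership only works because the scanning host's Administrators token carries SeTakeOwnershipPrivilege; it says nothing about whether the file is clean, and it does not help with a driver that is already loaded, which is why the thread's scenario (drive hooked up to a clean system) is the one where it applies.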
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    ESET has a stand-alone removal tool for Win32/Olmarik infections here

    You may generate a memory dump for the blue screen issue by using this solution

    Of note, the virus definitions currently target most variants of this pest; you may also want to run a scan in safe mode.

     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    1, use the Olmarik stand-alone remover or the ESET rescue cd to scan and remove it

    2, Olmarik is known to infect (patch) system drivers. You'll need to replace the affected file(s) with a clean version (it might be necessary to do that after booting from a clean media, such as the rescue cd). You needn't send any dumps from BSOD which are expected when crucial system files get patched or removed. ESET never removes such files automatically but leaves the decision to the user.
     
  4. xacto

    xacto Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    9
    Yes I realize there are many stand-alone removal tools for this infection.
    But the question still remains...why can't nod deal with file permissions?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    1, a scan is run in the account of the current user. There would be no sense in having accounts if everyone had the same rights for everything; that's how Windows is designed.

    2, rootkits are made to make detection and removal difficult or impossible in normal mode. Malware authors can easily adapt their creations to security solutions but not to standalone removers.

    Rootkits like Olmarik patch system drivers. The only way to make the system clean is restore the original clean copy of the affected system drivers.
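    Both of Marcos's replies come down to the same step: find which system drivers no longer match a known-clean copy and restore them. The script below is an added example, not ESET's code and not from the original posts. It compares every .sys in the mounted install's system32\drivers against the Windows File Protection cache of the same install (system32\dllcache) and reports mismatches; the mount point E: and the XP directory layout are assumptions. A mismatch is a candidate, not proof: a driver updated by a hotfix also differs from the cached copy, and nothing stops malware from touching dllcache too, so confirm against original media (the i386 .sy_ files of the service pack, expanded with expand.exe) before copying anything back.

```powershell
# Added example (not from the original posts): compare drivers on an
# offline-mounted Windows XP install against that install's dllcache and
# report (optionally restore) the ones that differ.
# Assumptions: infected drive mounted as E:, Windows directory E:\WINDOWS.
# dllcache is a reference, not ground truth: hotfixed drivers legitimately
# differ from it, and the cache itself could have been altered.
param(
    [string]$WinDir = 'E:\WINDOWS',   # placeholder mount point
    [switch]$Restore                  # copy cached copies over mismatches
)

$drivers  = Join-Path $WinDir 'system32\drivers'
$dllcache = Join-Path $WinDir 'system32\dllcache'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

$mismatches = @()
foreach ($drv in Get-ChildItem -LiteralPath $drivers -Filter '*.sys') {
    $cached = Join-Path $dllcache $drv.Name
    if (-not (Test-Path -LiteralPath $cached)) { continue }   # no reference copy
    $live = Get-Sha256Hex $drv.FullName
    $ref  = Get-Sha256Hex $cached
    if ($live -ne $ref) {
        $mismatches += New-Object PSObject -Property @{
            Driver     = $drv.FullName
            LiveSize   = $drv.Length
            CachedSize = (Get-Item -LiteralPath $cached).Length
            LiveSHA256 = $live
        }
    }
}

if ($mismatches.Count -eq 0) {
    Write-Host "All drivers that have a dllcache copy match it."
} else {
    $mismatches | Format-Table Driver, LiveSize, CachedSize, LiveSHA256 -AutoSize
}

if ($Restore -and $mismatches.Count -gt 0) {
    foreach ($m in $mismatches) {
        $cached = Join-Path $dllcache (Split-Path $m.Driver -Leaf)
        # Keep the suspect copy for analysis instead of destroying it.
        Move-Item -LiteralPath $m.Driver -Destination "$($m.Driver).infected" -Force
        Copy-Item -LiteralPath $cached -Destination $m.Driver
        Write-Host "Restored $($m.Driver) from dllcache"
    }
}
```

    Run it read-only first and check each reported driver against the service pack source before using -Restore. If the rename or copy fails with access denied, the file's ACL from the infected install is blocking you and ownership has to be taken on the scanning host first. Restoring a driver this way addresses the patched file only; it does not undo anything else the rootkit changed, which is the point behind the advice in this thread to reimage once a rootkit has been on the box.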
     
  6. xacto

    xacto Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    9
    Huh?

    1) I didn't ask how windows was designed...I asked why nod can't take permission of a clearly infected file and delete it.
    If I can manually replace permissions on the same file in normal mode in the same user account, then why can't nod do it programmatically?

    2) Nod detected the file, it just can't remove it.
    And again, if I can manually set permissions then it is neither difficult nor impossible to remove.

    And yes you have to replace the infected driver.
    Problem with that is what i said before.
    The average user will not know that nod deleted a system file and
    since nod doesn't tell you that it did...the average person will blue screen
    the next time they reboot.
    Which is why i said....
    Could you maybe add a warning or something like "nod deleted critical system files that you need to manually replace"

    I thought the idea was to give feedback to help make nod a better product and help people with problems. Telling people to go download other tools all the time for the things nod can't deal with isn't a good solution.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You know, once you've been infected by a rootkit, you go and restore a known clean image or reinstall from scratch. Don't waste time with removal tools, the system cannot be trusted any more. End of story here. Rootkit -> game over.

    (Oh, and your idea of removing rootkits by changing permissions is really funny at best).
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: May 8, 2010