Hello, I scan many infected drives each day by hooking them up to a clean system. Running nod32 v4 with updated defs. While the drive scans it finds a olimarik variant has taken over one of the sys files in system32/drivers (winxp sp3 on the infected drive). Nod cant delete it but keeps trying, popping up saying "error deleting..." Nod32 has no idea what permissions are. Whenever this happens i have to go into the registry, turn on the security tab for files in normal mode, and then find the infected sys file and set owner to administrator and take full control. Once i've done that..nod deletes the file. So my question is...why in the world cant nod take permission of files? The other bad thing about this whole thing is...if i dont replace the system file that nod deleted after i manually granted it permission to be able to, I will be looking at a blue screen when i put the drive back into the system it came from. Could you maybe add a warning or something like "nod deleted critical system files that you need to manually replace"
ESET has a stand-alone removal tool for Win32/Olmarik infections here You may generate a memory dump for the blue screen issue by using this solution Of note, the virus definitions currently target most variants of this pest, you may also want to run a scan in safe mode
1, use the Olmarik stand-alone remover or the ESET rescue cd to scan and remove it 2, Olmarik is known to infect (patch) system drivers. You'll need to replace the affected file(s) with a clean version (it might be nececssary to do that after booting from a clean media, such as the rescue cd). You needn't send any dumps from BSOD which are expected when crucial system files gets patched or removed. ESET never removes such files automatically but leaves the decision to the user.
Yes i realize there are many stand alone removal tools for this infection. But the question still remains...why cant nod deal with file permissions?
1, a scan is run in the account of the current user. There would be no sense in having accounts if everyone had same rights for everything, that's how Windows is designed. 2, rootkits are made to make detection and removal difficult or impossible in normal mode. Malware authors can easily adapt their creations to security solutions but not to standalone removers. Rootkits like Olmarik patch system drivers. The only way to make the system clean is restore the original clean copy of the affected system drivers.
Huh? 1) I didnt ask how windows was designed...i asked why nod cant take permission of a clearly infected file and delete it. If i can manually replace permissions on the same file in normal mode in the same user account, then why cant nod do it programatically? 2) Nod detected the file, it just cant remove it. And again, if i can manually set permissions then it is neither difficult or impossible to remove. And yes you have to replace the infected driver. Problem with that is what i said before. The average user will not know that nod deleted a system file and since nod doesnt tell you that it did...the average person will bluescreen the next time they reboot. Which is why i said.... Could you maybe add a warning or something like "nod deleted critical system files that you need to manually replace" I thought the idea was to give feedback to help make nod a better product and help people with problems. Telling people to go download other tools all the time for the things nod cant deal with isnt a good solution.
You know, once you've been infected by a rootkit, you go and restore a known clean image or reinstall from scratch. Don't waste time with removal tools, the system cannot be trusted any more. End of story here. Rootkit -> game over. (Oh, and your idea of removing rootkits by changing permissions is really funny at best).
Run a scan in Safe Mode since most variants of this pest are now detected. The TheatSense definitions now fully detect Win32/Olmarik and numerous variants. If none of the above work, submit an Issue Ticket to ESET
