Olmarik Trojan not removed.

Discussion in 'ESET NOD32 Antivirus' started by Lightningcount, Aug 11, 2010.

Thread Status:
Not open for further replies.
  1. Lightningcount

    Lightningcount Registered Member

    Joined:
    Aug 11, 2010
    Posts:
    1
    Hi, I am having a hell of a time trying to remove this from my computer. NOD32 finds the Olmarik in the operating memory, but cannot clean it. I used the stand-alone remover, and it was not able to clean it either. It said Olmarik not found. I am using Windows 7 Ultimate 32-bit. Other than the NOD notification, I am seeing no signs of the virus on my computer. I think NOD may be blocking it, but it can't seem to clean it.


    I would also like to add that I no longer have my nod startup disc. It was destroyed by my 6 year old niece a few weeks ago.
     
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Have you tried making a new ESET SysRescue disc and scanning from that?

    Regards,

    Aryeh Goretsky
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. Duch

    Duch Registered Member

    Joined:
    Jul 2, 2009
    Posts:
    5
    One of our customers has the same problem. Scanned with the Olmarik remover (that has just been updated on the 9th of August), but not detected...
     
  5. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    I have never seen Windows 7 infected by this malware, but who knows, it may work as well (depending on your config).

    Olmarik is considered a rootkit and is a dangerous infection that steals personal information. Make sure that you change passwords or other sensitive data after you have cleaned your computer, or from another known clean machine. Consider professional anti-malware help to remove the pest, such as a forum that provides malware cleaning services.
     
  6. Matthijs5nl

    Matthijs5nl Guest

    Why did you actually choose this kind of rescue disc? To be honest, I (and I think a lot of consumers with me) can't be arsed to download 1.2 GB first.
     
  7. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    I also am coming across new variants of Olmarik which NOD detects but will not remove. The ESET Olmarik tool does not work on these new variants. I had success removing them using Kaspersky's TDSSKiller tool.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you don't use a 64-bit system, try enabling pre-release updates. I assume you should be able to clean machines already infected with Olmarik fine.
     
  9. 8bit

    8bit Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    9
    I think I am too. I tried the removal tool with no luck. Every time I run the tool, it finds it, states that it removes it but never does.

    I've enabled pre-release updates to see if that will help. I'll let everyone know what I find.
     
  10. 8bit

    8bit Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    9
    SUCCESS!! The Olmarik Trojan was successfully removed by the updated Olmarik removal tool provided by ESET!

    I ran the old tool and Olmarik was still found. I then ran the updated removal tool, Olmarik was found, removed. I rebooted and ran the tool again and no sight of Olmarik. I then ran a full ESET scan of memory and file systems and nothing was found. NOD32 had found the Olmarik in memory but couldn't remove it. The removal tool did the job.

    The machine that was infected was running Windows XP Pro SP3.

    Thank you Marcos!

    Cheers,
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    It was chosen for a number of technical as well as licensing reasons, however, other kinds of rescue environments may be available in the future.

    Regards,

    Aryeh Goretsky

     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    We're getting absolutely slammed with clients infected with this rootkit, ComboFix followed by MalwareBytes are cleaning it up nicely.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I think EAV/ESS would do the same with pre-release updates enabled. Also, we're going to update the stand-alone Olmarik cleaner shortly, which should be able to clean all new variants.
     
  14. kocak_gober

    kocak_gober Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    35
    Nice.. I'll use it too if NOD cannot clean. ;)
     
  15. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    I have a WinXP SP3 laptop that was having random reboots and BSODs. This is now at a local PC shop where they said they found a rootkit and some other infections. Before I took the laptop in I installed my last cloned drive and kept the original. I needed some info from that drive, so I installed the hard drive from the laptop in a SATA-to-USB enclosure and connected it to a desktop PC. This PC is also running NOD32, and NOD32 identified the Olmarik virus. I downloaded the standalone tool, but when I run the standalone tool no Olmarik virus is found.

    Does the standalone tool not search the removable drives? Is there some kind of option I can set to enable scan and repair of this virus on removable drives? If not, this would be a very useful addition to this (and all other) standalone tools.
     
  16. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Remove Olmarik trojan from your external drive with the latest signatures of NOD32.
     
  17. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    I tried removing the Olmarik boot sector infestation with the latest signature 5636 (20101016) and I get the following message when I try and clean it:

    error while cleaning - operation unavailable for this object type

    Here's more complete info from the log file:
    Scanner: Startup scanner
    Object: boot sector
    Name: MBR sector of the 1. physical disk
    Threat: Win32/Olmarik.ADA trojan
    Action: error while cleaning - operation unavailable for this object type

    To recap my situation. I have a Lenovo T61p laptop running WinXP SP3. In mid-September I started having blue screen issues. I have a backup procedure whereby I clone my Primary/boot drive to one of two identical physical drives in a drive caddy placed in my DVD slot. For clarity, I label the drives as follows.

    Primary: Always stays in the laptop and is cloned to the other two. [Olmarik/Blue screens]
    Bkup #1: 1st rotating backup/destination (last clone: 8/1/2010)
    Bkup #2: 2nd rotating backup/destination (last clone: 9/1/2010) [Olmarik/Blue screens]

    As you can see, the most recent clone target, Bkup #2, is also infected with the Olmarik MBR trojan. However, Bkup #1 is NOT infected with Olmarik.

    I would like to clean my Primary drive, as I have added lots of data files and installed several programs since that time. I installed Bkup #1 (non-infected) as my boot drive and the infected Primary drive in the caddy slot (so it's non-bootable). I then booted and applied all NOD 32 and Windows updates.

    At this point, I expected (based upon your previous message) that I would be able to clean the infected MBR of the non-booting Bkup #2 with NOD32. However, as you can see from my above results, this was not possible with NOD32.

    Some additional information which may be useful - this Lenovo/IBM laptop has a non-standard sized MBR, which I discovered a while back when I first started cloning the drive using the Casper utility. I was not able to boot from the cloned drive without using a second utility to fix the MBR. Subsequent versions of Casper were able to make a clone that was bootable (as I'm now booting from one of those clones).

    Should I expect NOD32 to be able to fix an infected MBR on a drive that is not currently the boot drive? If so, how do I do it?

    The MBR of the current (uninfected) boot drive (Bkup #1, physical drive 0) should be able to be copied to the Primary/physical drive 1 to fix this.

    Do you have any suggestions for how I can remove infections from my Primary physical drive when I can't make it boot without blue screening?
     
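The MBR transplant urbite proposes above (copy the boot sector of the clean physical drive 0 onto the infected physical drive 1) has a catch worth spelling out: a whole-sector copy also overwrites drive 1's Windows disk signature (bytes 440..443) and its partition table (bytes 446..509), which belong to that disk and differ from drive 0's. Only the boot-code region (bytes 0..439) should be transplanted. The following is an added example, not ESET's tool and not code from this thread; it works on 512-byte MBR images (byte strings or files dumped from the raw device) so it runs offline, and assumes a classic single-sector MBR layout. The sample MBRs inside it are constructed filler, not real Olmarik data. Restoring the boot code only puts the boot path back; it does not by itself remove anything the rootkit stored elsewhere on the disk, so a full scan afterwards, as 8bit did, is still needed.

```python
"""
Added example (not ESET's code, not from the thread): compare the boot code of a
clean MBR and a suspect MBR and, if they differ, splice only the clean boot code
(bytes 0..439) over the suspect one, keeping the suspect disk's own disk
signature and partition table. Assumes a standard 512-byte MBR.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439: boot code executed by the BIOS
DISK_SIG_OFF = 440      # bytes 440..443: Windows disk signature (little-endian DWORD)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511: MBR boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature and used partition entries.
    Raises ValueError if the sector is the wrong size or lacks the 0x55AA signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]                 # byte 0 status, byte 4 type
        lba_start, sectors = struct.unpack_from("<II", entry, 8)  # bytes 8..15
        if ptype != 0:                                     # type 0 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}


def is_valid_mbr(mbr: bytes) -> bool:
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def boot_code_differs(clean_mbr: bytes, suspect_mbr: bytes) -> bool:
    """True when the two sectors carry different boot code (the region a bootkit rewrites)."""
    return parse_mbr(clean_mbr)["boot_code"] != parse_mbr(suspect_mbr)["boot_code"]


def splice_boot_code(clean_mbr: bytes, suspect_mbr: bytes) -> bytes:
    """Return the suspect MBR with ONLY bytes 0..439 replaced by the clean boot code;
    the suspect disk keeps its own disk signature, partition table and 0x55AA."""
    parse_mbr(clean_mbr)      # validate both inputs before touching anything
    parse_mbr(suspect_mbr)
    return clean_mbr[:BOOT_CODE_LEN] + suspect_mbr[BOOT_CODE_LEN:]


def _make_mbr(fill: int, disk_sig: int, lba_start: int, sectors: int) -> bytes:
    """Constructed sample MBR (filler boot code + one bootable NTFS partition), not real data."""
    boot_code = bytes([fill]) * BOOT_CODE_LEN
    sig = struct.pack("<I", disk_sig) + b"\x00\x00"          # signature + 2 reserved bytes
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
    table = entry + b"\x00" * 48                               # three unused entries
    return boot_code + sig + table + BOOT_SIG


# Constructed stand-ins for "physical drive 0" (clean) and "physical drive 1" (suspect).
CLEAN_MBR = _make_mbr(0xEB, 0x11111111, 2048, 100000)
SUSPECT_MBR = _make_mbr(0x90, 0x22222222, 63, 500000)


def demo() -> dict:
    repaired = splice_boot_code(CLEAN_MBR, SUSPECT_MBR)
    r = parse_mbr(repaired)
    return {"differed_before": boot_code_differs(CLEAN_MBR, SUSPECT_MBR),
            "differs_after": boot_code_differs(CLEAN_MBR, repaired),
            "disk_signature": r["disk_signature"],   # still drive 1's own signature
            "partitions": r["partitions"]}           # still drive 1's own table


if __name__ == "__main__":
    print(demo())
```

To use it on real disks, dump the first sector of each drive with administrator rights (for example with dd on a Linux rescue system, or by opening \\.\PhysicalDrive0 and \\.\PhysicalDrive1 on Windows), keep a copy of the original suspect sector, compare first, and write back only the 512 bytes returned by splice_boot_code. The partition table is parsed rather than blindly copied precisely so a mismatch between the two disks cannot silently be written over.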
  18. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    can you still boot into safe mode or does it also BSOD?

    have you tried the offline mode with NOD SysRescue? or this ESET Olmarik cleaner http://download.eset.com/special/EOlmarikRemover.exe?
     
    Last edited: Oct 16, 2010
  19. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    I haven't tried that in a while. The last time I tried it safe mode was stable. I'll try that again.

    I tried to use the standalone remover, but it wouldn't fix the infected MBR on my drive when it was in a SATA-USB caddy (not the bootable drive). If I install the infected drive as the boot drive, it blue screens before NOD32 can do its job. How do I run NOD SysRescue or create a bootable CD that will run it?
     
  20. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hi urbite,

    Section 5.5 of the users manual explains how to create a SysRescue disc.

    BFG
     
  21. urbite

    urbite Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    6
    What will SysRescue do that I can't do by scanning my infected physical disk while it's in a secondary caddy and is the non-boot drive? Wouldn't it also be the non-boot drive when booting from the SysRescue CD/DVD?
     
  22. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    You'll most likely get the same results. I was just answering the following question.
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just to make sure, did you run the stand-alone Olmarik remover with elevated administrator rights in case UAC is enabled?
     
  24. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Your question is not in place and definitely not necessary, Marek. Your Olmarik tool requires admin rights in order to run. While UAC is enabled and if it is not run as admin, it won't run at all.
     
  25. nealuk

    nealuk Registered Member

    Joined:
    Apr 2, 2009
    Posts:
    6
    Location:
    North East England
    When booted up and inside Windows, cleaning the explorer.exe process is tricky. So, booting up from the ESET SysRescue disc, the explorer.exe process on the hard drive isn't running, and is cleaned easily by SysRescue.

    It's a highly valuable tool, I have found it very useful, and would recommend it.
     