Win32/Olmarik.OF Virus - Can't Delete

Discussion in 'ESET NOD32 Antivirus' started by azforexman, Nov 3, 2009.

Thread Status:
Not open for further replies.
  1. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Just assume that it's your C: drive and for some reason when you boot into the OS it's remapping it to a different drive letter, that said:

    From the root of C:, which you're already on in the recovery console, " copy atapi.sys c:\windows\system32\drivers\ " is the command, without the quotes.
     
  2. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I tried that and here is what I get:

    c:\windows>copy atapi.sys c:\windows\system32\drivers\

    The system cannot find the file specified.

    Any other ideas?

    Thanks,
    Jeff
     
  3. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    I don't know what you've got going on then; you need to go into Windows XP Disk Management from Computer Management in the Administrative Tools and delete that unused partition.

    Try to switch to the D: drive, which is the next drive letter and should be your CD drive with the XP disc in it, and try the expand command following the instructions previously posted here, all from the recovery console.

    Make sure you're in the D:\I386 dir when you do it.
     
  4. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    It failed because, if I remember well, last time when logged into XP you extracted the atapi.sys file to I:. Now when you are in the recovery console it should be in C:. But when you issued the "copy" command, you were in the C:\windows directory and there is no atapi.sys file there. So you should type in the recovery console:
    copy c:\atapi.sys c:\windows\system32\drivers\

    or switch to CD drive as ccomputertek wrote, go to I386 folder and type:
    expand -r atapi.sy_ c:\windows\system32\drivers\
     
  5. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    This I: volume looks really strange. Its size is 103 MB and filesystem is unknown.

    Boot into XP, start cmd.exe and type: "diskpart" then "list disk" and "list volume". Post the output here.
     
  6. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I attached the screenshot. I will try what you recommended from the previous post. I just have to wonder if I have something more going on than just the virus.

    Thanks again for all your help.

    Jeff
     
  7. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    As I said before, Windows is switching around your drive letters, but from DOS, which is the recovery console, it should always be the C: drive and then your CD drive as the next letter, D:.
     
  8. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    You probably installed Windows with a card reader attached to the PC; that's why it's not C:.

    When you are installing Windows, always disconnect the card reader, and when the installation is done just plug it back in ;)
     
  9. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    You are correct. I did have a USB thumb drive attached. Is it possible to reassign the drive letters so they are the default setting? Or is it not worth it?

    Jeff
     
  10. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Success! Here is what worked: copy c:\atapi.sys c:\windows\system32\drivers\ I typed this in the recovery console and it replaced the file. I ran a full scan with no viruses found.

    I appreciate the help from this forum.

    Best regards,
    Jeff - AZForexman
     
  11. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    There is no drive letter assigned to that 103 MB partition in your XP.

    You can run "diskpart" and type:
    select disk 0
    detail disk
    list partition

    What's the output?
     
  12. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    I'd nuke the install period as you seem to be one of those people who don't understand how to delete a partition when you reinstall your OS or understand that having a card reader connected at windows install will cause drive letter assignment issues. It's a real nightmare to change the windows drive letter back to C: from I: because a lot of your applications are installed pointing to I: Dude it's a borked windows install... reinstall but be sure to delete your partitions first.

    Solid-State

    PS When you do reinstall windows you have to remove your internal card reader from your USB controller or you'll just have the same problem over and over again!
     
  13. format_c

    format_c Registered Member

    Joined:
    May 6, 2008
    Posts:
    116
    It's very easy to clean the system, just run Dr.Web CureIt!. Why must someone do such stupid things like the file replacement?!
     
  14. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Ok. I attached the screenshot.

    Thanks again,
    Jeff
     
    Last edited: Nov 12, 2009
  15. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92

    If that machine is a prefab then it's the recovery partition. I wouldn't nuke that friend.

    Solid-State
     
  16. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    A recovery partition would not be 103 MB in size. But he can check what's on the drive.
     
  17. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    Yeah, that's rather small. It's some remnant of a partition he managed to create when he reinstalled Windows with the borked I: active partition.

    Solid-State

    PS If the Windows install fails at some point, could it leave this behind but still manage to get a working install?
     
    Last edited: Nov 13, 2009
  18. ESS3

    ESS3 Registered Member

    Joined:
    Dec 11, 2007
    Posts:
    112
  19. Nomad Soul

    Nomad Soul Registered Member

    Joined:
    Jul 10, 2009
    Posts:
    28
    Location:
    Russia, Khabarovsk
    Dr.Web CureIt, that's the answer. The only antivirus that can cure this active rootkit.
     
  20. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    This should not be in the Eset Support forum. He ain't looking for recommendations for other AVs, just how to fix his current problem.
     
  21. laoistom

    laoistom Registered Member

    Joined:
    Dec 21, 2009
    Posts:
    1
    Hi Folks,

    I had 2 instances of this virus on PCs I was fixing today and here's what I did to get rid of them. Firstly I used PsKill (part of the PsTools suite from SysInternals) to kill the virus in memory. Then I scanned the registry for the name of the process I just killed. I can't remember what it was on the first PC, but it was called Jaoeii.exe on the second instance.

    Go through the registry using the Find menu option, locate all references to the virus and delete them from the registry.

    Once that is done, restart the PC and make sure that when the PC reboots the virus doesn't appear in Task Manager. At this point I thought to myself that the virus was gone, but I then started receiving NOD32 warnings about atapi.sys being infected, so I got my Windows XP SP3 CD, popped it in the drive and ran the System File Checker. Go to Start -> Run and type: sfc /scannow. This will tell Windows to compare all system files to the files on the XP disc and, if any are changed, replace them with the original from the CD.

    This seems to have fixed the issue for me. Give it a go and see how you guys get on.

    Cheers,
    Laoistom
     
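    An added example, not code from any poster in this thread: a Python check for the integrity step behind posts 4 and 21, comparing the live atapi.sys in system32\drivers against the Windows File Protection reference copy in system32\dllcache (the cache that sfc /scannow restores from). It builds a constructed fake %SystemRoot% so it runs anywhere; on a real XP machine pass the actual SystemRoot path instead, preferably from an offline boot rather than inside the possibly compromised OS.

```python
import hashlib
import tempfile
from pathlib import Path

# Driver the thread is about; atapi.sys is the file Olmarik replaced.
DRIVERS = ["atapi.sys"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(system_root, names=DRIVERS):
    """Compare each driver in system32\\drivers with the WFP copy in system32\\dllcache.
    Returns {name: 'ok' | 'modified' | 'missing' | 'missing-reference'}."""
    root = Path(system_root)
    live_dir = root / "system32" / "drivers"
    cache_dir = root / "system32" / "dllcache"
    result = {}
    for name in names:
        live, ref = live_dir / name, cache_dir / name
        if not live.exists():
            result[name] = "missing"
        elif not ref.exists():
            result[name] = "missing-reference"
        elif sha256_of(live) == sha256_of(ref):
            result[name] = "ok"
        else:
            result[name] = "modified"
    return result


def build_fixture(infected=True):
    """Constructed sample: a fake %SystemRoot% with a clean dllcache copy and a live
    copy that has extra bytes appended (standing in for an altered atapi.sys).
    The contents are placeholders, not real driver bytes."""
    root = Path(tempfile.mkdtemp())
    (root / "system32" / "drivers").mkdir(parents=True)
    (root / "system32" / "dllcache").mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 64 + b"clean atapi.sys body (constructed)"
    (root / "system32" / "dllcache" / "atapi.sys").write_bytes(clean)
    live = clean + b"appended bytes (constructed)" if infected else clean
    (root / "system32" / "drivers" / "atapi.sys").write_bytes(live)
    return root


if __name__ == "__main__":
    print(check_drivers(build_fixture(infected=True)))   # {'atapi.sys': 'modified'}
    print(check_drivers(build_fixture(infected=False)))  # {'atapi.sys': 'ok'}
```

    A 'modified' result is the cue to restore the file from the install media (the copy or expand step in post 4) and rescan, and a 'missing-reference' result means dllcache itself cannot be trusted as a baseline.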
  22. OTP Frodo

    OTP Frodo Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    9
  23. biggus

    biggus Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    1
    A friend's machine was hit with Olmarik today. Although the Olmarik ESET tool detected the virus and said it was removed, upon rebooting it was back; in other words, in this case anyway, it didn't work at all. A guy in this thread mentioned Dr.Web's CureIt, and was berated for mentioning it in the NOD forum. This is fair comment normally, but in this case at least, I am very glad it was mentioned, because this app (the free version) found a rootkit that was the root cause (no pun intended :) of my friend's Olmarik.

    As it happens, I am a NOD fanboi, but nothing is perfect, and you have to give credit where it is due. Whilst the NOD Olmarik fix may have fixed some people's Olmarik, it was unable to fix mine, despite it saying that it did.
     
  24. Jabmo

    Jabmo Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    1
    Last edited: Feb 3, 2010