Trojan.Win32/Olmarik and XP Internet Security 2010



#1 Dark_

Posted 26 January 2010 - 12:41 AM

Hello. I have been messing with computer security for about 5-6 years now, so I'm far from new at removing computer infections or navigating through the registry and so on; just to put that out there to begin with.

My computer stats are:

Microsoft Windows XP Professional
Version 2002
Service Pack 3

Lately (about 1-2 weeks ago), Firefox 3.5 (my default browser at the time, now 3.6) began acting strange. I would be on websites such as YouTube or other websites, and in a new tab it would head to a random website, which would redirect about 5 times to either a page asking me to download something or some kind of spam. At the time I figured it was adware, and scanned my computer with the tools I had (AVG Free and Malwarebytes). AVG found nothing but tracking cookies, and Malwarebytes found nothing.

The problem persisted.

A few times I would be going about my business when all of a sudden a shutdown prompt would come up saying that a WINDOWS/NT (think that's how you spell it) process had ended and that the computer was required to reboot. It gave me a good minute to save what I was doing, and then would shut down. The second time this happened (today), when it rebooted, I was greeted by XP Antivirus 2010. I knew from the start this was a malware infection, and after opening Task Manager, saw it was running as av.exe. I killed the process, but it would come back when I tried to run Malwarebytes. Using Process Explorer 11.33 (a trusted program that has helped me many times) I found that the program was located at
( C:\Documents and Settings\(onlyuseronpcalsotheadmin)\Local Settings\Application Data\av.exe )

and under command line it said something along the lines of ( "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /START "C:\Documents and Settings\(onlyuseronpcalsotheadmin)\Local Settings\Application Data\av.exe" )

However, when checking the location, it was not there, which to me meant it was hidden, so I checked my settings, and I am allowed to see hidden files and folders. I knew now that it must be hiding itself.

Since the onslaught by Antivirus 2010 was continuing, and I couldn't run Malwarebytes, after looking online I found that there were no files located where all my search results told me to look, which makes me presume that it is a new form of the same program, or a form edited by the attacker. You would think it was all just hidden, but since it's running as av.exe and not AV2010.exe, and there is no Program Files folder made, nor a link on my desktop, this leads me to believe otherwise.

So, the only thing I could think to do was to become more powerful, so I used the trick to get onto the SYSTEM account to see what I could do. That is where I am currently typing this from, after restoring my ability to run applications and relinking the exe association. I re-enabled my firewall, and ever since this reboot started, I have seen no sign of AVG except its running processes, which seem to be doing nothing of use. I have installed Malwarebytes on this account, and its scan found nothing. I installed my antivirus of choice (Nod32) and did a scan that came up with the result
Operating Memory - Trojan.Win32/Olmarik (level 9 risk)
It gave me no option on how to remove it, and online results are also not helping, the same as with the antivirus. After using ESET SysInspector, I found one program that I had never seen before running as sttxsp.exe in C:\Windows\temp\
There was also a module being used by explorer.exe in C:\Program Files\WinRAR\Formats called z.fmt. It also came up, for operating memory, as the Trojan.Win32/Olmarik infection. It also gave me no way to remove it.

I ran a rootkit detector, and it came up that a few things were hooked, but it just found them and didn't give an option to fix them. I haven't restarted my computer since this, since I've been investigating it since then.

My Run\RunOnce\etc. entries are clean of any out-of-place apps.
My Startup folder is completely clean (user and All Users).

I forgot to mention, Internet Explorer isn't working, so I'm using Firefox (which I would be anyway).
Also, Nod32 can't collect its two new updates; it gets halfway and then says the update failed.
Windows Live Messenger also will not connect, and when troubleshooting it says it is a port problem, but cannot repair it.
I have both ESET and Messenger set as exceptions in my firewall, and exceptions are turned on.

So I come to you for help, since I'm not sure where to go from here.


EDIT: Topic moved to a more appropriate forum ~ Elise

UPDATE:
Just a few updates: Firefox no longer works on the admin account at all. Websites don't load. Also, when I open pretty much any application that needs to connect to the internet, it reopens av.exe.

Also, strangely enough, AVG crawled out of a hole, per se, and is now back running on my SYSTEM account.

Edited by Dark_, 26 January 2010 - 10:31 AM.




#2 Dark_ (Topic Starter)

Posted 26 January 2010 - 12:12 PM

I have some good updates for once.

Since I knew av.exe was there, but my computer couldn't see that it was there due to a rootkit, I decided to try to overwrite it. I opened Notepad and saved it blank as av.exe in the location, and lo and behold it asked me if I was sure I wanted to overwrite it, and I did.
After a restart, i didn't get any XP Antivirus 2010 windows, but i did get a lot of something along the lines of
"%FileName% is not a valid Win32 Application"

After closing all the error popups, Explorer for my account started, but I could not run any applications, and would get the same error.

After a quick search, I reset the EXE file type association to applications, and now everything works fine.

So, av.exe is still hidden, but is no longer active.
Win32/Olmarik still comes up in Nod32 as being in Operating Memory,
and I am still getting the random search tabs, and the first 10 links in Google search results go to the same weird search websites.
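The two posts above describe the classic .exe file-association hijack: av.exe was started every time any program was launched (the command line Process Explorer showed in post #1), and zeroing the file out turned every launch into "is not a valid Win32 application" until the association was reset (post #2). Below is an added example, not code from the thread or from any of the tools mentioned, that checks that association and produces the reset. It assumes the Windows default for HKEY_CLASSES_ROOT\exefile\shell\open\command is exactly "%1" %*, and the hijacked sample value is constructed (a hypothetical path in the launcher style the thread describes, not the exact string the poster saw):

```python
"""Detect and undo an .exe file-association hijack of the kind described
in the thread (every launched program first runs the malware).

Added example, not code from the thread. Assumes the Windows default:
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command  (Default) = "%1" %*
A launcher-style hijack replaces that value with the malware path followed
by the original "%1" %*, so each program start goes through the malware;
once the malware binary is zeroed out, every launch instead fails with
"<name> is not a valid Win32 application", which is what post #2 saw.
"""
import re
import sys
from typing import List, Optional

CLEAN_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"exefile\shell\open\command"


def split_windows_command(cmdline: str) -> List[str]:
    """Split a Windows command string into tokens; double quotes group a token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def hijack_launcher(value: str) -> Optional[str]:
    """Return the launcher path if `value` is a hijacked exefile command.

    A hijack is recognised when the command starts with a program path
    (not the %1 placeholder) and still passes the original %1 through.
    """
    tokens = split_windows_command(value.strip())
    if not tokens or tokens[0] == "%1":
        return None
    if tokens[0].lower().endswith(".exe") and "%1" in tokens[1:]:
        return tokens[0]
    return None


def classify_exefile_command(value: str) -> str:
    """'clean', 'hijacked', or 'unexpected' (anything else: inspect by hand)."""
    if value.strip() == CLEAN_EXEFILE_COMMAND:
        return "clean"
    if hijack_launcher(value) is not None:
        return "hijacked"
    return "unexpected"


def read_live_exefile_command() -> Optional[str]:
    """Read the real value on Windows; None elsewhere so the file runs anywhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" names the (Default) value
    return value


def restore_reg_text() -> str:
    """Contents of a .reg file that resets the association (import: regedit /s fix.reg)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
        '@="\\"%1\\" %*"\r\n'
    )


# Constructed sample values (not copied from the thread): the clean default,
# a launcher hijack in the style the thread describes (hypothetical path),
# and a command that is neither.
SAMPLES = {
    "clean": '"%1" %*',
    "hijacked": '"C:\\Documents and Settings\\user\\Local Settings\\'
                'Application Data\\av.exe" /START "%1" %*',
    "unexpected": "%1",
}

if __name__ == "__main__":
    live = read_live_exefile_command()
    rows = [("live", live)] if live is not None else list(SAMPLES.items())
    for label, value in rows:
        verdict = classify_exefile_command(value)
        launcher = hijack_launcher(value)
        extra = f"  -> launcher {launcher}" if launcher else ""
        print(f"{label:>10}: {verdict:<10} {value}{extra}")
    if live is not None and classify_exefile_command(live) != "clean":
        print("Write restore_reg_text() to fix.reg and run: regedit /s fix.reg")
```

Run on a Windows box it reports the live value and, if it is not the default, tells you to import the generated .reg file; run anywhere else it exercises the constructed samples so the logic can be checked offline. The check is deliberately strict: only the exact default is "clean", and a value that is neither the default nor a recognisable launcher is flagged for manual inspection rather than guessed at.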



