

Infected with Olmarik Trojan


  • This topic is locked
2 replies to this topic

#1 synsup

  • Members
  • 2 posts

Posted 10 June 2010 - 08:09 AM

Hi,

A few weeks ago I was given a laptop that was causing its user some problems. After a brief look it was clear that at the very least the machine was infected with some spyware. So out came the trusted Malwarebytes Anti-Malware scanner, which removed a significant number of trojans and other malicious files and registry entries. After rebooting I thought that would be that; however, the resident AV software provided by ESET picked up an Olmarik Trojan in Operating Memory, which it was unable to clean. I have used a number of offline and online scanners to try and remove this problem, as although it does not at present appear to be interfering with the machine's performance, investigating the trojan suggests it is in the habit of downloading additional malware over time, which is obviously not a good thing. However, every time I use the ESET software to scan the Operating Memory, back comes the same outcome, with the Olmarik Trojan detected but unable to be removed.

I would like to avoid an OS reinstall as that would feel like defeat, and have noticed that this site has a very good success rate with this sort of problem. Any help would be appreciated greatly.

Unfortunately GMER crashes every time I have run it unless done in safe mode, so this is the only way I can post a log at present.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Wembley at 17:00:22.84 on 09/06/2010
Internet Explorer: 7.0.6000.17037
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.44.1033.18.1919.1341 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\ffc19bc7-2490-455f-8120-fb4f525c2479.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\support\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=none&bd=smb&pf=laptop
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: ja-glover.co.uk\mail
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: {15887E6E-59E1-4A2E-B554-CFF33C879810} = 10.1.0.10,208.67.222.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-6-28 179712]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-11-2 22016]
S2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-11-2 22016]
S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-8-7 24880]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-6-28 540448]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-06-09 15:25:06 0 d-----w- c:\program files\Belarc
2010-06-09 14:30:23 0 d-----w- C:\$RECYCLE.BIN
2010-06-09 14:08:02 98816 ----a-w- c:\windows\sed.exe
2010-06-09 14:08:02 77312 ----a-w- c:\windows\MBR.exe
2010-06-09 14:08:02 256512 ----a-w- c:\windows\PEV.exe
2010-06-09 14:08:02 161792 ----a-w- c:\windows\SWREG.exe
2010-06-09 14:01:24 3704641 ----a-r- C:\Combo-Fix.exe
2010-06-09 08:57:45 0 d-----w- C:\bluescreenview
2010-05-28 08:36:20 0 d-----w- c:\program files\CCleaner
2010-05-28 08:27:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-28 08:27:45 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-28 08:27:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-28 08:27:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-28 08:27:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-05-28 08:27:15 0 d-----w- c:\users\wembley\appdata\roaming\Simply Super Software
2010-05-28 08:27:15 0 d-----w- c:\programdata\Simply Super Software
2010-05-28 08:27:15 0 d-----w- c:\program files\Trojan Remover
2010-05-28 08:06:23 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-28 08:05:52 0 d-----w- c:\users\wembley\appdata\roaming\SUPERAntiSpyware.com
2010-05-28 08:05:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-28 08:05:14 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-28 07:42:13 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-28 06:47:59 172 ----a-w- c:\windows\system32\MRT.INI
2010-05-28 06:40:35 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-28 06:37:37 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-28 06:37:33 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-28 06:37:32 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-27 13:23:10 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-27 13:23:05 389120 ----a-w- c:\windows\system32\html.iec
2010-05-27 13:17:52 472576 ----a-w- c:\windows\system32\secproc.dll
2010-05-27 13:17:51 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-05-27 13:17:46 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-05-27 13:17:46 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-05-27 13:17:46 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-05-27 13:17:46 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-05-27 13:17:45 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-05-27 13:17:44 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-05-27 13:17:44 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-05-27 13:11:27 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-27 13:11:26 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-27 13:09:08 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-27 13:09:08 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-27 13:09:07 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-27 13:08:52 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-05-27 13:07:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-27 12:52:26 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-05-27 12:52:26 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-05-27 12:52:09 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-27 12:52:07 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-27 12:52:07 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-27 12:52:03 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-05-27 12:52:02 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-05-27 12:52:01 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-05-27 12:31:18 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-05-27 12:31:17 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-27 12:31:12 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-27 12:31:10 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-27 12:31:07 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-27 12:31:06 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-27 12:31:05 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-27 12:31:03 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-05-27 12:31:02 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-27 12:31:01 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-27 11:48:45 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-27 11:48:16 97792 ----a-w- c:\windows\system32\cabview.dll
2010-05-27 11:23:12 0 d-----w- c:\windows\pss
2010-05-27 10:23:33 0 d-----w- C:\support
2010-05-27 09:39:39 0 d--h--w- c:\windows\PIF
2010-05-27 09:28:14 0 d-----w- c:\users\wembley\appdata\roaming\Malwarebytes
2010-05-27 09:28:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 09:28:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 09:28:08 0 d-----w- c:\programdata\Malwarebytes
2010-05-27 09:28:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 10:42:15 24576 ----a-w- c:\windows\system32\stu2.exe

==================== Find3M ====================

2009-01-30 17:39:20 174 --sha-w- c:\program files\desktop.ini
2008-10-20 07:01:19 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-10-20 07:01:19 86016 ----a-w- c:\windows\inf\infstor.dat
2008-10-20 07:01:19 51200 ----a-w- c:\windows\inf\infpub.dat
2008-06-19 06:56:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:04:09.50 ===============


Edited by synsup, 11 June 2010 - 03:33 AM.
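An added example, not a tool from this thread or from BleepingComputer: a short Python triage script for the kind of DDS output posted above. It parses the section layout DDS uses (the Pseudo HJT Report, the SERVICES / DRIVERS list and Created Last 30) and pulls out what a helper reads first when a scanner reports something "in operating memory" that it cannot tie to a file, which usually means code loaded by a driver or pushed into processes from a registry load point: orphaned BHO/toolbar entries ("No File"), the AppInit_DLLs, Notify and SEH load points, weakened UAC policy (PromptOnSecureDesktop = 0 turns off the secure desktop for elevation prompts), boot- or system-start drivers and .sys files living outside \drivers\, and executables written under c:\windows in the last 30 days. The category names and the heuristics are my own, and a hit means "look at this", not "malicious": on the excerpt of the posted log embedded in the script most hits are ESET's ehdrv, SUPERAntiSpyware's driver and hooks, and the MBR.exe written a few minutes after Combo-Fix.exe was downloaded.

```python
"""DDS-log triage.  Added example, not a BleepingComputer tool and not part of
the thread.  Parses the three DDS sections a helper reads first and returns
review items.  A hit means "look at this", not "malicious": on the excerpt
below most hits are ESET, SUPERAntiSpyware and ComboFix components."""
import re
from dataclasses import dataclass

# Excerpt of the log posted above (shortened, paths unchanged).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-6-28 179712]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]

=============== Created Last 30 ================

2010-06-09 14:08:02 77312 ----a-w- c:\windows\MBR.exe
2010-05-28 08:27:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-28 08:06:23 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-20 10:42:15 24576 ----a-w- c:\windows\system32\stu2.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[(\S+) (\d+)\]$")
CREATED_RE = re.compile(r"^(\S+ \S+) (\d+) (\S{8}) (.+)$")
GLOBAL_LOAD_POINTS = ("AppInit_DLLs:", "Notify:", "SEH:")  # DLL into every process / winlogon
UAC_OFF_RE = re.compile(r"(PromptOnSecureDesktop|EnableLUA|ConsentPromptBehaviorAdmin) = 0\b")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")

@dataclass(frozen=True)
class Finding:
    category: str
    detail: str

def split_sections(text):
    """Map each '==== Title ====' header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def triage_hjt(lines):
    out = []
    for line in lines:
        if line.endswith(" - No File"):        # registry points at a file that is gone
            out.append(Finding("orphaned-entry", line))
        elif line.startswith(GLOBAL_LOAD_POINTS):
            out.append(Finding("global-load-point", line))
        elif line.startswith("mPolicies-system:") and UAC_OFF_RE.search(line):
            out.append(Finding("uac-weakened", line))
    return out

def triage_drivers(lines):
    """Start type 0/1 loads before any user-mode scanner runs; a .sys outside
    \\drivers\\ is unusual enough to check who signed it."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, start, name, _disp, path, _date, _size = m.groups()
        low = path.lower()
        if start in ("0", "1") or (low.endswith(".sys") and "\\drivers\\" not in low):
            out.append(Finding("early-or-relocated-driver", f"{state}{start} {name} -> {path}"))
    return out

def triage_created(lines):
    """Executables written under c:\\windows in the last 30 days."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, _size, attrs, path = m.groups()
        low = path.lower()
        if attrs[0] != "d" and low.startswith("c:\\windows\\") and low.endswith(BINARY_EXT):
            out.append(Finding("new-binary-in-windows-dir", f"{when} {path}"))
    return out

def triage(text):
    s = split_sections(text)
    return (triage_hjt(s.get("Pseudo HJT Report", []))
            + triage_drivers(s.get("SERVICES / DRIVERS", []))
            + triage_created(s.get("Created Last 30", [])))
```

To use it on a real log, call `triage(open("dds.txt").read())` and print each Finding; on the excerpt it returns eleven items (two orphaned entries, one weakened UAC policy, three global load points, two system-start drivers and three new binaries under c:\windows). Whether a hit matters still comes down to checking the vendor and signature of the flagged file, which is exactly the step a memory-only detection forces you to do by hand.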



#2 synsup

  • Topic Starter
  • Members
  • 2 posts

Posted 14 June 2010 - 09:33 AM

I wasn't given the time to resolve this infection, so I ended up reformatting.

#3 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts

Posted 15 June 2010 - 05:38 AM

I'm sorry to hear that, but I hope things are running fine now.

I will close this topic now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft




