Hello, For a while now on my desktop computer ESET antivirus has detected the threat "Win32/Olmarik.TDL3 Trojan", and when I try to clean it nothing happens. I can't seem to run ESET in safe mode, and a removal tool I downloaded from ESET's website won't run at all. Thanks for your time, I'm worried that this is sending out private information and destroying my family's computer! Z
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Hi there and welcome to PCHF. Please click on the Pre-Work link below in my signature and follow the process.
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
I've attached the requested logs. Thanks! As for symptoms with the computer, it has a blank grey screen when booting up and I've noticed a blank white screen when shutting down; I'm not sure if it's related to the trojan. After logging in ESET does a start up scan and finds the Olmarik trojan (under name it says "Operating Memory", and under threat it says "Win32/Olmarik.TDL3 Trojan"), but when I try to clean it nothing happens.
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Download this file, http://support.kaspersky.com/downloads/utils/tdsskiller.zip and extract TDSSKiller.exe to your Desktop. Execute TDSSKiller.exe by double-clicking on it. You may be prompted to restart your machine. Type Y at the prompt. Once complete, a log will be produced at root. It will be named UtilityName.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt. Attach that log here please.
============================
Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.
You can get help on disabling your protection programs here: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Please include the C:\ComboFix.txt in your next reply for further review.
Caution..... Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Here are the two logs. When I ran ComboFix, it warned me the AVG Antivirus was still running. As far as I know, AVG is not installed on the computer, and I couldn't find any trace of it. I ran it anyway, I hope that's ok. Thanks.

ComboFix 11-08-24.06 - Owner 08/24/2011 19:38:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.586 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus 7.0.308 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kambly\My Documents\155.wpd
c:\documents and settings\Owner\My Documents\~WRL0004.tmp
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\comct332.ocx
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\Desktopicon\uninstall.exe
c:\windows\system32\hjgruixdltqsio.dat
c:\windows\system32\regobj.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_HJGRUIJBOMPPTM
-------\Legacy_PCMSTUB
-------\Legacy_SVCHOST
-------\Service_6to4
-------\Service_hjgruijbompptm
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-24 23:30 . 2011-08-24 23:30 94768 ----a-w- c:\windows\system32\drivers\39326000.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-08-20 01:54 . 2011-06-12 04:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"Amazing3DAquariumWallpaper"="" [BU]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2003-01-30 311296]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2009-04-19 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [BU]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\System32\sti_ci.dll" [2003-07-16 130560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [11/29/2009 12:04 AM 22360]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/5/2009 8:56 AM 114768]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [11/29/2009 12:04 AM 45416]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/29/2009 12:04 AM 108289]
S2 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"c:\program files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update --> c:\program files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE [?]
S3 Dot4Usb HPH09ot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 7:55 PM 18864]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 76003140
*NewlyCreated* - ASWMBR
*Deregistered* - 76003140
*Deregistered* - aswMBR
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cb79uxep.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
SafeBoot-36722555.sys
AddRemove-Sega Smash Pack - c:\sega\Smash Pack\Uninst.isu
AddRemove-eBay Shortcuts - c:\documents and settings\Owner\Application Data\Desktopicon\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 19:44
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\tsk11E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="0132787B4DEA7D3D"
"ScannerBuild"=dword:00001672
"ScannerVersionId"=dword:00001175
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000009
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\ODBC32.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
- - - - - - - > 'lsass.exe'(760)
c:\windows\System32\dssenh.dll
.
Completion time: 2011-08-24 19:46:56
ComboFix-quarantined-files.txt 2011-08-24 23:46
.
Pre-Run: 18,128,154,624 bytes free
Post-Run: 18,170,863,616 bytes free
.
- - End Of File - - AA07F5F3BEEEB2E1D2862B4ED9F9B820
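As an added example (not from this thread, ComboFix or any of the tools mentioned), here is a small Python checker that scans a ComboFix-style log for the kinds of entries the helper acts on in the log above: a cluster of At*.job scheduled tasks, a user proxy pointed at loopback, a service whose ImagePath ends in something other than a driver or executable, and service entries ComboFix removed. The sample lines are constructed to resemble this thread's log, and the categories and the At-job threshold are assumptions of the example.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (sample only, not the full log).
SAMPLE_LOG = """\
c:\\windows\\Tasks\\At1.job
c:\\windows\\Tasks\\At2.job
c:\\windows\\Tasks\\At3.job
-------\\Legacy_HJGRUIJBOMPPTM
-------\\Service_hjgruijbompptm
uInternet Settings,ProxyServer = http=127.0.0.1:5555
[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\atapi]
"ImagePath"="system32\\drivers\\tsk11E.tmp"
"""

AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.I)
PROXY = re.compile(r"ProxyServer\s*=\s*\S*?(127\.0\.0\.1|localhost)(?::(\d+))?", re.I)
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="([^"]+)"$', re.I)
REMOVED_SVC = re.compile(r"^-+\\(?:Legacy|Service)_([A-Za-z0-9]+)$")


def findings(log_text, at_job_threshold=3):
    """Return (category, detail) tuples for log entries worth a second look."""
    out = []
    at_jobs = 0
    seen_services = set()
    pending_service = None  # service key whose ImagePath line we expect next
    for raw in log_text.splitlines():
        line = raw.strip()
        if AT_JOB.search(line):
            at_jobs += 1
            continue
        m = PROXY.search(line)
        if m:  # browser traffic routed through a local listener
            out.append(("proxy-loopback", f"{m.group(1)}:{m.group(2) or '?'}"))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            pending_service = m.group(1)
            continue
        m = IMAGE_PATH.match(line)
        if m and pending_service:
            path = m.group(1)
            if not path.lower().endswith((".sys", ".exe")):
                out.append(("driver-image-odd-ext", f"{pending_service} -> {path}"))
            pending_service = None
            continue
        m = REMOVED_SVC.match(line)
        if m:  # Legacy_/Service_ pairs are reported once per service name
            name = m.group(1).lower()
            if name not in seen_services:
                seen_services.add(name)
                out.append(("removed-service", name))
    if at_jobs >= at_job_threshold:
        out.append(("scheduled-at-jobs", str(at_jobs)))
    return out


if __name__ == "__main__":
    for category, detail in findings(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```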
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Ok. How are things now? We will just run these two...
I need to make sure your Master Boot Record has been restored.
Download Gmer's mbr.exe to your desktop http://www2.gmer.net/mbr/mbr.exe
mbr.exe MUST be on your desktop to complete the following.
Highlight and copy the following command.
"%userprofile%\desktop\mbr.exe" -f
Click Start>Run, paste the command in the Run dialog then hit enter.
After the fix runs please reboot the computer.
Please post the log it produces
==========================
Please download Malwarebytes' Anti-Malware from one of these places: Majorgeeks or Besttechie
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Upon start up there was no detection of the Olmarik trojan by ESET, so that's good news. I ran the mbr.exe with the command, it went very quickly and seems positive. The log is attached. I set up and updated Malwarebytes, but when I ran the quick scan it went for 1min 10sec and then crashed. It had scanned just over 30,000 objects. When I tried to do anything with it, it stopped responding. (I tried Malwarebytes in the past and the same thing would happen, even in safe mode I think, sorry I didn't mention this before) I'm running a quick scan with ESET now, so far no sign of the trojan, it found it almost instantly before. Thanks for all the help! Please let me know if there is anything else I can do or if there is any way to get Malwarebytes working!
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Looks as if there will be no need for Malwarebytes. All done, I see no more malware. Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.
Go to: Start > Run then copy and paste the following highlighted (blue) text below into the box and click OK.
ComboFix /uninstall
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.
Please download OTC to your desktop.
Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.
Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
Afterwork Malware Prevention
How Did I Get Infected
More Tips on Prevention
=============================
You will need to install the Windows Recovery Console. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you, now and in the future, in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Download the file from this Microsoft page:
For XP Home >> http://www.microsoft.com/downloads/...07-99F7-4A2D-983D-81C2137FF464&displaylang=en
For XP Pro >> http://www.microsoft.com/downloads/...8D-5E10-49B5-B80C-0A0205368124&displaylang=en
Do not be concerned that this file is for SP2 and you have SP3. It will work just fine on your system.
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
I will begin removing all of the tools shortly. I'm reading the links you posted so I can best keep my computer defended in the future. Thanks again for all the assistance. I know I am supposed to keep Windows updated, but when I select Windows Update in the Control Panel it brings me to a Microsoft website saying that I have an outdated service pack. I have been unable to update my version of Windows with the latest (or any more recent) service pack. I've tried following Microsoft's guides and I've tried multiple downloads from trusted websites and none of them are working. I have Service Pack 1, but I can't seem to install 1a, 2, or 3. I read that 3 needed 1a or 2 to be installed. I believe when I was trying to install 1a it said something about cryptographic tools not being installed, and when I tried to open Administrative Tools in the Control Panel to enable said cryptographic tools nothing comes up. Sorry for bringing up more issues! I'll keep trying to get the updates working!
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
As you are not running Service Pack 2/3 we will save and run this download. It will copy the results to your clipboard. Will you copy and paste them back here please?
http://go.microsoft.com/fwlink/?linkid=52012
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
Here is the screenshot of the results from that test. Thanks!
Edit - Sorry if you wanted the text instead of the screenshot, I wasn't logged in and read different instructions. I can run it again and copy the text if that would make things easier, thanks!
Re: Win32/Olmarik.TDL3 Trojan cannot be removed with ESET Antivir
You indicate that you are unable to download any updates?
First I would like you to visit: http://support.microsoft.com/ph/9860 . This site is the Windows Genuine Advantage Solution Center and may provide you with recommendations for resolving your situation.
Next visit the following site and validate your computer @ http://www.genuine.com/genuine . Next click on "Validate Windows" in the upper right hand corner. Please follow the guidance and restart your computer. Try and update your computer again. What happens? Please provide any error codes or statements surrounding any validation failures and post back to us in this thread.
Should this not resolve your problem please run the MGA diagnostic test and post the results. Below will provide you with guidance:
Download and run the utility at this link http://go.microsoft.com/fwlink/?linkid=52012 , then click the Windows tab, Copy to Clipboard, then paste the report into a New Post on this Forum.