PDA

View Full Version : Win32/Olmarik trojan


Adolfo
2009-09-18, 20:26
Hello all.

I am unable to get rid of Win32/Olmarik.

My ESET NOD32 has detected it, together with Win32/Kryptik.ZS, but it is unable to clean the first.

I have tried Spybot Search and Destroy, Malwarebytes and Spyware Doctor, but I have not been able to clean the computer.

Could anybody please help me? I would be very grateful.

Thank you in advance for your help.

I have already made a copy of my system registry with ERUNT

This is my HJT registry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:33, on 18/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\acer\eRecovery\Monitor.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=c:\windows\explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SmartRAM] "C:\Archivos de programa\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Archivos de programa\ERUNT\AUTOBACK.EXE
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsSvc.exe

--
End of file - 4354 bytes
Blade81
2009-09-22, 09:18
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
Adolfo
2009-09-23, 10:46
Hello.

Thank you for the replay.

Finally, I decided to re-install the operative system after things got worse during the weekend.

Thank you very much for the reply, and sorry for not advice before.

Adolfo
Blade81
2009-09-23, 15:36
Ok. Thanks for letting us know.

I'll close this one.