Olmarik.RF Trojan Virus

Slid · Dec 4, 2009

Located in: C:\WINDOWS\System32\DRIVERS\atapi.sys
Size: 96512
Reason: Win32/Olmarik.RF virus
Count: 2

That's what I get when I scan my PC with ESET NOD32 Antivirus, and Malwarebytes Anti-Malware. I think it is also blocking my Internet connection, because no browser or program I have can acess the Internet. Please help =\

TimW · Dec 6, 2009

Welcome to Major Geeks!
First try this:

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.

Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

Follow the instructions to type in "delete" when it asks you what to do when if finds something.

When done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents in your next reply.

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****

Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.

To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

Slid · Dec 6, 2009

I will not be able to post the logs till Friday, sorry.
I understand what to do and I will do it as soon as possible.

TimW · Dec 8, 2009

Not a problem. I will be here.

Slid · Dec 11, 2009

19:19:55:29 5020 ForceUnloadDriver: NtUnloadDriver error 2
19:19:55:29 5020 ForceUnloadDriver: NtUnloadDriver error 2
19:19:55:29 5020 ForceUnloadDriver: NtUnloadDriver error 2
19:19:55:29 5020 main: Driver KLMD successfully dropped
19:19:55:49 5020 main: Driver KLMD successfully loaded
19:19:55:49 5020
Scanning Registry ...
19:19:55:109 5020 ScanServices: Searching service UACd.sys
19:19:55:109 5020 ScanServices: Open/Create key error 2
19:19:55:109 5020 ScanServices: Searching service TDSSserv.sys
19:19:55:109 5020 ScanServices: Open/Create key error 2
19:19:55:109 5020 ScanServices: Searching service gaopdxserv.sys
19:19:55:109 5020 ScanServices: Open/Create key error 2
19:19:55:109 5020 ScanServices: Searching service gxvxcserv.sys
19:19:55:109 5020 ScanServices: Open/Create key error 2
19:19:55:109 5020 ScanServices: Searching service MSIVXserv.sys
19:19:55:109 5020 ScanServices: Open/Create key error 2
19:19:55:119 5020 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
19:19:55:119 5020 UnhookRegistry: Kernel local addr: A40000
19:19:55:179 5020 UnhookRegistry: KeServiceDescriptorTable addr: AC3220
19:19:55:259 5020 UnhookRegistry: KiServiceTable addr: A4B6A8
19:19:55:259 5020 UnhookRegistry: NtEnumerateKey service number (local): 47
19:19:55:259 5020 UnhookRegistry: NtEnumerateKey local addr: ADC5A4
19:19:55:269 5020 KLMD_OpenDevice: Trying to open KLMD device
19:19:55:269 5020 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
19:19:55:269 5020 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
19:19:55:269 5020 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
19:19:55:269 5020 UnhookRegistry: NtEnumerateKey service number (kernel): 47
19:19:55:269 5020 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
19:19:55:269 5020 UnhookRegistry: NtEnumerateKey real addr: 805735A4
19:19:55:269 5020 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
19:19:55:269 5020 UnhookRegistry: No SDT hooks found on NtEnumerateKey
19:19:55:269 5020 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]
19:19:55:269 5020 UnhookRegistry: Splicing found on NtEnumerateKey
19:19:55:269 5020 KLMD_WriteMem: Trying to WriteMemory 0x805735A4[0xA]
19:19:55:269 5020 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
19:19:55:269 5020
Hidden service detected: seneka
Type "delete" (without quotes) to delete it: 19:20:15:198 5020
19:20:15:198 5020 DeleteEvilService: seneka: ImagePath = C:\WINDOWS\system32\drivers\senekakgfjojat.sys
19:20:15:198 5020 File C:\WINDOWS\system32\drivers\senekakgfjojat.sys will be deleted on next reboot
19:20:15:198 5020 RegNode SYSTEM\CurrentControlSet\Services\seneka will be deleted on next reboot
19:20:15:198 5020
Scanning Kernel memory ...
19:20:15:198 5020 KLMD_OpenDevice: Trying to open KLMD device
19:20:15:198 5020 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
19:20:15:198 5020 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:20:15:208 5020 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86FA64A0
19:20:15:208 5020 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
19:20:15:208 5020 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86FDD030
19:20:15:208 5020 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FDD030
19:20:15:208 5020 KLMD_ReadMem: Trying to ReadMemory 0x86FDD030[0x38]
19:20:15:208 5020 DetectCureTDL3: DRIVER_OBJECT addr: 86FA64A0
19:20:15:208 5020 KLMD_ReadMem: Trying to ReadMemory 0x86FA64A0[0xA8]
19:20:15:208 5020 KLMD_ReadMem: Trying to ReadMemory 0xE17E8FE0[0x208]
19:20:15:208 5020 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:20:15:208 5020 DetectCureTDL3: IrpHandler (0) addr: F7569BB0
19:20:15:208 5020 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (2) addr: F7569BB0
19:20:15:208 5020 DetectCureTDL3: IrpHandler (3) addr: F7563D1F
19:20:15:208 5020 DetectCureTDL3: IrpHandler (4) addr: F7563D1F
19:20:15:208 5020 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (9) addr: F75642E2
19:20:15:208 5020 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (14) addr: F75643BB
19:20:15:208 5020 DetectCureTDL3: IrpHandler (15) addr: F7567F28
19:20:15:208 5020 DetectCureTDL3: IrpHandler (16) addr: F75642E2
19:20:15:208 5020 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (22) addr: F7565C82
19:20:15:208 5020 DetectCureTDL3: IrpHandler (23) addr: F756A99E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:20:15:208 5020 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:20:15:208 5020 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
19:20:15:208 5020 KLMD_ReadMem: DeviceIoControl error 1
19:20:15:208 5020 TDL3_StartIoHookDetect: Unable to get StartIo handler code
19:20:15:208 5020 TDL3_FileDetect: Processing driver: Disk
19:20:15:208 5020 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
19:20:15:208 5020 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
19:20:15:208 5020 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
19:20:15:218 5020 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86FA7AB8
19:20:15:218 5020 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FA7AB8
19:20:15:218 5020 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86FCE4D0
19:20:15:218 5020 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FCE4D0
19:20:15:218 5020 KLMD_ReadMem: Trying to ReadMemory 0x86FCE4D0[0x38]
19:20:15:218 5020 DetectCureTDL3: DRIVER_OBJECT addr: 86F9F628
19:20:15:218 5020 KLMD_ReadMem: Trying to ReadMemory 0x86F9F628[0xA8]
19:20:15:218 5020 KLMD_ReadMem: Trying to ReadMemory 0xE17795A0[0x208]
19:20:15:218 5020 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:20:15:218 5020 DetectCureTDL3: IrpHandler (0) addr: F74966F2
19:20:15:218 5020 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (2) addr: F74966F2
19:20:15:218 5020 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (14) addr: F7496712
19:20:15:218 5020 DetectCureTDL3: IrpHandler (15) addr: F7492852
19:20:15:218 5020 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (22) addr: F749673C
19:20:15:218 5020 DetectCureTDL3: IrpHandler (23) addr: F749D336
19:20:15:218 5020 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
19:20:15:218 5020 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
19:20:15:218 5020 KLMD_ReadMem: Trying to ReadMemory 0xF7493864[0x400]
19:20:15:218 5020 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
19:20:15:218 5020 TDL3_FileDetect: Processing driver: atapi
19:20:15:228 5020 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
19:20:15:228 5020 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
19:20:15:228 5020 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
19:20:15:248 5020
Completed

Results:
19:20:15:248 5020 Infected objects in memory: 0
19:20:15:248 5020 Cured objects in memory: 0
19:20:15:248 5020 Infected objects on disk: 1
19:20:15:248 5020 Objects on disk cured on reboot: 0
19:20:15:248 5020 Objects on disk deleted on reboot: 1
19:20:15:258 5020 Registry nodes deleted on reboot: 1
19:20:15:258 5020

Thank you, sorry it took a while.

TimW · Dec 13, 2009

Please read this:
HOW TO: Attach Items To Your Post

I need the other requested logs from running the Read and Run First instructions I gave you a link to.

Log in or Sign up

Olmarik.RF Trojan Virus

Slid Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Slid Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Slid Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member