"Malicious software warning", then costant BSODs

piemanmoo said:

yesterday everything was good and fine, when suddenly I got a bubble notification saying there was a possibly of some malicious software.

Since the PC seems to be crashing in about a minute or so, obviously you won't be able to do a normal AV scan. So:

Boot into safe mode - with networking (to give you internet access)

open a browser and run:

ESET Online Virus Scanner | ESET

And see if it picks up any nasties.

Also download and install MBAM


Run MBAM in safemode as well.


The crash dumps all show system files which doesn't point to a specific culprit. Essentially the BSOD code doesn't matter that much.


See how you go after running the scans.

MBAM found a few threats, but choosing to delete them required me to restart, lauching windows out of safemode where it thereupon crashed again.


As for the online scan, it also found some threats, listed below:

C:\ProgramData\Microsoft\Windows\DRM\AAC1.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\AAC2.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\CFE1.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\CFE2.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KS trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.04.2012_23.31.54\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined


I will give it a try in normal mode and see if this time it's fixed anything
edit- It did not

Fair chance it's still infected.

With the mbam threats, just let it detect them in safemode and then you can manually navigate and delete the threats yourself, rather than having mbam fail in normal mode.



It might be a good idea to have this thread moved to the security area where the folks are more used to cleaning systems might have a few more ideas on how to remove the infection.

(My personal method would be to back up my data and then do a fresh installation. However that method is not for everyone).

Good to hear mate. Fingers crossed that's nailed it :)