Solved

Removal tools for Keylog-Ardamax.dll, W32/Autorun.worm.gen!job, Generic!atr

Posted on 2008-06-24
6
5,282 Views
Last Modified: 2013-12-06
My laptop infected by these virus and Trojan as mention below.

1) Keylog-Ardamax.dll,
2) W32/Autorun.worm.gen!job,
3)  Generic!atr

Kindly see the attach file for hijackthis log, Combofix.log and SDfix.log


After-combofix-and-SDfix-run-hij.log
Beforehijackthis.log
Comofix.log
SDFIX.log
0
Comment
Question by:rajasekarramasamy
6 Comments
 
LVL 3

Expert Comment

by:cholmskov
ID: 21863578

http://www.scanspyware.net/info/Ardamax.htm

Delete the following directories

%programsdir%\ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
%programfilesdir%\NSK
Ardamax Keylogger
%programfilesdir%\ARDAMAX KEYLOGGER LITE
 

Delete the following files

NSK.00*
AKV.EXE
NSK.EXE
QS.HTML
%programfilesdir%\NSK\TRAY.GIF
MENU.GIF
%programfilesdir%\NSK\NSK.CHM
LICENSE.TXT
%programfilesdir%\NSK\UNINSTALL.EXE
kh.dll
il.dll
akl.exe
%programfilesdir%\Ardamax Keylogger\AKV.exe
%programfilesdir%\Ardamax Keylogger\qs.html
%programfilesdir%\Ardamax Keylogger\AKL.chm
akl.001
akl.002
%programfilesdir%\Ardamax Keylogger\akv.ini
tray.gif
menu.gif
license.txt
%programfilesdir%\Ardamax Keylogger\Uninstall.exe
KH.DLL
%programfilesdir%\ARDAMAX KEYLOGGER LITE\AKL.CHM
AKL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\akl.klf
UNINSTALL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\LICENSE_LITE.TXT
HELP.LNK
%programsdir%\ARDAMAX KEYLOGGER\LOG VIEWER.LNK
%programsdir%\ARDAMAX KEYLOGGER\ARDAMAX KEYLOGGER.LNK
%programsdir%\ARDAMAX KEYLOGGER LITE\HELP.LNK
ARDAMAX KEYLOGGER LITE.LNK
 

Delete the following registry keys

ARDAMAX KEYLOGGER LITE
akl.exe
ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
 

Delete the following registry values

NSK


Also do the following:

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

www.ewido.net/en

Update it and run a complete scan.

Check out to make sure you don't have any viruses as well:

housecall.trendmicro.com

www.pandasoftware.com/activescan
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21864583
Fix these items from your hijackthis list.
C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE

This process is one of compuware software component to remove trojans/keyloggers.. but it actually affects your pc by installing some unwanted files.

O4 - HKCU\..\Run: [NMDBInfo] C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE /Automation

Then follow removal as it applies to the Mcafee Enterprise antivirus installed on your computer....

http://vil.nai.com/vil/pups/configuration.aspx

0
 

Author Comment

by:rajasekarramasamy
ID: 21880894
Hi cholmskov,

In my laptop there is no " ARDAMAX" directory and files as u mention mention above.

0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 3

Expert Comment

by:cholmskov
ID: 21881257
Then are you sure it's still there rajase ?, that the antivirus didnt remove it ??

Could you run a new hijackthis and post it please ?
0
 

Author Comment

by:rajasekarramasamy
ID: 21882602
HI cholmskov,

Check my new hijackthis log file from attach file.
hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
ID: 21888496
Do you use Remote Admin (Radmin)? I don't see it in your Hijackthis log, but Gmer catchme is detecting Radmin reg entries which it can't enumerate completely as shown in the SDFix log.

If you don't use Radmin, then I would delete the relevant reg entries --> [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
As it could be these nasties:
http://www.ggreat.com/virnews/Worm@W32.Rahack-e.htm
http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-101410-2713-99
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453096740


I would also delete this key:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2db1b1fc-4198-11dd-bb71-00085c871838}]
G:\regsvr.exe <-- and this.


And I would run this tool, the tool also creates a harmless autorun.inf in every partition to stop the malicious autorun.inf from being created.
Download and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

12 Steps to a more secure Internet experience (http://tekblog.teksquisite.com/) Everyone who is a licensed driver initially had to pass a driving test that consisted of taking:    1. a written test    2. a road test    3. a vision test Le…
PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question