Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5310
  • Last Modified:

Removal tools for Keylog-Ardamax.dll, W32/Autorun.worm.gen!job, Generic!atr

My laptop infected by these virus and Trojan as mention below.

1) Keylog-Ardamax.dll,
2) W32/Autorun.worm.gen!job,
3)  Generic!atr

Kindly see the attach file for hijackthis log, Combofix.log and SDfix.log


After-combofix-and-SDfix-run-hij.log
Beforehijackthis.log
Comofix.log
SDFIX.log
0
rajasekarramasamy
Asked:
rajasekarramasamy
1 Solution
 
cholmskovCommented:

http://www.scanspyware.net/info/Ardamax.htm

Delete the following directories

%programsdir%\ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
%programfilesdir%\NSK
Ardamax Keylogger
%programfilesdir%\ARDAMAX KEYLOGGER LITE
 

Delete the following files

NSK.00*
AKV.EXE
NSK.EXE
QS.HTML
%programfilesdir%\NSK\TRAY.GIF
MENU.GIF
%programfilesdir%\NSK\NSK.CHM
LICENSE.TXT
%programfilesdir%\NSK\UNINSTALL.EXE
kh.dll
il.dll
akl.exe
%programfilesdir%\Ardamax Keylogger\AKV.exe
%programfilesdir%\Ardamax Keylogger\qs.html
%programfilesdir%\Ardamax Keylogger\AKL.chm
akl.001
akl.002
%programfilesdir%\Ardamax Keylogger\akv.ini
tray.gif
menu.gif
license.txt
%programfilesdir%\Ardamax Keylogger\Uninstall.exe
KH.DLL
%programfilesdir%\ARDAMAX KEYLOGGER LITE\AKL.CHM
AKL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\akl.klf
UNINSTALL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\LICENSE_LITE.TXT
HELP.LNK
%programsdir%\ARDAMAX KEYLOGGER\LOG VIEWER.LNK
%programsdir%\ARDAMAX KEYLOGGER\ARDAMAX KEYLOGGER.LNK
%programsdir%\ARDAMAX KEYLOGGER LITE\HELP.LNK
ARDAMAX KEYLOGGER LITE.LNK
 

Delete the following registry keys

ARDAMAX KEYLOGGER LITE
akl.exe
ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
 

Delete the following registry values

NSK


Also do the following:

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

www.ewido.net/en

Update it and run a complete scan.

Check out to make sure you don't have any viruses as well:

housecall.trendmicro.com

www.pandasoftware.com/activescan
0
 
Mohammed HamadaSenior IT ConsultantCommented:
Fix these items from your hijackthis list.
C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE

This process is one of compuware software component to remove trojans/keyloggers.. but it actually affects your pc by installing some unwanted files.

O4 - HKCU\..\Run: [NMDBInfo] C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE /Automation

Then follow removal as it applies to the Mcafee Enterprise antivirus installed on your computer....

http://vil.nai.com/vil/pups/configuration.aspx

0
 
rajasekarramasamyAuthor Commented:
Hi cholmskov,

In my laptop there is no " ARDAMAX" directory and files as u mention mention above.

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
cholmskovCommented:
Then are you sure it's still there rajase ?, that the antivirus didnt remove it ??

Could you run a new hijackthis and post it please ?
0
 
rajasekarramasamyAuthor Commented:
HI cholmskov,

Check my new hijackthis log file from attach file.
hijackthis.log
0
 
rpggamergirlCommented:
Do you use Remote Admin (Radmin)? I don't see it in your Hijackthis log, but Gmer catchme is detecting Radmin reg entries which it can't enumerate completely as shown in the SDFix log.

If you don't use Radmin, then I would delete the relevant reg entries --> [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
As it could be these nasties:
http://www.ggreat.com/virnews/Worm@W32.Rahack-e.htm
http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-101410-2713-99
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453096740


I would also delete this key:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2db1b1fc-4198-11dd-bb71-00085c871838}]
G:\regsvr.exe <-- and this.


And I would run this tool, the tool also creates a harmless autorun.inf in every partition to stop the malicious autorun.inf from being created.
Download and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now