Solved

Removal tools for Keylog-Ardamax.dll, W32/Autorun.worm.gen!job, Generic!atr

Posted on 2008-06-24
6
5,276 Views
Last Modified: 2013-12-06
My laptop infected by these virus and Trojan as mention below.

1) Keylog-Ardamax.dll,
2) W32/Autorun.worm.gen!job,
3)  Generic!atr

Kindly see the attach file for hijackthis log, Combofix.log and SDfix.log


After-combofix-and-SDfix-run-hij.log
Beforehijackthis.log
Comofix.log
SDFIX.log
0
Comment
Question by:rajasekarramasamy
6 Comments
 
LVL 3

Expert Comment

by:cholmskov
ID: 21863578

http://www.scanspyware.net/info/Ardamax.htm

Delete the following directories

%programsdir%\ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
%programfilesdir%\NSK
Ardamax Keylogger
%programfilesdir%\ARDAMAX KEYLOGGER LITE
 

Delete the following files

NSK.00*
AKV.EXE
NSK.EXE
QS.HTML
%programfilesdir%\NSK\TRAY.GIF
MENU.GIF
%programfilesdir%\NSK\NSK.CHM
LICENSE.TXT
%programfilesdir%\NSK\UNINSTALL.EXE
kh.dll
il.dll
akl.exe
%programfilesdir%\Ardamax Keylogger\AKV.exe
%programfilesdir%\Ardamax Keylogger\qs.html
%programfilesdir%\Ardamax Keylogger\AKL.chm
akl.001
akl.002
%programfilesdir%\Ardamax Keylogger\akv.ini
tray.gif
menu.gif
license.txt
%programfilesdir%\Ardamax Keylogger\Uninstall.exe
KH.DLL
%programfilesdir%\ARDAMAX KEYLOGGER LITE\AKL.CHM
AKL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\akl.klf
UNINSTALL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\LICENSE_LITE.TXT
HELP.LNK
%programsdir%\ARDAMAX KEYLOGGER\LOG VIEWER.LNK
%programsdir%\ARDAMAX KEYLOGGER\ARDAMAX KEYLOGGER.LNK
%programsdir%\ARDAMAX KEYLOGGER LITE\HELP.LNK
ARDAMAX KEYLOGGER LITE.LNK
 

Delete the following registry keys

ARDAMAX KEYLOGGER LITE
akl.exe
ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
 

Delete the following registry values

NSK


Also do the following:

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

www.ewido.net/en

Update it and run a complete scan.

Check out to make sure you don't have any viruses as well:

housecall.trendmicro.com

www.pandasoftware.com/activescan
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21864583
Fix these items from your hijackthis list.
C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE

This process is one of compuware software component to remove trojans/keyloggers.. but it actually affects your pc by installing some unwanted files.

O4 - HKCU\..\Run: [NMDBInfo] C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE /Automation

Then follow removal as it applies to the Mcafee Enterprise antivirus installed on your computer....

http://vil.nai.com/vil/pups/configuration.aspx

0
 

Author Comment

by:rajasekarramasamy
ID: 21880894
Hi cholmskov,

In my laptop there is no " ARDAMAX" directory and files as u mention mention above.

0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 3

Expert Comment

by:cholmskov
ID: 21881257
Then are you sure it's still there rajase ?, that the antivirus didnt remove it ??

Could you run a new hijackthis and post it please ?
0
 

Author Comment

by:rajasekarramasamy
ID: 21882602
HI cholmskov,

Check my new hijackthis log file from attach file.
hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
ID: 21888496
Do you use Remote Admin (Radmin)? I don't see it in your Hijackthis log, but Gmer catchme is detecting Radmin reg entries which it can't enumerate completely as shown in the SDFix log.

If you don't use Radmin, then I would delete the relevant reg entries --> [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
As it could be these nasties:
http://www.ggreat.com/virnews/Worm@W32.Rahack-e.htm
http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-101410-2713-99
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453096740


I would also delete this key:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2db1b1fc-4198-11dd-bb71-00085c871838}]
G:\regsvr.exe <-- and this.


And I would run this tool, the tool also creates a harmless autorun.inf in every partition to stop the malicious autorun.inf from being created.
Download and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

As more computers now shipped with 64-bit version of Windows, more users are now using this Operating System.  So it's important to be aware how some 32-bit diagnostic tool works on these systems, so we know what to expect when analyzing the logs an…
I recently had to create a utility which aim is to update McAfee's Virusscan and that had to be launched from a command line. I thought I’d share my experience with you. Why is it useful to be able to update an Antivirus from the command line?…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now