Solved

Removal tools for Keylog-Ardamax.dll, W32/Autorun.worm.gen!job, Generic!atr

Posted on 2008-06-24
6
5,286 Views
Last Modified: 2013-12-06
My laptop infected by these virus and Trojan as mention below.

1) Keylog-Ardamax.dll,
2) W32/Autorun.worm.gen!job,
3)  Generic!atr

Kindly see the attach file for hijackthis log, Combofix.log and SDfix.log


After-combofix-and-SDfix-run-hij.log
Beforehijackthis.log
Comofix.log
SDFIX.log
0
Comment
Question by:rajasekarramasamy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 3

Expert Comment

by:cholmskov
ID: 21863578

http://www.scanspyware.net/info/Ardamax.htm

Delete the following directories

%programsdir%\ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
%programfilesdir%\NSK
Ardamax Keylogger
%programfilesdir%\ARDAMAX KEYLOGGER LITE
 

Delete the following files

NSK.00*
AKV.EXE
NSK.EXE
QS.HTML
%programfilesdir%\NSK\TRAY.GIF
MENU.GIF
%programfilesdir%\NSK\NSK.CHM
LICENSE.TXT
%programfilesdir%\NSK\UNINSTALL.EXE
kh.dll
il.dll
akl.exe
%programfilesdir%\Ardamax Keylogger\AKV.exe
%programfilesdir%\Ardamax Keylogger\qs.html
%programfilesdir%\Ardamax Keylogger\AKL.chm
akl.001
akl.002
%programfilesdir%\Ardamax Keylogger\akv.ini
tray.gif
menu.gif
license.txt
%programfilesdir%\Ardamax Keylogger\Uninstall.exe
KH.DLL
%programfilesdir%\ARDAMAX KEYLOGGER LITE\AKL.CHM
AKL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\akl.klf
UNINSTALL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\LICENSE_LITE.TXT
HELP.LNK
%programsdir%\ARDAMAX KEYLOGGER\LOG VIEWER.LNK
%programsdir%\ARDAMAX KEYLOGGER\ARDAMAX KEYLOGGER.LNK
%programsdir%\ARDAMAX KEYLOGGER LITE\HELP.LNK
ARDAMAX KEYLOGGER LITE.LNK
 

Delete the following registry keys

ARDAMAX KEYLOGGER LITE
akl.exe
ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
 

Delete the following registry values

NSK


Also do the following:

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

www.ewido.net/en

Update it and run a complete scan.

Check out to make sure you don't have any viruses as well:

housecall.trendmicro.com

www.pandasoftware.com/activescan
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21864583
Fix these items from your hijackthis list.
C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE

This process is one of compuware software component to remove trojans/keyloggers.. but it actually affects your pc by installing some unwanted files.

O4 - HKCU\..\Run: [NMDBInfo] C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE /Automation

Then follow removal as it applies to the Mcafee Enterprise antivirus installed on your computer....

http://vil.nai.com/vil/pups/configuration.aspx

0
 

Author Comment

by:rajasekarramasamy
ID: 21880894
Hi cholmskov,

In my laptop there is no " ARDAMAX" directory and files as u mention mention above.

0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
LVL 3

Expert Comment

by:cholmskov
ID: 21881257
Then are you sure it's still there rajase ?, that the antivirus didnt remove it ??

Could you run a new hijackthis and post it please ?
0
 

Author Comment

by:rajasekarramasamy
ID: 21882602
HI cholmskov,

Check my new hijackthis log file from attach file.
hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
ID: 21888496
Do you use Remote Admin (Radmin)? I don't see it in your Hijackthis log, but Gmer catchme is detecting Radmin reg entries which it can't enumerate completely as shown in the SDFix log.

If you don't use Radmin, then I would delete the relevant reg entries --> [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
As it could be these nasties:
http://www.ggreat.com/virnews/Worm@W32.Rahack-e.htm
http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-101410-2713-99
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453096740


I would also delete this key:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2db1b1fc-4198-11dd-bb71-00085c871838}]
G:\regsvr.exe <-- and this.


And I would run this tool, the tool also creates a harmless autorun.inf in every partition to stop the malicious autorun.inf from being created.
Download and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Viruses etc. and W8 and W10 12 94
EmsisoftAntiMalware is it trusted reliable 4 66
FSRREMOS 7 105
windows 10 - uninstall Mc Afee asks for password 9 37
As more computers now shipped with 64-bit version of Windows, more users are now using this Operating System.  So it's important to be aware how some 32-bit diagnostic tool works on these systems, so we know what to expect when analyzing the logs an…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question