Solved

Removal tools for Keylog-Ardamax.dll, W32/Autorun.worm.gen!job, Generic!atr

Posted on 2008-06-24
6
Medium Priority
5,297 Views
Last Modified: 2013-12-06
My laptop is infected by these viruses and Trojans, as mentioned below.

1) Keylog-Ardamax.dll,
2) W32/Autorun.worm.gen!job,
3) Generic!atr

Kindly see the attached files for the hijackthis log, Combofix.log and SDfix.log.


After-combofix-and-SDfix-run-hij.log
Beforehijackthis.log
Comofix.log
SDFIX.log
Question by:rajasekarramasamy
6 Comments
 
LVL 3

Expert Comment

by:cholmskov
ID: 21863578

http://www.scanspyware.net/info/Ardamax.htm

Delete the following directories

%programsdir%\ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
%programfilesdir%\NSK
Ardamax Keylogger
%programfilesdir%\ARDAMAX KEYLOGGER LITE
 

Delete the following files

NSK.00*
AKV.EXE
NSK.EXE
QS.HTML
%programfilesdir%\NSK\TRAY.GIF
MENU.GIF
%programfilesdir%\NSK\NSK.CHM
LICENSE.TXT
%programfilesdir%\NSK\UNINSTALL.EXE
kh.dll
il.dll
akl.exe
%programfilesdir%\Ardamax Keylogger\AKV.exe
%programfilesdir%\Ardamax Keylogger\qs.html
%programfilesdir%\Ardamax Keylogger\AKL.chm
akl.001
akl.002
%programfilesdir%\Ardamax Keylogger\akv.ini
tray.gif
menu.gif
license.txt
%programfilesdir%\Ardamax Keylogger\Uninstall.exe
KH.DLL
%programfilesdir%\ARDAMAX KEYLOGGER LITE\AKL.CHM
AKL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\akl.klf
UNINSTALL.EXE
%programfilesdir%\ARDAMAX KEYLOGGER LITE\LICENSE_LITE.TXT
HELP.LNK
%programsdir%\ARDAMAX KEYLOGGER\LOG VIEWER.LNK
%programsdir%\ARDAMAX KEYLOGGER\ARDAMAX KEYLOGGER.LNK
%programsdir%\ARDAMAX KEYLOGGER LITE\HELP.LNK
ARDAMAX KEYLOGGER LITE.LNK
 

Delete the following registry keys

ARDAMAX KEYLOGGER LITE
akl.exe
ARDAMAX KEYLOGGER
ARDAMAX KEYLOGGER LITE
 

Delete the following registry values

NSK


Also do the following:

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

www.ewido.net/en

Update it and run a complete scan.

Check out to make sure you don't have any viruses as well:

housecall.trendmicro.com

www.pandasoftware.com/activescan
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21864583
Fix these items from your hijackthis list.
C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE

This process is one of the Compuware software components for removing trojans/keyloggers, but it actually affects your PC by installing some unwanted files.

O4 - HKCU\..\Run: [NMDBInfo] C:\PROGRA~1\COMMON~1\COMPUW~1\NMDBInfo.EXE /Automation

Then follow the removal steps as they apply to the McAfee Enterprise antivirus installed on your computer.

http://vil.nai.com/vil/pups/configuration.aspx

0
 

Author Comment

by:rajasekarramasamy
ID: 21880894
Hi cholmskov,

On my laptop there is no "ARDAMAX" directory or files as you mentioned above.

0

 
LVL 3

Expert Comment

by:cholmskov
ID: 21881257
Then are you sure it's still there, rajase? That the antivirus didn't remove it?

Could you run a new hijackthis and post it please ?
0
 

Author Comment

by:rajasekarramasamy
ID: 21882602
Hi cholmskov,

Check my new hijackthis log in the attached file.
hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 375 total points
ID: 21888496
Do you use Remote Admin (Radmin)? I don't see it in your Hijackthis log, but Gmer catchme is detecting Radmin reg entries which it can't enumerate completely as shown in the SDFix log.

If you don't use Radmin, then I would delete the relevant reg entries --> [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
As it could be these nasties:
http://www.ggreat.com/virnews/Worm@W32.Rahack-e.htm
http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-101410-2713-99
http://ca.com/us/securityadvisor/pest/pest.aspx?id=453096740


I would also delete this key:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2db1b1fc-4198-11dd-bb71-00085c871838}]
G:\regsvr.exe <-- and this.


And I would run this tool; it also creates a harmless autorun.inf in every partition to stop the malicious autorun.inf from being created.
Download and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
0
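As an added example (not from this thread, and not Flash_Disinfector's own code), here is a PowerShell script that covers the two defensive steps in the accepted answer: it lists MountPoints2 shell commands that point at an executable (the kind of entry that referenced G:\regsvr.exe above) and creates the protective autorun.inf folder on each drive letter. The function names are my own, and the script assumes an elevated PowerShell session on Windows.

```powershell
# Added example: defensive checks for the autorun-worm pattern discussed above.
# Run from an elevated PowerShell session. Function names are hypothetical.

$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-SuspiciousMountPoints {
    # Walk every MountPoints2 subkey; "command" keys hold what Explorer runs
    # when a drive is opened or autoplayed, so an executable there is worth a look.
    Get-ChildItem -Path $mp2 -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -match '\.(exe|com|bat|cmd|vbs|scr)\b') {
                [PSCustomObject]@{ Key = $_.Name; Command = $cmd }
            }
        }
}

function Protect-DriveAutorun {
    # Same idea as Flash_Disinfector: a folder named autorun.inf occupies the name,
    # so a worm cannot drop its own autorun.inf file at the drive root.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        # Only real drive letters with media present (skips empty CD/DVD drives)
        if ($drive.Root -notmatch '^[A-Z]:\\$' -or -not (Test-Path -Path $drive.Root)) { continue }

        $path = Join-Path -Path $drive.Root -ChildPath 'autorun.inf'
        if (Test-Path -Path $path -PathType Leaf) {
            # An existing autorun.inf FILE may be the malicious one; inspect it before removal.
            Write-Warning "autorun.inf file already present on $($drive.Root) - inspect it first"
            continue
        }
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -ItemType Directory | Out-Null
            # Read-only, hidden and system attributes keep it out of sight and casual deletion.
            attrib +R +H +S $path
            Write-Host "Protective autorun.inf folder created on $($drive.Root)"
        }
    }
}

Get-SuspiciousMountPoints | Format-Table -AutoSize
Protect-DriveAutorun
```

Review any listed MountPoints2 command before deleting the key; legitimate software occasionally registers one, but a command pointing at an executable on a removable drive root is the pattern the accepted answer describes.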

