
Thread: Need help removing Ardamax Keylogger

  1. #1
    Join Date: Oct 2011
    Posts: 7

    Need help removing Ardamax Keylogger

    Hello,
    I received a call from my dad today saying that he has a virus on his PC. From what he told me I thought it was the Windows XP Recovery virus. He mentioned that all his files had disappeared along with desktop icons. I had dealt with that virus before so I gave him the steps to remove it over the phone.
    I had him run the Malwarebytes scan, and the results were devastating. I can't remember the exact number (50+ thousand) of files that were infected. I had him read me one and it turned out to be Ardamax Keylogger. To be honest, I'm not sure that PC has ever been cleaned properly. Nor did it have sufficient security.
    Anyway... I am looking for instructions to tell my dad to hopefully get rid of the virus and recover/un-hide his files. I talked him through the "View hidden files/folders" steps. I don't want my parents to lose all of their important files, mainly pictures and emails.
    Any help is greatly appreciated.

    Thanks!

  2. #2
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    Hi - check the suggestion here.
    How to Remove Ardamax Keylogger.
    http://www.ehow.com/how_5486160_remo...keylogger.html

    First make sure you set a System Restore point.
    Click Start button>run.
    Type
    %SystemRoot%\system32\restore\rstrui.exe
    Click OK.
    Click Create a restore point.
    Next.
    Type a name [date] for the restore point > click Create.
    Once created > click Close.

    Download, update and scan with:
    SuperAntiSpyware
    http://www.superantispyware.com
    HitmanPro
    http://www.surfright.nl/en/hitmanpro
    Remove all that they find.

    Let us know the result.

    I am not an HJT log expert - but if they can send you one, say by email, I will take a look at it.

    HijackThis 2.0.4
    • Save HJTInstall.exe to your desktop.
    • Double-click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch HijackThis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste the log in your next reply.
    • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
    • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

    Also post the Uninstall Log.
    Start HijackThis.
    At the bottom right hand corner > under Other stuff.
    Click on Config.
    Then Misc Tools.
    Then Uninstall Manager.
    Save List > paste the list in your next post.
    Last edited by S Templar; 10-24-2011 at 06:35 AM.

  3. #3
    Join Date: Oct 2011
    Posts: 7
    @S Templar:
    I followed the instructions however none of the processes or reg keys were found. Hitman didn't find anything either.
    I ran a scan using HJT and here are the results:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 323 PM, on 11/18/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Lexmark 2300 Series\ezprint.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\lxcgcoms.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItS khGTkg"&"inst=NzctNjE0MzQ0Mjk0LUZQOSs2LU4xRisxLVRC OSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xME QrMS1MSUMrNzctRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VEKzEt UzFJKzEtU1UzKzEtVFVHKzMtRERUKzE2NjU4LUREMTBGKzEtU1 QxMEZBUFArMS1GMTBNMTJBVCsyLUYxME0xMkErMS1GMTBNMTJB QisxLVUxMCsxLUYxME0xMkFUQisx"&"prod=90"&"ver=10.0. 1411
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: c:\windows\system32\tarileri.dll dunusoze.dll c:\windows\system32\gukehere.dll
    O21 - SSODL: yilafibes - {e99f66ac-d871-4bcb-8361-c280b13671c8} - (no file)
    O21 - SSODL: bumerepar - {493aebab-8c22-4e83-a665-e41aa3d8d85a} - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - Unknown owner - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jdk1.6.0_14\bin\jqs.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe

    --
    End of file - 9872 bytes

  4. #4
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    Looks like the Malwarebytes scan, removing 50+ thousand files, has done the job.
    Edit
    [I can't see problems in your HJT log.]

    These can be removed using HJT: put a tick next to them, then click Fix.

    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O21 - SSODL: yilafibes - {e99f66ac-d871-4bcb-8361-c280b13671c8} - (no file)
    O21 - SSODL: bumerepar - {493aebab-8c22-4e83-a665-e41aa3d8d85a} - (no file)
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - Unknown owner - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jdk1.6.0_14\bin\jqs.exe (file missing)
    Last edited by S Templar; 11-18-2011 at 09:21 PM.
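A small triage script for the HJT log posted above, added here as an example (it is not HijackThis's own code or anything from this thread): it parses the section entries and lists the ones HJT marks "(no file)" or "(file missing)", which are exactly the five the reply above suggests ticking for Fix. The sample log lines are constructed from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the entry lines from the HJT log posted
# above, including the five entries the reply singled out for removal.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O20 - AppInit_DLLs: c:\windows\system32\tarileri.dll dunusoze.dll c:\windows\system32\gukehere.dll
O21 - SSODL: yilafibes - {e99f66ac-d871-4bcb-8361-c280b13671c8} - (no file)
O21 - SSODL: bumerepar - {493aebab-8c22-4e83-a665-e41aa3d8d85a} - (no file)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - Unknown owner - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jdk1.6.0_14\bin\jqs.exe (file missing)
"""

# HJT prefixes each finding with a section code (R0/R1, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# HJT appends these when the registered file is gone from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

@dataclass
class Entry:
    section: str    # e.g. "O23" (services) or "O21" (ShellServiceObjectDelayLoad)
    body: str       # the text after "Oxx - "
    orphaned: bool  # registration whose target file no longer exists

def parse_hjt(text: str) -> List[Entry]:
    """Return the section entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group(2)
            entries.append(Entry(m.group(1), body, body.endswith(ORPHAN_MARKERS)))
    return entries

def orphaned_entries(text: str) -> List[str]:
    """Entries safe to tick for Fix: dead registrations left behind by removed software."""
    return [f"{e.section} - {e.body}" for e in parse_hjt(text) if e.orphaned]

if __name__ == "__main__":
    for line in orphaned_entries(SAMPLE_LOG):
        print(line)
```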

  5. #5
    Join Date: Oct 2011
    Posts: 7
    Malwarebytes found 50+ thousand infected files. None of them could be removed. The program shuts down when I try and fix any.

  6. #6
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    Is MalwareBytes up to date - latest version, latest definition files downloaded?

    Run the scan in Safe Mode - tap F8 as the PC is starting up.
    Do the same with SuperAntiSpyware.
    Last edited by S Templar; 11-18-2011 at 09:22 PM.

  7. #7
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    Your HJT log looks clean - but also run an online scan to cover all options.

    Panda Activescan | Free Online Antivirus | Free Virus Disinfection - Panda Security
    http://www.pandasecurity.com/homeuse...ns/activescan/

  8. #8
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    It looks like Avast Anti-Virus was installed when the AVG Anti-Virus program was still active.
    That may have caused a conflict [maybe] and confusion, as they were each trying to read the same and different definition files; the system was infected.

    AVG - get a final uninstall on the next reboot.

    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninst...feedback-appf?

  9. #9
    Join Date: Oct 2011
    Posts: 7
    I ran the Malwarebytes scan again and nothing was found. I have not been able to fix anything, so I am not sure how it went from picking up 50+ thousand threats to picking up 0. I am going back to University for a couple of days for an exam but I will be back on Tuesday. This is very aggravating.

  10. #10
    Join Date: Mar 2008
    Location: London England
    Posts: 103
    Are you sure that your dad did not remove all infected files the first time?
    If the MalwareBytes scan says no Malware found, then they must be gone.

    MalwareBytes, SuperAntiSpyware and HitmanPro are able to remove most, if not all, Malware etc.
    If you are still concerned about Ardamax Keylogger, check the registry.

    Start button>Run>Type
    regedit
    Enter

    Under HKEY_LOCAL_MACHINE
    Look for:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ardamax Keylogger
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSK
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\App Paths\akl.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger

    Under HKEY_CURRENT_USER
    Look for:
    HKEY_CURRENT_USER\Software\Ardamax Keylogger Lite

    Edit
    Make no changes while in the Registry; report back if you find anything.
    Last edited by S Templar; 11-20-2011 at 05:28 PM.
