Author Topic: Win32/Ardamax  (Read 2343 times)


Killer360
Win32/Ardamax
« on: November 19, 2007, 09:03:57 pm »
Recently Kaspersky and Windows Defender have been detecting "Win32/Ardamax" which I believe is a keylogger. How would I go about getting rid of this? Every time I quarantine it, it manages to create itself again.

Anyone here know any security tools I can remove this bugger with?


Thanks.

Newby
Re: Win32/Ardamax
« Reply #1 on: November 19, 2007, 09:09:27 pm »
Where's it creating itself? Temporarily remove write permissions to that folder if it's not that important?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.

Killer360
Re: Win32/Ardamax
« Reply #2 on: November 19, 2007, 09:12:57 pm »
Quote
Where's it creating itself? Temporarily remove write permissions to that folder if it's not that important?

It's creating itself everywhere:

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\System Volume Information\_restore{6266DC8F-C35B-468E-AC12-296E6D4F50B6}\RP5\A0000091.exe

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\RECYCLER\S-1-5-21-1177238915-1035525444-682003330-1003\Dc4.exe

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\WINDOWS\SYSTEM32TWEG.EXE

etc, etc, etc...

Thanks for your reply.


Newby
Re: Win32/Ardamax
« Reply #3 on: November 19, 2007, 09:14:08 pm »
Reformat. Best option. You can't trust the system once it has been compromised. :|
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Killer360
Re: Win32/Ardamax
« Reply #4 on: November 19, 2007, 09:15:15 pm »
I agree, that would certainly be the best option. But, sadly, I just finished transferring my files from my other computer over to this one the other day. I would have to start all over again.

I'll keep checking security forums to see if any of my posts get replies.


Thanks again.

iago
Re: Win32/Ardamax
« Reply #5 on: November 19, 2007, 09:28:31 pm »
Disable system restore. Delete the trojan. Empty recycle bin. Reboot. Check again.

It looks like most of the regenerated ones you asked about are on the system restore or in the recycle bin. By cleaning those up, you might get it.

But Newby's right, once you're infected, you can never be sure it's gone.
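The point iago makes above (most of the "regenerated" detections are cached copies in restore points or the Recycle Bin, not a live infection re-creating itself) can be checked mechanically from the scanner's log. The script below is an added example and is not code from the thread or from any scanner vendor: it parses the Kaspersky-style lines Killer360 posted, buckets each path by where it lives, and lists only the copies outside those caches, which are the ones that actually need attention. The folder-name rules for the Recycle Bin (`RECYCLER`, `RECYCLED`, `$Recycle.Bin`) are assumptions covering common Windows versions, and the sample input is the thread's three lines reproduced verbatim.

```python
import re

# Sample input: the three scanner log lines quoted in the thread, verbatim.
SAMPLE_LOG = r"""
deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\System Volume Information\_restore{6266DC8F-C35B-468E-AC12-296E6D4F50B6}\RP5\A0000091.exe
deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\RECYCLER\S-1-5-21-1177238915-1035525444-682003330-1003\Dc4.exe
deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\WINDOWS\SYSTEM32TWEG.EXE
"""

# One scanner line: "<action>: Trojan program <detection name>   File: <path>".
# The path may contain spaces, so it is taken greedily up to trailing whitespace.
LOG_LINE = re.compile(
    r"^(?P<action>\w+):\s+Trojan program\s+(?P<name>\S+)\s+File:\s+(?P<path>.+?)\s*$"
)

# Location buckets, matched against the path with the drive letter removed.
# First match wins. The recycle-bin folder names are an assumption covering
# several Windows versions; the thread itself only shows RECYCLER.
LOCATION_RULES = [
    ("restore_point", re.compile(r"^system volume information\\_restore", re.I)),
    ("recycle_bin", re.compile(r"^(recycler|recycled|\$recycle\.bin)\\", re.I)),
    ("system_dir", re.compile(r"^windows\\", re.I)),
]

# Cached copies are cleared by the housekeeping steps in the thread; anything
# else is a live copy that must be removed directly.
CACHE_LOCATIONS = {"restore_point", "recycle_bin"}

REMEDIATION = {
    "restore_point": "held by System Restore: disable System Restore so the restore points are discarded",
    "recycle_bin": "held by the Recycle Bin: empty the Recycle Bin",
    "system_dir": "live copy in a system directory: remove it, reboot, rescan",
    "other": "live copy in an unexpected location: inspect manually",
}


def parse_log(text):
    """Return a list of {'action', 'name', 'path'} dicts, one per parsable line."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify_path(path):
    """Bucket a Windows path into restore_point / recycle_bin / system_dir / other."""
    without_drive = re.sub(r"^[A-Za-z]:\\", "", path)
    for label, rule in LOCATION_RULES:
        if rule.search(without_drive):
            return label
    return "other"


def triage(text):
    """Group detected paths by location bucket (dict of bucket -> list of paths)."""
    groups = {}
    for entry in parse_log(text):
        groups.setdefault(classify_path(entry["path"]), []).append(entry["path"])
    return groups


def live_copies(text):
    """Paths that are NOT in a cache location: these are the copies to chase."""
    return [p for bucket, paths in triage(text).items()
            if bucket not in CACHE_LOCATIONS for p in paths]


def remediation_plan(text):
    """Ordered, de-duplicated list of the housekeeping steps the log calls for."""
    present = triage(text)
    return [REMEDIATION[b] for b in ("restore_point", "recycle_bin", "system_dir", "other")
            if b in present]


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(paths)} -> {REMEDIATION[bucket]}")
    print("live copies:", live_copies(SAMPLE_LOG))
```

Run against the thread's lines, two of the three detections land in the cache buckets and only the `C:\WINDOWS` one is reported as a live copy; a scanner that keeps re-reporting only cache-bucket paths after cleanup is most likely re-reading stale copies rather than seeing the keylogger re-install itself. A live copy that keeps returning after a reboot is the case where the thread's advice to reinstall applies.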