Win32/Ardamax

Started by Killer360, November 19, 2007, 09:03:57 PM


Killer360

Recently Kaspersky and Windows Defender have been detecting "Win32/Ardamax" which I believe is a keylogger. How would I go about getting rid of this? Every time I quarantine it, it manages to create itself again.

Anyone here know any security tools I can remove this bugger with?


Thanks.

Newby

Where's it creating itself? Temporarily remove write permissions to that folder if it's not that important?
- Newby
http://www.x86labs.org

[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.

Killer360

Quote from: Newby on November 19, 2007, 09:09:27 PM
Where's it creating itself? Temporarily remove write permissions to that folder if it's not that important?
It's creating itself everywhere:

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\System Volume Information\_restore{6266DC8F-C35B-468E-AC12-296E6D4F50B6}\RP5\A0000091.exe

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\RECYCLER\S-1-5-21-1177238915-1035525444-682003330-1003\Dc4.exe

deleted: Trojan program Trojan-Spy.Win32.Ardamax.e   File: C:\WINDOWS\SYSTEM32TWEG.EXE

etc, etc, etc...

Thanks for your reply.


Newby

Reformat. Best option. You can't trust the system once it has been compromised. :|

Killer360

I agree, that would certainly be the best option. But, sadly, I just finished transferring my files from my other computer over to this one the other day. I would have to start all over again.

I'll keep checking security forums to see if any of my posts get replies.


Thanks again.

iago

Disable system restore. Delete the trojan. Empty recycle bin. Reboot. Check again.

It looks like most of the regenerated ones you asked about are in System Restore or in the recycle bin. By cleaning those up, you might get it.

But Newby's right, once you're infected, you can never be sure it's gone.
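One way to do the "check again" step above with more rigour than eyeballing the scanner log, as an added example that is not from anyone in this thread: take a SHA-256 baseline of the executables in the three folders the Kaspersky log names, then re-run after the clean-up and reboot to see exactly which files came back, changed or disappeared. It assumes PowerShell 5.1 or later (for Get-FileHash), an elevated prompt so the recycler and System Volume Information folders are readable, and the baseline file path is a made-up default.

```powershell
# Added example, not from the thread. Baseline-and-recheck for executables in the
# folders the scanner log reported; run once before clean-up, once after the reboot.
param(
    [string]$Baseline = "$env:USERPROFILE\exe-baseline.json"   # assumed path
)

# Folders quoted in the scanner output earlier in this thread.
$Folders = @(
    "$env:SystemRoot\System32",
    'C:\RECYCLER',                    # XP-era recycle bin, per-SID subfolders
    'C:\System Volume Information'    # restore points (RP*\A*.exe)
)

function Get-ExeInventory {
    # Returns a hashtable of full path -> SHA-256 for every *.exe under $Folders.
    $inv = @{}
    foreach ($f in $Folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -Recurse -Force -File -Filter *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inv[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $inv
}

$now = Get-ExeInventory

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: record what is there now and stop.
    $now | ConvertTo-Json | Set-Content -LiteralPath $Baseline
    Write-Host "Baseline written: $($now.Count) executables. Re-run after clean-up and reboot."
    exit 0
}

# Later run: load the baseline and report every difference.
$old = @{}
(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $old[$_.Name] = $_.Value }

foreach ($path in $now.Keys) {
    if (-not $old.ContainsKey($path))    { Write-Host "NEW      $path  $($now[$path])" }
    elseif ($old[$path] -ne $now[$path]) { Write-Host "CHANGED  $path  $($now[$path])" }
}
foreach ($path in $old.Keys) {
    if (-not $now.ContainsKey($path))    { Write-Host "REMOVED  $path" }
}
```

A NEW or CHANGED line in System32 after a reboot with System Restore disabled and the recycle bin emptied means something on the box is still writing the file, which is the case Newby's reformat advice is about.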