Ardamax keylogger removal-HELP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mindnmuscl2, Mar 6, 2005.

  1. mindnmuscl2

    mindnmuscl2 Private E-2

    First time post, starting off with an awful problem

    Somehow in past week, I have picked up the infamous "ardamax" keylogger. I only noticed it since tues wed 3/2 when my xoftsoft pareto logic scan picked it up at the tail end of an entire system scan. Just to set up what I have and have done.... I am on a DSL LINE, use firefox as main browser, use a tunneler for browsing. However, my main free email, non-PGP is yahoo and I suspect it was picked up there somehow. I also already use a lot of the posted scanning mal/ad/spy ware you have listed in your cleanup instructions (spybot/spyhunter/spyware bouncer/ stinger/cc shredder, etc.).

    The first time the xoftsoft spyware picked up the keylogger in the scan my software went crazy, kept flickering as it seemed to be reading multiple intrusions or files within this ardamax while still keeping the path on the screen. All of a sudden approx 41 "host files" popped up with all kinds of weird addresses and sites that I do not recognize or have never seen before.
    I am able to quarantine all of them and get rid of them but every time I run the software after being on line for a while, even if I am not in Yahoo, they appear.
    In reading up on it on the ardamax website, I am most concerned because it is such a stealth bugger that can have someone track and log my information and have both text and snapshots sent of history. Because it executes on startup, I do not know if the software is doing this and I am concerned for my privacy and safety.

    I have emailed ardamax but no answer on uninstall instructions. Being a stealth keylogger, I have the location of the file c:\documents and settings\owner\start menu\programs\startup\ardamax keylogger but when looking it over I see no files.

    I found your site on 3/5 and ran your full test based on the 6/22 posting disabling spyware, malware, etc on before asking for help.
    I disabled system restore, allowed hidden files to be seen, booted in safe mode, did all my diagnostic scans, downloaded some of your software you have posted in the tutorials. It took me about 4 hours to go end to end from your instructions, but to no avail. In safe mode, disconnected from my DSL, a full scan of "hard drive c:\ " did not expose any ardamax keylogger extensions (I think it is akl.exe extension).
    Nothing shows up in task manager, or autostart entries in registry.

    I need help, I feel frozen in the headlights, like a deer, afraid all my moves are being watched, logged and emailed back to someone....

    I did run a hijack this as a last resort late 3/5 and have saved it but will send it upon someone's approval. I want to see if someone more knowledgeable can help me first with any other workarounds to remove this ****dang thing..

    thanks
    John :rolleyes:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs! The READ ME FIRST is meant to be run in its entirety not partially. You said:
    And you must make sure you have the version and updates that we specify by clicking on our links and verifying them against what you are using. Quite often many users do not have the correct versions or the current updates.

    Please run all of the READ ME. Also SpyHunter and SpyBouncer are not in our READ ME and should not be run. You should uninstall them from your PC as they have been on a list of rogue/suspect spyware removal tools for quite some time. See: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Here are the steps you need to follow (completely):

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post.)
     
    Last edited: Mar 6, 2005
  3. mindnmuscl2

    mindnmuscl2 Private E-2

    Re: Ardamax keylogger removal-part 2/ w HJT file

    Hi

    Sorry if I confused you. I faithfully followed all your initial instructions. I have also deleted spy hunter and spy bouncer. I use Windows XP with all current updates downloaded, but not SP2, I am not too comfortable with SP2 yet (separate conversation). I use DSL through Verizon with McAfee virus scan and firewall. I also use firefox/mozilla as my primary browser.

    For the record, here is what I did to get to this message:
    Ran all steps from "Read me first" files in sequence:
    --disabled system restore
    --enabled viewing of hidden files /folders/ extensions , unchecked hide file extensions for known types
    --downloaded all the spyware tools and checked for updated versions against ones I already had.
    Trendline online scan- gave me 1 positive check on the scan with system supported (I do not use IE browser generally). Balance of 3 java vendor/ java version/ java detecting gave me a red X
    Symantec Security Check- gave me "sorry page not accessible"
    Avert -clean, nothing listed
    cc cleaner- no issues, set it default options to clean out temp files. Nothing unusual in my scan
    AD-AWare SE- nothing came up, even with VX2 cleaner installed and run
    SPYBOT- NOTHING
    CW shredder- nothing
    kill2me- nothing

    Before running the HJT exe file I also did an additional scan with Bitdefender, trojan scan, A2, Avast( already had these 2 but made sure the versions were updated)- NOTHING
    ADS spy- NOTHING

    In safe mode, everything looked great, no connection out to internet yielded me no evidence of the keylogger.

    However, yesterday once I was back in regular mode and system restored, I was doing some work. About 2 hrs into being online, I decided to scan my system again and once again I picked up about 37 files when the ardamax keylogger was picked up by Xoftspy 4.10. This was right before I wrote my initial email to you.
    So it looks as though all my work was not able to detect or cleanup the ardamax keylogger.

    I logged into my system today and did some work online for 2 hrs. Prior to undertaking my entire re-scan of the system today using your instructions again, I ran Xoftspy v4.10 and it picked up approx 37 "host files" when the ardamax keylogger file location was picked up by the spy ware scan. I quarantined the suspect files, all are listed as being browser hijackers.

    I am so frustrated, I am afraid to use my system because I feel as though someone is either using my computer or lurking inside it and grabbing info. I also noticed that it seems to be slower, not sure if this is a symptom of the keylogger or not.
    I can piece together so much info on this ardamax, does it basically infect your system and slow it down while hijacking it?

    Anyway, hope the text file will help pinpoint something. I am not very technical and tried to have no processes or apps running when it ran today.

    I truly appreciate your comments and help.

    thanks
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Ardamax keylogger removal-part 2/ w HJT file

    Okay! First observation, you do not have all your windows updates. In fact you are severely out of date. And I'm not referring to the fact that you do not have XP SP2. You do not even have SP1 and there is also an SP1a. There are dozens of other security updates you may be missing too including a load of them for IE. You must go to Windows Update, do not select Express install. Select Custom and install all but the XP SP2 updates.


    Second problem! You appear to be using both McAfee and Avast antivirus applications. You must only have one AV application installed. Pick which one you prefer and uninstall the other.
     
    Last edited: Mar 6, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Ardamax keylogger removal-part 2/ w HJT file

    Third problem!
    You do not have HJT installed properly! You are running it from the ZIP file which is what we specifically request you not do. And it is in C:\Documents and Settings and it is in a Temp folder. All three of which we request not to do. See the below line.

    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    Not only that.... you also have a second instance of it running:
    C:\Hijack_0306\HijackThis.exe

    Only one should be running.
     
  6. mindnmuscl2

    mindnmuscl2 Private E-2

    Well, as you can tell, I am pretty much a newbie when it comes to some minimal tech work. I am in process of updating windows (thought I was set to receive auto updates but obviously SP1 and beyond up to SP2 will be installed first).

    Second, I apologize for my running the file from zip, thought I did it correctly.... I will redo and get back to you.

    In the meantime, are there any words of wisdom from my HJT sent to you that can shed some light on whether you are seeing the keylogger?

    If you do not answer, I understand, I will re-do all you requested and let you know.
    Once all windows updates are done, do you want me to go back and do the end/end test (safe-mode, all scans, system restore disable, etc) prior to sending you another HJT text file?

    thanks
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below R1 proxy setting required by Proxyconn accelerator?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    See the below in regards to the keylogger you mentioned.
    http://www.ardamax.com/keylogger.html

    This is something that would apparently be installed by you and is invisible?
     
  8. mindnmuscl2

    mindnmuscl2 Private E-2

    YOU ASKED....

    Is the below R1 proxy setting required by Proxyconn accelerator?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    *******************************************

    I use an anonymous tunneler which has the above settings to properly browse with Firefox/ Mozilla through the tunneler. I rarely use IE and have those settings in IE only when I use it directly with the tunneler (I try to stay away from ActiveX scripting and have IE set to prompt me when scripts are being downloaded with IE)
    I do not have a browser homepage default setup. Once my tunneler is connected to my DSL I click on one of the 2 NON-IE browsers. Sometimes when firefox/ mozilla is slow,freezes or is offline, I use IE directly with those settings. In a long winded way, does that make sense as to how the log shows that info?

    Regarding ardamax... I have what might be a dumb question.... if I know the folder location on my "c" drive(c:\documents and settings\owner\start menu\programs\startup\ardamax keylogger) where the xoftspy spyware scan picks up the keylogger and when I look into the location, I see nothing, no ardamax files or any other... can I just delete folder somehow and wipe it out?
    Or am I being too simplistic? :confused:

    thanks

    PS- I am doing this from work so my home PC updates for windows as you pointed out will have to be done later tonight.
     
  9. mindnmuscl2

    mindnmuscl2 Private E-2

    One more thing to add... I also found suggestions from another thread about the McAfee VIL info and found info on ardamax. I have the McAfee firewall and virus scan always on, But part of your initial suggestions to me was not to have both avast and McAfee. I will probably disconnect the McAfee as it seems to be less potent than avast (McAfee came as part of my firewall package)....but they do give DAT downloads for ardamax and I will try to see if this helps. I already have auto download of virus scan updates but will download the DAT's for ardamax anyway and run the scan.
    I will run the scan in safe mode with network support and see if it picks it up....

    just thought I would add my 2 cents....

    ;)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said it appears to be something someone installed. It does not look to be like something was added without user consent. Try looking in Add/Remove programs first for an uninstall. You may need to be logged in as Administrator. Tools like this make themselves hard to find and hard to uninstall on purpose. If they did not, they would not be too useful as a keylogger. It could also be password protected.
     
  11. mindnmuscl2

    mindnmuscl2 Private E-2

    Thank you for being so patient with me.... I got home last night and downloaded approx 17 updates from windows for XP/IE, etc(Boy am I red-faced about missing all those). I also reset my system to receive updates on an auto basis.
    --I also ran my xoftsoft spyware later last night after being online and there were 37 instances of spyware that were picked up....all 37 show as "CWS.home" with location of program as "host file" and type of spyware listed as browser hijacker. But what is funny, I am not seeing my browser being overtly hijacked.... not firefox, nor even IE... both will show my correctly setup homepage when clicked by me.
    Does this mean it is running in background on my IE browser without me knowing it?

    You wrote that perhaps I need to look in the install/uninstall programs and be logged in as admin.

    --Here is where I show my lack of knowledge... I am listed as "owner", and not administrator for my system with XP, at least when I check task manager, there is no other person setup... how do I establish myself as "administrator" with full rights to install/uninstall programs? Guess with one computer, I never thought to be admin to myself....But if you think it is another area to help then I will. Sorry to ask what might be such a simplistic question...

    John
     
  12. mindnmuscl2

    mindnmuscl2 Private E-2

    Sorry to keep bugging you but would it benefit me at this point to run process explorer and see if the keylogger would show up? I am not sure if this bugger stays invisible to all except "ADMIN" but figured it was worth a shot. I read on some other threads about using this and wanted your opinion before venturing into an area I have not used before.... :eek:
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter compmgmt.msc and click OK.

    Now select Local Users and Groups
    Find in the right window pane your user Name (you said it was Owner). Double click on it. In the Window that comes up select Member Of. Does it show you to be a Member of: Administrators

    If not, you need to reboot in safe mode and log in as Administrator (that should be an account name).
    And then make the Owner user account a member of the administrator group. You do this from Control Panel and User Accounts. Change the account.

    In fact while logged in as the Administrator, do you see an uninstall for the keylogger program?
     
  14. mindnmuscl2

    mindnmuscl2 Private E-2

    Sorry to be so dense... but in regards to logging as ADMIN while in safemode....I have had this computer for 4 yrs and to be quite honest, have probably forgotten what I used to setup my system as far as usernames /passwords when logging on.... on startup it boots up and does not prompt me for a user/password(I am the only user), taking me right to full startup and desktop.
    Is there a way for me to have the system tell me what it has registered as my user name and password so I can retrieve it? How during boot up does someone view the user/password info that allows them to log in?

    Also, if I do retrieve my username and password in order to setup myself as admin... could someone else have retrieved the info and changed it?

    Still extremely angry :mad: (with myself) because I cannot blame anyone for this, I am the only user)
     
  15. mindnmuscl2

    mindnmuscl2 Private E-2

    Cool Web Search / Ardamax- are they related?

    OK.. you guys will deserve a big donation(and all the booze we both can finish in one sitting) if we can get to the bottom of this one...
    I already have a post running on removing the ardamax keylogger..... but something else has been happening that until right now, I never treated as a possible separate problem. :rolleyes:

    Every time xoftspy v4.10 SCANS the folder/ file and finds ardamax in c:\documents and settings\owner\start menu\programs\startup\ardamax keylogger it goes crazy, rapidly appearing/disappearing for about 15 sec and then approx 37 files appear in the xoftspy log... all show CWS.HOST as name, with browser hijacker as the file type. It has done this each time I run xoftspy since first noticing the ardamax keylogger.

    OK... here is my dummy action, I would just click them and delete them through xoftsoft, thinking in my own pea-brained logic they are somehow related to ardamax... :(

    Well of course it has dawned on me from reading your great forum(plug plug), CWS is a hijacker and ardamax is keylogger... But is it possible that they are intertwined together to create my problem?

    Nothing goofy has been going on to prompt me to see some of the websites showing up from CWS.
    I never received any warning signs on having the 37 files from CWS. I so rarely use IE in any search (yahoo or google) functions where a browser re-direct may have occurred. I am a firefox user over a tunneler and browse mostly through it. Of course the reality is I have these two things and need to eradicate them with extreme prejudice.

    I noticed that cwsshredder has a list of CWS names it attacks but I did not see the CWS.HOST name appear.... am I beta victim for CWS?

    I realize now, I enabled in IE my ActiveX settings to allow for safe scripts downloads with prompts, I actually had IE set so tight that many pages did not load at all that were IE compatible. My tunneler recommends no MS scripts at all, so in my frustration of not being able to load pages, I must have lessened my security. Once I fix these issues (with your help) I am putting IE back to tight ActiveX controls and use it only through a tunnel.

    OK... enough explaining.
    I have a lot of work to do.
    I will go back and follow your instructions from your tutorial and let you know what I find prior to posting any hijack this logs

    Just wanted to hear from anyone if my 2 issues are related or are stand alone issues?

    thanks :rolleyes:
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Having the PC tell you your passwords would defeat the whole purpose of having them to begin with.

    Just check using the steps I gave you to see if you are an Administrator.

    Have you even tried to uninstall the Ardamax software? Why did you install it to begin with?

    I'll be merging your other thread back into this one. It is still part of the same issue and does not belong in a new thread.
     
  17. mindnmuscl2

    mindnmuscl2 Private E-2

    Sorry to continue stumbling....I kept the CWS thread separate because I am not savvy enough to know if I have one large problem with 2 parts or 2 separate problems :rolleyes: .. so thanks for merging them

    I checked my settings and I am listed as owner/administrator of my computer and I was not able to see any other entries (as if someone had set up someone else as "admin" who would be running my system behind the scenes). So at least, I established that I am the Owner/administrator....

    Now to answer your other points
    --I have never knowingly downloaded or installed a keylogger, especially one such as this which scares the heck out of me. I am the only user of the system so I suspect due to my own ignorance, I installed it from clicking on some web site ....I still believe that somehow ardamax and the cool web search 37 files are inter-related but not sure how.
    --As a side note, the names of the 37 CWS files come up as CWS.HOMEPAGE not HOST as I mentioned yesterday. I will check the file extensions from CWShredder to see if these are there.

    --Also, even as administrator, I am not able to see in "install/uninstall" any ardamax software to get rid of? So I am not sure where else to look?
    --I will go back today sometime and redo all your tutorial instructions and see where it gets me. I want to rerun your instructions from top to bottom and see where it gets me. I will report back.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter secpol.msc and click OK.

    Look under the Software Restrictions Policies heading in the left window pane. Are there any restrictions in place? Any to do with the keylogger or using Add/Remove programs?
     
  19. mindnmuscl2

    mindnmuscl2 Private E-2

    I have been having tremendous problems in past 2 days... my connection through my DSL (VERIZON) is working but anytime I try to direct connect to IE or have my firefox work through the metropipe tunnel, the system goes nowhere.
    I actually had to bring out a paid tech person(from geeksoncall- personally he thinks you guys rock--I do :) ) to try and see what the heck can be done. I had the new beta version of the MS tool from Giant installed but the system kept freezing up about 40% of way through the scan.
    He tried to run trend micro from IE and also firefox, no luck connecting.

    Tried to run shredder but it found no variant of CWS.

    It is as if the "infection" knows what is coming. He thought that this extremely slow internet was possibly related to those 37 CWS browser hijackers working.

    I am still going to try and do an end to end from tutorial, but in past 2 days my ability to get on internet after connecting with DSL has been limited to approx 15-25 min and then no success re-connecting....arrgh.. :mad:

    Here is what I plan to do>>.

    I plan to talk to verizon on the outside chance there is something going on from their end, I mean up through tues/wed of this I was able to connect and work both in IE and firefox.
    I was not sure if anyone else is having known issues with Verizon in Phila metro region. I know they have been working in my area(Chesco) to upgrade DSL to 1.5mgs but not sure if the ongoing upgrade is affecting me.


    Here are my questions
    --if I am unsuccessful in connecting to the internet(sending this email from work) would it be alright to do everything I can do from your instructions and post a HJT log?
    --I did from your instructions have 17 windows updates installed when I could still use IE successfully. Is there anything else I need to look at prior to executing your instructions again? ( I am thinking if I cannot connect to the internet, I will not be able to update any spyware programs and possibly post log until I can come back to work.)

    --You questioned in your online checking of my first HJT scan:
    Is the below R1 proxy setting required by Proxyconn accelerator?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    I answered you that it was my settings from my privacy tunnel so I can use firefox through the tunnel instead of going out to internet directly. Now my question== I read on doxdesk.com about CWS and it mentions specifically on one variant description of CWS:
    CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries’ versions of Google) are set in the Hosts file to point to ‘localhost’ (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

    --I noticed the same proxy setting as what metropipe tunnel asks for when setting up firefox as main browser, 127.0.0.1.... --is this a common proxy setting or perhaps did we stumble on something? I only have it loaded in for firefox/mozilla, IE has it but "unchecked" in connections tab because of all the ActiveX script issues I had by blocking all scripts except by prompt.


    --From your merging of the two threads I had... are we assuming the CWS issue and keylogger are possibly related? still am so unsure and yesterday the geeksoncall tech was not able to extract that file but did see the location and folder/file come up with xoftspy just like when I run the scan.

    CWS.hostname seems to be a variant of the CWS parasite.... any chance I have been infected with something new?

    --geeksoncall suspected xoftspy had something to do with the keylogger or CWS but prior to approx 3/1 i had never seen either and ran xoftspy everyday, and it was clean.

    I am so frustrated, I am considering the option to have the OS uninstalled from my home computer and have the tech install XP w/SP2. He felt that it would wipe everything clean and be back to normal, with SP2 now as an upgrade.... but to me it would seem that to just wipe out the OS and rebuild it means the keylogger/hijacker won :mad: (and it cost me some bucks to show I lost).
    I just would like YOUR PROFESSIONAL OPINION if you think this is a notable solution. I like my current system, I am in process of receiving a new laptop in next 2 weeks but would like to salvage my desktop and use it as a spare.
    I am leaning towards saying scr** it and letting them do it because I will have a clean machine loads of data and files I use but do not want to attempt to copy over.

    Your thoughts... sorry to be so long winded.
    :confused:
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Too many questions and you still did not do what I requested in message # 18.

    I have seen no proof of a CWS infection in your system. I really do not trust Xoftspy that much either.
    Using 127.0.0.1:8080 for a proxy server setting is not the same thing as redirecting a valid site to 127.0.0.1. That would look like:
    127.0.0.1 www.majorgeeks.com

    Having the above line in your hosts file would make majorgeeks non-accessible. You would always be redirected to your local machine.

    Why do you need this anonymous tunneler? Why can't you just connect to your DSL provider normally (i.e., an ethernet connection from your PC to their DSL modem which provides you with an IP address)?

    Contact Ardamax and ask them how to remove the keylogger software. If it is on your system, it is installed. And if you are the owner/admin you should be able to run the application and make it visible and uninstall it.

    Yes, a reformat and reinstall of your OS from scratch should resolve problems.

    Post a current HijackThis log. Also download and install this trial version of Spy Sweeper and update it and then let it scan your system. Post the log from Spysweeper as an attachment.

    Also take a look at the info here: http://labs.paretologic.com/spyware.aspx?remove=Ardamax

    Seems to say Xoftspy is supposed to remove Ardamax??? Try the manual removal instructions if necessary. If this thing is really hidden from view you may need a different program to locate the files and folders. Try installing and using: ExplorerXP
     
    Last edited: Mar 11, 2005
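    The distinction chaslang draws above (a ProxyServer value of 127.0.0.1:8080 versus a hosts-file line that maps a real site name to 127.0.0.1) is easy to check mechanically. The following is an added example, not code from the thread or from any of the tools named in it: it parses hosts-file text, reports any name other than the normal localhost aliases that is pointed at a loopback address (the pattern the doxdesk CWS/SvcHost description quoted in post 19 describes), and separately recognises a host:port proxy value so the two are not confused. The sample hosts text is constructed for the example.

```python
"""Hosts-file loopback-hijack check (added example, not from the thread).

A proxy setting such as 127.0.0.1:8080 only tells the browser which
host:port to send requests through.  A hosts-file line such as
    127.0.0.1 www.majorgeeks.com
instead makes that name resolve to the local machine, so the site becomes
unreachable (or, with a hijacker listening locally, redirected).
"""
import ipaddress
import re

# Names a stock hosts file legitimately maps to a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a normal header, then entries of the kind the
# CWS/SvcHost description mentions (search sites pointed at localhost).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries for the example ---
127.0.0.1 www.google.com
127.0.0.1 search.yahoo.com search.msn.com   # trailing comment
10.0.0.5  intranet.example
"""


def parse_hosts(text):
    """Yield (ip_address, [names]) for each usable line; skip comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield ip, parts[1:]


def find_loopback_hijacks(text):
    """Return (ip, name) pairs where a name that is not a localhost alias
    is mapped to a loopback address: candidate hosts-file hijack entries."""
    hits = []
    for ip, names in parse_hosts(text):
        if not ip.is_loopback:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hits.append((str(ip), name))
    return hits


def is_proxy_setting(value):
    """True for a host:port value like the R1 ProxyServer entry in the HJT
    log (127.0.0.1:8080).  Such a value is a proxy, not a hosts redirect."""
    return re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", value.strip()) is not None


if __name__ == "__main__":
    for ip, name in find_loopback_hijacks(SAMPLE_HOSTS):
        print(f"suspect hosts entry: {name} -> {ip}")
    print("127.0.0.1:8080 is a proxy value:", is_proxy_setting("127.0.0.1:8080"))
```

    On a real XP machine the file to feed into `find_loopback_hijacks` is C:\Windows\System32\drivers\etc\hosts (read it with the hidden-files setting from the READ ME in place); an empty result means the hosts file is not redirecting anything to localhost, regardless of what proxy the browser is configured to use.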
  21. mindnmuscl2

    mindnmuscl2 Private E-2

    Re: Ardamax keylogger removal-status 3/14

    Hi Chaslang

    I wanted to keep you updated because you have been so willing to help me with my multiple requests. I have gotten somewhere with this issue and wanted to tell you what I did

    1) regarding your message #18. I tried to run secpol.msc and it says" cannot find" so I was unable to continue (tried over period of 3 days- fri-sun)
    2) I ran a new end/end test again on 3/13 based on your tutorial --will post results. I will post the HJT log if you will ok it. But before I do, I wanted to give you what I did

    Parameters for 3/13 run through
    A) Updated OS thru XP SP1a as of last week. SP2 will be installed tues 3/14 after updating all my HP drivers for compatibility and downloading the patch/fix MS Has published for HP system restore.
    B) System restore off
    C) Point 2 on tutorial N/A - did not find any of 3
    D) Can view all hidden files
    Booted into Safe mode, except as noted
    E) Trend Micro online- had to run in normal mode, with non-java setup. No issues reported
    f) Symantec Security-normal mode, could not connect to internet in safe. Nothing reported for security or virus
    G) CCleaner- tried to run, cuts out approx 1/2 way through in safe/normal mode. (tried both modes just in case)
    H) Ad-Aware( my version was 25 days old as I had not updated prior to running in safe-mode, was not able to connect to verizon in safe-mode)
    Found nothing
    I) VX2- clean
    J) Spybot- with immunize set to "on". Found remains of two other spyware to remove( spyhunter and spyware nuker, removed both)
    K) Ran CWShredder.... both in safe/normal... found nothing on CWS variants
    L) ran KILL2ME -nothing ( ran it only because I was not familiar enough to know what it specifically targeted- told you early on I am not too technical)
    M) ADS- nothing
    N) Ran MS Antispyware Beta in safe(given to me by geeksoncall) and it found nothing today* ( Ran it on friday 3/11 in safe and it found / isolated the CWS and supposedly deleted it--more to come)
    O) Avast 4.6- nothing
    P) Stinger would not run for me in safe-mode, had to run it in normal mode. Nothing found
    Q) created HJT log file for 3_13 --will post if approved
    R) logged into your forum after doing all the above, saw your message and downloaded the specific SPY SWEEPER from your link you sent. It seemed to be a "smaller" version of the one I thought I used from your tutorial? (seemed smaller only because the number of "definitions" seemed less than I remember, something like 40K definitions VS 69K I remember.)
    Ran spysweeper in normal mode and it picked up the CWS right away.
    I quarantined it and deleted it.
    --I will tonight re-run the spysweeper in safe-mode with restore off to see what it picks up.
    I know you wanted to see the log, and I can post the actual address that came up listed for CWS...

    Regarding ARDAMAX... I appreciate the Pareto logic tutorial. I have written to them again(so far ignored) to get removal instructions.
    I also downloaded explorerXP from your email and will look it over. I tried to go into the location and it showed nothing in the folder....weird

    Regarding CWS overall, seems to be reappearing so perhaps when I ran the spysweeper in safe mode it will not be there. But you will probably know better when you look over my HJT log.

    I will post my results from spysweeper and the HJT log from 3/13 if you want. May not see it for another 6-7 hrs based on work..

    thanks again.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Ardamax keylogger removal-status 3/14

    This should not be missing! It is a standard system file. Its full path is c:\windows\system32\secpol.msc You should check to see if it is there. You should be able to run it as long as you have Admin privileges.

    I don't understand the problem with Ccleaner! What version do you have?
    Did you update Ad-Aware? It was not clear from your message.
    I don't understand why Stinger will not run in safe mode either. What version is it? How far does it get? Do you get any error messages?

    Are you still getting warning about CWS?

    Post your HJT log.
     
