keylogged

August 4th, 2016

Ok, so here’s the thing
Someone injected 3 viruses in my computer.
All 3 are Ardamax viruses, so basically it's recording all my keystrokes and my passwords and probably mailing it to someone.
My Trend Micro and Lavasoft Ad-Aware detect it and delete it, but the next time I reboot they are still present.
Is there any good way to remove the spyware?
Also, is there any way I can come to know to which email id the strokes are being mailed?
Thanks in advance

Answer #1
Install good security like Kaspersky or NOD32.
Answer #2
Just use a good AV suite (Avira/Bitdefender/Kaspersky) WITH a firewall.
Then deny all suspicious web access; this way even if the app is running it couldn't send the data to the hacker.
However, the log is stored somewhere on your computer, so just edit it with fake data and allow it to be sent.
Any good firewall, or Wireshark, will tell you which email is the hacker's one. Then just report it to the mail admin.
Answer #3
How to trace it? No idea. But to clean it up, like said, get either Kaspersky or NOD32. I prefer NOD32 because it doesn't have blacklisted keys and it's lighter on the system. And install Registry Mechanic as well.
Clean + defrag your registry, then start a full system scan with NOD32 in safe mode.
Answer #4

kyuubi92 wrote:

How to trace it? No idea. But to clean it up, like said, get either Kaspersky or NOD32. I prefer NOD32 because it doesn't have blacklisted keys and it's lighter on the system. And install Registry Mechanic as well.
Clean + defrag your registry, then start a full system scan with NOD32 in safe mode.
Yeah, would be the safest way to remove everything.
I can highly recommend NOD32 myself, but it’s a matter of preference tbh.
Answer #5
Kaspersky.
Then install Keyscrambler.
Answer #6
What I usually do is just run the AV, find the file path of the infected item, open safe mode, delete the wee ~ censored ~
Answer #7

Matsumoto wrote:

Just use a good AV suite (Avira/Bitdefender/Kaspersky) WITH a firewall.
Then deny all suspicious web access; this way even if the app is running it couldn't send the data to the hacker.
However, the log is stored somewhere on your computer, so just edit it with fake data and allow it to be sent.
Any good firewall, or Wireshark, will tell you which email is the hacker's one. Then just report it to the mail admin.
Well, the spyware is deleted successfully even in safe mode. But as I said, it reappears on the next reboot.
Installing another AV would not be preferable, since Trend Micro is already installed and two AVs are always worse than one AV.
Finding the log file is a good option, but where to start would be a problem.
PS: I know Kaspersky is a great AV, but again the problem is that Trend Micro is already installed, and as I said one AV is better than two. Two AVs always conflict with each other and never let each other run properly.
Answer #8
What I usually do is just run the AV, find the file path of the infected item, open safe mode, delete the wee ~censored~
I did exactly the same thing; I even deleted the infected registry entries.
I also ran the AV in safe mode, and even then it deleted the infected files.
But the next time I start in normal mode, the files come up again.
Answer #9
Uninstall the anti-viruses you have on right now. Sometimes you get infected anti-viruses, so there's no use deleting what's installed on your system (since it found a way in). Do as I said in my last reply and it should work fine. 95% sure.
Answer #10
You can try a bootable CD approach, like the AVs in Hiren's Boot CD, Avira Rescue Disk, Dr.Web Rescue Disk or Ultimate Boot CD for Windows (UBCD4Win).
And by Kaspersky they mean uninstall your current AV and install it.
Answer #11

kyuubi92 wrote:

Uninstall the anti-viruses you have on right now. Sometimes you get infected anti-viruses, so there's no use deleting what's installed on your system (since it found a way in). Do as I said in my last reply and it should work fine. 95% sure.
Okie dokie... Trying it right now, will report back if it works or not.
The reason I'm reluctant to uninstall my current AV is because it's a legal version and it is an OfficeScan client. OfficeScan clients can never be removed entirely, since they are linked with your entire network.
So I guess I'll try installing NOD32 on top of the current AV.
Answer #12
I’ll help you remove it just do the following:
Please download the current version of HijackThis from here.
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Answer #13
I'll help you remove it, just do the following:
Please download the current version of HijackThis from here.
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


Ok, posting it back as soon as possible.
Thanks
Edit: Here's the log http://~ Dead file host ~/files/244508891/hijackthis.log.
Since there was a lot of text, I didn't consider it appropriate to post it here; instead I uploaded it on RS. Since it's just 13 KB, there won't be any waiting time and it won't disturb your normal downloads.
So, now what's next?
Answer #14

  • Open HijackThis.
  • Choose “Do a system scan only”
  • Check the boxes in front of these lines:

    O2 – BHO: (no name) – {02478D38-C3F9-4efb-9B51-7695ECA05670} – (no file)
    If you don't recognize this IP, fix it as well:
    O17 – HKLM\System\CCS\Services\Tcpip\..\{1A652BFC-45FA-42B3-8400-E39A43CFE76F}: NameServer = 208.57.222.222 208.67.220.220

  • Press “Fix Checked”
  • Close Hijack This.
  • Download combofix from either of these two links:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

1. If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to “Always ask me where to Save the files”.
2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See here for how to disable your AV.

    http://www.bleepingcomputer.com/forums/index.php?showtopic=114351

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It’s strongly recommended to have the Recovery Console installed before doing any malware removal.***

  • Allow combofix to run
  • Post C:\combofix.txt back here.
    Note:
    Do not mouseclick combofix’s window whilst it’s running. That may cause it to stall.
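The O2 and O17 lines above are the kind of entry a reader has to eyeball in a HijackThis log. As an added example (not from the thread and not part of HijackThis itself), this Python script flags BHO entries that have no name or no backing file, and any NameServer that is not on a resolver list the machine's owner supplies; the CLSIDs and name servers are the ones quoted in the thread, while the second BHO path and the 192.168.1.1 resolver are constructed values.

```python
import re

# Constructed sample log, modelled on the O2/O17 entries quoted in the thread.
# The second BHO path and the 192.168.1.1 resolver are made-up values.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {AAAAAAAA-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1A652BFC-45FA-42B3-8400-E39A43CFE76F}: NameServer = 208.57.222.222 208.67.220.220
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use (constructed: the owner's router).
# Anything else in an O17 entry is treated as unrecognised.
EXPECTED_DNS = {"192.168.1.1"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")


def triage_line(line, expected_dns=EXPECTED_DNS):
    """Return (section, reason, detail) if a HijackThis line deserves a look, else None."""
    line = line.strip().replace("\u2013", "-")  # forum software often turns '-' into an en dash
    m = O2_RE.match(line)
    if m:
        # A BHO with no name or no file on disk is an orphaned or hidden entry worth checking.
        if m["path"] == "(no file)" or m["name"] == "(no name)":
            return ("O2", "BHO with no name or missing file", m["clsid"])
        return None
    m = O17_RE.match(line)
    if m:
        unexpected = [s for s in m["servers"].split() if s not in expected_dns]
        if unexpected:
            # Resolvers the owner does not recognise can redirect every DNS lookup on the box.
            return ("O17", "unrecognised NameServer", " ".join(unexpected))
    return None


def triage_log(text, expected_dns=EXPECTED_DNS):
    """Run triage_line over a whole log and return the hits in log order."""
    hits = [triage_line(l, expected_dns) for l in text.splitlines()]
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for section, reason, detail in triage_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Entries the script flags still need the owner's judgement; it only narrows a long log down to the lines worth looking at.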