10-04-2006, 09:41 PM   #4
fredmh
Analyst, Security Team ; TSF Supporter
 
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage will not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.


----------------------------------------

DOWNLOADS


ATF CLEANER

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

AVG ANTI-SPYWARE 7.5

Note: AVG has purchased Ewido. Please uninstall Ewido anti-spyware 4.0 using Add/Remove and install AVG A/S

Please download AVG Anti-Spyware 7.5
  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.


Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.


DISABLE WEBROOT SPY SWEEPER


To disable SpySweeper Shields:

Open it, click -> Options over to the left then -> click the Program tab -> uncheck "Start Spy Sweeper at Windows startup".

Over to the left click "Shields":
  • Click Internet Explorer tab and uncheck all items.
  • Click Windows System tab and uncheck all items.
  • Click Hosts File tab and uncheck all items.
  • Click Startup Programs tab and uncheck all items.
  • Close SpySweeper.

----------------------------------------

FILE SUBMISSIONS


Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:


    C:\WINDOWS\system32\Sys\Explorer.exe
  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply together with a new HijackThis log.


Please also take a peek inside this folder, and if there are any other files present, submit them to VirusTotal for scanning also. Then repeat as above.

C:\WINDOWS\system32\Sys

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)


O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\Sys\Explorer.exe
O20 - Winlogon Notify: winbee32 - winbee32.dll (file missing)



Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

RUNNING SCANNERS


ATF CLEANER

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.


If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.


Click Exit on the Main menu to close the program


AVG Anti-Spyware 7.5
  • Run AVG A-S with its updated definitions (it's important that all windows are closed):
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine.
  • Then click Apply all actions.


Once finished, click the Save report button, then click Save Report As and save it to your desktop.


Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS


Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of Panda's 8 MB ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

Create an uninstall list:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the Notepad file into your post

----------------------------------------

FOLLOW-UP

Please return and post these items:


AVG A/S scan
Panda scan
Uninstall list
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode
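The two HijackThis entries fredmh singles out above are examples of a general triage pattern: an autostart binary that borrows the name of a core Windows executable (Explorer.exe) but runs from a directory where that executable does not belong, and a Winlogon Notify handler whose DLL is missing. The script below is an added example, not part of fredmh's post and not HijackThis code: it parses the O4 and O20 line formats quoted in the post and applies those two checks. The CORE_BINARIES and KNOWN_NOTIFY allow-lists are assumptions chosen for the example (default XP locations and handler names), and SAMPLE_LOG is constructed; its Explorer.exe and winbee32 lines mirror the entries the post tells the user to fix, the others are filler to show lines that pass.

```python
"""Triage helper for HijackThis-style O4 and O20 log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not HijackThis data): core Windows binaries whose names malware
# commonly borrows, with the directory each lives in on a default XP install.
CORE_BINARIES = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}

# Assumption: Winlogon Notify handler names present on a default XP SP2 install.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# "O4 - HKLM\..\Run: [Name] C:\path\prog.exe args"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O20 - Winlogon Notify: name - file.dll [(file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
    r"(?P<missing> \(file missing\))?$")
# First executable path in a command line, quoted or not, drive letter required.
EXE_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr|pif|bat))"?(?:\s|$)',
    re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def parse_o4(line: str) -> Optional[dict]:
    """Fields of an O4 HKxx\\..\\Run line, or None if the line is not one."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_o20(line: str) -> Optional[dict]:
    """Fields of an O20 Winlogon Notify line; 'missing' becomes a bool."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["missing"] = d["missing"] is not None
    return d


def exe_path(cmd: str) -> Optional[str]:
    """Executable path at the start of an O4 command line, without quotes."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else None


def triage_o4(entry: dict) -> list:
    """Flag a core-binary name launched from somewhere it does not live."""
    reasons = []
    path = exe_path(entry["cmd"])
    if path is None:
        return reasons
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    home = CORE_BINARIES.get(base)
    if home is not None and folder != home:
        reasons.append(f"{base} normally lives in {home}, here it runs from {folder}")
    return reasons


def triage_o20(entry: dict) -> list:
    """Flag a missing Notify DLL and any handler name not in the allow-list."""
    reasons = []
    if entry["missing"]:
        reasons.append("Winlogon Notify handler registered but its DLL is missing")
    if entry["name"].lower() not in KNOWN_NOTIFY:
        reasons.append(f"Winlogon Notify handler '{entry['name']}' is not a default XP handler; verify it")
    return reasons


def triage(log_text: str) -> list:
    """Run both checks over a log and return one Finding per suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        entry = parse_o4(line)
        if entry is not None:
            reasons = triage_o4(entry)
        else:
            entry = parse_o20(line)
            if entry is not None:
                reasons = triage_o20(entry)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample log: first and last lines mirror the entries in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\Sys\Explorer.exe
O4 - HKLM\..\Run: [AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: winbee32 - winbee32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

A name-and-location check like this is only a pointer to what to look at, which is why the post still sends the file to VirusTotal and asks for a fresh log after the fix; a legitimate handler in a non-default location would be flagged for review, not condemned.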