Old 10-05-2006, 06:32 PM   #5 (permalink)
fullcircle
Registered User
 
Join Date: Oct 2006
Posts: 8
OS: XP


Hi fredmh,

I've been through your list; it doesn't look like Defender was lying, does it :-)

The requested info follows.

Virus Total scan for

C:\WINDOWS\system32\Sys\Explorer.exe

STATUS: FINISHED
Complete scanning result of "Explorer.exe", received in VirusTotal at 10.05.2006, 18:41:26 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 10.05.2006 HEUR/Malware
Authentium 4.93.8 10.05.2006 no virus found
Avast 4.7.892.0 10.05.2006 Win32:Ardamax-AG
AVG 386 10.04.2006 no virus found
BitDefender 7.2 10.05.2006 no virus found
CAT-QuickHeal 8.00 10.05.2006 no virus found
ClamAV devel-20060426 10.05.2006 no virus found
DrWeb 4.33 10.05.2006 no virus found
eTrust-InoculateIT 23.73.14 10.05.2006 no virus found
eTrust-Vet 30.3.3115 10.05.2006 no virus found
Ewido 4.0 10.05.2006 no virus found
Fortinet 2.82.0.0 10.05.2006 no virus found
F-Prot 3.16f 10.04.2006 no virus found
F-Prot4 4.2.1.29 10.04.2006 no virus found
Ikarus 0.2.65.0 10.05.2006 no virus found
Kaspersky 4.0.2.24 10.05.2006 no virus found
McAfee 4867 10.05.2006 New Malware.b
Microsoft 1.1603 10.05.2006 no virus found
NOD32v2 1.1791 10.05.2006 a variant of Win32/KeyLogger.Ardamax
Norman 5.80.02 10.05.2006 no virus found
Panda 9.0.0.4 10.04.2006 Application/Ardamax
Sophos 4.10.0 10.05.2006 no virus found
Symantec 8.0 10.04.2006 no virus found
TheHacker 6.0.1.092 10.05.2006 no virus found
UNA 1.83 10.05.2006 no virus found
VBA32 3.11.1 10.05.2006 no virus found
VirusBuster 4.3.7:9 10.05.2006 no virus found


Aditional Information
File size: 470528 bytes
MD5: 897d9baaec16e826271a294e3f76467b
SHA1: bcf3e07b97ba883e8c07c729682fd227bb5a5f5a

To save a bit of space here: there are two other files in that Sys folder,

explorer.001
explorer.002

Scans of both files came up with "no virus found".
___________________________________________


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:39:18 05/10/2006

+ Scan result:



S:\System Volume Information\_restore{F92C9E9C-D6E3-414B-BD8D-F2FCCA3149D8}\RP315\A0043495.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
H:\MP3 Toys 25\MP3Toys25Setup.exe -> Not-A-Virus.Monitor.Win32.Ardamax.k : Cleaned with backup (quarantined).



::Report end

________________________

Uninstall list

3D Calendar 5.0
Ad-Aware SE Personal
Adobe InDesign CS
Adobe Photoshop CS
Adobe Reader 7.0.5
Adobe Shockwave Player
Advanced Font Viewer 2.3
Advanced X Video Converter
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
All To MP3 Converter 1.34.2
Aquarium Desktop
ArtIcons Pro
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audio Conversion Wizard 1.4
Audio DVD Creator 1.9.1.0
AVG Anti-Spyware 7.5
AVG Free Edition
Cambridge Advanced Learner's Dictionary
CloneDVDmobile
ConvertXtoDVD 2.0.13
CopyToDVD 4
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Diskeeper Professional Premier Edition
DivX
Dream Aquarium
DVD2one V2.0.5
DVD43 v3.7.0
EmEditor v3
Enterra Icon Keeper 1.0
FairStars Audio Converter 1.46
FUJIFILM USB Driver
GdiplusUpgrade
Google Earth Pro
Google Toolbar for Internet Explorer
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Radio
Hauppauge WinTV2000
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
HP Memories Disc
HP Software Update
HTML-Kit
Ipswitch WS_FTP Professional 2006
J2SE Runtime Environment 5.0 Update 8
jv16 PowerTools 2005
JVC GC-A50
Kerio Personal Firewall
KODAK Camera Connection Software
KODAK Camera Connection Software Help
KODAK Memory Albums
KODAK One Touch to Better Pictures
KODAK Picture Software
KODAK Picture Transfer Software
KODAK Software Updater
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79.1
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
NATATA Anti-Spam Encoder 1.0
Nero 7 Demo
Ninotech Path Copy 4.0
overland
Panda ActiveScan
PestPatrol Corporate Edition v5
Photosmart 140,240,7200,7600,7700,7900 Series
PowerISO
Quick Batch File Compiler 2.0.7.0
Roxio Easy Media Creator 8 Suite
Roxio Easy Media Creator 9 Suite
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
Shareaza version 2.2.1.0
SightSpeed (remove only)
SoundMAXWDM
Spy Sweeper
Spybot - Search & Destroy 1.4
SpyHunter
SyncToy
System Requirements Lab
Tag&Rename 3.2
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
User Profile Hive Cleanup Service
VideoLAN VLC media player 0.8.5
webcamXP (remove only)
WinAVIVideoConverter
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XoftSpy

____________________________________

PANDA ACTIVE SCAN REPORT



Incident Status Location
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\Sys\Explorer.exe
___________________________________________________

NEW HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 01:28:07, on 06/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\InternetProgs\WindowsDefenderBeta2\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Utils\AVG Anti-Spyware 7.5\guard.exe
D:\INTERN~1\AVG\avgamsvr.exe
D:\INTERN~1\AVG\avgupsvc.exe
D:\INTERN~1\AVG\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
D:\Utils\DisKeeper\DkService.exe
D:\InternetProgs\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
D:\InternetProgs\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
D:\InternetProgs\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
D:\Utils\Logitech\iTouch\iTouch.exe
D:\Utils\Logitech\MouseWare\system\em_exec.exe
D:\InternetProgs\SunJava5.0_08\bin\jusched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\Utils\HP7660\HP Software Update\HPWuSchd2.exe
D:\CDWriting\Roxio9\Media Experience\DMXLauncher.exe
D:\InternetProgs\WindowsDefenderBeta2\MSASCui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Utils\CreativeMediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Utils\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Utils\WinTV\Ir.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\InternetProgs\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Utils\EmEditor\EMEDITOR.EXE
D:\Utils\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\InternetProgs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\InternetProgs\SunJava5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] D:\Utils\HP7660\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Enterra Icon Keeper] "D:\Utils\Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [AVG7_CC] D:\INTERN~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Utils\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Utils\DisKeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\InternetProgs\SunJava5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Utils\HP7660\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DMXLauncher] "D:\CDWriting\Roxio9\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\InternetProgs\WindowsDefenderBeta2\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Utils\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] D:\Utils\CreativeMediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] D:\Utils\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [3DCal32@3DCAL32.INI] D:\Utils\3DCal32\3DCal32.exe /C D:\Utils\3DCal32\3DCAL32.INI
O4 - Global Startup: AutoStart IR.lnk = D:\Utils\WinTV\Ir.exe
O4 - Global Startup: Shortcut to E-mail.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\InternetProgs\SunJava5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\InternetProgs\SunJava5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152527656912
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...61/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Utils\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\INTERN~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\INTERN~1\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\INTERN~1\AVG\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Utils\DisKeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\InternetProgs\Personal Firewall 4\kpf4ss.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\InternetProgs\Spy Sweeper\WRSSSDK.exe


Hope this is what you require.

Thanks,

fullcircle