
Solved: Trojan-Spy.Win32.Ardamax.e

Discussion in 'Virus & Other Malware Removal' started by ACA529, Nov 10, 2007.

Thread Status:
Not open for further replies.
  1. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Hi,

    I just reformatted and somehow I managed to get a Trojan! How do I get rid of this? How do I make sure I'm completely clean?

    Here's what Kaspersky said:
    [image: Kaspersky alert screenshot]



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:03:40 PM, on 11/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Andrew\Desktop\HiJackThis.exe

    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4084 bytes



    ComboFix 07-11-08.1 - Andrew 2007-11-10 22:39:57.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.706 [GMT -6:00]
    Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
    .

    2007-11-10 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-10 21:58 <DIR> d-------- C:\Program Files\DAEMON Tools
    2007-11-10 21:51 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-10 16:14 <DIR> d-------- C:\Program Files\iTunes
    2007-11-10 16:14 <DIR> d-------- C:\Program Files\iPod
    2007-11-10 16:14 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Apple Computer
    2007-11-10 16:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-11-10 16:13 <DIR> d-------- C:\Program Files\QuickTime
    2007-11-10 16:13 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-11-10 16:13 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-11-10 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-10 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-10 16:11 <DIR> d-------- C:\Downloads

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 04:40 378,144 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-11 04:40 29,984 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-11 04:18 --------- d-----w C:\Program Files\Steam
    2007-11-11 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-11 04:17 4,484 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-11 04:17 3,596 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-11 04:03 82,061 ----a-w C:\WINDOWS\system32\drivers\klick.dat
    2007-11-11 04:03 81,549 ----a-w C:\WINDOWS\system32\drivers\klin.dat
    2007-11-11 03:56 --------- d-----w C:\Program Files\FlashGet
    2007-11-10 21:53 --------- d-----w C:\Program Files\Xvid
    2007-11-10 21:38 --------- d-----w C:\Program Files\Kaspersky Lab
    2007-11-10 21:37 402,944 ----a-w C:\WINDOWS\system32AKV.exe
    2007-11-10 21:30 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-10 21:21 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-10 21:17 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
    2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-10-04 23:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-10-04 23:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-10-04 23:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-10-04 23:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-10-04 23:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-10-04 23:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-10-04 23:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-10-04 23:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-10-04 23:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-10-04 23:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-10-04 23:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-10-04 23:14 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
    2007-10-04 23:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-10-04 23:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-10-04 23:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-10-04 23:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-10-04 23:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-10-04 23:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-10-04 23:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-10-04 23:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-10-04 23:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-10-04 23:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-10-04 23:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-10-04 23:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
    2007-10-04 23:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-10-04 23:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-10-04 23:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2006-11-20 02:48 C:\WINDOWS\system32\HDAShCut.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14]
    "nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\Steam.exe" [2007-11-10 15:40]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-10 22:13:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 22:40:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-10 22:41:26
    .
    --- E O F ---
     
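    The HijackThis log above is read by hand: the O4 Run keys, the O20 AppInit_DLLs entry and the O23 services are the lines a helper checks first. As an added example (not code from this thread or from HijackThis), here is a small Python parser for that log format with a triage pass that flags the entries worth verifying: an AppInit_DLLs entry, an autostart given as a bare filename, and anything loading from outside the Windows or Program Files trees. The sample log is constructed from lines like the ones in the thread; the "updchk" entry is invented to exercise the user-writable-location check.

```python
import re
from dataclasses import dataclass
# Constructed sample in HijackThis v2 log format, modelled on the thread's log.
# The "updchk" line is invented to exercise the user-writable-location check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\user\Local Settings\Temp\updchk.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^\s*(O\d+) - (.*)$", re.MULTILINE)
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|com))", re.IGNORECASE)
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
@dataclass
class Entry:
    section: str  # O4, O20, O23, ...
    kind: str     # "HKLM\..\Run", "AppInit_DLLs", "Service", "BHO", ...
    name: str
    path: str     # the file the entry actually loads
def executable_path(cmd: str) -> str:  # handles quoted paths and rundll32 wrappers
    cmd = cmd.strip().lstrip('"')
    m = EXE_RE.match(cmd)
    if m and m.group(1).lower().endswith("rundll32.exe"):  # real target is the DLL argument
        return executable_path(cmd[m.end():])
    return m.group(1) if m else cmd

def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for sec, rest in LINE_RE.findall(text):
        if sec == "O4" and (m4 := O4_RE.match(rest)):
            hive, key, name, cmd = m4.groups()
            entries.append(Entry(sec, f"{hive}\\..\\{key}", name, executable_path(cmd)))
        else:  # "Kind: name - vendor/CLSID - path", or just "Kind: path" for O20
            parts = rest.split(" - ")
            kind, _, tail = parts[0].partition(": ")
            name, path = (tail, parts[-1]) if len(parts) > 1 else ("", tail)
            entries.append(Entry(sec, kind, name, path))
    return entries

def review(entries: list[Entry]) -> list[tuple[Entry, str]]:  # what to verify first
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.section == "O20":
            findings.append((e, "AppInit_DLLs is loaded into every user32 process; confirm the vendor"))
        elif e.section == "O4" and "\\" not in p:
            findings.append((e, "bare filename, resolved through the search path"))
        elif e.section in ("O4", "O23") and not p.startswith(TRUSTED):
            findings.append((e, "loads from a user-writable location"))
    return findings
```

    A trusted directory is not a trusted file: entries that pass `review` still need their vendor and hash checked, which is exactly what the helper does by eye on the log above.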
  2. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    It seems to be copying itself to different files.

    I just got another warning about it a few minutes ago,

    deleted: Trojan program Trojan-Spy.Win32.Ardamax.e File: C:\System Volume Information\_restore{6266DC8F-C35B-468E-AC12-296E6D4F50B6}\RP5\A0000091.exe

    Last night when Kaspersky first warned me about this, my computer shut down without any warning. It shut down strangely, like it was connected through a network. It had this box that said Windows XP in it and it looked as though my computer was on some network??? It got me confused.

    And just now I browsed the C: drive and some strange folder appeared. No idea what it's connected to.
     


  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    That folder is created by ComboFix.

    You can delete it.

    Flush your System Restore:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


    Run another KASPERSKY and post the results.
     
  4. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Hi,

    Thanks for your help. Kaspersky takes a long time to complete a full system scan. Could I use SAS instead?
     
  5. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/11/2007 at 06:35 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3342
    Trace Rules Database Version: 1343

    Scan type : Complete Scan
    Total Scan Time : 00:13:37

    Memory items scanned : 359
    Memory threats detected : 0
    Registry items scanned : 3352
    Registry threats detected : 0
    File items scanned : 15394
    File threats detected : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\Andrew\Cookies\[email protected][2].txt
    C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
    C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Looks fine. How is it running now? Any problems?
     
  7. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Nope, no problems. Just wanted to do some banking online yesterday but I thought I'd better hold off so I make sure I don't actually have a keylogger... :)

    Thanks for your help.

    P.S. Do you know where I could have gotten this from?
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Can't say where you picked it up. Likely just surfing around and hit on an infected page.
     
  9. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Ok, so I'm completely clean now?

    Thanks for all your help.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Logs look good to me. If you are not having any problems I would say you are good to go.

    :)
     
  11. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Ok, so I installed Windows Defender today and it showed up again!

    [image: Windows Defender alert screenshot]

    This thing still hasn't left yet.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    • In the Additional Scans section select ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete, Notepad will open with the report file loaded in it.
    • Before saving that Notepad file, click on the "Format" menu and make sure that "Word Wrap" is not checked. If it is, click on it to uncheck it, then save the file.
    Please post the resulting log here as an attachment.

    • Click on the orange Post a Reply! button
    • scroll down to Manage Attachments
    • Click in the box that says Upload File from your Computer
    • Click the Browse... button and find the file then click open
    • Click the Upload button
    • Wait until you see Current Attachment and your file name
    • Click on Close this window
    • Then submit the reply.
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I see you have deleted your response, did you fix the problem?
     
  14. ACA529

    ACA529 Thread Starter

    Joined:
    Nov 15, 2005
    Messages:
    6,117
    Yes, it was fixed. I did 3 scans and now it's gone. Sorry for the confusion... I had a flight and didn't have time to continue.
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No problem, just checking.

    (y)
     
Short URL to this thread: https://techguy.org/650429