
Ardamax Keylogger?


Dollie

MIS
May 2, 2000
I found a nasty little program called the Ardamax Keylogger on one of my workstations. I just happened to look at the virus scan window at the right time and spotted the word "keylogger", restarted the scan and spotted "Ardamax" the 2nd time around.

It's completely invisible, it does not show up in Add/Remove programs. The only info I can find is that it's a nifty little keylogger. I have NO idea where this could have come from, how long it has been on the machine, etc.

I found info on Symantec's site, but it involves removing the program and registry files. I cannot locate anything on this machine.

It is installed in one of these two invisible directories:
%Program Files%\Ardamax Keylogger Lite
%Program Files%\Ardamax Keylogger

The settings within the program allow the user to make the software completely invisible, and something/someone has done this.

Anyone know how to remove this piece of garbage??

Thanks in advance!
 
Based on Symantec's info it looks as though you should be able to use the Ardamax uninstaller to remove it (before checking removal by examining registry keys etc).

Disclaimer - I haven't tackled this type of infection personally, but I've done a bit of reading and I'd suggest starting with:

1. Are you able to make the tray icon visible using the Ctrl+Alt+Del+H combination mentioned by Symantec? There may be control / invisibility options within the software, and you may be able to locate the email address / FTP settings that the keylogger is using for outward transmission.

2. If unable to remove visibility using program options, then try running the %ProgramFiles%\Ardamax Keylogger\Uninstall.exe directly via the Start-Run dialog. Assuming this is successful, use the Symantec information to check for orphaned / sneaky registry entries still remaining.

Let us know how you get on..

HTH

TazUk

[pc] Blue-screening PCs since 1998
 
Because this little beauty has been installed on a fairly new system (less than 1 yr old), I'd really like to find out *where* it came from, who is receiving the log files, etc.

tazuk, the actual tray icon command is Ctrl+Alt+Shift+Del. And it doesn't work. Whatever installed it and controls the settings has made it impossible to get into normally.

I think I may actually ghost the machine, remove the spyware, and at a later time do some digging/destruction and see what I can find out.

Something like this is really worrisome because of the work the person does and passwords that have been typed in (all network passwords now need to be changed, thankyouverymuch).

Thanks so much for your help. I'm going to go tackle this now and see what works!
 
You may be able to contact the company that makes Ardamax directly and see if they have a way in that you don't know of. Just a thought. Keep us posted.

Erik
 
erikhertzel,

Unfortunately, the removal instructions listed at the link you provided assume that the software was installed properly and is not designated as "hidden".

The "Invisibility" section of the software (from a screenshot on their site) shows that you can do the following: hide the tray icon, hide it from Ctrl+Alt+Del, remove shortcuts from Start menu, remove from the uninstallation list, hide the program folder, hide the program from windows startup list.

The only proof I have that this software is even on the system is because I saw the directory shoot by when a virus scan was running. A visual search doesn't find it at all.

This is today's albatross for me, and it's going to drive me nuts till I figure it out :)
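The invisibility options listed above (hidden folder, removed from the uninstall list, hidden from the startup list, hidden tray icon) each leave something that can still be checked from the command line. The script below is an added example for this thread, not something posted by Dollie, TazUk or Symantec, and not Ardamax's own tooling. The two folder names come from the thread; the registry locations are the standard Windows Uninstall and Run keys, so it is an assumption that this particular install used them at all (the poster's point is that the software was told to hide from those lists, so an empty result is not proof of absence). Run it from an elevated PowerShell prompt.

```powershell
# Added example: hunt for a program that has hidden itself the way the thread describes.
# Folder names are from the thread; the registry paths are generic Windows locations
# (assumption: the install touched them at all). Nothing here deletes anything.
$Name = 'Ardamax'
$Candidates = @(
    (Join-Path $env:ProgramFiles 'Ardamax Keylogger'),
    (Join-Path $env:ProgramFiles 'Ardamax Keylogger Lite')
)
if (${env:ProgramFiles(x86)}) {
    $Candidates += (Join-Path ${env:ProgramFiles(x86)} 'Ardamax Keylogger')
    $Candidates += (Join-Path ${env:ProgramFiles(x86)} 'Ardamax Keylogger Lite')
}

# 1. "Hide the program folder": a hidden/system folder is skipped by a normal dir
#    listing and by Explorer, but Test-Path and -Force still see it.
foreach ($dir in $Candidates) {
    if (Test-Path -LiteralPath $dir) {
        $attr = (Get-Item -LiteralPath $dir -Force).Attributes
        "Folder present: $dir  [attributes: $attr]"
        Get-ChildItem -LiteralPath $dir -Force -Recurse |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

# 2. "Remove from the uninstallation list": Add/Remove Programs is built from these
#    keys, so search them directly rather than trusting the control panel.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($key in $UninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like "*$Name*" -or $_.UninstallString -like "*$Name*" } |
            Select-Object DisplayName, UninstallString, InstallLocation
    }
}

# 3. "Hide the program from the Windows startup list": msconfig reads these keys;
#    enumerate every value and match on the command line, not the value name.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$Name*" } |
            ForEach-Object { "Autorun: $key\$($_.Name) = $($_.Value)" }
    }
}

# 4. "Hide the tray icon" / "hide from Ctrl+Alt+Del": the UI can be hidden, but the
#    process still has an image path on disk.
Get-Process | Where-Object { $_.Path -and $_.Path -like "*$Name*" } |
    Select-Object Id, ProcessName, Path, StartTime
```

Two practical notes. First, copy the folder found in step 1 somewhere safe before running the Uninstall.exe that TazUk mentions; any log files or the configured mail/FTP destination are worth more to the "where is this going" question than a clean machine is. Second, all four checks run from inside the suspect OS, so they only catch hiding done with folder attributes and registry edits. If the program is also concealed from the running system itself, nothing in this script can be trusted, and the safer path is the one Dollie describes: image the drive, then examine the image from a clean machine.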
 