Topic: Win32:Ardamax-gen


skywreck

  • Guest
Win32:Ardamax-gen
« on: October 06, 2006, 01:49:49 AM »
Would appreciate info on the above.

Thanks in advance


Joakim

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32:Ardamax-gen
« Reply #1 on: October 06, 2006, 02:16:01 AM »
What was the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Well, to start with, -gen signatures are generic, designed to detect a family rather than an individual virus/trojan. There are also many different names, as there is no standardisation for malware naming; see this translated page, Ardamax-gen, which gives a number of aliases which you can also search for.

Secondly, a Google search for Ardamax-gen returns many hits, and this is how we find the information to answer your questions, hint ;D

One is in the avast forum, and it seems you missed a bit of the malware name, Win32:Ardamax-gen [Tool], the important bit being [tool], as this could also be a keylogger tool.

Ardamax is a commercial keylogger. One of the features described on their web site might apply to you (assuming you didn't install this):

"Engine Builder - creates a customized Ardamax Keylogger engine file. You can email this file to your target for remote monitoring. "

The web site is here

http://www.ardamax.com/keylogger.html

Does this ring any bells?

Lastly, I have never bothered to go looking for myself for what a virus or trojan does, so long as it is detected and dealt with. If I experience any issues with it, then I find out more about it to be able to fully deal with it; that usually entails searches on the file name, virus name and any aliases to gather the information. This can be a long process, so I don't do it very often; I also rarely have any viruses/malware to detect.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

skywreck

  • Guest
Re: Win32:Ardamax-gen
« Reply #2 on: October 06, 2006, 11:50:30 AM »
Thanks for your reply. There was a [Tool] after the Win32:Ardamax-gen.
Avast has cleaned it without problem and I have scanned everything afterwards
and all OK. I was just curious. I did a Google search using Win32:Ardamax-gen
but didn't get much info out of it. I guess I should have left Win32: out of the
search parameters.

Cheers

Offline DavidR

Re: Win32:Ardamax-gen
« Reply #3 on: October 06, 2006, 03:18:08 PM »
No problem, welcome to the forums.

Searching just on virus names doesn't seem to reveal much in any case because of this non-standardisation of virus names and, as you say, using different permutations of the virus name helps. However, searching on the infected file names is often more effective in bringing information, which not only can point to an infection but could also point to a legitimate program use (like in the case of a tool).

You never did say what the file name and location was, or if the quoted text about the Ardamax keylogger program rang any bells?

The reason we ask questions is to try and give detailed advice/help.
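An added example (not part of any post in this thread) of the points made in replies #1 to #3: it splits a detection name into its parts, flags the generic `-gen` suffix and the `[Tool]` category, and builds the search permutations discussed above. The `Platform:Family-gen [Category]` layout is an assumption inferred from the one name quoted here, and the function names and the sample file name are hypothetical.

```python
import re

# Assumed layout: "Platform:Family[-gen] [Category]", inferred from the
# single name quoted in this thread ("Win32:Ardamax-gen [Tool]").
NAME_RE = re.compile(
    r"^\s*(?:(?P<platform>[A-Za-z0-9]+):)?"   # optional "Win32:" prefix
    r"(?P<family>[A-Za-z0-9_.]+?)"            # family name, e.g. "Ardamax"
    r"(?P<generic>-gen)?"                     # generic-signature suffix
    r"(?:\s*\[(?P<category>[^\]]+)\])?\s*$",  # optional "[Tool]" tag
    re.IGNORECASE,
)

def parse_detection(name):
    """Split a detection name into platform, family, generic flag, category."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    return {
        "platform": m.group("platform"),
        "family": m.group("family"),
        "generic": m.group("generic") is not None,
        "category": m.group("category"),
    }

def search_terms(name, file_name=None):
    """Search permutations, most useful first: file name, then name variants."""
    d = parse_detection(name)
    terms = []
    if file_name:                      # reply #3: file names often find more
        terms.append(f'"{file_name}"')
    terms.append(d["family"])          # reply #2: drop the "Win32:" prefix
    if d["generic"]:
        terms.append(d["family"] + "-gen")
    if d["category"]:
        terms.append(f'{d["family"]} {d["category"].lower()}')
    terms.append(name.strip())         # full name as reported by the scanner
    return list(dict.fromkeys(terms))  # de-duplicate, keep order

def triage_notes(name):
    """Reminders from reply #1 about how to read the name."""
    d = parse_detection(name)
    notes = []
    if d["generic"]:
        notes.append("generic signature: matches a family, not one sample")
    if (d["category"] or "").lower() == "tool":
        notes.append("tool category: may be a program someone installed")
    return notes
```
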

cruiser85

  • Guest
Re: Win32:Ardamax-gen
« Reply #4 on: January 14, 2007, 09:34:56 PM »
Hi,
Actually, I have downloaded 'buddy spy setup' from www.buddy-spy.com. I have read that 'Yahoo Buddy Check 1.0.2' contains this 'Win32:Ardamax-gen [tool]' virus.
Zone Alarm is installed on my computer and is working fine, so can I install this buddy spy setup?
It seems this virus is a logger trojan (what exactly is that?), so I thought it could be on any of these buddy checks.

thanks
cruiser

Offline DavidR

Re: Win32:Ardamax-gen
« Reply #5 on: January 14, 2007, 09:47:25 PM »
You have to decide if the tool has a legitimate purpose and if so exclude it from scans (see below).

Check the link/s in my post, reply #1 above, or do a Google search, but generally a key-logger does just that, records your key strokes; what it does with them is the 64,000 dollar question.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
