ESS don't see Ardamax Trojan . Why?

[greenfly]

I have downloaded one aplication on my desktop computer were i have installed KIS 0.7. In fase of download KIS stopped the download because the file was infected with Ardamax Trojan.

On my laptop , were i have installed ESS , i tryed to download the same file , and ESS had non see anything.. I have send the infected file to virustotal and Jotty to analyse ,, there is the photo in att.

I runned the infected file, and ESS >nothing.

In HJT log i found and clean a lot of infected temp files......

I feel disappointed.....

Edit: Screenshot removed per the forum policy

[Marcos]

Again, it's mostly an installer with encrypted files attached. It's very likely that the keylogger itself would be detected upon extraction when the files are decrypted.

[greenfly]

Quote:

Originally Posted by Marcos

Again, it's mostly an installer with encrypted files attached. It's very likely that the keylogger itself would be detected upon extraction when the files are decrypted.

Noup... i have installed the program,, nothing detected.

edit : sorry, now the infected files are detected......,, but is to late > i'm allready infected.....maad

[Bubba]

Quote:

Originally Posted by greenfly

I have downloaded one aplication on my desktop

Was that "aplication" the Ardamax Keylogger program ?

[greenfly]

Yap....

Quote:

Originally Posted by greenfly

Noup... i have installed the program,, nothing detected.

edit : sorry, now the infected files are detected......,, but is to late > i'm allready infected.....maad

Pictures say it all

[Marcos]

http://www.ardamax.com/downloads/setup_akl.exe a variant of Win32/KeyLogger.Ardamax application connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Opera\Opera.exe.

[Bubba]

Quote:

Originally Posted by greenfly

but is to late > i'm allready infected.....maad

Is it now "detected" because you re-adjusted your settings to monitor Potentially unsafe applications, which is enabled by default ?

[greenfly]

Is not that program , I have downloaded "Fraps" from Rapidshare. I'm not sure that i can post the link Rules.....maybe in private??

We can see the "thing" is detect . Boot in Safe Mode and run a scan (Start -> Program -> ESET -> ESET Smart Security) . Confirm with YES and the ESET Command line scanner will start scanning and cleaning

However , if you suspect something is undetected or there is a problem in its cleaning , send information to ESET ThreatLab -> samples@eset.com .

[greenfly]

Can't boot in safe modeXP, because i have Dualboot with Vista ,and there is no options to enter in XP safe mod,, only Vista safe mod on which i have AVG free installed...

You can boot in XP Safe Mode:

1st way:
Just after you choose your OS (a.k.a. Microsoft Windows XP) , start pressing multiple times F8 , which will lead you to the Advanced menu where you can choose to enter Safe Mode . The fact you have mode than one OS installed doesn't really matter

2nd way:
Open Start -> Run -> type msconfig , press ENTER . In the "boot" tab , check "Safe boot" (you can change other options , too) , confirm the changes and restart . This way you'll enter Safe Mode . In order to start in Normal mode again , you must uncheck the "Safe boot" in msconfig.


Another way to clean the XP partition is to enter Windows Vista and run ESET Online scanner from www.eset.com/onlinescan
Make sure to first run IE7 as administrator