adamax keylogger - regedit will not run


  1. Posts : 3
    Windows 10
       #1


    Hit by some ugly malware that seems to prevent me from running regedit or Malwarebytes. gangnamgame.net pops up after a reboot as well as adamax keylogger. When I try to run either one of them nothing at all happens. No errors, no window or anything. The spyware is adamax keylogger, which I only know because it shows up every time in the task window, and gangnamgame.net launches itself in Firefox. I need to run regedit to remove it but I'm guessing the malware itself is what is preventing me from doing so.

    I'm not a PC novice and am very aware of all of the BS out there but this one has really done me in.

    Any help would be greatly appreciated.


  2. Posts : 39,935
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #2

    Try one of the fixes listed here & see if one of these will restore access to the registry. If you have no luck with this in normal mode, you may wish to try some of these scanners/suggestions in safe mode.

    5 Ways To Re-enable Registry Editor When Disabled By Virus

    Another suggestion is to use RKill to try & terminate the process, then run malware scanners to try to remove it. Do NOT reboot after running RKill.

    RKill Download

    As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.
    Suggested scanners would be Malwarebytes, AdwCleaner & TDSSKiller to be sure you don't have a rootkit.

    Another option is the one listed here, d/l Autoruns by Sysinternals & use the program to kill it from there.

    Remove gangnamgame.net pop-up on startup (Uninstall Guide)

    Other Sysinternals tools that may help.

    RegJump

    Process Explorer

    The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
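
Post #2 points out that RKill only stops running processes and that anything configured to start automatically comes back after a reboot. The read-only PowerShell below is an added example, not part of the thread or of any tool it mentions; the registry locations it checks (the DisableRegistryTools policy value, the Image File Execution Options Debugger value and the Run keys), the `mbam.exe` image name and the helper names `Get-RegValue` and `New-Finding` are assumptions, since the thread names none of them.

```powershell
# Added example: read-only triage, nothing here changes the registry.
# Assumption: the locations below are standard Windows ones; the thread names none of them.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function New-Finding {
    param($Check, $Location, $Name, $Value, [bool]$Review)
    [pscustomobject]@{ Check = $Check; Location = $Location; Name = $Name; Value = $Value; Review = $Review }
}

$findings = @()

# 1. Policy value that turns off registry editing tools (non-zero = disabled).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = Get-RegValue -Path $path -Name 'DisableRegistryTools'
    $findings += New-Finding 'Policy' $path 'DisableRegistryTools' $v ($null -ne $v -and $v -ne 0)
}

# 2. A Debugger value under Image File Execution Options redirects the launch
#    of the named executable to another program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'regedit.exe', 'mbam.exe') {   # mbam.exe: assumed Malwarebytes image name
    $v = Get-RegValue -Path "$ifeo\$exe" -Name 'Debugger'
    $findings += New-Finding 'IFEO' "$ifeo\$exe" 'Debugger' $v ($null -ne $v)
}

# 3. Run-key autostart entries: what would start again after a reboot.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        # Listed for manual review; not flagged automatically, since the
        # script cannot tell legitimate entries from malicious ones.
        $findings += New-Finding 'Autostart' $path $name $key.GetValue($name) $false
    }
}

$findings | Format-Table -AutoSize -Wrap
```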


  3. Posts : 703
    Windows 10 Pro x64
       #3

    Borg 386 said:
    ...
    Wow! Pretty comprehensive answer. Nice post!

    @byounker,
    Please take note that some of the 'smarter' infections may attempt to prevent you from downloading or installing the necessary tools for disinfection. In which case you would need to rename the file in question to fool the infection into thinking it is ok.


  4. Posts : 16,325
    W10Prox64
       #4

    WhyMe said:
    Wow! Pretty comprehensive answer. Nice post!


    @byounker,
    I might add, if you need to, there is a rescue disk available from Kaspersky which runs at boot (outside the OS) and may help clear things up enough for you to get control again.


  5. Posts : 39,935
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #5

    WhyMe said:
    Please take note that some of the 'smarter' infections may attempt to prevent you from downloading or installing the necessary tools for disinfection. In which case you would need to rename the file in question to fool the infection into thinking it is ok.
    Yepperz, good point. I forgot to mention RKill is available to d/l with different file names to allow it to run when some of these PIA's have blocked certain files from running.

    Below is a list of RKill download links using different filenames. We offer RKill under different filenames because some malware will not allow processes to run unless they have a certain filename. Therefore, when attempting to run RKill, if a malware terminates it, please try a different filename offered below.

