RAT.RADS.gen


ukwiz
August 12th, 2004, 12:14 PM
I am having trouble getting TDS to remove the following:
Live trojan found (in process memory): RAT.RADS.gen
File: C:\WINDOWS\System32\OboAkh0.exe

Live trojan found: RAT.RADS.gen
File: C:\WINDOWS\System32\Hpx2p.exe

I have taken a hijackthis dump which is attached - I am sure that there are all sorts of things still lurking after having removed over 400 hits in Spybot!

Can you help show what is restarting this trojan?

Regards
David

Pilli
August 12th, 2004, 02:05 PM
Hi ukwiz, Apart from the fact that your HJT log needs a good looking at by an expert as there is malware that even I can see, you should do a TDS scan from safe mode. Safe mode can be reached by pressing F8 a few times just BEFORE windows starts or as POST ends.

An expert should look at your file but they may suggest that you use one of the other sites mentioned here: http://www.wilderssecurity.com/showthread.php?t=42148

Pilli

Jooske
August 12th, 2004, 03:16 PM
Hi there, do you remember when all this started? Would going back to an older restore point be an option?
Maybe it would have been better to run the HJT log before Spybot S&D, but OK, it's done.

For the HJT file: I guess you would prefer to make a folder on that J:\ for HJT and the backup files it creates with the fixes, as on a whole partition they might easily get lost.

Anyway, first to Pilli's suggestion for the safe mode scan i guess.

Gavin - DiamondCS
August 13th, 2004, 12:37 AM
I'd suggest you kill these running processes with the TDS process list

C:\documents and settings\adam\local settings\temp\rIM0.exe
C:\WINDOWS\System32\OboAkh0.exe
C:\WINDOWS\System32\Hpx2p.exe

Then fix these entries and reboot

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fcxmhpvblcpdr.com/0OVeJHlmKLBMoJkM/2/si1LyrtaPAfnDBGQPRcQrXOc3KZnEw5W6ely6uUyEZclG.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll


O4 - HKLM\..\Run: [2QA68XP4C66PNY] C:\WINDOWS\System32\Qdxb4jKR.exe

O4 - HKLM\..\Run: [playxd] C:\WINDOWS\System32\playxd.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
O4 - HKLM\..\Run: [vneoklukdypy] C:\WINDOWS\System32\xjsengm.exe

O4 - HKLM\..\Run: [error remote] C:\PROGRA~1\CURBWA~1\INTERNETRULEUP.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
O4 - HKLM\..\Run: [Rect Bat Funk Type] C:\Documents and Settings\All Users\Application Data\Grey Name Rect Bat\rect junk.exe

O4 - HKLM\..\Run: [qs4X37e] skdstr.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

You will need to get your log analysed after this, but at least this will stop SOME of the junk :) I'd appreciate you sending me those EXE and DLL files mentioned if you can, there is an email address in my profile or use submit @ diamondcs.com.au
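
An added example, not from the thread and not DiamondCS or HijackThis code: a small Python parser for the HijackThis log format quoted above (the R0/R1/R3, O2, O3, O4 and O16 lines). It pulls the file path out of each entry, lists the absolute paths worth copying before the entries are fixed (the files Gavin asks to be sent in), and flags the patterns his kill/fix list is built on: entries pointing at a file that no longer exists, programs launched from a Temp or Recycled folder, bare file names with no directory, DLLs started through rundll32, an O16 object installed from a local file:// path, and random-looking mixed-case names. The sample lines are copied from the log excerpt in the post; the extension list and the mixed-case-name test are heuristics chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log excerpt quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [2QA68XP4C66PNY] C:\WINDOWS\System32\Qdxb4jKR.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
O4 - HKLM\..\Run: [qs4X37e] skdstr.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First absolute Windows path ending in an executable-ish extension (paths may contain spaces).
# Extension list is an assumption for this example.
PATH_RE = re.compile(r"(?i)[a-z]:\\.+?\.(?:exe|dll|tmp|ocx|scr|com)\b")
# A bare file name after the O4 "[name]" label, e.g. "skdstr.exe" (no directory given).
BARE_RE = re.compile(r"(?i)\]\s+([^\\\s]+\.(?:exe|dll|scr|com))\s*$")
TEMP_MARKERS = ("\\temp\\", "\\recycled\\")


@dataclass
class Entry:
    section: str
    raw: str
    target: Optional[str] = None          # absolute path, bare file name, or None
    flags: List[str] = field(default_factory=list)


def _flags_for(section: str, body: str, target: Optional[str]) -> List[str]:
    flags = []
    if "(no file)" in body:
        flags.append("orphan: points at a file that no longer exists")
    if target is None:
        return flags
    lowered = target.lower()
    if "\\" not in target:
        flags.append("bare file name: resolved via PATH, real location unknown")
    elif any(m in lowered for m in TEMP_MARKERS):
        flags.append("runs from a temp/Recycled directory")
    stem = re.sub(r"\.[^.]+$", "", target.rsplit("\\", 1)[-1])
    # Heuristic: digits plus both letter cases in the name stem (Qdxb4jKR, rIM0, ...).
    if re.search(r"\d", stem) and re.search(r"[a-z]", stem) and re.search(r"[A-Z]", stem):
        flags.append("random-looking mixed-case name (heuristic)")
    if section == "O4" and "rundll32" in body.lower():
        flags.append("DLL loaded through rundll32")
    if section == "O16" and "file://" in body.lower():
        flags.append("ActiveX object installed from a local file:// path")
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank lines, headers, anything not an HJT entry
        section, body = m.group("section"), m.group("body")
        target = None
        p = PATH_RE.search(body)
        if p:
            target = p.group(0)
        else:
            b = BARE_RE.search(body)
            if b:
                target = b.group(1)
        entries.append(Entry(section, raw.strip(), target, _flags_for(section, body, target)))
    return entries


def files_to_collect(entries: List[Entry]) -> List[str]:
    """Absolute paths worth copying off the box (for submission) before fixing the entries."""
    return sorted({e.target for e in entries if e.target and "\\" in e.target}, key=str.lower)


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in suspicious(parsed):
        print(f"{e.section:<4} {e.target!s:<60} {'; '.join(e.flags)}")
    print("collect:", *files_to_collect(parsed), sep="\n  ")
```

Bare file names such as `skdstr.exe` are kept separate from absolute paths on purpose: the entry tells you a program is started, but not from where, so the file has to be located (System32 is the usual guess on XP) before it can be copied or deleted.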

Jooske
August 13th, 2004, 04:51 AM
SmileyCentral and Messenger Plus add nasty stuff too. It's all so nice and they come with so many "extras" ........... :lurking:

ukwiz
August 13th, 2004, 05:22 AM
Thanks to all - will try various bits. It is one of my customers machines - they complained that internet access was slow, crashed often, and had porn popups all over the place. I had managed to get rid of a lot before posting this!

I will use HijackThis to remove as much as I can as suggested by Gavin (after saving the exes and dlls).

Regards David

ukwiz
August 13th, 2004, 06:25 AM
As many files as I found - I had done some work with Trojan Remover - on their way to you Gavin, and latest Hijackthis output attached.

lappen
August 13th, 2004, 06:47 AM
Hi ukwiz!

A couple of suggestions for the last HJT log.

First, please open Add/Remove programs and uninstall New.Net or NewDotNet from there if listed.

If not listed go here to get the uninstaller http://www.newdotnet.com/#remove

Reboot computer when done

Open 'Add/Remove Programs' in the Control Panel. Select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.

Also try to uninstall
TV Media
POP (People OnPage)
DPI (Adware based media viewer by The Delfin Project)
ClipGenie (adware downloader)
Bargain Buddy

Reboot computer when done

You also seem to have a peper infection there (also called sandbox trojan)

Run this tool to try to get rid of it
http://downloads.subratam.org/PeperFix.exe

You also need to update your HiJackThis since you don’t have the newest version (1.98.2). Download it from here:

http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Mirrors
http://computercops.biz/downloads-cats-14-10-10.html
http://www.subratam.org/?page=removal
http://www.zerosrealm.com/index.php?page=downloads

After doing all of the above post a new log using HJT 1.98.2

ukwiz
August 13th, 2004, 10:42 AM
Hi lappen

Thanks very much for the reply.

I did as much of the above as I could find, and here is the latest HJT log

Regards
David

ukwiz
August 13th, 2004, 11:17 AM
-{ Quote: "As many files as I found - I had done some work with Trojan Remover - on their way to you Gavin, and latest Hijackthis output attached." }-
Well, I tried to send the files, but as some contain trojans I am unable to get them through my mail server!
I tried zipping them, but no go.
Anyone have any ideas how I might be able to send them?
Maybe I will try rar, zip and rar again

Tried zip, rar, zip - AV on server still threw it out (and also AVG mail client)

Pilli
August 13th, 2004, 11:28 AM
Disable your AV on the server whilst you send then re-enable? ;D

Mr. Hrmm
August 13th, 2004, 12:00 PM
Hi ukwiz,
Try password protecting the zips?

1.Open Windows Explorer.
2.Locate the suspicious file or files.
3.If there is only one file, then right-click the file, and then click "Add to zip."
4.Click I agree.
5.Click New.
6.Change the "Create" location to Desktop, type Submission and then click OK.
7.Click Options and then Password.
8.Type infected and then click OK. Reenter the same password, and then click OK again.
9.You should see a zip file named Submission.zip on the Desktop.
10.If you want to submit more than one file, then do the following for each file.
11.Locate the file and then right-click the file, and click "Add to zip."
12.Click I agree.
13.Click Open.
14.Change the "Create" location to Desktop, locate and click Submission.zip and then click Open.
15.Click Add.


http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606?OpenDocument&ExpandSection=2

lappen
August 13th, 2004, 01:22 PM
-{ Quote: "Hi lappen

Thanks very much for the reply.

I did as much of the above as I could find, and here is the latest HJT log

Regards
David" }-

Ok there is still a lot of junk there.

Could you please do this and after that post a new HJT log.

I assume that you have done some or all of the instructions before, but please do it again before we start to clean with HJT.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files (http://mvps.org/winhelp2002/delcache.htm), be sure to also select delete all offline content.

Do a virus scan here (http://housecall.trendmicro.com/).
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this: since it’s better to use automated tools to get rid of the bad stuff, use these 2 programs first before doing the final cleaning with HJT.

First use Spybot S&D. (Version 1.3)
Spybot (http://www.safer-networking.org/index.php?lang=en&page=download)
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware (SE build 1.03 or version 6 build 181)
Ad-Aware (http://www.lavasoftusa.com/software/adaware/)
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware (http://www.zerosrealm.com/index.php?page=scanning)

Then post a new HJT log as a reply to this topic.
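
An added example for the temp-folder step in lappen's post above; it is not part of the thread. The post asks for everything inside the Temp folders to be deleted while the folders themselves are kept, which matters because several of the O4 entries earlier in the thread launch programs from exactly those folders. The Python below does that for a list of folders, does not follow symlinks or junctions into other locations, and reports anything it could not remove so the user knows which file is still held open by a running process and needs to be killed first. The folder names mirror the ones in the post; on a live machine you would pass the real `%TEMP%` paths.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# The folders named in the post (assumed to exist on the target XP box; replace
# "username" with the real profile name or read os.environ["TEMP"]).
DEFAULT_TEMP_FOLDERS = [
    r"C:\WINDOWS\Temp",
    r"C:\Temp",
    r"C:\Documents and Settings\username\Local Settings\Temp",
]


def clear_directory(folder: str, dry_run: bool = False) -> Tuple[List[str], List[str]]:
    """Delete the contents of `folder` but leave the folder itself in place.

    Returns (removed, skipped). `skipped` lists entries that could not be removed,
    typically a file held open by a running process; those need the process killed
    (e.g. from the TDS process list) before a second pass.
    """
    removed: List[str] = []
    skipped: List[str] = []
    root = Path(folder)
    if not root.is_dir():
        return removed, skipped
    for child in root.iterdir():
        try:
            if dry_run:
                removed.append(str(child))
                continue
            if child.is_symlink() or not child.is_dir():
                # Unlink files and links; never follow a link into another directory.
                child.unlink()
            else:
                shutil.rmtree(child)
            removed.append(str(child))
        except OSError:
            skipped.append(str(child))
    return removed, skipped


def clear_temp_folders(folders: Iterable[str] = DEFAULT_TEMP_FOLDERS,
                       dry_run: bool = False) -> Dict[str, Tuple[List[str], List[str]]]:
    """Run clear_directory over every folder; missing folders simply yield empty lists."""
    return {f: clear_directory(f, dry_run=dry_run) for f in folders}


def demo_on_constructed_tree() -> Tuple[bool, int, int, int]:
    """Build a throwaway Temp-like tree, clear it, and report what happened.

    Returns (folder_still_exists, entries_left, removed_count, skipped_count).
    """
    base = Path(tempfile.mkdtemp(prefix="hjt_temp_demo_"))
    (base / "rIM0.exe").write_bytes(b"MZ" + b"\0" * 16)        # constructed dropper stand-in
    (base / "app27.tmp").write_bytes(b"constructed")
    sub = base / "nested"
    sub.mkdir()
    (sub / "leftover.dat").write_bytes(b"x")
    removed, skipped = clear_directory(str(base))
    result = (base.is_dir(), len(list(base.iterdir())), len(removed), len(skipped))
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo_on_constructed_tree())
    for folder, (removed, skipped) in clear_temp_folders(dry_run=True).items():
        print(f"{folder}: would remove {len(removed)}, skipped {len(skipped)}")
```

Run it with `dry_run=True` first to see what would go; anything listed under `skipped` on the real pass is a candidate for the process kill step earlier in the thread rather than something to delete by hand.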