Another RAT.RADS.gen infection

Hi,

I've had a Trojan infection for a couple of weeks now, and I can't seem to get rid of it. I've run Symantec's Anti-Virus (Corporate Edition) with the most current update. I've run it in "regular" mode as well as safe mode. I've run spybot and adaware 6.0 again with the latest updates. I finally ran TDS-3, and it was able to find the trojan. However, I have not been successful removing it. Every time I start up, the thing kicks off again. I can use the task manager to end the process tree, and that appears to get rid of it until I start up the next time. Any idea how I can get rid of this thing?

Oh, one more wrinkle. For some reason, my PC wants to power off all by itself at random intervals. So, I have not been able to successfully complete a whole TDS-3 scan. I don't know if that's a function of the trojan or not.

Thanks,
Bret

 

HI Bretsky, welcome to forums.

I presume you did try to kill it via TDS *after* you stopped the running process via TM?

That was not clear in your post, just that you ended the process and that got rid of it until start up next time.

Do your scan with TDS, note the path first, then kill process in TM and try delete via TDS if you already haven't done that. [If the path mentions somewhere in it recycler/restore then you cannot delete via this method. If not, and still does not delete, try booting in Safe Mode and then open TM, kill process and try scan with TDS.

SAFE MODE HERE

If path was for system restore and running ME or XP, turn it off, reboot, turn it back on, make new restore point and it should be gone.

SYSTEM RESTORE FOR XP
WIN ME SYSTEM RESTORE

I would try that unless someone else has a better idea

TAS

 

Hey Taz,

Well, I tried ending the processes via TM and then using TDS-3 to delete the files. It does get rid of them, but as soon as I reboot, they come right back. Here's a little more background on this thing.

First, all of the suspect files are located in c:\windows\system32. They have random names like biepnw4m.exe, jitt.exe, tvi9.exe, zubxk.exe, etc. The other intersting thing is that they are always in pairs. When I reboot, there will be two of them running. So, I start up TDS-3, and during it's mutex memory scan, it identifies them. I go into TM, select each in turn and press the end process button. They immediately disappear, and within a second or two, another task begins, taking it's place. Sometimes it has the same name as the task just cancelled, sometimes not. Once I have ended the processes identified by TDS-3, I select and delete them using TDS-3. However, now I have two more tasks running.

Now, if I select one of the tasks, and click the End Process Tree button, no new task is spawned.

Any other ideas?

By the way, if I start up in safe mode, the processes do not kick off. That's probably because when I start up in safe mode I have to use the administrator user name and password instead of my own. So, the mutex memory scan doesn't pick anything up. As I mentioned before, my PC keeps powering off so I am not able to complete a full system scan in safe mode before my machine powers off. Frustrating to say the least!

Bretzky

 

If you have the latest database, TDS should detect all files on disk and you can delete them all. If there are any which are detected in memory by the .gen signature but not on disk in a FILE SCAN, please send a couple of samples to us so we can add the newer version

Can you post a log from ASViewer in your user account ? or a HijackThis log, or both

http://www.diamondcs.com.au/index.php?page=asviewer

Make sure all autostarts are showing, in the menu tick the 3 options at the top

 

Hey Gavin,

Being a Star Wars fan myself, I have to just say I love your avatar!

Attached is a copy of my asviewer log. Hopefully it has some useful info for you. I just want to reiterate that I have not been able to run a complete system scan using TDS-3 because my computer powers off before it can complete. I don't know why this is happening.

Anyway, let me know if you see anything in the asviewer.

Thanks,
Bretzky

OK, how do I insert my asviewer output?

 

Gavin,

Just an FYI, it's after midnight in Wisconsin, so I'm going to bed. I'll check out any response you may have tomorrow.

Thanks Again,
Bretzky

 

Hey,

One last FYI. I was able to get rid of the trojan using some software called Trojan Remover. It was an Adware.Quadro trojan. The Trojan Remover software found the process that was executing at startup as well as all of the associated exe files in the windows\system32 directory. I think I'm all better!

Thanks for your suggestions.

Bretzky

 

Hi,

Glad you got rid of it, yes its known as RADS and Quadrogram too, and could also be the "peper" trojan installed with something called memorywatcher.. it looks like it ! If you did install that, it might pay to be careful what "free" goodies you install in future - and quickly skim the license agreement on these things !

This looks like an adware in your log, you could remove it. Right-click the entry and choose delete registry value, it wont restart after reboot. And if you can, send the file to us for analysis and addition as an adware

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fv.exe
C:\documents and settings\bmeissner\local settings\temp\fv.exe

 

Gavin,

Thanks for the additional 'heads-up' on the fv.exe. I deleted the registery entry for it as well as the program itself. Here is a copy of it as you requested. I've changed it's extension from .exe to .txt.

Thanks for your help,
Bretzky