RADS.gen and sudo su for WinXP?!

Discussion in 'Trojan Defence Suite' started by KC, Mar 8, 2004.

Thread Status:
Not open for further replies.
  1. KC

    KC Guest

    TDS found RADS.gen... can't delete... process respawns and deletion is not permitted. How do you elevate privileges to delete a running process's file?
     
  2. KC

    KC Guest

    elaboration...

    Perhaps I should elaborate, cause I've never seen this forum take more than half an hour to respond to my call for help... TDS-3 found the Remote Access Trojan - RADS.gen. I selected kill process and delete file... it returned that it could kill the process but the file could not be deleted as it was in use. I see that the process respawns immediately after being killed. SOOOO.... How do I perform a BRUTE file delete in Windows XP? The file is in my System32 and I believe it is morphing its file name each time...
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi KC & welcome. If you know the location of the file, boot into safe mode. If you do not know how to do it: pressing F8 often after a restart, when the PC has nearly gone through its start-up screen, should bring up a menu so that you can select Safe mode. Once in safe mode, navigate to where the file is and delete it.

    If that is successful and you are happy working in the registry, do a search for the file name you have just deleted and delete its key.

    Remember always back up your registry first.

    If you are running XP or ME you can use System Restore from within the help and support centre. This is OK providing you have a restore point from before you were infected; doing a system restore does not affect any documents or work you have done since the restore point was created :)

    HTH Pilli
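    Pilli's registry step above (back up the registry, then search it for the deleted file name and remove its key) can be done against the backup itself. The following is an added example, not code from the thread or from TDS: a small Python parser for a regedit .reg export that lists every autostart string value referencing a file name, so the key to remove can be identified from the backup before touching the live registry. The export text and the file name svcmon32.exe are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a regedit "Export" of common autostart keys; the
# file name svcmon32.exe is a made-up placeholder, not a real indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Service Monitor"="C:\\WINDOWS\\System32\\svcmon32.exe /s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SvcMon"="\"C:\\WINDOWS\\System32\\SVCMON32.EXE\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\System32\\svcmon32.exe"
"""

# "name"=value, or @=value for the key's default value
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key path] to its string values; hex:/dword: values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, raw = m.group(1), m.group(2)
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # binary or numeric value, never holds a path string
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        keys[current][name] = _unescape(raw[1:-1])
    return keys

def find_references(keys: Dict[str, Dict[str, str]], filename: str) -> List[Tuple[str, str, str]]:
    """(key path, value name, value) for every value that mentions the file."""
    needle = filename.lower()
    return sorted((k, n, v) for k, vals in keys.items()
                  for n, v in vals.items() if needle in v.lower())
```

    Run against a real export, each hit is a candidate Run or Winlogon entry to remove; the match is case-insensitive because the sample deliberately mixes SVCMON32.EXE and svcmon32.exe.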
     
  4. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    Outstanding! Thanks again to the forum... and of course to Pilli on this occasion!

    A further question for you... I originally referenced Linux/UNIX based power move of boosting yourself to root status so you could delete a file regardless of its status... there's no way to do this with Windows (XP or otherwise) is there?

    One last question for now... could you cite a good reference which explains exactly how code respawns itself and generally addresses that issue? I have some limited coding experience (C, C++, Basic, Q-Basic, Visual Basic, Pascal, HTML, batch, various scripting...) and am curious how that works...

    Thanks again, Gurus...
    KC
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Glad we could help :)

    Linux has that ability but alas XP does not. As far as I know the only way is safe mode, though if you are the Admin most services can be stopped using the management console, but not all, as some services start very early in the boot-up process. Safe mode, however, only boots essential system services.

    There you have me beat :) And I would only be guessing as I am no programmer, but I am certain that someone else will respond soon.
     
  6. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    Thanks again, Pilli... I will hope for a coder to happen by...
    kc
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi KC and welcome as a member now, and with so many programming skills. You could have not deleted the file but zipped it and used some of your skills to determine the file and get loose on it with your skills and analysers and debuggers and whatever needed to know what and how, and snipe it all inside out etc etc etc. Maybe you would find some valuable answers that way.
    Anyway, do I understand well it was running, and that on a registered TDS system with exec protection on?
    Are you sure it was a real positive identification, or could there have been any doubts on the malicity of the file?
    In that case it could help to submit a sample to the TDS lab to be very sure; if you like, submit@diamondcs.com.au (I never delete a new alert without sending a copy there first).

    I wonder if Port Explorer could be of more help here: it could if the thing was connecting via internet, like RATs do most of the time, don't they?

    In the DCS products free tools page there is dellater, which could be of help too; there is a test kill tool as well -- forgot its name, but I've seen somebody using it to kill stubborn applications too. In the TDS process list it could have been killed, maybe, if possible before deleting it, so with the killing and from safe mode you have several ways to get rid of it. Any ideas if it did any harm to your system?
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again KC, I am remiss :(
    Jooske is quite correct, I did forget to ask you to submit the file :) Of course it may be in your recycle bin in which case please zip it up and send it to DCS.

    Thanks. Pilli :)
     
  9. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    I can merely say to that, that I hope to be able to do so tomorrow night... the file in question was on a computer in a college computer lab... the lab is used for networking students and is basically open for abuse, as the school's network is on the OTHER side of the PIX firewall and other various goodies. I believe someone in the security class downloaded this file as a tag-along to a piece of spyware. Perhaps the class was experimenting on ways to get spyware... and subsequently on ways to remove it. Regardless, the "experiment" (or mistake is more like it) was still on the computer when I wanted to use it.

    Without hesitation I downloaded my toolkit! TDS-3 and Spybot to begin with... Spybot to remove all the general trash and TDS to clinch the job. Spybot was getting its butt whooped after removing over 80 threats of various forms, and not being able to handle the last 10 or so.

    Enter TDS! As expected, TDS identified about 12 threats and I was able to delete all but 3 of them. Of the remaining three, I was able to delete 2 from the command line. This last little bugger eluded me. And, unfortunately no one posted till the class has now long since ended.

    The file will likely still be there, as there are 6 removable hard disks for each computer and the lab's computers generally aren't cleaned up but once a semester unless it's done as a class.

    Jooske! Of course I'd like to split this puppy and examine it, but I'm only a second year Physics Major! :) I am maintaining progress towards a double major in Computer Science, however, either way, I am merely a few feet past "Amateur" LOL perhaps I will see more advanced machine language in the next year or two! I will, however "Ethereal" it to death and try to devise what it's doing and where it's listening/advertising to, etc.

    (any good suggestions for some documentation on how this thing respawns?)

    My first reaction upon realization that I had more than rookie spy-ware on that particular system was to unplug all network connections so it couldn't download anything further. I then cleaned out as much of the system as possible while waiting for further instructions from the experts on Wilders...

    To all, these systems in this ONE PARTICULAR lab room are treated like play toys... there's no telling who, when, where, why, etc... Fun! ;-)

    I'm rambling...

    Thanks so much!
    kc
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    kc,

    well deserved karma cookie for your efforts! ;)

    regards.

    paul
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    KC, There is some very useful information on the DCS website that may be of interest to you regarding how some of these nasties work, here is the link:

    http://www.diamondcs.com.au/processguard/index.php?page=attacks

    I hope this may help in your quest; in fact the whole DCS site has many technical items that may be of interest to you. :)
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If your nasty connects you might love to spy on its packets with Port Explorer socket spy enabled, so easy and readable what it's doing and where etc.

    You surely will love to have a cd with the DCS arsenal of programs and tools to go through the system and whole network, get out all the cookies everywhere etc.

    I once spoiled a few hours in a basic school network, so that was all rather innocent stuff but still....... now they use Ghost too, but not that frequently either.
     
  13. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    New problem... I arrived in class this morning to find that someone has downloaded some sort of crack file that Diamond has obviously defeated. The only problem is, no matter how many times I uninstall and delete things here, I keep getting an illegal keyfile error...

    Somebody tell me how to get TDS up again... I don't care if it's only the free trial version... I just wanna nab this lil nasty so I can upload it to Diamond, clean this machine, and be done...

    kc

    PS attached is a text readme from the useless crack that has ruined my morning

    PPS It's kinda funny how many free spyware busters people have downloaded and tried on this machine... the desktop is a MESS with downloads and icons and blah blah blah


    * Thanks, saved a copy to submit to DCS, and removed it here as we don't allow even readme files related to cracked software. (forum TOS) *
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    KC,
    not seeing an attached file, but if you have it please submit to submit@diamondcs.com.au or support@diamondcs.com.au to deal with it!
    Maybe you can do something in safe mode? Locate the thing, zip and set ready for submission.
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi KC, Make sure that the TDS keyfile is in the main TDS folder; TDS3.KF should be about 5KB.
    If it is damaged or corrupt, hopefully you will have a safe copy of it somewhere; if not you will have to contact support@diamondcs.co.au with your original email address for a new key.
    Also, if you can, is there a restore point that could put you back to before the error occurred?
     
  16. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    I can't run TDS-3! Someone else here downloaded a crack file that Diamond has implemented a defeat and lock-out for. I can't load it. I can't reinstall it... I get the same error... illegal keyfile. I need TDS to identify the nasty before I can upload.
     
  17. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    I was only using a free download. I uninstalled TDS-3 and then reinstalled it and it still claims a bad keyfile. So there must be a resident registry entry... kinda the way they disable the trial version after the 30 days is up... even if you reinstall, TDS knows you've had it for more than 30 days. In this case, TDS knows, an attempt was made to cheat / crack TDS-3, so it's disabled....
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It might work again with a real keyfile available from the developer?
     
  19. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    aww, come on Ms. Beta Tester... ;-) Where's the reg tweak? I do NOT have $99 right now... I even live in my van on the edge of campus, here... that's how BROKE I am...
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I don't even have a van, how's that!?

    Thought it was less than $50? Ah, you go for the whole Action pack at once. And CS and PG and........ and ... and lots of very fine tools on the free products pages.
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    KC, You do not honestly expect us to condone such actions, surely? Developers have homes to keep and families to feed; they cannot do it if ppl take the bread from their mouths. Though maybe you were only jesting ;)

    Your college facility could buy the licences maybe? :D
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Drop me an email and we will sort it out.. or did you already email support yesterday ?

    Thanks :)
     
  23. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    Pilli... condone such actions?! I wasn't jesting; however, I believe you've misinterpreted me in the first place... I don't wanna crack the full TDS program... just restore it to its original, semi-crippled free-trial download state. This is pretty much entirely an education experiment... personal little learning experience. But! I don't wanna have to page through a few billion lines of info trying to find what Diamond did to "flag" TDS as "tampered with" on this particular machine... just so that I can continue my lil nasty hunt!
    I've been gone for almost a week... so... now I will be emailing support, I suppose...
    Thanks for your vigilance, though... as well as your assistance. All of you! :)
     
  24. kc

    kc Registered Member

    Joined:
    Mar 8, 2004
    Posts:
    9
    Location:
    So-Cal USA
    Gavin,
    Your email is hidden here.
    Sent wilders.org IM.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    support@diamondcs.com.au or gavin@diamondcs.com.au and Gavin will get your email. Infected/suspicious files to submit@diamondcs.com.au please!
     