RAT.RADS.gen

Discussion in 'Trojan Defence Suite' started by ukwiz, Aug 12, 2004.

Thread Status:
Not open for further replies.
  1. ukwiz

    ukwiz Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    7
    I am having trouble getting TDS to remove the following:
    Live trojan found (in process memory): RAT.RADS.gen
    File: C:\WINDOWS\System32\OboAkh0.exe

    Live trojan found: RAT.RADS.gen
    File: C:\WINDOWS\System32\Hpx2p.exe

    I have taken a hijackthis dump which is attached - I am sure that there are all sorts of things still lurking after having removed over 400 hits in Spybot!

    Can you help show what is restarting this trojan?

    Regards
    David
     

  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi ukwiz, Apart from the fact that your HJT log needs a good looking at by an expert as there is malware that even I can see, you should do a TDS scan from safe mode. Safe mode can be reached by pressing F8 a few times just BEFORE windows starts or as POST ends.

    An expert should look at your file but they may suggest that you use one of the other sites mentioned here: https://www.wilderssecurity.com/showthread.php?t=42148

    Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, do you remember when all this started? Would going back to an older restore point be an option?
    Maybe it would have been better to run the HJT log before Spybot S&D, but ok, it's done.

    For the HJT file: guess you would prefer to make a folder on that J:\ for HJT and the backup files it creates with the fixes, as on a whole partition they might get lost easily.

    Anyway, first to Pilli's suggestion for the safe mode scan, I guess.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'd suggest you kill these running processes with the TDS process list

    C:\documents and settings\adam\local settings\temp\rIM0.exe
    C:\WINDOWS\System32\OboAkh0.exe
    C:\WINDOWS\System32\Hpx2p.exe

    Then fix these entries and reboot

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fcxmhpvblcpdr.com/0OVeJHlmKLBMoJkM/2/si1LyrtaPAfnDBGQPRcQrXOc3KZnEw5W6ely6uUyEZclG.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - SOFTWARE - (no file)

    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll


    O4 - HKLM\..\Run: [2QA68XP4C66PNY] C:\WINDOWS\System32\Qdxb4jKR.exe

    O4 - HKLM\..\Run: [playxd] C:\WINDOWS\System32\playxd.exe

    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

    O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
    O4 - HKLM\..\Run: [vneoklukdypy] C:\WINDOWS\System32\xjsengm.exe

    O4 - HKLM\..\Run: [error remote] C:\PROGRA~1\CURBWA~1\INTERNETRULEUP.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
    O4 - HKLM\..\Run: [Rect Bat Funk Type] C:\Documents and Settings\All Users\Application Data\Grey Name Rect Bat\rect junk.exe

    O4 - HKLM\..\Run: [qs4X37e] skdstr.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    You will need to get your log analysed after this, but at least this will stop SOME of the junk :) I'd appreciate you sending me those EXE and DLL files mentioned if you can, there is an email address in my profile or use submit @ diamondcs.com.au
     
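The entries Gavin lists above fall into the usual HijackThis sections (R0/R1 browser settings, R3 search hooks, O2 BHOs, O3 toolbars, O4 Run keys, O16 DPF objects). As an added example, not part of this thread and not DiamondCS or HijackThis code, the following Python script parses log lines in that format and flags the indicators a reviewer looks for here: "(no file)" orphans, unnamed BHOs and toolbars, browser pages reset to about:blank or pointing at an unexpected host, autostarts launched from a Temp or recycle-bin folder or by bare file name, and DPF objects loaded from a file:// URL. The sample log, the allowlisted host and the NvCplDaemon control entry are constructed for the example; the heuristics are triage hints to prioritise review, not a verdict.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example: this is not code from the thread, DiamondCS or HijackThis.
Sample log entries are constructed from the format quoted in the thread.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. The NvCplDaemon line is a benign control entry that
# does not appear in the thread; every other line mirrors an entry quoted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
O4 - HKLM\..\Run: [qs4X37e] skdstr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

# Lower-case path fragments in which no legitimate autostart should live.
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\recycled\\")

# Hosts the user chose on purpose (constructed allowlist; supanet.com is the
# ISP default that shows up in the thread's own log).
DEFAULT_HOSTS: Set[str] = {"supanet.com", "www.supanet.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.+)$")
# O4 body: "HKLM\..\Run: [name] command line"; we only need the command line.
O4_RE = re.compile(r"^.*?:\s*\[[^\]]*\]\s*(?P<cmd>.+)$")


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'R0 - body' into ('R0', 'body'); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def host_of(url: str) -> str:
    """Return the lower-cased host of a scheme://host/... URL, else ''."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage_line(line: str, allowed_hosts: Set[str] = DEFAULT_HOSTS) -> List[str]:
    """Return the list of reasons this entry deserves a closer look (empty = passes)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    low = body.lower()
    reasons: List[str] = []

    if low.endswith("(no file)"):
        reasons.append("orphaned entry: registered component has no file on disk")

    if kind in ("O2", "O3") and ("bho: (no name)" in low or "toolbar: (no name)" in low):
        reasons.append("browser extension registered without a name")

    if kind in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        host = host_of(value)
        if value.lower() == "about:blank":
            reasons.append("browser page reset to about:blank (common hijack residue)")
        elif host and host not in allowed_hosts:
            reasons.append(f"browser setting points at unexpected host {host}")

    if kind == "O4":
        m = O4_RE.match(body)
        if m:
            cmd = m.group("cmd").strip()
            cmd_low = cmd.lower()
            if any(d in cmd_low for d in SUSPECT_DIRS):
                reasons.append("autostart runs from a temporary or recycle-bin location")
            if cmd_low.endswith(".tmp"):
                reasons.append("autostart target has a .tmp extension")
            if "\\" not in cmd_low:
                reasons.append("autostart uses a bare file name resolved via PATH")

    if kind == "O16" and "file://" in low:
        reasons.append("DPF entry installs from a local file:// URL instead of a web site")

    return reasons


def triage_log(text: str, allowed_hosts: Set[str] = DEFAULT_HOSTS) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; lines that pass are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        reasons = triage_line(raw, allowed_hosts)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Running the script prints every flagged line with its reasons; the NvCplDaemon control entry is the only one that passes. Note that the SWin32.dll BHO is caught only because it is unnamed: a BHO with a plausible name and a real file path would sail through these checks, which is why the thread still hands the log to a human reviewer after the automated cleanup.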
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    SmileyCentral and Messenger Plus add nasty stuff too. It's all so nice and they come with so many "extras" ........... :ninja:
     
  6. ukwiz

    ukwiz Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    7
    Thanks to all - will try various bits. It is one of my customer's machines - they complained that internet access was slow, crashed often, and had porn popups all over the place. I had managed to get rid of a lot before posting this!

    I will use HijackThis to remove as much as I can as suggested by Gavin (after saving the exes and dlls).

    Regards David
     
  7. ukwiz

    ukwiz Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    7
    As many files as I found - I had done some work with Trojan Remover - on their way to you Gavin, and latest Hijackthis output attached.
     


  8. lappen

    lappen Spyware Fighter

    Joined:
    Mar 8, 2004
    Posts:
    39
    Location:
    Stockholm, Sweden
    Hi ukwiz!

    A couple of suggestions for the last HJT log.

    First, please open Add/Remove programs and uninstall New.Net or NewDotNet from there if listed.

    If not listed go here to get the uninstaller http://www.newdotnet.com/#remove

    Reboot computer when done

    Open 'Add/Remove Programs' in the Control Panel. Select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.

    Also try to uninstall
    TV Media
    POP (People OnPage)
    DPI (Adware based media viewer by The Delfin Project)
    ClipGenie (adware downloader)
    Bargain Buddy

    Reboot computer when done

    You also seem to have a peper infection there (also called sandbox trojan)

    Run this tool to try to get rid of it
    http://downloads.subratam.org/PeperFix.exe

    You also need to update your HiJackThis since you don’t have the newest version. (1.98.2) Download it from here:

    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Mirrors
    http://computercops.biz/downloads-cats-14-10-10.html
    http://www.subratam.org/?page=removal
    http://www.zerosrealm.com/index.php?page=downloads

    After doing all of the above post a new log using HJT 1.98.2
     
  9. ukwiz

    ukwiz Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    7
    Hi lappen

    Thanks very much for the reply.

    I did as much of the above as I could find, and here is the latest HJT log

    Regards
    David
     


  10. ukwiz

    ukwiz Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    7
    Well, I tried to send the files, but as some contain trojans I am unable to get them through my mail server!
    I tried zipping them, but no go.
    Anyone have any ideas how I might be able to send them?
    Maybe I will try rar, zip and rar again

    Tried zip, rar, zip - AV on server still threw it out (and also AVG mail client)
     
    Last edited: Aug 13, 2004
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Disable your AV on the server whilst you send then re-enable? :D
     
  12. Mr. Hrmm

    Mr. Hrmm Guest

    Hi ukwiz,
    Try password protecting the zips?

    1. Open Windows Explorer.
    2. Locate the suspicious file or files.
    3. If there is only one file, then right-click the file, and then click "Add to zip."
    4. Click I agree.
    5. Click New.
    6. Change the "Create" location to Desktop, type Submission and then click OK.
    7. Click Options and then Password.
    8. Type infected and then click OK. Reenter the same password, and then click OK again.
    9. You should see a zip file named Submission.zip on the Desktop.
    10. If you want to submit more than one file, then do the following for each file.
    11. Locate the file and then right-click the file, and click "Add to zip."
    12. Click I agree.
    13. Click Open.
    14. Change the "Create" location to Desktop, locate and click Submission.zip and then click Open.
    15. Click Add.


    http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606?OpenDocument&ExpandSection=2
     
  13. lappen

    lappen Spyware Fighter

    Joined:
    Mar 8, 2004
    Posts:
    39
    Location:
    Stockholm, Sweden
    Ok there is still a lot of junk there

    Could you please do this and after that post a new HJT

    I assume that you have done some or all of the instructions before but please do it again before we start to clean with HJT

    Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
    C:\WINDOWS\Temp\
    C:\Temp\
    C:\Documents and Settings\username\Local Settings\Temp\
    Also delete your Temporary Internet Files, be sure to also select delete all offline content.

    Do a virus scan here.
    If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

    Then please do this: since it's better to use automated tools to get rid of the bad stuff, use these 2 programs first before doing the final cleaning with HJT

    First use Spybot S&D. (Version 1.3)
    Spybot
    Unzip, and update. Install the updates and run. Delete all that it marks in red.
    Reboot

    Then it's time for Ad-Aware (SE build 1.03 or version 6 build 181)
    Ad-Aware
    Install and update by using the globe icon. Restart your computer and run Ad-Aware.
    Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

    Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
    How To Setup Spybot SD and Ad-Aware

    Then post a new HJT log as a reply to this topic.
     