I am having trouble getting TDS to remove the following:

Live trojan found (in process memory): RAT.RADS.gen File: C:\WINDOWS\System32\OboAkh0.exe
Live trojan found: RAT.RADS.gen File: C:\WINDOWS\System32\Hpx2p.exe

I have taken a HijackThis dump which is attached - I am sure that there are all sorts of things still lurking after having removed over 400 hits in Spybot! Can you help show what is restarting this trojan?

Regards
David
Hi ukwiz,

Apart from the fact that your HJT log needs a good looking at by an expert, as there is malware that even I can see, you should do a TDS scan from safe mode. Safe mode can be reached by pressing F8 a few times just BEFORE Windows starts, or as POST ends.

An expert should look at your file, but they may suggest that you use one of the other sites mentioned here: https://www.wilderssecurity.com/showthread.php?t=42148

Pilli
Hi there, do you remember when all this started? Would going back to an older restore point be an option? Maybe it would have been better to run the HJT log before Spybot S&D, but OK, it's done.

For the HJT file: I guess you would prefer to make a folder on that J:\ for HJT and the backup files it creates with the fixes, as on a whole partition they might get lost easily.

Anyway, first to Pilli's suggestion for the safe mode scan, I guess.
I'd suggest you kill these running processes with the TDS process list:

C:\documents and settings\adam\local settings\temp\rIM0.exe
C:\WINDOWS\System32\OboAkh0.exe
C:\WINDOWS\System32\Hpx2p.exe

Then fix these entries and reboot:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fcxmhpvblcpdr.com/0OVeJHlmKLBMoJkM/2/si1LyrtaPAfnDBGQPRcQrXOc3KZnEw5W6ely6uUyEZclG.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [2QA68XP4C66PNY] C:\WINDOWS\System32\Qdxb4jKR.exe
O4 - HKLM\..\Run: [playxd] C:\WINDOWS\System32\playxd.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
O4 - HKLM\..\Run: [vneoklukdypy] C:\WINDOWS\System32\xjsengm.exe
O4 - HKLM\..\Run: [error remote] C:\PROGRA~1\CURBWA~1\INTERNETRULEUP.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
O4 - HKLM\..\Run: [Rect Bat Funk Type] C:\Documents and Settings\All Users\Application Data\Grey Name Rect Bat\rect junk.exe
O4 - HKLM\..\Run: [qs4X37e] skdstr.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

You will need to get your log analysed after this, but at least this will stop SOME of the junk. I'd appreciate you sending me those EXE and DLL files mentioned if you can; there is an email address in my profile, or use submit @ diamondcs.com.au
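The entries Gavin lists above are all the same shape: a HijackThis section code (R0, O2, O4, O16 ...), a registry location or component, and either a file path or "(no file)". Triage of a long log is faster when that structure is parsed rather than eyeballed. The following is an added example, not code from this thread or from the HijackThis or TDS authors. It parses a handful of the entries quoted in the post (embedded as a constructed sample, not a complete log), pulls out the file each entry would launch or load, and attaches a few heuristic flags that are my own assumptions about what is worth a second look: an orphaned entry whose file is gone, a file sitting in a Temp or Recycled folder, a DLL hosted through RunDLL32, and a bare filename with no directory, which Windows resolves through the search path. The flags are pointers for a human reviewer, not verdicts; the last function collects the full-path EXE and DLL files so they can be zipped up for submission, as Gavin asks.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample for this example: a header line plus a subset of the
# HJT entries quoted in the post above. Not a complete HijackThis log.
SAMPLE_LOG = r"""
Logfile of HijackThis (header lines like this are ignored by the parser)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Sophie\LOCALS~1\Temp\app27.tmp
O4 - HKLM\..\Run: [rIM0] C:\documents and settings\adam\local settings\temp\rIM0.exe
O4 - HKLM\..\Run: [qs4X37e] skdstr.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

# "R0 - ...", "O4 - ..." etc. Anything else (headers, process list) is skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s*-\s*(.*)$")
# Drive-letter path ending in a loadable extension. Non-greedy so that
# "C:\WINDOWS\bxxs5.dll,DllRun" yields the DLL and drops the export name.
FULL_PATH_RE = re.compile(
    r"([A-Za-z]:\\.*?\.(?:exe|dll|tmp|scr|com|bat|pif))(?![A-Za-z0-9])", re.I)
# Filename with no directory at all, e.g. "skdstr.exe" (resolved via PATH).
BARE_FILE_RE = re.compile(r"(?<![\\\w])([\w~-]+\.(?:exe|dll))(?![\w\\])", re.I)
# Assumption: Temp and Recycled folders are unusual homes for autostarts.
TRANSIENT_RE = re.compile(r"\\(?:temp|recycled)\\", re.I)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.I)


@dataclass
class Entry:
    kind: str                      # HJT section code, e.g. "O4"
    raw: str                       # the full log line
    path: Optional[str] = None     # full path referenced, if any
    bare: Optional[str] = None     # bare filename, if no full path was given
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse HJT-style lines into Entry objects with heuristic flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        e = Entry(kind=kind, raw=line)
        pm = FULL_PATH_RE.search(rest)
        if pm:
            e.path = pm.group(1)
        else:
            bm = BARE_FILE_RE.search(rest)
            if bm:
                e.bare = bm.group(1)
        if "(no file)" in rest:
            e.flags.append("orphan")            # registered, but file is gone
        if RUNDLL_RE.search(rest):
            e.flags.append("rundll32-hosted")   # DLL run under a trusted host
        if e.path and TRANSIENT_RE.search(e.path):
            e.flags.append("transient-location")
        if e.bare and not e.path:
            e.flags.append("bare-filename")     # which copy gets run depends on PATH
        entries.append(e)
    return entries


def files_to_submit(entries: List[Entry]) -> List[str]:
    """Full-path EXE/DLL files worth zipping up for analysis, deduplicated."""
    seen, out = set(), []
    for e in entries:
        if e.path and e.path.lower().endswith((".exe", ".dll")):
            key = e.path.lower()
            if key not in seen:
                seen.add(key)
                out.append(e.path)
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in parsed:
        target = e.path or e.bare or "-"
        print(f"{e.kind:<4} {','.join(e.flags) or 'none':<32} {target}")
    print("\nFiles to submit:")
    for p in files_to_submit(parsed):
        print("  " + p)
```

Running it on the sample prints one line per entry with its flags, followed by the four EXE/DLL paths that have a directory; the bare `skdstr.exe` is deliberately left out of that list because the log does not say which copy on disk it is.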
SmileyCentral and Messenger Plus add nasty stuff too. It's all so nice and they come with so many "extras" ...........
Thanks to all - will try various bits. It is one of my customers' machines - they complained that internet access was slow, crashed often, and had porn popups all over the place. I had managed to get rid of a lot before posting this! I will use HijackThis to remove as much as I can as suggested by Gavin (after saving the EXEs and DLLs).

Regards
David
As many files as I found - I had done some work with Trojan Remover - on their way to you Gavin, and latest Hijackthis output attached.
Hi ukwiz!

A couple of suggestions for the last HJT log.

First, please open Add/Remove Programs and uninstall New.Net or NewDotNet from there if listed. If not listed, go here to get the uninstaller: http://www.newdotnet.com/#remove
Reboot the computer when done.

Open 'Add/Remove Programs' in the Control Panel. Select the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'. For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer'.

Also try to uninstall:
TV Media
POP (People OnPage)
DPI (adware-based media viewer by The Delfin Project)
ClipGenie (adware downloader)
Bargain Buddy
Reboot the computer when done.

You also seem to have a Peper infection there (also called the sandbox trojan). Run this tool to try to get rid of it: http://downloads.subratam.org/PeperFix.exe

You also need to update your HijackThis, since you don't have the newest version (1.98.2). Download it from here: http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip
Mirrors:
http://computercops.biz/downloads-cats-14-10-10.html
http://www.subratam.org/?page=removal
http://www.zerosrealm.com/index.php?page=downloads

After doing all of the above, post a new log using HJT 1.98.2.
Hi lappen

Thanks very much for the reply. I did as much of the above as I could find, and here is the latest HJT log.

Regards
David
Well, I tried to send the files, but as some contain trojans I am unable to get them through my mail server! I tried zipping them, but no go. Anyone have any ideas how I might be able to send them? Maybe I will try rar, zip and rar again.

Tried zip, rar, zip - the AV on the server still threw it out (and also the AVG mail client).
Hi ukwiz,

Try password protecting the zips?

1. Open Windows Explorer.
2. Locate the suspicious file or files.
3. If there is only one file, then right-click the file, and then click "Add to zip."
4. Click I agree.
5. Click New.
6. Change the "Create" location to Desktop, type Submission and then click OK.
7. Click Options and then Password.
8. Type infected and then click OK. Re-enter the same password, and then click OK again.
9. You should see a zip file named Submission.zip on the Desktop.
10. If you want to submit more than one file, then do the following for each file.
11. Locate the file and then right-click the file, and click "Add to zip."
12. Click I agree.
13. Click Open.
14. Change the "Create" location to Desktop, locate and click Submission.zip and then click Open.
15. Click Add.

http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606?OpenDocument&ExpandSection=2
OK, there is still a lot of junk there. Could you please do this and after that post a new HJT log. I assume that you have done some or all of the instructions before, but please do it again before we start to clean with HJT.

Please delete your temporary files by deleting all files and folders that are in these folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files; be sure to also select "delete all offline content".

Do a virus scan here. If you get a report of files that can't be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Then please do this, since it's better to use automated tools to get rid of the bad stuff. Use these 2 programs first before doing the final cleaning with HJT.

First use Spybot S&D (version 1.3). Unzip, and update. Install the updates and run. Delete all that it marks in red. Reboot.

Then it's time for Ad-Aware (SE build 1.03 or version 6 build 181). Install and update by using the globe icon. Restart your computer and run Ad-Aware. Press "scan now" and select drives and/or partitions to be scanned. When done, select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware: How To Setup Spybot S&D and Ad-Aware

Then post a new HJT log as a reply to this topic.