Can't get rid of suspected malware: rtdvgbk.exe

[jtmccabe]

On 3/14/17, I installed ImgBurn freeware on a Win7 PC and picked up a ton of malware. I think I've removed or crippled most of it via various removal and monitoring tools, but I am uneasy because it seems something is still lingering. The machine seems to run fine, but in Task Manager I see 1-2 instances of something called "client". I think I've found the name of the executable behind "client" (rtdvgbk.exe), but I can't find the actual file anywhere.

Norton Power Eraser was the only tool I tried that found and claimed to delete the last of the malware. But after each reboot, "client" still appears. I've re-run NPE a few times and it always finds the same things but fails to permanently delete them.

Below are some clues I found that might help someone help me. Thanks in advance for any ideas.

 

[COLGeek]

Use an offline scanner, like the AVG Rescue CD, to scan/clean your system.

https/www.avg.com/en-ww/download.prd-arl

Bitdefender and ESET have such scanners as well.

https/www.eset.com/int/support/sysrescue/

https/www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

 

[jtmccabe]

Use an offline scanner, like the AVG Rescue CD, to scan/clean your system.

https/www.avg.com/en-ww/download.prd-arl

Bitdefender and ESET have such scanners as well.

https/www.eset.com/int/support/sysrescue/

https/www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

Thanks for the advice. I'm trying the AVG Rescue CD now. I updated it with today's definitions and ran the first scan with the default settings. That didn't find anything, so now I'm doing a deeper scan with all the options enabled (e.g. scan inside archives, "paranoid mode", etc.). Looks like that will take a few hours.

Since my Google searches on some of the suspicious file names don't get any hits, I think I might be dealing with a brand new virus that most tools won't recognize. Either that, or I'm chasing a red herring and the system is virus-free.

Does my first screen shot above look suspicious to any experts out there, or is it possibly something harmless?

 

[COLGeek]

You might want to use a tool like Malwarebytes as well. The activity you show is certainly suspicious.

 

[jtmccabe]

You might want to use a tool like Malwarebytes as well. The activity you show is certainly suspicious.

I did try the Malwarebytes standard AV software. I noticed the "real-time web protection" kept getting turned off. I'd try to turn it on and it would immediately get turned off again. I tried some suggested fixes for that but nothing worked. I also tried Malwarebytes Anti-Rootkit and that didn't find anything.

I have McAfee Endpoint Security installed on the machine but it won't even run. The Sophos Virus Removal Tool installer does nothing when I try to run it. The common theme is this virus either disables or outsmarts every tool I try.

Microsoft Security Essentials seemed to run okay but didn't find anything. Same with Microsoft Malicious Software Removal Tool. I think that's all I've tried so far. Again, Norton Power Eraser has been the only tool that seemed to partially succeed.

I'll keep trying things and report back when there's any news.

 

[SumTingW0ng]

You might want to use a tool like Malwarebytes as well. The activity you show is certainly suspicious.

I did try the Malwarebytes standard AV software. I noticed the "real-time web protection" kept getting turned off. I'd try to turn it on and it would immediately get turned off again. I tried some suggested fixes for that but nothing worked. I also tried Malwarebytes Anti-Rootkit and that didn't find anything.

I have McAfee Endpoint Security installed on the machine but it won't even run. The Sophos Virus Removal Tool installer does nothing when I try to run it. The common theme is this virus either disables or outsmarts every tool I try.

Microsoft Security Essentials seemed to run okay but didn't find anything. Same with Microsoft Malicious Software Removal Tool. I think that's all I've tried so far. Again, Norton Power Eraser has been the only tool that seemed to partially succeed.

I'll keep trying things and report back when there's any news.

Boot into safe mode with networking to run disinfection tools or boot into live CD such as Kaspersky, Bitdefender, or Avast.

 

[jtmccabe]

Over the past few days, I tried the AVG Rescue CD a few more times (updating it before each scan) but it never found anything. Today I decided to try the Bitdefender Rescue CD and it found the items listed below. I think the system is finally clean now, since I no longer see any of the suspicious software running.

COLGeek, thanks again for your advice!

====================================================
= Logging started on Fri 23 Mar 2018 09:14:19 AM UTC
====================================================

List of objects to be scanned:
- /run/media/livecd/LocalDisk

Object '/run/media/livecd/LocalDisk/Users/Administrator/AppData/Local/dtshnbk/dtshnbk.exe' is infected with 'Gen:Variant.Johnnie.75314'
Object '/run/media/livecd/LocalDisk/Windows/musicality.exe' is infected with 'Trojan.GenericKD.30411670'
Object '/run/media/livecd/LocalDisk/Windows/System32/drivers/dwsuybeh.sys' is infected with 'Application.Agent.BKV'

==================================================
= Applying actions
==================================================
Object '/run/media/livecd/LocalDisk/Users/Administrator/AppData/Local/dtshnbk/dtshnbk.exe' has been deleted
Object '/run/media/livecd/LocalDisk/Windows/musicality.exe' has been deleted
Object '/run/media/livecd/LocalDisk/Windows/System32/drivers/dwsuybeh.sys' has been deleted

 

[COLGeek]

Sounds like you sorted it out. Well done!