"rasdisk.exe"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mattwier, Dec 1, 2004.

  1. mattwier

    mattwier Private E-2

    Hi everyone! My name's Matt Wier. I'm normally pretty good with deleting spyware and stuff but I'm stumped here. Whenever I run my computer there is a process running called "rasdisk.exe" which takes up anywhere between 80,000kb to at one time 180,000kb. I went into msconfig and can't find it anywhere there and also searched my whole computer for it and still found nothing. I also ran AdAware and also found nothing. Any help is appreciated! :)
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Matt,

    You likely have a StopGuard/Virtumundo infection.

    Take a look at the threads in this link and try Symantec's removal tool (also in the link):

    READ ME: Virtumundo Problems/Resolution Threads

    Please post back and let us know how effective the removal tool is. Also, let us know if you need further assistance.

    Best luck :)
    PP
     
  3. mattwier

    mattwier Private E-2

    Thanks Phillie Phan (what's your real name if you don't mind me asking, otherwise I won't remember who you are! lol) I'll go ahead and try that link.
     
  4. PhilliePhan

    PhilliePhan Guest

    PP works fine in this Forum :cool:
     
  5. mattwier

    mattwier Private E-2

    Okay, I ran the program that the link provided. The first time that I let it run it said it deleted it and that I needed to restart. After the re-boot I checked and rasdisk.exe was still running as a process, so I ran the program again, and it said it was deleted but did not say I needed to restart that time, so I'm hoping it worked!
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Matt,

    Give the tool a couple of shots, making sure to follow Symantec's instructions carefully (I really haven't read them yet, myself lol).

    If problems persist, attach a HijackThis Log as per these instructions:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Sometimes there are a few remnants that need to be dealt with. Somebody will take a look when they get a chance. I may get a chance to check back in the wee hours.

    Best luck :)
    PP
     
  7. mattwier

    mattwier Private E-2

    Okay Phillip.... I ran HijackThis and this is what I got...
     


    Last edited by a moderator: Dec 1, 2004
  8. PhilliePhan

    PhilliePhan Guest

    Hi Matt,

    You have a lot of malware that needs to be removed! I am heading out the door in a few minutes (Contrary to popular belief, I have a life! ;) )

    If nobody else takes a look, I'll try to work through it for you when I get a chance to check back.

    PP :)

    ***In the meantime, you'd be well served to take a spin through the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Then, Attach a fresh HJT log.
     
  9. mattwier

    mattwier Private E-2

    Thanks for your help so far PP! :) I haven't really been concerned about malware until I started getting rasdisk.exe ; I should have some time tomorrow morning before I go to school to take a look. Thanks!
     
  10. mattwier

    mattwier Private E-2

  11. PhilliePhan

    PhilliePhan Guest

    Hi Matt,

    Sorry I didn't get back to you sooner. It's tough to budget my free time for this forum - Got real life to deal with, you know :cool:

    This is my generic fix for Stopguard/Virtumundo-related malware infections. I have had a lot of success with it, but there have been some failures as well.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete rasdisk.exe ( or any rasdisk or ksidsar entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Tasks Folder for any backups (rasdisk.bak & ksidsar.bak etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Matt\LOCALS~1\Temp\ksidsar.dat

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

    O2 - BHO: (no name) - {D7BD6859-CC64-4FED-98B5-1292133CFBD6} - C:\WINDOWS\System32\iwpmontr.dll

    O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - (no file)

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    O3 - Toolbar: SuperBar - {16595D16-77AD-45C2-8C29-58095B5E3B10} - (no file)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [*diskodbc] C:\WINDOWS\addins\diskodbc.exe

    O4 - HKLM\..\Run: [*rasdisk] C:\WINDOWS\Tasks\rasdisk.exe

    O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe

    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

    O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe

    O4 - HKCU\..\RunServices: [1c198] C:\windows\system\1c198.com

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f46

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Tasks\rasdisk.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode, navigate to and DELETE the following, if found:

    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\iwpmontr.dll
    C:\WINDOWS\System32\sndcfg16.exe
    C:\windows\winstart32.exe
    C:\WINDOWS\System32\msbe.dll
    C:\windows\system\1c198.com
    C:\WINDOWS\System32\nvms.dll

    THEN:
    Use Windows Explorer to run a search of your computer for:

    rasdisk
    ksidsar
    bkinst
    diskodbc
    cbdoksid


    and DELETE the related files. (We especially want to get rid of rasdisk.ini & rasdisk.dat & rasdisk.bak AND ksidsar.ini & ksidsar.dat & ksidsar.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. So, when you find them, search the associated folders carefully for any hidden remnants!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    You may want to try running the Symantec tool again, as well.
    Also, AFTER you get all cleaned up, you should go to Windows Updates and get Updated.

    I will try to check back when I get a chance.

    Best luck :)
    PP
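One way to triage lines in a HijackThis log of the kind quoted in the post above, as an added example that is not part of this thread or of HijackThis itself: the flagging rules (unusual folders, bare filenames, orphaned entries, third-party search URLs, ActiveX downloads) are assumed triage heuristics of my own, and the sample log is constructed from entries in the post plus one benign autorun for contrast.

```python
import re

# Constructed sample log in HijackThis's R*/O* line format (see the post above).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Matt\LOCALS~1\Temp\ksidsar.dat
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - (no file)
O4 - HKLM\..\Run: [*rasdisk] C:\WINDOWS\Tasks\rasdisk.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
ORPHAN = re.compile(r"\((no file|file missing)\)", re.I)   # HJT's own marker
# Folders a legitimate autorun/BHO binary rarely lives in (assumed triage heuristic).
ODD_DIRS = re.compile(r"\\(tasks|temp|addins|prefetch)\\", re.I)

def triage_line(line):
    """Return a reason to review this HJT line, or None if nothing stands out."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if ORPHAN.search(body):
        return "orphaned entry (target file missing)"
    if sec == "O4":
        target = body.split("] ", 1)[-1]          # text after the [name] tag
        if ODD_DIRS.search(target):
            return "autorun from unusual folder"
        if "\\" not in target:
            return "autorun with bare filename (location unknown)"
    if sec == "O2" and ODD_DIRS.search(body):
        return "BHO loaded from temp/task folder"
    if sec == "O16":
        return "ActiveX download (verify the publisher)"
    if sec.startswith("R") and "Search" in body and "=" in body:
        url = body.split("=", 1)[1].strip().lower()
        if url and "microsoft.com" not in url and "msn.com" not in url:
            return "search setting points at a third-party URL"
    return None

def triage(log_text):
    # (reason, line) pairs for every log line worth a closer look
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((reason, line.strip()))
    return findings
```

Calling `triage(SAMPLE_LOG)` flags six of the seven entries and leaves the benign `ExampleUpdater` autorun alone; the output is a review list, not a fix list, so each flagged entry still needs the manual checks the post describes.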
     
  12. mattwier

    mattwier Private E-2

    Thanks so much PP! :) I'm now completely rasdisk.exe free! :) I've just recommended this forum to my 'home' forum @ www.atlanticsunairways.com we're the best virtual airline on the web, check us out if you like flight simulator - tell 'em I sent 'ya :cool:
     


  13. PhilliePhan

    PhilliePhan Guest

    Hi Matt,

    You're Welcome! Happy to help :)

    I'll have to check out Atlanticsun!

    Hey, you attached your original HJT log again. If you want me to take a look at your new one, just attach it & give me a shout.

    Best,
    PP
     
