Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

rastmon.dll [RESOLVED]

Started by Dragnsfire , Nov 07 2005 01:44 PM

  • This topic is locked This topic is locked

#1
Dragnsfire
Posted 07 November 2005 - 01:44 PM

Dragnsfire

    Member

  • Member
  • PipPip
  • 49 posts
Hi! I am trying to disinfect my co-worker's computer and have the following problems:

1. Lots of pop-ups when connecting to the internet via IE
2. A new error message on the startup having to do with not finding the .dll for rastmon (which makes me think I did something right in all of the steps to clean up the comp.)
3. Panda Scan couldn't disinfect the items it found.

Here are my logs:

1. Panda Scan:


Incident Status Location

Spyware:spyware/marketscore No disinfected C:\WINNT\SYSTEM32\rk.bin
Spyware:spyware/surfsidekick No disinfected C:\WINNT\SYSTEM32\sav2.exe
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\System Files
Adware:adware/elitebar No disinfected C:\Documents and Settings\WK12\Favorites\Casino & Carrers
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Spyware:spyware/betterinet No disinfected Windows Registry
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\etb\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\etb\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\etb\xml\images\virus.bmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINNT\pf78.exe
Adware:Adware/Popper No disinfected C:\WINNT\system32\93_app13.exe
Adware:Adware/QoolShown No disinfected C:\WINNT\system32\installer216.exe
Adware:Adware/Pacimedia No disinfected C:\WINNT\system32\sav2.exe


Two Ewido Scans (two due to the fact that it updated in the middle of my scan)

1:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:53:55 AM, 11/7/2005
+ Report-Checksum: 1DAEB3D7

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
[1624] C:\WINNT\system32\rastmon.dll -> Spyware.SafeSurfing : Error during cleaning
C:\Documents and Settings\WK12\Cookies\wk12@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\WK12\Cookies\wk12@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\WK12\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\WK12\Cookies\wk12@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\WK12\Local Settings\Temporary Internet Files\Content.IE5\48QIK1J8\mm[1].js -> Spyware.Chitika : Cleaned with backup


::Report End

2:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:14:07 AM, 11/7/2005
+ Report-Checksum: 875C70ED

+ Scan result:

[1624] C:\WINNT\system32\rastmon.dll -> Spyware.SafeSurfing : Error during cleaning
C:\WINNT\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3ABSPLAT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3ACCUQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3AMERS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3ASKNOW2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CARQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CARQ2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CCB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CHOCPBMM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CHRISMORT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3CREDITCARD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3DIRTYH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3ENDOMET.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3FREECS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3FREEIPOD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3FREEIPOD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3FREEXBOX.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3HAIRLOSS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3HYDRO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN10.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN11.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN12.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN6.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3KAN7.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3LEXREPAIR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3LMORON.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3LOWRATE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3MYDISH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3MYINKS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3NETFLIX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3ODYSSEY.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3PARTYPOKER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3PASSION.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3PCHSWEEPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3POP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3SPORTSINT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3SUPERIOR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASI3WEIGHTL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASIPP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\SPECAUTO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\SPECENTER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\Downloaded Program Files\pcs_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\WINNT\rdafnynb.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINNT\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINNT\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINNT\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup


::Report End



HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:33:06 AM, on 11/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\System Files\System.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WK12\Desktop\Anti-Spyware Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {BAA1B2BD-46A1-13D4-EC40-5735A73738BC} - C:\WINNT\aguiqidd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\system32\nsoCC.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINNT\system32\irasfjjp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5BEFB18-50AF-C65C-526B-139E85E29118} - C:\WINNT\aguiqidd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {6E89F18A-6FA9-3C3B-BB76-17AE9FEAB50E} - C:\WINNT\aguiqidd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126618848593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



I followed all the steps indicated, from AdAware and Spybot to Windows Updates. Please help! Thanks!!
  • 0

Advertisements

#2
Metallica
Posted 10 November 2005 - 02:36 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please download LQfix.exe from one of the following locations:
  • http://www.downloads.subratam.org/LQfix.exe
    http://miekiemoes.geekstogo.com/tools/LQfix.exe

  • Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active Internet Connection, so make sure your you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
Run HijackThis and check the following items in HijackThis (that are still present).
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {BAA1B2BD-46A1-13D4-EC40-5735A73738BC} - C:\WINNT\aguiqidd.dll

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\system32\nsoCC.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINNT\system32\irasfjjp.dll (file missing)

O2 - BHO: (no name) - {C5BEFB18-50AF-C65C-526B-139E85E29118} - C:\WINNT\aguiqidd.dll

O3 - Toolbar: Search - {6E89F18A-6FA9-3C3B-BB76-17AE9FEAB50E} - C:\WINNT\aguiqidd.dll

O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe

O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [irassync] C:\WINNT\system32\irasyncd.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Reboot into safe mode and delete:
C:\Program Files\SurfSideKick 3 <= entire folder
C:\WINNT\system32\irasyncd.exe
C:\Program Files\Accoona <= entire folder
C:\WINNT\bsx32 <= entire folder

Boot back to normal and post a new HijackThis log.

Regards,
  • 0

#3
Dragnsfire
Posted 10 November 2005 - 03:38 PM

Dragnsfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Well, no more error message on the start up! :-) One note, the things that you wanted me to delete were not present when I rebooted into Safe Mode. In any case, thank you and here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:58 PM, on 11/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Documents and Settings\WK12\Desktop\Anti-Spyware Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126618848593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


Am I good to go?
  • 0

#4
Metallica
Posted 11 November 2005 - 12:31 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Log looks good. :tazz:

And if the files I made you look for were already gone that's a good sign too.

So if your computer is behaving, I'd say your good to go.

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0

#5
Dragnsfire
Posted 11 November 2005 - 08:13 PM

Dragnsfire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Thanks for all the help :tazz:. I think I'm going to have to give my co-workers a tutorial on preventing it...the new ones anyways.
  • 0

#6
Metallica
Posted 12 November 2005 - 03:53 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP