TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Ibnu Salman on July 12, 2006, 11:58:30 PM
-
I have a problem with my computer: there is a file named ida.exe, and every time I insert a diskette or flash drive the file copies itself to it. I use Avira AntiVir but it seems it doesn't recognize it. I tried using HijackThis; this is the log
=============================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:20:32, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ida.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ida.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ida] C:\WINDOWS\system32\ida.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinMessenger StartUp.lnk = C:\Program Files\WinMessenger\WinMesgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://wits.worldbank.org
O15 - Trusted IP range: http://192.86.99.9
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://stat.kita.net/include/toinbocx/toinbtr.cab
O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://stat.kita.net/include/toinbocx/toinbgrid.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://stat.kita.net/include/toinbocx/toinbdata.cab
O16 - DPF: {37D13B2F-E5EB-11D2-973D-00104B15E56F} (ToinbWReport Class) - http://stat.kita.net/include/toinbocx/toinbrep.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://stat.kita.net/include/toinbocx/toinbbind.cab
O16 - DPF: {B5F6727A-DD38-11D2-973D-00104B15E56F} (ToinbWChart Class) - http://stat.kita.net/include/toinbocx/toinbchart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE11FB27-0A8D-4C76-B27D-51E5288B3CF2}: NameServer = 202.134.2.5,202.134.0.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{AE11FB27-0A8D-4C76-B27D-51E5288B3CF2}: NameServer = 202.134.2.5,202.134.0.155
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
=============================================================================
Please help.
Thanks b4,
best regards,
Ibnu Salman
-
I thought the file was at first related to HP,
but it's running from the wrong folder.
Can you do the following:
Go to this link
http://www.virustotal.com/flash/index_en.html
Use the Browse button and navigate to this file on your hard drive:
C:\WINDOWS\system32\ida.exe <- this file, in the System32 folder
Right-click on the file and choose Select.
Then use the Submit button.
Let it finish scanning.
Could you post the results of the scan back here please?
-
==============================================================================
STATUS: FINISHED
Complete scanning result of "ida.exe", received in VirusTotal at 07.13.2006, 09:43:47 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.21 07.13.2006 no virus found
Authentium 4.93.8 07.12.2006 no virus found
Avast 4.7.844.0 07.12.2006 no virus found
AVG 386 07.12.2006 no virus found
BitDefender 7.2 07.13.2006 no virus found
CAT-QuickHeal 8.00 07.12.2006 no virus found
ClamAV devel-20060426 07.13.2006 no virus found
DrWeb 4.33 07.12.2006 no virus found
eTrust-InoculateIT 23.72.67 07.13.2006 no virus found
eTrust-Vet 12.6.2295 07.12.2006 no virus found
Ewido 4.0 07.12.2006 no virus found
Fortinet 2.77.0.0 07.13.2006 no virus found
F-Prot 3.16f 07.12.2006 no virus found
F-Prot4 4.2.1.29 07.12.2006 no virus found
Ikarus 0.2.65.0 07.12.2006 no virus found
Kaspersky 4.0.2.24 07.13.2006 no virus found
McAfee 4805 07.12.2006 no virus found
Microsoft 1.1481 07.13.2006 no virus found
NOD32v2 1.1656 07.12.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.12.2006 no virus found
Panda 9.0.0.4 07.12.2006 no virus found
Sophos 4.07.0 07.12.2006 no virus found
Symantec 8.0 07.13.2006 no virus found
TheHacker 5.9.8.174 07.13.2006 no virus found
UNA 1.83 07.12.2006 no virus found
VBA32 3.11.0 07.12.2006 no virus found
VirusBuster 4.3.7:9 07.12.2006 no virus found
Aditional Information
File size: 36864 bytes
MD5: 321cf5de4edc33206e8f9805251922e2
SHA1: 107de5ed44495c936d3ffb307222f819434c6416
==============================================================================
I already checked it using the URL that you suggested. The above is the result of the scan.
Any other suggestions?
-
I checked it again at the address that you suggested.
Here is the result:
==============================================================================
STATUS: FINISHED
Complete scanning result of "ida.exe", received in VirusTotal at 07.14.2006, 09:07:22 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.21 07.14.2006 TR/Spy.Agent.MO
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.12.2006 no virus found
AVG 386 07.13.2006 no virus found
BitDefender 7.2 07.14.2006 no virus found
CAT-QuickHeal 8.00 07.13.2006 no virus found
ClamAV devel-20060426 07.14.2006 no virus found
DrWeb 4.33 07.13.2006 no virus found
eTrust-InoculateIT 23.72.68 07.13.2006 no virus found
eTrust-Vet 12.6.2296 07.13.2006 no virus found
Ewido 4.0 07.13.2006 no virus found
Fortinet 2.77.0.0 07.14.2006 no virus found
F-Prot 3.16f 07.14.2006 no virus found
F-Prot4 4.2.1.29 07.12.2006 no virus found
Ikarus 0.2.65.0 07.13.2006 no virus found
Kaspersky 4.0.2.24 07.14.2006 no virus found
McAfee 4806 07.13.2006 no virus found
Microsoft 1.1508 07.14.2006 no virus found
NOD32v2 1.1660 07.14.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.13.2006 no virus found
Panda 9.0.0.4 07.13.2006 no virus found
Sophos 4.07.0 07.14.2006 no virus found
Symantec 8.0 07.14.2006 no virus found
TheHacker 5.9.8.175 07.13.2006 no virus found
UNA 1.83 07.13.2006 no virus found
VBA32 3.11.0 07.13.2006 no virus found
VirusBuster 4.3.7:9 07.13.2006 no virus found
Aditional Information
File size: 36864 bytes
MD5: 321cf5de4edc33206e8f9805251922e2
SHA1: 107de5ed44495c936d3ffb307222f819434c6416
=============================================================================
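As an added example (not part of any post in this thread), a small Python triage script that parses the plain-text VirusTotal reports pasted above, separates heuristic hits from named signature detections, confirms both reports describe the same file by MD5, and diffs the two scans to show which engine's verdict changed. The embedded report excerpts are constructed from the lines on this page, trimmed to four engines each.

```python
import re

# Constructed excerpts of the two VirusTotal text reports posted in the
# thread (four engines each; same line format as the page).
SCAN_1 = """STATUS: FINISHED
Complete scanning result of "ida.exe", received in VirusTotal at 07.13.2006, 09:43:47 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.21 07.13.2006 no virus found
ClamAV devel-20060426 07.13.2006 no virus found
NOD32v2 1.1656 07.12.2006 probably unknown NewHeur_PE virus
VirusBuster 4.3.7:9 07.12.2006 no virus found
MD5: 321cf5de4edc33206e8f9805251922e2"""
SCAN_2 = """Antivirus Version Update Result
AntiVir 6.35.0.21 07.14.2006 TR/Spy.Agent.MO
ClamAV devel-20060426 07.14.2006 no virus found
NOD32v2 1.1660 07.14.2006 probably unknown NewHeur_PE virus
VirusBuster 4.3.7:9 07.13.2006 no virus found
MD5: 321cf5de4edc33206e8f9805251922e2"""

# Result row: engine, version, signature date (MM.DD.YYYY), free-text verdict.
ROW = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
HASH = re.compile(r"^(MD5|SHA1): ([0-9a-f]+)$")

def parse_report(text):
    """Return ({engine: (update_date, verdict)}, {hash_name: hex})."""
    verdicts, hashes = {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            engine, _version, updated, verdict = m.groups()
            verdicts[engine] = (updated, verdict)
            continue
        h = HASH.match(line.strip())
        if h:
            hashes[h.group(1)] = h.group(2)
    return verdicts, hashes

def detections(verdicts):
    """Engines that flagged the file, tagged 'heuristic' or 'signature'."""
    out = {}
    for engine, (_, verdict) in verdicts.items():
        if verdict != "no virus found":
            kind = "heuristic" if re.search(r"probably|heur", verdict, re.I) else "signature"
            out[engine] = (kind, verdict)
    return out

def verdict_changes(old, new):
    """Engines whose verdict differs between two reports of the same file."""
    return {e: (old[e][1], v) for e, (_, v) in new.items()
            if e in old and old[e][1] != v}
```

A lone heuristic hit (as in the first scan) is weak evidence on its own; a named signature appearing on a rescan of the identical hash a day later, as the diff shows for AntiVir, is the stronger signal to act on.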
-
Sorry for the delay, I'm just on my way to work.
In the meantime,
can you do the following please:
It seems as if AntiVir is now up to date on the file in question.
Can you check for updates with AntiVir?
You may want to reboot into Safe Mode and run a full system scan.
Let it fix whatever it finds.
Reboot back to Normal mode and post back a fresh HijackThis log please.
-
Since the topic starter has not returned, this topic is now locked.