Author Topic: ida.exe, please help  (Read 782 times)

Offline Ibnu Salman

ida.exe, please help
« on: July 12, 2006, 11:58:30 PM »
I have a problem with my computer: there is a file named ida.exe, and every time I insert a diskette or flash drive the file copies itself to it. I use Avira AntiVir but it seems it doesn't recognize it. I tried using HijackThis; this is the log:

=============================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:20:32, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ida.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ida.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ida] C:\WINDOWS\system32\ida.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinMessenger StartUp.lnk = C:\Program Files\WinMessenger\WinMesgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://wits.worldbank.org
O15 - Trusted IP range: http://192.86.99.9
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://stat.kita.net/include/toinbocx/toinbtr.cab
O16 - DPF: {1F57AEAD-DB12-11D2-A4F9-00608CEBEE49} (ToinbWGrid Class) - http://stat.kita.net/include/toinbocx/toinbgrid.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3267EA0D-B5D8-11D2-A4F9-00608CEBEE49} (ToinbWData Class) - http://stat.kita.net/include/toinbocx/toinbdata.cab
O16 - DPF: {37D13B2F-E5EB-11D2-973D-00104B15E56F} (ToinbWReport Class) - http://stat.kita.net/include/toinbocx/toinbrep.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {9C9AB433-EA85-11D2-A4F9-00608CEBEE49} (ToinbWBind Class) - http://stat.kita.net/include/toinbocx/toinbbind.cab
O16 - DPF: {B5F6727A-DD38-11D2-973D-00104B15E56F} (ToinbWChart Class) - http://stat.kita.net/include/toinbocx/toinbchart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE11FB27-0A8D-4C76-B27D-51E5288B3CF2}: NameServer = 202.134.2.5,202.134.0.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{AE11FB27-0A8D-4C76-B27D-51E5288B3CF2}: NameServer = 202.134.2.5,202.134.0.155
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
=============================================================================

Please help.

Thanks in advance.
Best regards,
Ibnu Salman
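The log above is what HijackThis 1.99 prints; the replies in this thread work through it by eye. As an added example (not from the thread, and not part of HijackThis or Avira), here is a small Python triage script that parses the same sections and pulls out what a first pass would hand to VirusTotal or check by hand: Run-key entries whose binary sits directly in the Windows or system32 folder rather than under a vendor folder (the "running from the wrong folder" observation), image names that are running more than once, ActiveX controls (O16 DPF) fetched from hosts outside an allow-list, and services whose binary HijackThis marked as missing. SAMPLE_LOG is an abridged copy of the posted log, used as constructed test input; the allow-list is empty by default and is an assumption the reader fills in.

```python
"""Triage helper for a HijackThis 1.99 log (added example, not from the thread).

Parses the sections the replies reason about and returns what a first pass
would hand to VirusTotal or check by hand: Run-key binaries sitting directly
in the Windows or system32 folder, processes running more than once, ActiveX
controls downloaded from hosts outside an allow-list, and services whose
binary is missing.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Abridged copy of the log posted above, used as constructed test input.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\ida.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ida.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ida] C:\WINDOWS\system32\ida.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {0A2233AD-E771-11D2-973D-00104B15E56F} (ToinbWTR Class) - http://stat.kita.net/include/toinbocx/toinbtr.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
                   r'"?(?P<path>[A-Za-z]:\\.+?\.exe)"?', re.IGNORECASE)
O16_RE = re.compile(r'^O16 - DPF: \{[^}]+\} \((?P<cls>[^)]+)\) - (?P<src>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) \((?P<short>[^()]+)\) - '
                    r'(?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
# Folders where a bare, vendor-less autostart binary deserves a second look.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

def parse_log(text):
    """Split a log into the running-process list and O4/O16/O23 records."""
    parsed = {"processes": [], "o4": [], "o16": [], "o23": []}
    in_procs = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                parsed["processes"].append(line)
            else:
                in_procs = False          # a blank line ends the process list
        else:
            for key, rx in (("o4", O4_RE), ("o16", O16_RE), ("o23", O23_RE)):
                m = rx.match(line)
                if m:
                    parsed[key].append(m.groupdict())
                    break
    return parsed

def windows_dir_autostarts(parsed):
    """O4 entries whose image sits directly in the Windows or system32 folder."""
    hits = []
    for entry in parsed["o4"]:
        folder = entry["path"].lower().replace("\\\\", "\\").rsplit("\\", 1)[0]
        if folder in WINDOWS_DIRS:
            hits.append(entry)
    return hits

def multiple_instances(parsed, ignore=("svchost.exe",)):
    """Image names running more than once; svchost legitimately does."""
    counts = Counter(p.lower().rsplit("\\", 1)[-1] for p in parsed["processes"])
    return {name: n for name, n in counts.items() if n > 1 and name not in ignore}

def foreign_activex(parsed, allowed_hosts=()):
    """O16 controls fetched over HTTP from hosts outside the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    out = []
    for entry in parsed["o16"]:
        src = entry["src"]
        if not src.lower().startswith(("http://", "https://")):
            continue                      # already-local DLL, nothing downloaded
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed:
            out.append({"host": host, "cls": entry["cls"], "url": src})
    return out

def missing_service_binaries(parsed):
    """Service short names whose image HijackThis marked '(file missing)'."""
    return [e["short"] for e in parsed["o23"] if e["missing"]]

def triage(text, allowed_hosts=()):
    parsed = parse_log(text)
    return {
        "windows_dir_autostarts": windows_dir_autostarts(parsed),
        "multiple_instances": multiple_instances(parsed),
        "foreign_activex": foreign_activex(parsed, allowed_hosts),
        "missing_service_binaries": missing_service_binaries(parsed),
    }

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

On the full log, the Windows-folder list also picks up igfxtray.exe, NeroCheck.exe and TPPALDR.EXE; the point of the script is to shorten the list to look at, not to decide what is malicious, which is what the VirusTotal step in the next reply is for.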

Offline guestolo

ida.exe, please help
« Reply #1 on: July 13, 2006, 12:21:54 AM »
I thought the file was at first related to HP,
but it's running from the wrong folder.

Can you do the following:
Go to this link
http://www.virustotal.com/flash/index_en.html

Use the Browse button and navigate to this file on your hard drive:
C:\WINDOWS\system32\ida.exe <- this file, in the System32 folder

Right-click on the file and choose Select,
then use the Submit button.
Let it finish scanning.
Could you post the results of the scan back here please?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Ibnu Salman

ida.exe, please help
« Reply #2 on: July 13, 2006, 02:50:35 AM »
==============================================================================
STATUS: FINISHED
Complete scanning result of "ida.exe", received in VirusTotal at 07.13.2006, 09:43:47 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.13.2006  no virus found
Authentium 4.93.8 07.12.2006  no virus found
Avast 4.7.844.0 07.12.2006  no virus found
AVG 386 07.12.2006  no virus found
BitDefender 7.2 07.13.2006  no virus found
CAT-QuickHeal 8.00 07.12.2006  no virus found
ClamAV devel-20060426 07.13.2006  no virus found
DrWeb 4.33 07.12.2006  no virus found
eTrust-InoculateIT 23.72.67 07.13.2006  no virus found
eTrust-Vet 12.6.2295 07.12.2006  no virus found
Ewido 4.0 07.12.2006  no virus found
Fortinet 2.77.0.0 07.13.2006  no virus found
F-Prot 3.16f 07.12.2006  no virus found
F-Prot4 4.2.1.29 07.12.2006  no virus found
Ikarus 0.2.65.0 07.12.2006  no virus found
Kaspersky 4.0.2.24 07.13.2006  no virus found
McAfee 4805 07.12.2006  no virus found
Microsoft 1.1481 07.13.2006  no virus found
NOD32v2 1.1656 07.12.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.12.2006  no virus found
Panda 9.0.0.4 07.12.2006  no virus found
Sophos 4.07.0 07.12.2006  no virus found
Symantec 8.0 07.13.2006  no virus found
TheHacker 5.9.8.174 07.13.2006  no virus found
UNA 1.83 07.12.2006  no virus found
VBA32 3.11.0 07.12.2006  no virus found
VirusBuster 4.3.7:9 07.12.2006 no virus found


Additional Information
File size: 36864 bytes
MD5: 321cf5de4edc33206e8f9805251922e2
SHA1: 107de5ed44495c936d3ffb307222f819434c6416
==============================================================================

I already checked it using the URL that you suggested; the above is the result of the scan.

Any other suggestions?
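The first VirusTotal pass above returned "no virus found" from 26 of 27 engines, with only a heuristic hit from NOD32, and the poster's own AntiVir named the file a day later; a clean day-one verdict is therefore weak evidence, but the MD5 and SHA1 in the report are a durable identifier for this exact file. As an added example (not from the thread or from VirusTotal), the Python below hashes a binary, compares it against those reported values, walks a mounted diskette or flash drive for executables carrying the same hash, and tells you whether the dropped copy is byte-identical to the one in system32. The list of extensions to hash and the constructed stand-in files in `demo()` are assumptions, not data from the thread; the real sample is not reproduced here.

```python
"""Hash check for a suspect binary and for copies dropped on removable media
(added example, not from the thread).

Once VirusTotal has reported a file's MD5/SHA1, as it did for ida.exe above,
every executable on a diskette or flash drive can be hashed offline and
compared against those values instead of being uploaded one by one, and the
same comparison shows whether the copy on the drive is byte-identical to the
one in system32.
"""
import hashlib
import os
import tempfile

# Hashes VirusTotal reported for the ida.exe sample in this thread.
KNOWN_BAD = {
    "md5": {"321cf5de4edc33206e8f9805251922e2"},
    "sha1": {"107de5ed44495c936d3ffb307222f819434c6416"},
}
# Extensions worth hashing on removable media (an assumption, not from the thread).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif")

def file_hashes(path, chunk=1 << 16):
    """MD5, SHA1 and SHA256 of a file, read in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "size": os.path.getsize(path)}

def matches_known_bad(hashes, known=KNOWN_BAD):
    """True if either reported hash matches; both are checked since VirusTotal gave both."""
    return hashes["md5"] in known["md5"] or hashes["sha1"] in known["sha1"]

def scan_tree(root, known=KNOWN_BAD, exts=EXECUTABLE_EXTS):
    """Walk a mounted drive and return the paths whose hashes match the known set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                if matches_known_bad(file_hashes(path), known):
                    hits.append(path)
    return sorted(hits)

def same_sample(path_a, path_b):
    """Whether two files are byte-identical (the system32 copy and the one on the drive)."""
    return file_hashes(path_a)["sha256"] == file_hashes(path_b)["sha256"]

def demo():
    """Build a throwaway 'flash drive' from constructed files and scan it."""
    sample = b"MZ" + b"constructed stand-in for ida.exe, not the real sample " * 8
    benign = b"MZ" + b"some unrelated program " * 8
    layout = {"ida.exe": sample, "docs/report.exe": sample,
              "tool.exe": benign, "notes.txt": sample}
    with tempfile.TemporaryDirectory() as drive:
        paths = {}
        for rel, data in layout.items():
            path = os.path.join(drive, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            paths[rel] = path
        # Known set built from the stand-in, since the real sample is not here.
        known = {"md5": set(), "sha1": {hashlib.sha1(sample).hexdigest()}}
        hits = [os.path.relpath(p, drive).replace(os.sep, "/")
                for p in scan_tree(drive, known)]
        return {
            "hits": hits,
            "copy_identical": same_sample(paths["ida.exe"], paths["docs/report.exe"]),
            "benign_differs": not same_sample(paths["ida.exe"], paths["tool.exe"]),
            "stand_in_not_real": not matches_known_bad(file_hashes(paths["ida.exe"])),
        }

if __name__ == "__main__":
    print(demo())
```

Against a real drive you would call `scan_tree("E:\\")` (or the mount point) with the default KNOWN_BAD; a hit on the drive but not in system32 after cleaning means the removable copy was missed, and a non-identical copy means the file on the drive is a different build and deserves its own VirusTotal submission.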

Offline Ibnu Salman

ida.exe, please help
« Reply #3 on: July 14, 2006, 02:11:57 AM »
I checked it again at the address that you suggested.

Here is the result:
==============================================================================
STATUS: FINISHED
Complete scanning result of "ida.exe", received in VirusTotal at 07.14.2006, 09:07:22 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.14.2006 TR/Spy.Agent.MO
Authentium 4.93.8 07.14.2006  no virus found
Avast 4.7.844.0 07.12.2006  no virus found
AVG 386 07.13.2006  no virus found
BitDefender 7.2 07.14.2006  no virus found
CAT-QuickHeal 8.00 07.13.2006  no virus found
ClamAV devel-20060426 07.14.2006  no virus found
DrWeb 4.33 07.13.2006  no virus found
eTrust-InoculateIT 23.72.68 07.13.2006  no virus found
eTrust-Vet 12.6.2296 07.13.2006  no virus found
Ewido 4.0 07.13.2006  no virus found
Fortinet 2.77.0.0 07.14.2006  no virus found
F-Prot 3.16f 07.14.2006  no virus found
F-Prot4 4.2.1.29 07.12.2006  no virus found
Ikarus 0.2.65.0 07.13.2006  no virus found
Kaspersky 4.0.2.24 07.14.2006  no virus found
McAfee 4806 07.13.2006  no virus found
Microsoft 1.1508 07.14.2006  no virus found
NOD32v2 1.1660 07.14.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.13.2006  no virus found
Panda 9.0.0.4 07.13.2006  no virus found
Sophos 4.07.0 07.14.2006  no virus found
Symantec 8.0 07.14.2006  no virus found
TheHacker 5.9.8.175 07.13.2006  no virus found
UNA 1.83 07.13.2006  no virus found
VBA32 3.11.0 07.13.2006  no virus found
VirusBuster 4.3.7:9 07.13.2006 no virus found


Additional Information
File size: 36864 bytes
MD5: 321cf5de4edc33206e8f9805251922e2
SHA1: 107de5ed44495c936d3ffb307222f819434c6416
=============================================================================

Offline guestolo

ida.exe, please help
« Reply #4 on: July 14, 2006, 08:32:58 AM »
Sorry for the delay, I'm just on my way to work.
In the meantime,

can you do the following please:
it seems as if AntiVir is now up to date on the file in question.
Can you check for updates with AntiVir?

You may want to reboot into Safe Mode and run a full system scan.
Let it fix whatever it finds.

Reboot back to Normal mode and post back a fresh HijackThis log please.

Offline guestolo

ida.exe, please help
« Reply #5 on: July 30, 2006, 10:02:31 AM »
Since the topic starter has not returned, this topic is now locked.
