I've been having issues with my computer for maybe two weeks. Firefox redirects to some BS download-this-anti-malware crap when I do Google searches and there are a bunch of popups that come up in Internet Explorer [even when I'm using Firefox]. I peeked in the system processes and there's pidle.exe there. Also, on startup, there used to be this prnet.tmp that tried to open in Adobe Reader. I tried looking up ways to remove it, but they all seem customized to the user's computer, so I didn't want to try in case they broke my computer.
I took a peek at this thread and it seemed like Krysis09 had the same sort of problem I was having. I wasn't sure what to do with OTListIt2, so I ran ComboFix. It looked like ComboFix fixed some stuff [prnet.tmp doesn't try to run anymore], but pidle.exe is still here and so are the popups.
Here's the ComboFix log. Thanks in advance for anyone who helps! I appreciate it.
ComboFix 09-05-03.6 - Tsumy 05/09/2009 12:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1584 [GMT -7:00]
Running from: c:\documents and settings\Tsumy\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Tsumy\protect.dll
c:\documents and settings\Tsumy\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Tsumy\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Tsumy\Temporary Internet Files\fbk.sts
c:\windows\system32\__c0094211.dat
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthqoybomyndbqoxwskubyhqpexifnbfqxf.dll
c:\windows\system32\ovfsthxhkqpkcfokryvsojfrgijipbycfjwyma.dat
c:\windows\system32\p2hhr.bat
c:\windows\system32\prnet.tmp
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winglsetup.exe
c:\windows\temp\1404801010.exe
c:\windows\temp\1471320220.exe
c:\windows\temp\1479892160.exe
c:\windows\temp\199368896.exe
c:\windows\temp\2048609456.exe
c:\windows\temp\2109208714.exe
c:\windows\temp\2448086192.exe
c:\windows\temp\2865142854.exe
c:\windows\temp\2866080354.exe
c:\windows\temp\2982017854.exe
c:\windows\temp\3343336622.exe
c:\windows\temp\3797144760.exe
c:\windows\temp\3918845632.exe
c:\windows\temp\699143306.exe
C:\xcrashdump.dat
D:\Autorun.inf
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthxettglobuyructffdkawullvmlqomhjn
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.
2009-05-09 19:29 . 2009-05-09 19:29 -------- d-----w c:\program files\Jcore
2009-05-09 18:52 . 2009-05-09 18:52 -------- d-----w C:\_OTListIt
2009-05-07 03:57 . 2009-05-09 17:47 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-07 03:02 . 2009-05-07 03:02 -------- d-----w c:\documents and settings\Sumi\Application Data\Yahoo!
2009-05-05 04:27 . 2009-05-05 04:27 -------- d-----w c:\program files\Trend Micro
2009-05-02 03:38 . 2009-05-02 03:38 -------- d-----w c:\documents and settings\Tsumy\Application Data\Malwarebytes
2009-05-01 04:41 . 2009-05-01 04:41 -------- d-sh--w c:\documents and settings\NetworkService\History
2009-05-01 04:41 . 2009-05-01 04:41 -------- d-sh--w c:\documents and settings\NetworkService\Temporary Internet Files
2009-05-01 04:33 . 2009-05-01 04:33 -------- d-sh--w c:\windows\system32\config\systemprofile\History
2009-05-01 04:33 . 2009-05-01 04:33 -------- d-sh--w c:\windows\system32\config\systemprofile\Temporary Internet Files
2009-05-01 04:32 . 2009-05-01 04:32 18432 ----a-w c:\windows\system32\ovfsthshppsbjtkmhpjyotlrhkdykaehxjrnkl.dll
2009-05-01 04:32 . 2009-05-01 04:32 18944 ----a-w c:\windows\system32\ovfsthyqvgiyonsftpmgrhbhvgmpqjunaitbse.dll
2009-05-01 04:32 . 2009-05-09 19:02 56840 ----a-w c:\windows\system32\ovfsthhrdhbihrvtdltnivkvgfrgmtprlttuws.dat
2009-05-01 04:32 . 2009-05-01 04:32 83968 ----a-w c:\windows\system32\drivers\ovfsthmpapuejekpkfijkdlskabkolqjlrovvf.sys
2009-05-01 04:32 . 2009-05-01 04:32 -------- d-----w c:\documents and settings\Tsumy\Application Data\pidle
2009-04-23 04:41 . 2009-05-06 05:01 -------- d-----w C:\Temp
2009-04-23 04:39 . 2009-04-23 04:39 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-04-23 04:39 . 2009-04-23 04:39 -------- d-----w c:\program files\Youtube
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 04:39 . 2009-02-01 04:39 50688 --sha-w c:\windows\system32\siduwoha.exe
2009-04-09 00:17 . 2006-05-11 11:54 109208 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 21:09 . 2006-07-31 23:51 109208 ----a-w c:\documents and settings\Tsumy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 23:51 . 2009-04-02 23:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-02 23:51 . 2006-05-11 09:47 -------- d-----w c:\program files\Java
2009-03-21 03:33 . 2006-05-11 09:47 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 02:37 . 2009-03-19 02:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 02:36 . 2009-03-19 02:35 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 17:19 . 2009-03-19 02:35 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:19 . 2009-03-19 02:35 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-03-21 15:57 . 2007-03-21 15:57 19104 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-21 15:57 . 2007-03-21 15:57 105632 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r c:\windows\@[email protected]
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2009-04-22 07:12 105984 ----a-w c:\program files\WWShow\WWShow.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
2009-05-09 19:29 135168 ----a-w c:\program files\Jcore\Jcore2.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-02 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"pidle"="c:\documents and settings\Tsumy\Application Data\pidle\pidle.exe" [2009-05-01 56832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-02 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Lexmark X83 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 40960]
"Lexmark X83 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-06 26248]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-8-1 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2004-08-04 15104]
R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2003-06-25 727908]
R3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2003-06-25 44928]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-18 109616]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f62afe-8f2a-11dc-b1d6-0013026c841d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-11 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Fergie admin.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
- - - - ORPHANS REMOVED - - - -
BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
Notify-__c0094211 - c:\windows\system32\__c0094211.dat
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\docume~1\Sumi\LOCALS~1\Temp\ntdll64.dll
Trusted Zone: gaiaonline.com\www
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Tsumy\Application Data\Mozilla\Firefox\Profiles\tmdlzojj.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 12:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????[??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(8092)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-05-09 12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 19:36
Pre-Run: 63,661,142,016 bytes free
Post-Run: 63,952,289,792 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
255 --- E O F --- 2008-04-27 00:27