Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde? Pidle.exe removal?

Started by Integration , May 09 2009 01:53 PM

  • Please log in to reply

#1
Integration
Posted 09 May 2009 - 01:53 PM

Integration

    New Member

  • Member
  • Pip
  • 1 posts
Hello!

I've been having issues with my computer for maybe two weeks. Firefox redirects to some BS download-this-anti-malware crap when I do Google searches and there are a bunch of popups that come up in Internet Explorer [even when I'm using Firefox]. I peeked in the system processes and there's pidle.exe there. Also, on startup, there used to be this prnet.tmp that tried to open in Adobe Reader. I tried looking up ways to remove it, but they all seem customized to the user's computer, so I didn't want to try in case they broke my computer.

I took a peek at this thread and it seemed like Krysis09 had the same sort of problem I was having. I wasn't sure what to do with OTListlt2, so I ran ComboFix. It looked like ComboFix fixed some stuff [prnet.tmp doesn't try to run anymore], but pidle.exe is still here and so are the popups.

Here's the ComboFix log. Thanks in advance for anyone who helps! I appreciate it.






ComboFix 09-05-03.6 - Tsumy 05/09/2009 12:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1584 [GMT -7:00]
Running from: c:\documents and settings\Tsumy\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Tsumy\protect.dll
c:\documents and settings\Tsumy\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Tsumy\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Tsumy\Temporary Internet Files\fbk.sts
c:\windows\system32\__c0094211.dat
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthqoybomyndbqoxwskubyhqpexifnbfqxf.dll
c:\windows\system32\ovfsthxhkqpkcfokryvsojfrgijipbycfjwyma.dat
c:\windows\system32\p2hhr.bat
c:\windows\system32\prnet.tmp
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winglsetup.exe
c:\windows\temp\1404801010.exe
c:\windows\temp\1471320220.exe
c:\windows\temp\1479892160.exe
c:\windows\temp\199368896.exe
c:\windows\temp\2048609456.exe
c:\windows\temp\2109208714.exe
c:\windows\temp\2448086192.exe
c:\windows\temp\2865142854.exe
c:\windows\temp\2866080354.exe
c:\windows\temp\2982017854.exe
c:\windows\temp\3343336622.exe
c:\windows\temp\3797144760.exe
c:\windows\temp\3918845632.exe
c:\windows\temp\699143306.exe
C:\xcrashdump.dat
D:\Autorun.inf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxettglobuyructffdkawullvmlqomhjn


((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-09 19:29 . 2009-05-09 19:29 -------- d-----w c:\program files\Jcore
2009-05-09 18:52 . 2009-05-09 18:52 -------- d-----w C:\_OTListIt
2009-05-07 03:57 . 2009-05-09 17:47 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-07 03:02 . 2009-05-07 03:02 -------- d-----w c:\documents and settings\Sumi\Application Data\Yahoo!
2009-05-05 04:27 . 2009-05-05 04:27 -------- d-----w c:\program files\Trend Micro
2009-05-02 03:38 . 2009-05-02 03:38 -------- d-----w c:\documents and settings\Tsumy\Application Data\Malwarebytes
2009-05-01 04:41 . 2009-05-01 04:41 -------- d-sh--w c:\documents and settings\NetworkService\History
2009-05-01 04:41 . 2009-05-01 04:41 -------- d-sh--w c:\documents and settings\NetworkService\Temporary Internet Files
2009-05-01 04:33 . 2009-05-01 04:33 -------- d-sh--w c:\windows\system32\config\systemprofile\History
2009-05-01 04:33 . 2009-05-01 04:33 -------- d-sh--w c:\windows\system32\config\systemprofile\Temporary Internet Files
2009-05-01 04:32 . 2009-05-01 04:32 18432 ----a-w c:\windows\system32\ovfsthshppsbjtkmhpjyotlrhkdykaehxjrnkl.dll
2009-05-01 04:32 . 2009-05-01 04:32 18944 ----a-w c:\windows\system32\ovfsthyqvgiyonsftpmgrhbhvgmpqjunaitbse.dll
2009-05-01 04:32 . 2009-05-09 19:02 56840 ----a-w c:\windows\system32\ovfsthhrdhbihrvtdltnivkvgfrgmtprlttuws.dat
2009-05-01 04:32 . 2009-05-01 04:32 83968 ----a-w c:\windows\system32\drivers\ovfsthmpapuejekpkfijkdlskabkolqjlrovvf.sys
2009-05-01 04:32 . 2009-05-01 04:32 -------- d-----w c:\documents and settings\Tsumy\Application Data\pidle
2009-04-23 04:41 . 2009-05-06 05:01 -------- d-----w C:\Temp
2009-04-23 04:39 . 2009-04-23 04:39 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-04-23 04:39 . 2009-04-23 04:39 -------- d-----w c:\program files\Youtube

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 04:39 . 2009-02-01 04:39 50688 --sha-w c:\windows\system32\siduwoha.exe
2009-04-09 00:17 . 2006-05-11 11:54 109208 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 21:09 . 2006-07-31 23:51 109208 ----a-w c:\documents and settings\Tsumy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 23:51 . 2009-04-02 23:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-02 23:51 . 2006-05-11 09:47 -------- d-----w c:\program files\Java
2009-03-21 03:33 . 2006-05-11 09:47 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 02:37 . 2009-03-19 02:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 02:36 . 2009-03-19 02:35 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 17:19 . 2009-03-19 02:35 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:19 . 2009-03-19 02:35 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-03-21 15:57 . 2007-03-21 15:57 19104 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-21 15:57 . 2007-03-21 15:57 105632 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r c:\windows\@[email protected]
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2009-04-22 07:12 105984 ----a-w c:\program files\WWShow\WWShow.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
2009-05-09 19:29 135168 ----a-w c:\program files\Jcore\Jcore2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-02 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"pidle"="c:\documents and settings\Tsumy\Application Data\pidle\pidle.exe" [2009-05-01 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-02 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Lexmark X83 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 40960]
"Lexmark X83 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-06 26248]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-8-1 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2004-08-04 15104]
R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2003-06-25 727908]
R3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2003-06-25 44928]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-18 109616]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f62afe-8f2a-11dc-b1d6-0013026c841d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Fergie admin.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
Notify-__c0094211 - c:\windows\system32\__c0094211.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\docume~1\Sumi\LOCALS~1\Temp\ntdll64.dll
Trusted Zone: gaiaonline.com\www
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Tsumy\Application Data\Mozilla\Firefox\Profiles\tmdlzojj.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 12:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????[??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(8092)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-05-09 12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 19:36

Pre-Run: 63,661,142,016 bytes free
Post-Run: 63,952,289,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

255 --- E O F --- 2008-04-27 00:27
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP