Need help with id08.exe
Post by Xeen » May 24th, 2009, 8:36 am

About 3 hours ago, around 4:00 AM central time I caught a virus that was posing as a security warning saying I had viruses/trojans and I was at risk while opening a window showing a fake scan and a link to a supposed 'fix' site that I didn't believe.

First thing I did was check my task manager processes for anything unusual, sure enough :: id08.exe

There were also two other processes that were random strings of numbers which appear to be called by id08.exe.
I shut down these processes and then began looking for solutions. The first thing I noticed is that certain features of my browser (Opera 9.64) were no longer working correctly, such as pressing enter after typing something into a search engine to begin a search instead of having to click search, as well as crashes when I tried to click resulting links from said search. The only way I can get around is to manually copy addresses and paste them into the address bar.

Lastly I noticed this virus would automatically reset my desktop to some bogus black wall with text on it about how everything I do is tracked -blah blah blah- after ending the suspected processes, that stopped happening, but my browser is still compromised (even after a re-install)

Sorry if I didn't make too much sense with some of that, but it's really early in the morning (which is really late for me since I'm typically awake at night and asleep during the day - vampire ftw)

Here is a hijackthis log that I just took (with the suspected processes already ended)
I would appreciate it if I could get some help removing these or if someone could let me know if any other malware is present.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:40 AM, on 5/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\SYSDLL.exe
C:\Tools\Opera\opera.exe
C:\Tools\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\svchost.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 121973 helper - {31C2A4CC-289D-442A-950C-B33B1B06522B} - C:\WINDOWS\system32\121973\121973.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Tools\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [10465784] C:\Documents and Settings\All Users\Application Data\10465784\10465784.exe
O4 - HKLM\..\Run: [90475776] C:\Documents and Settings\All Users\Application Data\90475776\90475776.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
** These are the ones I was talking about before **
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Tools\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\Tools\ZIPSCA~1\zs_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Tools\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3945 bytes

I'm inclined to just go to the folders they are listed in and delete them, but I'm taking no action for now. I've viewed these forums when I had problems before (which I've always managed to fix by myself), but never posted anything. I want to see what you guys have to offer, so put on a good show for me ;)
Xeen
Active Member
 
Posts: 4
Joined: May 24th, 2009, 8:06 am
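To show what a helper looks for when reading a log like the one above, here is an added Python triage script (not from the thread and not part of HijackThis) that scans lines in the HijackThis format for the indicators visible in this post: a browser proxy on localhost, extra UserInit executables, core system binary names living outside System32, random-numeric path components, and autostart entries with no file path. The sample lines are copied from the first post's log; the rule names and regexes are my own and deliberately narrow (the `ld08.exe` entry, for instance, is not caught by any of them).

```python
import re

# Constructed sample: lines in HijackThis v2 format taken from the first post's
# log, plus one known-good NVIDIA entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\svchost.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: 121973 helper - {31C2A4CC-289D-442A-950C-B33B1B06522B} - C:\WINDOWS\system32\121973\121973.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [10465784] C:\Documents and Settings\All Users\Application Data\10465784\10465784.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
"""

# A browser proxy pointing at the local machine means something on the box is
# intercepting web traffic (consistent with the broken search/links described).
LOCAL_PROXY = re.compile(r"ProxyServer = .*(localhost|127\.0\.0\.1):\d+", re.I)
# Windows normally lists exactly one program here (userinit.exe); extras run at every logon.
USERINIT = re.compile(r"UserInit=(.*)$", re.I)
RUN_ENTRY = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NUMERIC_DIR = re.compile(r"\\\d{5,}\\")          # e.g. \121973\ or \10465784\
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+?\.exe", re.I)
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "userinit.exe"}


def misplaced_system_binaries(line):
    """Paths that borrow a core Windows binary name but live outside System32."""
    hits = []
    for path in PATH_RE.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        legit = r"[a-z]:\\windows(\.0)?\\system32\\" + re.escape(name)
        if name in SYSTEM_NAMES and not re.fullmatch(legit, path, re.I):
            hits.append(path)
    return hits


def triage(log_text):
    """Return (rule, line) pairs for log entries matching the indicators above."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if line.startswith("R1") and LOCAL_PROXY.search(line):
            findings.append(("local proxy hijack", line))
        m = USERINIT.search(line)
        if m and len([p for p in m.group(1).split(",") if p.strip()]) > 1:
            findings.append(("extra logon executables in UserInit", line))
        for path in misplaced_system_binaries(line):
            findings.append(("system binary name outside System32: " + path, line))
        if NUMERIC_DIR.search(line):
            findings.append(("random-numeric path component", line))
        m = RUN_ENTRY.match(line)
        if m and "\\" not in m.group("cmd") and "." not in m.group("cmd"):
            findings.append(("autostart entry with bare name and no path", line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings; the NVIDIA line and the `sysldtray` line produce none, which is a reminder that a rules-based pass only narrows the list a human still has to read.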

Re: Need help with id08.exe

Post by Shaba » May 26th, 2009, 12:19 am

Hi Xeen

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need help with id08.exe

Post by Xeen » May 27th, 2009, 6:15 pm

I already figured out that part, and that's where the trouble began.

My PC was definitely compromised :evil:

I noticed such services as the remote assistance protocols had been re-enabled.
I was pretty keen to do my own research and learn what type of infection I had caught. Once I knew how dangerous it was, I discontinued visiting any sites requiring sensitive information/passwords.

I attempted to regain control of my computer by removing some bad registry entries with the help of hijackthis and winpatrol, but the damage was already done. My internet connections were beginning to get bogged down, my browser was crashing every time I clicked a link (I also caught a snapkey virus, which was probably installed by the first one, running under the process ID SYSDLL), and eventually all connections were severed. I also lost my sound driver and I don't know what else.

End game - I have already procured a copy of XP from a friend as my old disc has since degraded (along with my old collection of movies, games, anime, apps, etc.) only to find out that my CD drive (which was becoming progressively slower at copying/reading discs over the past year or so) had finally spun its last disc. So, after buying a new drive for about 50 bucks and spending 4 hours driving to get an OS disc, then another hour to install it, and several more to come (work in progress as I type this) to update all of my drivers, personal settings, reinstall software etc.... I'm up and running again with a clean, re-formatted machine.

It's not all that bad considering I've been wanting to reformat for some time now.... My lazy ass just got a reason to :D

Down side is that I lost all of my documents, home-made macros/scripts, movies, online banking/bills receipts, etc.
Up side, I didn't have any passwords stolen because I was aware of the situation immediately.

Sucks that I couldn't wait for a reply from you guys before I had to take action, but I suspect I would have ended up in the same place either way.

Back to work I go, and thanks for your troubles anyways.
At least I'm capable of handling the rest on my own, hehe.

First thing I did was get Opera and discontinue using Internet Explorer; obviously my network drivers are installed and I'm online again. Next I'm gonna get my sound back and my video up to date.

Wish me luck.
Xeen
Active Member
 
Posts: 4
Joined: May 24th, 2009, 8:06 am

Re: Need help with id08.exe

Post by Shaba » May 28th, 2009, 12:00 am

Sorry to hear that.

Please post back a fresh HijackThis log and I will give you some tips for the future.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need help with id08.exe

Post by Xeen » May 28th, 2009, 12:20 am

I've already begun monitoring my system with HT snapshots and winpatrol.

Here's the latest log after reformatting and installing a couple of drivers/hardware support programs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:40 PM, on 5/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Tools\WinPatrol\winpatrol.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\ALCMTR.EXE
C:\WINDOWS.0\system32\CTHELPER.EXE
C:\WINDOWS.0\system32\ctfmon.exe
C:\Tools\Opera\opera.exe
C:\Tools\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Tools\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 3315 bytes
Xeen
Active Member
 
Posts: 4
Joined: May 24th, 2009, 8:06 am

Re: Need help with id08.exe

Post by Shaba » May 28th, 2009, 1:38 am

This would be the next step:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need help with id08.exe

Post by Xeen » May 28th, 2009, 11:19 am

I used to be overly cautious about viruses, but this is only the second time I've ever been infected in 4 years since owning this machine.

I've always found that running an anti-virus and/or firewall (used to run ZoneAlarm which was pretty nice) only served to eat up extra system resources 99% of the time, and then fail to prevent or remove a problem when an infection did occur.

Not to mention, some of these so-called 'free' antivirus/computer cleanup programs contain TONS of spyware/adware.

How well would you rate these as far as reliability for protection, detection & removal, and freedom of the extra bull?


The best way to not get a virus is to simply watch where you go on the internet. I have a sixth sense about what is safe and what isn't. Normally I will avoid all suspicious websites, 100% of any ads I see, especially those for *free* things, emails from unknown sources with or without attachments, and any random links I come across whether they be from forums, in-game chat, voice chat, or wherever. However, I was foolish and bored, so I went to play some free online flash games, plus when my brother stayed at my house for a bit he had to 'do me a favor' and leave one of his favorite 'sites' open for me to see when I got home from work. Either one of these could have been the source of my infection, and the timing was all too correlated.
Xeen
Active Member
 
Posts: 4
Joined: May 24th, 2009, 8:06 am

Re: Need help with id08.exe

Post by Shaba » May 28th, 2009, 11:45 am

One can always think which one is the most important factor, protection or having a bit less system resources.

Those won't slow down much and nowadays RAM is very cheap so I don't consider that as any good reason.

Those three are the best free antiviruses available.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need help with id08.exe

Post by Shaba » June 2nd, 2009, 11:19 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland