help idd.tmp.exe

Status
Not open for further replies.

saurya_mishra

Broken In
I am really troubled by this. Whenever I am working on something on my PC, an "idd***.tmp.exe" pops up in the system tray and slows down the system miserably. They swarm in in huge numbers. Can someone help me? I am posting the HijackThis log file...
See the last-but-one entry in the running processes list. Hundreds of those pop in..

Thanks
Saurya

Logfile of HijackThis v1.99.1
Scan saved at 2:31:05 PM, on 2/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\d4322d1a.exe
C:\WINDOWS\System32\rundll32.exe
F:\quick_time\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ismini.exe
C:\WINDOWS\System32\psc_mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\bepu\tdop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinAntiSpyware 2007 Free\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\WINDOWS\TEMP\win82D8.tmp.exe
C:\WINDOWS\TEMP\idd82D9.tmp.exe
J:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.dataone.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\ws2helpa.dll
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINDOWS\system32\tapi32s.dll
O2 - BHO: (no name) - {18209BEC-6659-CE1F-CD9A-0811EE6E8969} - C:\Documents and Settings\sudhansu\Local Settings\Application Data\smwclwd.dll
O2 - BHO: ChangerBHO Class - {1D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\wow32a.dll
O2 - BHO: (no name) - {23CB9697-2835-45C5-8949-8A4E73AA70D4} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINDOWS\system32\mscoriezb.dll
O2 - BHO: (no name) - {74EE6180-6879-E6C9-A910-00850E0AE7EC} - C:\WINDOWS\System32\pjlnpkk.dll
O2 - BHO: (no name) - {9B053E00-78D3-47AE-B763-60FF36FF2886} - (no file)
O2 - BHO: TrustIn Bar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\Program Files\trustin bar\trustin.dll
O2 - BHO: ContextualAds Class - {FE6C16C4-16AD-47B6-B250-26AD1829E49A} - C:\Program Files\TrustIn Contextual\trustincontext.dll
O3 - Toolbar: AZE Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\azesearch2.ocx (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: TrustIn Bar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\Program Files\trustin bar\trustin.dll
O4 - HKLM\..\Run: [d4322d1a.exe] C:\WINDOWS\System32\d4322d1a.exe
O4 - HKLM\..\Run: [vmifwxm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vmifwxm.dll,oqdtjbd
O4 - HKLM\..\Run: [QuickTime Task] "F:\quick_time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ifmmvxh.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\sudhansu\Local Settings\Application Data\ifmmvxh.dll",rohzskc
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvriw.dll,startup
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007 Free\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\WinAntiSpyware 2007 Free\uwas7cw.exe" -c
O4 - HKLM\..\RunServices: [NDIS Adapter] svchosttt.exe
O4 - HKLM\..\RunServices: [psYko] updates32.exe
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-H91IG.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ccss] "C:\Program Files\bepu\tdop.exe" -vt yazr
O4 - HKCU\..\Run: [d4322d1a.exe] C:\Documents and Settings\sudhansu\Local Settings\Application Data\d4322d1a.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~3\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: Yahoo! Chess - *download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - *public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c3.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - *www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - *www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{109BFC5E-D9F9-47B0-B89B-3CEDBBB31B28}: NameServer = 218.248.255.145 218.248.255.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{109BFC5E-D9F9-47B0-B89B-3CEDBBB31B28}: NameServer = 218.248.255.145 218.248.255.161
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

anandk

Distinguished Member
The first thing to do is to turn off System Restore, scan your PC in safe mode with your antivirus (Avast/AVG) and your anti-spyware (AVG/Ad-Aware), and then clear up your residual PC junk using CCleaner.

Yes, your PC is infected. C:\WINDOWS\System32\ismini.exe is a trojan, possibly from the SpywareQuake family. SpywareQuake is a rogue anti-spyware program that was also known in the past as SpyAxe, SpywareStrike and SpyFalcon. You can also always use Delete Doctor to delete this sticky trojan.

This page may then help you: *www.remove-spywarequake.com/ Also see "SpywareQuake": the newest rogue anti-spy. RogueRemover is also a great new utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities, as well as rogue registry cleaners.

Also, your browser pages have been hijacked by prosearching.com.
For help in this regard, please see my post here.

::cyborg::

In the zone
The manual way will be to go to Search, enable hidden files,

and enter this to search: "idd*.exe". Whichever files come up, delete them.

Then open regedit,

go to the Find box,

type the exact name of the application you deleted, and delete whichever entries are there with this exe file.

Then scan with Spyware Doctor and Avast.

Spyware Doctor = www.pctools.com
Avast = www.avast.com
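Added example for this thread (not HijackThis code and not any poster's script): a small Python triage tool that reads a HijackThis log and does by rule what the two replies above do by eye, then turns the result into the same kind of review checklist (files to quarantine, autoruns to check, orphaned BHO/toolbar entries, the Winsock LSP, the DNS servers, the Winlogon Notify hook). The heuristics are my assumptions, chosen to surface the entry types visible in the log above; the embedded sample is a constructed subset of that log with the wrapped lines rejoined. It only reports; it never deletes files or registry values.

```python
"""Triage a HijackThis log into a review checklist.

Added example for this thread (not HijackThis code, not a poster's script).
The heuristics are assumptions: binaries running from TEMP or per-user
Application Data, RunServices values with no path, DLLs loaded via rundll32,
orphaned BHO/toolbar entries, Winsock LSPs, DNS overrides, Winlogon Notify.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted above, wrapped lines rejoined.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\TEMP\win82D8.tmp.exe
C:\WINDOWS\TEMP\idd82D9.tmp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\ws2helpa.dll
O2 - BHO: (no name) - {23CB9697-2835-45C5-8949-8A4E73AA70D4} - (no file)
O3 - Toolbar: AZE Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\azesearch2.ocx (file missing)
O4 - HKLM\..\Run: [d4322d1a.exe] C:\WINDOWS\System32\d4322d1a.exe
O4 - HKLM\..\Run: [vmifwxm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vmifwxm.dll,oqdtjbd
O4 - HKLM\..\Run: [QuickTime Task] "F:\quick_time\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [NDIS Adapter] svchosttt.exe
O4 - HKCU\..\Run: [d4322d1a.exe] C:\Documents and Settings\sudhansu\Local Settings\Application Data\d4322d1a.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{109BFC5E-D9F9-47B0-B89B-3CEDBBB31B28}: NameServer = 218.248.255.145 218.248.255.161
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
# A Windows path ending in a binary extension. Quotes, commas and a second
# drive letter end a match, so "rundll32.exe C:\x\y.dll,Export" yields two paths.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\:*?"<>|\r\n,]+\\)*[^\\:*?"<>|\r\n,]+\.(?:exe|dll|ocx)', re.I)
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\application data\\")

# (finding category, checklist line) in the order a helper would work through them.
TEMPLATES = [
    ("process_in_temp_or_appdata", "file: quarantine and scan {}"),
    ("autorun_in_temp_or_appdata", "registry: review autorun {}"),
    ("runservices_bare_filename", "registry: review autorun {}"),
    ("rundll32_loaded_dll", "file: identify the publisher of {} (loaded via rundll32)"),
    ("orphaned_entry", "registry: remove orphaned entry {}"),
    ("winsock_lsp", "winsock: repair the LSP chain before removing {}"),
    ("winlogon_notify", "registry: review Winlogon Notify hook {}"),
    ("browser_setting_targets", "browser: reset IE start/search pages pointing at {}"),
]


def parse_log(text):
    """Split a log into the running-process list and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:          # blank line closes the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def in_suspicious_dir(path):
    """True for a binary under a TEMP or per-user Application Data directory."""
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(text):
    """Return {category: [unique items]} for the entries worth a second look."""
    processes, entries = parse_log(text)
    found = defaultdict(list)
    for proc in processes:
        if in_suspicious_dir(proc):
            found["process_in_temp_or_appdata"].append(proc)
    for code, body in entries:
        paths = PATH_RE.findall(body)
        if code in ("R0", "R1"):                       # IE start/search pages
            found["browser_setting_targets"].append(body.partition(" = ")[2])
        elif code in ("O2", "O3"):                     # BHOs and toolbars
            if "(no file)" in body or "(file missing)" in body:
                found["orphaned_entry"].append(f"{code} - {body}")
            elif any(in_suspicious_dir(p) for p in paths):
                found["bho_in_temp_or_appdata"].append(body)
        elif code == "O4":                             # autoruns
            if "RunServices" in body and not paths:    # bare filename, no path
                found["runservices_bare_filename"].append(body)
            if any(in_suspicious_dir(p) for p in paths):
                found["autorun_in_temp_or_appdata"].append(body)
            if "rundll32" in body.lower():
                found["rundll32_loaded_dll"].extend(p for p in paths if p.lower().endswith(".dll"))
        elif code == "O10":
            found["winsock_lsp"].append(body)
        elif code == "O17":
            found["dns_servers"].extend(body.partition("NameServer = ")[2].split())
        elif code == "O20":
            found["winlogon_notify"].append(body)
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}   # dedupe, keep order


def cleanup_checklist(findings):
    """Order the findings into review steps. Nothing here touches disk or registry."""
    steps = [tmpl.format(item) for key, tmpl in TEMPLATES for item in findings.get(key, [])]
    if findings.get("dns_servers"):
        steps.append("dns: confirm " + ", ".join(findings["dns_servers"]) + " belong to the ISP")
    return steps


if __name__ == "__main__":
    for step in cleanup_checklist(triage(SAMPLE_LOG)):
        print(step)
```

The two checks that matter most for the log above are the location rules (anything launched from `C:\WINDOWS\TEMP` or `Local Settings\Application Data` is flagged, which is exactly where the `idd*.tmp.exe` processes and the HKCU `d4322d1a.exe` autorun live) and the RunServices rule (a value holding just `svchosttt.exe` with no path is listed for review). The LSP line is deliberately a "repair the chain first" step rather than "delete the DLL", because removing a Winsock LSP DLL on its own leaves a broken provider chain.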