Old 05-02-2007, 02:33 PM   #1 (permalink)
Apprentice
 
Join Date: Mar 2005
Location: Cuttack, Orissa
Posts: 55
help idd.tmp.exe


I am really troubled by this. Whenever I am working on something on my PC, an "idd***.tmp.exe" pops up in the system tray and slows down the system miserably. They swarm in in huge numbers. Can someone help me? I am posting the hijack log file...
See the last but one in the running processes list. Hundreds of those pop in.

Thanks
Saurya

Logfile of HijackThis v1.99.1
Scan saved at 2:31:05 PM, on 2/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\d4322d1a.exe
C:\WINDOWS\System32\rundll32.exe
F:\quick_time\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ismini.exe
C:\WINDOWS\System32\psc_mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\bepu\tdop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinAntiSpyware 2007 Free\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\WINDOWS\TEMP\win82D8.tmp.exe
C:\WINDOWS\TEMP\idd82D9.tmp.exe
J:\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dataone.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\ws2helpa.dll
O2 - BHO: ChangerBHO Class - {0edc6c20-a31c-11db-8ab9-0800200c9a66} - C:\WINDOWS\system32\tapi32s.dll
O2 - BHO: (no name) - {18209BEC-6659-CE1F-CD9A-0811EE6E8969} - C:\Documents and Settings\sudhansu\Local Settings\Application Data\smwclwd.dll
O2 - BHO: ChangerBHO Class - {1D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\wow32a.dll
O2 - BHO: (no name) - {23CB9697-2835-45C5-8949-8A4E73AA70D4} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll
O2 - BHO: Clicker Class - {631f7200-642e-11db-bd13-0800200c9a66} - C:\WINDOWS\system32\mscoriezb.dll
O2 - BHO: (no name) - {74EE6180-6879-E6C9-A910-00850E0AE7EC} - C:\WINDOWS\System32\pjlnpkk.dll
O2 - BHO: (no name) - {9B053E00-78D3-47AE-B763-60FF36FF2886} - (no file)
O2 - BHO: TrustIn Bar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\Program Files\trustin bar\trustin.dll
O2 - BHO: ContextualAds Class - {FE6C16C4-16AD-47B6-B250-26AD1829E49A} - C:\Program Files\TrustIn Contextual\trustincontext.dll
O3 - Toolbar: AZE Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\azesearch2.ocx (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: TrustIn Bar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\Program Files\trustin bar\trustin.dll
O4 - HKLM\..\Run: [d4322d1a.exe] C:\WINDOWS\System32\d4322d1a.exe
O4 - HKLM\..\Run: [vmifwxm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vmifwxm.dll,oqdtjbd
O4 - HKLM\..\Run: [QuickTime Task] "F:\quick_time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ifmmvxh.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\sudhansu\Local Settings\Application Data\ifmmvxh.dll",rohzskc
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvriw.dll,startup
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007 Free\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\WinAntiSpyware 2007 Free\uwas7cw.exe" -c
O4 - HKLM\..\RunServices: [NDIS Adapter] svchosttt.exe
O4 - HKLM\..\RunServices: [psYko] updates32.exe
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-H91IG.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ccss] "C:\Program Files\bepu\tdop.exe" -vt yazr
O4 - HKCU\..\Run: [d4322d1a.exe] C:\Documents and Settings\sudhansu\Local Settings\Application Data\d4322d1a.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~3\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_fi...95c0ae18260743

70b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273 507e405440345a19b4981e02e4ec7

1b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62.../bridge-c3.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{109BFC5E-D9F9-47B0-B89B-3CEDBBB31B28}: NameServer = 218.248.255.145 218.248.255.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{109BFC5E-D9F9-47B0-B89B-3CEDBBB31B28}: NameServer = 218.248.255.145 218.248.255.161
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
__________________
Physics-Philosophy-Saurya
Old 05-02-2007, 03:21 PM   #2 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783

The first thing to do is to turn off System Restore, scan your PC in safe mode with your antivirus (avast/avg) and your anti-spy (avg/adaware), and then clear up your residual PC junk using 'ccleaner'.

Yes, your PC is infected. C:\WINDOWS\System32\ismini.exe is a trojan, possibly from the SpywareQuake family. SpywareQuake is a rogue anti-spyware program that was also known in the past as SpyAxe, SpywareStrike and SpyFalcon. You can also always use 'delete doctor' to delete this sticky trojan.

This page may then help you: http://www.remove-spywarequake.com/ Also see "SpywareQuake: the newest rogue anti-spy". Also, RogueRemover is a great new utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities, as well as rogue registry cleaners.

Also, your browser pages have been hijacked by prosearching.com.
For help in this regard, please see my post here.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
Old 05-02-2007, 03:48 PM   #3 (permalink)
In The Zone
 
::cyborg::'s Avatar
 
Join Date: Oct 2005
Location: NEW DELHI
Posts: 436
Re: help idd.tmp.exe

The manual way will be to go to Search and enable hidden files,

then enter "idd*.exe" in the search and delete whichever files come up.

Then open regedit,

go to the Find box,

type the "exact name of the application you deleted" and delete whichever entries are there with this exe file,

and then scan with Spyware Doctor and avast.

Spyware Doctor = www.pctools.com
avast = www.avast.com
__________________
:)) - KEEP SMILING
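
Added example, not part of any post in this thread: a small Python triage pass over a HijackThis log like the one above, covering the temp-directory `*.tmp.exe` processes the first post describes and the prosearching.com browser hijack pointed out in reply #2. The function names and the three heuristics are assumptions of this example; the sample is an excerpt of the posted log with its forum line-wrapping left in, which the parser rejoins.

```python
import re
from collections import Counter

# Excerpt of the log posted in this thread, forum line-wrapping included.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\win82D8.tmp.exe
C:\WINDOWS\TEMP\idd82D9.tmp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dataone.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
O4 - HKLM\..\Run: [ifmmvxh.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and

Settings\sudhansu\Local Settings\Application Data\ifmmvxh.dll",rohzskc
O4 - HKLM\..\Run: [QuickTime Task] "F:\quick_time\qttask.exe" -atboottime"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

def parse(log):
    """Split a log into (processes, entries), rejoining wrapped entry lines."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append([m.group(1), m.group(2)])
        elif line and in_procs:
            procs.append(line)
        elif line and entries:  # continuation of the previous wrapped entry
            entries[-1][1] += " " + line
    return procs, [tuple(e) for e in entries]

def triage(log):
    procs, entries = parse(log)
    hits = [("temp-exe", p) for p in procs
            if re.search(r"\\temp\\[^\\]+\.tmp\.exe$", p, re.I)]
    # Heuristic: same target written into more than one IE start/search value.
    targets = Counter(t.rsplit(" = ", 1)[1] for c, t in entries
                      if c in ("R0", "R1") and " = " in t)
    hits += [("ie-redirect", v) for v, n in targets.items() if n > 1]
    # Heuristic: autorun loading a DLL via rundll32 from a per-user data folder.
    hits += [("rundll32-autorun", t) for c, t in entries if c == "O4"
             and re.search(r"rundll32.*\\application data\\", t, re.I)]
    return hits

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Every hit is only a pointer for a closer look; the flagged names still have to be checked against the scanners recommended in the replies.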