TheBugs (Member), February 17, 2005 (edited February 17, 2005):
I have 2 .exe files that keep coming back after I delete them. They both seem to keep my PC usage at about 90-100% when nothing else is running. I've tried Ad-Aware, Spybot, and did a full system scan with Norton and the friggen things won't go away. Ha, figure the names of the two might be helpful: "yftupy.exe" and "yqrioy.exe". Any suggestions?

appalachian_fox (Member), February 17, 2005:
Do they come back while the computer is in use, or on reboots?
- If they come back on reboots, do they come back if you boot into safe mode, or only if you do a full real boot?
- Do they restart themselves if you kill the task w/o deleting the files? How long until they restart?
- Did you check your "Run" registry entries for obvious hijacks?
Also, try posting a HijackThis log for those who got 73h 5k11z in catching spyware and will likely be here shortly. For another forum, but a good list of things to do: http://www.geekstogo.com/forum/You_Must_Re..._Log-t2852.html

dwEEziL (Member), February 17, 2005:
If you are familiar with the registry, you can check in HKLM\Software\Microsoft\Windows\Run and HKCU\Software\Microsoft\Windows\Run for entries that look like they kick it off. Look in Run, RunOnce, RunEX, or any other Run variant in the Windows hive (that begins with Run anyway).

NOFX (Member), February 17, 2005:
dduuuuudddee. Go to Start > Run and type msconfig. Go to the Startup tab and uncheck all that crap, but keep what you want to start up when you boot your comp. I turn everything off but AIM.

dwEEziL (Member), February 17, 2005:
I don't like msconfig myself cuz it creates another registry hive with all the stuff you disabled. I just prefer to delete what I know (key word here is "know") I don't want running.

TheBugs (Member, Author), February 17, 2005:
I've gone into my msconfig and turned them all off but they still come back. I can delete both of them. Both are in my system32 folder but when I refresh the folder they are right back in there. I'll try looking at the registry later.

TheBugs (Member, Author), February 17, 2005:
Looked through the registry and it's only in the main RUN folder. I delete it, and it just comes back.

dwEEziL (Member), February 17, 2005:
I heard some virii were getting smarter and adding themselves to the list of "Protected Windows Files" so that if you delete them, Windows puts them back. Might be what is going on here, might not. Did you try Spybot? Maybe run it while Windows is in Safe Mode?

TheBugs (Member, Author), February 17, 2005:
Did that, didn't do a thing. :[

zerodamage (Guest), February 17, 2005:
I've run across this multiple times and as of right now, none of my spyware removal tools will get rid of it. I am not even sure what it is as I've checked multiple sources. I am afraid your only option is a format and reinstall with this bugger.

zerodamage (Guest), February 17, 2005:
You know what... we can try one thing. Download and run this: http://www.majorgeeks.com/download3155.html
Do the Save log and then copy and paste it in here. Let's see if you can be my first successful cleaning of this bugger.

Acid-Flux (Member), February 17, 2005:
Download something like tweakXP or TweakNow PowerPack and edit the startup registry and do a reg clean. I have found that these programs work great for programs which seem to auto-load on startup and that you can't find ('cause they're hidden), weird registry commands, etc.

zerodamage (Guest), February 18, 2005:
Just do a search on Google for "Startup Control Panel"; the first result is a nice little app that loads up in your control panel. MSConfig for XP sucks big time and this is all I use for Win2k and XP. I bet you will be able to disable this here but it doesn't solve the problem of it still being on your system.

TheBugs (Member, Author), February 18, 2005 (edited February 18, 2005):
Here ya go ZD. Good luck! And I'll be happy to be a guinea pig.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:08 PM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Logitech\MouseWare\system\em_exec.exe
D:\powerstrip\pstrip.exe
D:\Mirc\mirc.exe
D:\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kyle Ciccaglione\My Documents\bleh\HijackThis.exe
C:\WINDOWS\system32\yqrioy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsmb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.csnation.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [PowerStrip] d:\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [AWMON] "C:\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yqrioy.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: mIRC.lnk = D:\Mirc\mirc.exe
O4 - Global Startup: yftupy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I'm also running a registry fix. Hope it works.

zerodamage (Guest), February 18, 2005:
Remove:
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yqrioy.exe

And all of these DPF's for they will reinstall as needed.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab

This is just a waste of resources. Remove it also.
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime

And this I am not sure what it is. If you know what it is for, if it is some sort of application you need, then leave it. Otherwise, remove it.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

TheBugs (Member, Author), February 18, 2005:
OK, everything removed. But yqrioy.exe just gets recreated and shows up when I do the scan.

zerodamage (Guest), February 18, 2005 (edited February 18, 2005):
> OK, everything removed. But yqrioy.exe just gets recreated and shows up when I do the scan.

Well, that is your main problem. Do a search in your registry for this file name and remove all entries of it. Then reboot into the Recovery Console with your XP CD and delete that file. Also run a virus scan after doing all of this: http://housecall.antivirus.com

Then do a scan again with HijackThis and run Ad-Aware and Spybot S&D, and even download and run Spysubtract after doing all of this to ensure everything is gone. Great 30 day full working demo that makes it great for just removing spyware and then uninstalling.

Also, go to the Privacy tab of Internet Explorer properties and put everything as default. Click on each one, Restricted and Trusted, and set each to default. Also make sure there is NOTHING in the Trusted sites list. Remove anything that is there. I have a feeling there are a couple there that keep coming back.

Either you can do all of this or reinstall Windows XP. Odds are, this file is not gonna go away. Some DLL is most likely responsible for this that has a random name change. I've run into this file before and it is ugly.

Also, use the Firefox browser. http://www.mozilla.org

TheBugs (Member, Author), February 18, 2005:
Well, I used Spy Sweeper and it seemed to get rid of it, and nothing came up on the virus scan. Thanks for the help.

zerodamage (Guest), February 18, 2005:
> Well, I used Spy Sweeper and it seemed to get rid of it, and nothing came up on the virus scan. Thanks for the help.

I will have to keep that in mind. Never used that before. Keep an eye out to see if it comes back. I've seen them come back hours later.

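Added example, not part of the original thread: a Python triage of the O4 autorun lines from the HijackThis log posted earlier, plus a comparison of two scans to confirm that a removed entry was recreated. The two heuristics (a raw .exe sitting in a Startup folder, a Run value pointing straight into system32) are assumptions chosen for this log; they mark entries for manual review and are not verdicts.

```python
import re
from ntpath import dirname, splitext

# O4 (autorun) lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PowerStrip] d:\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yqrioy.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: mIRC.lnk = D:\Mirc\mirc.exe
O4 - Global Startup: yftupy.exe
"""

REG_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.+))?$")

def exe_path(command):
    """Executable part of an autorun command line, without arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command, re.I)
    return (m.group(1) or m.group(2)) if m else command.split()[0]

def parse_o4(log_text):
    """Yield (location, name, target) for each O4 line of a HijackThis log."""
    for line in map(str.strip, log_text.splitlines()):
        if m := REG_RE.match(line):
            yield f"{m[1]}\\{m[2]}", m[3], exe_path(m[4])
        elif m := STARTUP_RE.match(line):
            yield m[1], m[2], exe_path(m[3] or m[2])

def triage(log_text):
    """Entries worth a manual look: (location, name, target, reason)."""
    findings = []
    for loc, name, target in parse_o4(log_text):
        if "Startup" in loc and splitext(name)[1].lower() == ".exe":
            findings.append((loc, name, target, "raw .exe in a Startup folder"))
        elif dirname(target).lower().endswith("\\system32"):
            findings.append((loc, name, target, "Run value starts a file in system32"))
    return findings

def reappeared(before_log, after_log):
    """Flagged targets from the first scan that a later scan still lists."""
    still = {t.lower() for _, _, t, _ in triage(after_log)}
    return [t for _, _, t, _ in triage(before_log) if t.lower() in still]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```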