ohnoes!

[TheBugs]

i have 2 .exe files that keep coming back after i delete them. They both seem to keep my PC Usage at about 90-100% when nothing else is running. Ive tried Ad aware, spy bot, and did a full system scan with Norton and the friggen things wont go away.

 

ha, figure the names of the two might be helpful. "yftupy.exe" and "yqrioy.exe"

 

Any suggestions?

Edited February 17, 2005 by TheBugs

[appalachian_fox]

? Do they come back while the computer is in use, or on reboots?

 

- If they come back on reboots, do they come back if you boot into safe mode, or only if you do a full real boot?

 

-Do they restart themselves if you kill the task w/o deleting the files? How long until they restart?

 

-Did you check your "Run" registry entries for obvious hijacks?

 

Also, try posting a HijackThis log for those who got 73h 5k11z in catching spyware and will likely be here shortly.

 

For another forum, but a good list of things to do:

 

http://www.geekstogo.com/forum/You_Must_Re..._Log-t2852.html

[dwEEziL]

If you are familiar with the registry, you can check in HKLM\Software\Microsoft\Windows\Run and HKCU\Software\Microsoft\Windows\Run for entries that look like they kick it off. Look in Run, RunOnce, RunEX, or any other Run variant in the Windows hive (that begins with Run anyway).

[NOFX]

dduuuuudddee. go to start>run type msconfig. Go to startup tab and uncheck all that crap, but keep what you want to startup when you boot your comp. I turn everything off but AIM.

[dwEEziL]

I don't like msconfig myself cuz it creates another registry hive with all the stuff you disabled. I just prefer to delete what I know (key word here is "know") I don't want running.

[TheBugs]

ive gone into my msconfig and turned them all of but they still come back. I can delete both of them. Both are in my system32 folder but when i refresh the folder they are right back in there. Ill try looking at the registry later.

[TheBugs]

looked through the registry and its only in the main RUN folder. I delete it, and it just comes back

[dwEEziL]

I heard some virii were getting smarter and adding themselves to the list of "Protected Windows Files" so that if you delete them, Windows puts them back. Might be what is going on here, might not.

 

Did you try spybot? Maybe run it while Windows is in Safe Mode?

[TheBugs]

did that, didnt do a thing. :[

[Guest zerodamage]

I've run across this multiple times and as of right now, none of my spyware removal tools will get rid of it. I am not even sure what it is as I've checked multiple sources. I am afraid your only option is a format and reinstall with this bugger.

[Guest zerodamage]

You know what... we can try one thing.

 

Download and run this; http://www.majorgeeks.com/download3155.html

 

Do the Save log and then copy and paste it in here. Let's see if you can by my first successful cleaning of this bugger.

[Acid-Flux]

download somthing like tweakXP, or TweakNow PowerPack and edit the startup registry and do a reg clean. I have found that these programs work great for programs which seem to auto-load on startup, and cant find them (cause there hidden), wierd registry commands etc..

[Guest zerodamage]

Just do a search on Google for "Startup Control Panel" the first result is a nice little app that loads up in your control panel. MSConfig for XP sucks big time and this is all I use for Win2k and XP. I bet you will be able to disable this here but doesn't solve the problem of it still being on your system.

[TheBugs]

here ya go ZD. Good luck! and ill be happy to be a guinea pig

 

Logfile of HijackThis v1.99.1

Scan saved at 9:08:08 PM, on 2/17/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Logitech\MouseWare\system\em_exec.exe

D:\powerstrip\pstrip.exe

D:\Mirc\mirc.exe

D:\Ventrilo\Ventrilo.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Kyle Ciccaglione\My Documents\bleh\HijackThis.exe

C:\WINDOWS\system32\yqrioy.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsmb.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.csnation.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [PowerStrip] d:\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [AWMON] "C:\Lavasoft\AD-AWA~1\Ad-Watch.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yqrioy.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - Startup: mIRC.lnk = D:\Mirc\mirc.exe

O4 - Global Startup: yftupy.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Aim\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

Im also running a registry fix. Hope it works.

Edited February 18, 2005 by TheBugs

[Guest zerodamage]

Remove:

 

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yqrioy.exe

 

And all of these DPF's for they will reinstall as needed.

 

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab

 

This is just a waste of Resources. Remove it also.

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime

 

And this I am not sure what it is. If you know what it is for if it is some sort of application you need, then leave it. Otherwise, remove it.

 

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[TheBugs]

ok, everything removed. But yqrioy.exe just gets recreated and shows up when i do the scan.

[Guest zerodamage]

ok, everything removed. But yqrioy.exe just gets recreated and shows up when i do the scan.

<{POST_SNAPBACK}>

 

 

Well that is your main problem. Do a search in your registry for this file name and remove all entries of it. Then reboot into recovery console with your xp cd and delete that file. Also run a virus scan after doing all of this.

 

http://housecall.antivirus.com

 

Then do a scan again with hijackthis and run adaware and spybot S&D and even download and run Spysubtract after doing all of this to ensure everything is gone. Great 30 day full working demo that makes is great for just removing spyware and then uninstalling.

 

Also, go to the privacy tab of Internet Explorer properties and put everything as default. Click on each on, Restricted and trusted and set each to default. Also make sure there is NOTHING in the Trusted site list. remove anything that is there. I have a feeling there are a couple there that keep coming back.

 

Either you can do all of this or reinstall windows xp. Odds are, this file is not gonna go away. Some DLL is most likely responsible for this that has a random name change. I've run into this file before and it is ugly.

 

Also, use Firefox browser.

 

http://www.mozilla.org

Edited February 18, 2005 by zerodamage .gc

[TheBugs]

well, i used spy sweeper and it seemed to get rid of it, and nothing came up on the virus scan. Thanks for the help

[Guest zerodamage]

well, i used spy sweeper and it seemed to get rid of it, and nothing came up on the virus scan. Thanks for the help

<{POST_SNAPBACK}>

 

 

I will have to keep that in mind. Never used that before.

 

Keep an eye out to see if it comes back. I've seen them come back hours later.