Major Adware issues...uMonitor too?


#16
Guest_thatman_*
  • Guest
Hi Euphemist4137

Go to Microsoft Update, then check your download history;
that will tell you the last Microsoft update to your system.

Next, disable auto-update on your system.


kc
  • 0


#17
Guest_thatman_*
  • Guest
Hi Euphemist4137

Let's try this: get yourself a blank, formatted floppy disk.

Now cut and paste ykuthk.exe onto the floppy, take the floppy out of the drive, reboot, then search for ykuthk.exe; let's see if it comes back.


kc <_<
  • 0

#18
Euphemist4137

    Member

  • Topic Starter
  • Member
  • 10 posts
Okay...I copied the file ykuthk.exe to a floppy, then rebooted in Safe Mode as Administrator and deleted the file through a Command Line prompt. I also checked the registry under

HKLM\Software\Microsoft\Current Version\Run

Just to make sure there were no startup entries for it. There weren't. I then used msconfig to make sure that the startup item had been removed. It had.

I rebooted normally...and sure as heck, wouldn't you know it, it popped right back up in the Startup tab under msconfig, and the file was put back into the directory from which I deleted it in Safe Mode.

Sounds fishy to me. Let me fill you in on something else I discovered in the process of working with this...

Both within the registry and within the Startup tab of msconfig, I have discovered another process called ypirwp.exe, and I have absolutely no clue what this process does. A search in online process libraries returns absolutely nothing, and a google search uncovers nothing as well. It is being run from the following directory:

C:\WINDOWS\system32

Also seems suspicious. I am beginning to wonder if these two "gibberish" files (ykuthk.exe and ypirwp.exe) are related...maybe one is creating the other? Do you think it would be safe to do a similar process as before with BOTH of these files this time?
  • 0

#19
Guest_thatman_*
  • Guest
Hi Euphemist4137

Having checked my system for the two files: zero.

Let's try this: boot into Safe Mode.

(1) Use Task Manager to end the processes (ykuthk.exe and ypirwp.exe)

(2) Now cut and paste them to the floppy disk

(3) Run an Ad-Aware rescan

(4) Reboot to normal mode

(5) Check the system for ykuthk.exe and ypirwp.exe and any new file that has been added

(6) Run HijackThis and post the log file

kc <_<
  • 0

#20
Euphemist4137

    Member

  • Topic Starter
  • Member
  • 10 posts
Well, I followed your instructions. I had to use msconfig to stop the ypirwp.exe process from loading at startup, then reboot in Safe Mode and use a command line prompt to delete both it and the ykuthk.exe file from my system. I also found and deleted a registry entry for the ypirwp.exe file under a key for Search Assistant (whatever that is).

I rebooted, and while I am still getting adware popups, so far I have not yet had any RunDLL error messages. My recycle bin still won't store deleted files.

I checked the registry and the startup processes, and ypirwp.exe is not loading anymore...and I checked the system32 directory in MS-DOS, and the file seems to be gone, as does ykuthk.exe. Of course, they could be renamed to something else now...but I don't see any new suspicious items anywhere either.

Now...if I could just figure out what is still causing these darned popups....

Most recent HJT log posted below:

Logfile of HijackThis v1.98.2
Scan saved at 2:10:15 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\AVWLPSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\EndNote\EndNote5.EXE
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Johnathan Kana\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://campusweb.garrett.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.hotmail.com"); (C:\Documents and Settings\Johnathan Kana\Application Data\Mozilla\Profiles\default\x30swvn7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Johnathan Kana\Application Data\Mozilla\Profiles\default\x30swvn7.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVWLPSTA.EXE] AVWLPSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F7977D-FF5A-4E9A-A7F8-111CDA3848D0}: Domain = northwestern.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F7977D-FF5A-4E9A-A7F8-111CDA3848D0}: NameServer = 129.105.49.1,165.124.49.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = northwestern.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = northwestern.edu
  • 0

#21
Guest_thatman_*
  • Guest
Hi Euphemist4137

Have searched and found this info about your hosts file:

69.20.16.183 is a bad place.
Adware.IGetNet
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Go to this link and follow the instructions:

http://sarc.com/avce...re.igetnet.html

Please post a new HJT log.

kc <_<
  • 0
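One way to pull hosts-file redirects like the ones identified above out of a HijackThis log automatically, as an added example that is not part of this thread (the sample log is constructed; only the three O1 lines are taken from the log posted above, and the benign loopback and O4 lines are assumptions to show what is not reported):

```python
import ipaddress
import re
from collections import defaultdict

# A HijackThis "O1 - Hosts:" line records one entry of the Windows hosts file as
# "<ip> <hostname>". Legitimate entries almost always point at loopback or a
# private LAN address; an entry that sends a search or update hostname to a
# public address is the search hijack seen in this thread (Adware.IGetNet).
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1_lines(log_text):
    """Return (ip, hostname) pairs for every O1 entry in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_benign_target(ip_text):
    """True for loopback/private/link-local targets; False for public IPs or junk."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP at all: treat as suspicious, let a human look
    return ip.is_loopback or ip.is_private or ip.is_link_local


def find_hosts_hijacks(log_text):
    """Group suspicious hosts entries by the public IP they redirect to."""
    hijacks = defaultdict(list)
    for ip_text, hostname in parse_o1_lines(log_text):
        if not is_benign_target(ip_text):
            hijacks[ip_text].append(hostname)
    return dict(hijacks)


# Constructed sample: the three O1 lines from the thread, a default loopback
# entry, and an unrelated O4 line (the last two are assumptions for contrast).
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for ip, hosts in find_hosts_hijacks(SAMPLE_LOG).items():
        print(f"{ip} redirects {len(hosts)} name(s): {', '.join(hosts)}")
```

Run against the log above it reports only 69.20.16.183 with the three redirected search hostnames; the loopback entry and the O4 line are ignored.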