Yeakukz Problem. Big!

I have this problem that I believe calls itself Yeakukz. It constantly pops up AOL Instant Messenger. It has placed trofkz.reg, a.html, and staff.html on my desktop. It also is preventing me from accessing msconfig.exe or Task Manager to disable this problem. How do I fix this? Please, this is urgent.

My Hijack log is:

Logfile of HijackThis v1.97.7
Scan saved at 9:20:01 PM, on 9/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\sysreset\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Application Data\c??k??.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINNT\system32\d?dplay.exe
C:\WINNT\system32\aoabfz.exe
C:\WINNT\SYSTEM32\qbewyeb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BDB1250-EB6F-0DE0-D056-66550F852441} - C:\WINNT\system32\ugvansjr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem302.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [tqletah] C:\WINNT\tqletah.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [idqketafgptvi] C:\WINNT\system32\aoabfz.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utta] C:\Documents and Settings\Administrator\Application Data\c??k??.exe
O4 - HKCU\..\Run: [Ahmogtw] C:\WINNT\system32\d?dplay.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=ffe5909ffe00eb7f12d063133b3d23bee077a5bf6056e04090b5d765ec2e75e4f9e8656dccedb6d89d09d2c86f5b30597ea87d3d2a4c1ed47e9128c74281bfb4:a6d60611056994dfac80e4ac3a715ede
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter/install/win2000/SYSsfitb.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab

Please Help!
wiseman7687Asked:
ZylochCommented:
Give this a whir, download at page bottom:

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml
0
 
 
wiseman7687Author Commented:
OK, I should remove everything that is Unknown and Nasty, correct?
0
 
ZylochCommented:
Well, if it's unknown, you have to be more careful about it. If you don't know it, you can remove it I guess, but it's up to your judgement. The nasty ones though... yeah
0
 
wiseman7687Author Commented:
OK, another question: is there a way to close programs through command.exe? Because whatever the file is, it is preventing me from using Task Manager.
0
 
wiseman7687Author Commented:
I have Windows 2000.
0
 
wiseman7687Author Commented:
OK. Well, I ran HijackThis and though most of the popups stopped, AOL Instant Messenger keeps popping up and I am still being prevented from using Task Manager.
0
 
ZylochCommented:
Do you have a virus checker? You can also try this: http://housecall.trendmicro.com/
0
 
wiseman7687Author Commented:
I am running the virus checker and I am using the program you provided.
0
 
wiseman7687Author Commented:
OK, it found a Trojan virus. I am going to try to remove it now. I will be right back.
0
 
ZylochCommented:
ok
0
 
wiseman7687Author Commented:
OK, well I have tried that website, and it was unable to remove it. Should I try AVG?
0
 
ZylochCommented:
Which Trojan was it?
0
 
wiseman7687Author Commented:
Using the pskill thing you provided I was able to get rid of the 3 executables preventing me from opening Task Manager and msconfig :)

But I believe I still have the viruses...
0
 
ZylochCommented:
Did the site tell you which trojan you have?
0
 
wiseman7687Author Commented:
Trojan imiserv or something.

I will be right back; I am going to have to restart the computer because I installed AVG.
0
 
wiseman7687Author Commented:
OK, I found that a program called qbewyeb.exe is the source of this error. I had to run pskill again to close this program to stop it from closing Task Manager and msconfig repeatedly.
0
 
ZylochCommented:
Hmm... Not sure what this file does, but can you find out where it is? Like, do a system search for it?
0
 
wiseman7687Author Commented:
Yes, I am looking for it now. I found other people with the same problem that I have got (type Yeakukz into Google). I believe it was transferred by AOL Instant Messenger.
I ended the process with pskill and I was able to use msconfig and Task Manager again.
0
 
wiseman7687Author Commented:
The symptoms I have encountered so far:

On AOL Instant Messenger: puts you on an away message with a link to a website which I believe transfers the virus.

It opens AOL Instant Messenger every 2 minutes.

It opens popups, even when you are not on Internet Explorer, causing the installation of more spyware.

It prevents you from using ctrl-alt-delete to get to Task Manager.

It prevents you from opening msconfig to disable the program when you restart the computer.

It installs 3 files onto the desktop: trofkz.REG, k.html, staff.html

These are the only symptoms that I have encountered so far.
0
 
wiseman7687Author Commented:
It also installs x.bat on the desktop. I missed that one.
0
 
wiseman7687Author Commented:
It also slowed down computer processing tremendously.
0
 
wiseman7687Author Commented:
qbewyeb.exe was found in C:\WINNT\System32\
0
 
ZylochCommented:
Hmm. As expected. Gotta find a way to manually uninstall it completely, however.
0
 
ZylochCommented:
Some dude posted that you have to do this:

erum.exe
ks.exe
mtx.bat
mtx.exe
x.bat
x.exe
o.bat
o.exe
staff.html
install.exe (in the root directory)

Probably add that qsomething.exe to the list and see if that helps
0
 
wiseman7687Author Commented:
Should I search for those files?
0
 
ZylochCommented:
Yeah I guess
0
 
wiseman7687Author Commented:
OK, I found none of them.
0
 
rossfingalCommented:
Hi!

The first thing you should do is upgrade HijackThis to the latest version - 1.98.2
Download it from:
http://www.subratam.org/?page=removal
or:
http://www.subratam.org/?page=removal
Run it and post a new log here.

As far as some of the things that your current log shows:

The following entry indicates the presence of "TrojanDownloader.Win32.Stubby.c" -
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe

This entry:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" -
should be uninstalled through Add/Remove Programs in Control Panel.
Look for: "Active Alert" and/or "Internet Optimizer" - then uninstall them.

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} X BHO  localNRD.dll
{Transponder parasite variant}
http://www.doxdesk.com/parasite/Transponder.html

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} X BHO  systb.dll
{IEPlugin variant}
http://www.doxdesk.com/parasite/IEPlugin.html

O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} X BHO  msbe.dll
{eXact Advertising}
http://www.doxdesk.com/parasite/BargainBuddy.html

This next one is particularly troublesome - VX2
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} X BHO  nem219.dll
{DyFuCa/Internet Optimizer}
http://www.doxdesk.com/parasite/InternetOptimizer.html 

These are not all the things you have on your computer.
Using HijackThis or the Automatic Analysis Site to fix them will not work.
Just some information.

Good luck!
RF
0
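A small added triage script, not from this thread and not a HijackThis feature, that parses O2 (BHO) and O4 (Run key) lines in the log format shown above and flags the same kinds of entries rossfingal points at: unnamed BHOs loaded from outside Program Files, and startup executables that are bare filenames, contain characters the log could not render, or live in the Windows root, a temp folder or a per-user data folder. The flagging heuristics and the `windir="WINNT"` default are my own assumptions; the sample lines are a constructed subset of the log above.

```python
import re
from pathlib import PureWindowsPath
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - HKCU\..\Run: [Utta] C:\Documents and Settings\Administrator\Application Data\c??k??.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
""".strip()  # constructed sample: a subset of the O2/O4 lines from the log above

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

def exe_from_command(cmd):
    """Executable path from a Run value, with surrounding quotes and arguments dropped."""
    m = re.match(r'"?(?P<exe>[^"]+?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0]

def suspicious_path_reason(path, windir="WINNT"):
    """My own heuristics (not HijackThis rules): why a startup executable deserves review, else None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).upper()
    if "?" in p.name:
        return "name contains characters the log could not render"
    if p.parent == PureWindowsPath("."):
        return "bare filename: resolved via PATH at logon, no fixed location"
    if parent.endswith("\\TEMP") or "\\APPLICATION DATA" in parent:
        return "runs from a temp or per-user data directory"
    if parent == f"C:\\{windir}".upper():
        return "executable dropped directly into the Windows directory"
    return None

def review_log(text):
    """Walk O2 (BHO) and O4 (Run key) lines; return (entry, reason) pairs worth a closer look."""
    findings = []
    for line in text.splitlines():
        bho, run = BHO_RE.match(line), RUN_RE.match(line)
        if bho:
            # An unnamed BHO whose DLL sits outside Program Files is the pattern rossfingal flagged above.
            in_program_files = any(t in bho.group("path").upper() for t in ("PROGRA~1", "PROGRAM FILES"))
            if bho.group("name") == "(no name)" and not in_program_files:
                findings.append((bho.group("clsid"), "unnamed BHO loaded from outside Program Files"))
        elif run:
            reason = suspicious_path_reason(exe_from_command(run.group("cmd")))
            if reason:
                findings.append((run.group("label"), reason))
    return findings
```

Everything it returns is a review list, not a verdict: legitimate software also drops files in the Windows root, so each hit still needs the kind of lookup rossfingal did by CLSID and filename.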
 
wiseman7687Author Commented:
I have removed all the Trojans and the spyware. They were installed due to that qyeb file or whatever it's called.
0
 
ZylochCommented:
Is there still a problem with your computer?
0
 
wiseman7687Author Commented:
So far, there is none.
0
 
wiseman7687Author Commented:
I gave you 500 points Zyloch, You helped me tremendously. :) Thank you!
0
 
ZylochCommented:
Thanks for the A, glad to help
0