Solved

Yeakukz Problem. Big!

Posted on 2004-09-26
Last Modified: 2013-12-04
I have this problem that I believe calls itself yeakukz. It constantly pops up AOL Instant Messenger. It has placed trofkz.reg, a.html, and staff.html on my desktop. It is also preventing me from accessing msconfig.exe or Task Manager to disable this problem. How do I fix this? Please, this is urgent.

My HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 9:20:01 PM, on 9/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\sysreset\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Application Data\c??k??.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINNT\system32\d?dplay.exe
C:\WINNT\system32\aoabfz.exe
C:\WINNT\SYSTEM32\qbewyeb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BDB1250-EB6F-0DE0-D056-66550F852441} - C:\WINNT\system32\ugvansjr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem302.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [tqletah] C:\WINNT\tqletah.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [idqketafgptvi] C:\WINNT\system32\aoabfz.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utta] C:\Documents and Settings\Administrator\Application Data\c??k??.exe
O4 - HKCU\..\Run: [Ahmogtw] C:\WINNT\system32\d?dplay.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=ffe5909ffe00eb7f12d063133b3d23bee077a5bf6056e04090b5d765ec2e75e4f9e8656dccedb6d89d09d2c86f5b30597ea87d3d2a4c1ed47e9128c74281bfb4:a6d60611056994dfac80e4ac3a715ede
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter/install/win2000/SYSsfitb.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab

Please Help!
Question by:wiseman7687
35 Comments
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157122
0
 

Author Comment

by:wiseman7687
ID: 12157149
OK, I should remove everything that is Unknown and Nasty, correct?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157163
Well, if it's unknown, you have to be more careful about it. If you don't know it, you can remove it I guess, but it's up to your judgement. The nasty ones though... yeah
0
 

Author Comment

by:wiseman7687
ID: 12157172
OK, another question: is there a way to close programs through command.exe? Because whatever the file is, it is preventing me from using Task Manager.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157179
0
 

Author Comment

by:wiseman7687
ID: 12157197
I have windows 2000.
0
 
LVL 36

Accepted Solution

by:
Zyloch earned 500 total points
ID: 12157212
Give this a whirl, download at page bottom:

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml
0
 

Author Comment

by:wiseman7687
ID: 12157261
OK. Well, I ran HijackThis and though most of the popups stopped, AOL Instant Messenger keeps popping up and I am still being prevented from using Task Manager.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157287
Do you have a virus checker? You can also try this: http://housecall.trendmicro.com/
0
 

Author Comment

by:wiseman7687
ID: 12157303
I am running the virus checker and I am using the program you provided.
0
 

Author Comment

by:wiseman7687
ID: 12157307
OK, it found a Trojan virus. I am going to try to remove it now. I will be right back.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157322
ok
0
 

Author Comment

by:wiseman7687
ID: 12157353
OK, well, I have tried that website, and it was unable to remove it. Should I try AVG?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157363
Which Trojan was it?
0
 

Author Comment

by:wiseman7687
ID: 12157369
Using the pskill thing you provided I was able to get rid of the 3 executables preventing me from opening Task Manager and msconfig :)

But I believe I still have the viruses...
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157371
Did the site tell you which trojan you have?
0
 

Author Comment

by:wiseman7687
ID: 12157380
Trojan imiserv or something.

I will be right back; I am going to have to restart the computer because I installed AVG.
0
 

Author Comment

by:wiseman7687
ID: 12157417
OK, I found that a program called qbewyeb.exe is the source of this error. I had to run pskill again to close this program to stop it from closing Task Manager and msconfig repeatedly.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157447
Hmm... Not sure what this file does, but can you find out where it is? Like do a system search of it?
0
 

Author Comment

by:wiseman7687
ID: 12157480
Yes, I am looking for it now. I found other people with the same problem that I have got (type in Yeakukz in Google). I believe it was transferred by AOL Instant Messenger.
I ended the process with pskill and I was able to use msconfig and Task Manager again.
0
 

Author Comment

by:wiseman7687
ID: 12157491
The symptoms I have encountered so far:

On AOL Instant Messenger: puts you on an away message with a link to a website which I believe transfers the virus.

It opens AOL Instant Messenger every 2 minutes.

It opens popups, even when you are not in Internet Explorer, causing the installation of more spyware.

It prevents you from using Ctrl-Alt-Delete to get to Task Manager.

It prevents you from opening msconfig to disable the program when you restart the computer.

It installs 3 files onto the desktop: trofkz.REG, k.html, staff.html.

These are the only symptoms that I have encountered so far.
0
 

Author Comment

by:wiseman7687
ID: 12157494
It also installs x.bat on desktop. I missed that one.
0
 

Author Comment

by:wiseman7687
ID: 12157500
It also slowed down computer processing tremendously.
0
 

Author Comment

by:wiseman7687
ID: 12157507
qbewyeb.exe was found in C:\WINNT\System32\
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157512
Hmm. As expected. Gotta find a way to manually uninstall it completely however
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157528
Some dude posted that you have to do this:

erum.exe
ks.exe
mtx.bat
mtx.exe
x.bat
x.exe
o.bat
o.exe
staff.html
install.exe (in the root directory)

Probably add that qsomething.exe to the list and see if that helps
0
 

Author Comment

by:wiseman7687
ID: 12157532
Should I search for those files?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157545
Yeah I guess
0
 

Author Comment

by:wiseman7687
ID: 12157558
OK, I found none of them.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12157571
Hi!

The first thing you should do is upgrade HijackThis to the latest version - 1.98.2
Download it from:
http://www.subratam.org/?page=removal
or:
http://www.subratam.org/?page=removal
Run it and post a new log here.

As far as some of the things that your current log shows:

The following entry indicates the presence of "TrojanDownloader.Win32.Stubby.c" -
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe

This entry:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" -
should be uninstalled through Add/Remove Programs in Control Panel.
Look for: "Active Alert" and/or "Internet Optimizer" - then uninstall them.

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} X BHO  localNRD.dll
{Transponder parasite variant}
http://www.doxdesk.com/parasite/Transponder.html

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} X BHO  systb.dll
{IEPlugin variant}
http://www.doxdesk.com/parasite/IEPlugin.html

O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} X BHO  msbe.dll
{eXact Advertising}
http://www.doxdesk.com/parasite/BargainBuddy.html

This next one is particularly troublesome - VX2
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} X BHO  nem219.dll
{DyFuCa/Internet Optimizer}
http://www.doxdesk.com/parasite/InternetOptimizer.html

These are not all the things you have on your computer.
Using HijackThis or the Automatic Analysis Site to fix them will not work.
Just some information.

Good luck!
RF
0
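A defender-side triage script for the "Running processes" and O4 sections of a HijackThis log, added here as an example and not part of the thread or of HijackThis itself. It encodes the patterns the posts above point at in the log: file names with non-printable characters (HijackThis renders them as `?`), a bare file name such as QBEWYEB.EXE registered under both Run and RunOnce and found via the PATH search order, and an image launched from the user's Application Data. The excerpt it runs on is constructed from the log in the question; random-looking value names like idqketafgptvi are deliberately not scored, since that judgement still needs an analyst.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the log in the question (not the full log).
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\system32\\svchost.exe
C:\\Documents and Settings\\Administrator\\Application Data\\c??k??.exe
C:\\WINNT\\system32\\aoabfz.exe
C:\\WINNT\\SYSTEM32\\qbewyeb.exe
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE

O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINNT\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [idqketafgptvi] C:\\WINNT\\system32\\aoabfz.exe
O4 - HKLM\\..\\Run: [ICQ Lite Messenger] QBEWYEB.EXE
O4 - HKCU\\..\\Run: [Utta] C:\\Documents and Settings\\Administrator\\Application Data\\c??k??.exe
O4 - HKCU\\..\\RunOnce: [ICQ Lite Messenger] QBEWYEB.EXE
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')

def image_of(cmd):
    """Strip quotes and trailing arguments, leaving the launched executable."""
    cmd = cmd.strip().strip('"')
    m = re.match(r'(.+?\.exe)(?=["\s]|$)', cmd, re.I)
    return m.group(1) if m else cmd

def parse_log(text):
    """Return (running image paths, O4 autorun entries) from a HijackThis log."""
    processes, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:                      # section ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            autoruns.append({'hive': hive, 'key': key, 'name': name, 'image': image_of(cmd)})
    return processes, autoruns

def triage(text):
    """Map each suspicious autorun image (lower-cased) to the reasons it was flagged."""
    processes, autoruns = parse_log(text)
    running_names = {p.rsplit('\\', 1)[-1].lower() for p in processes}
    entries = defaultdict(list)
    for a in autoruns:
        entries[a['image'].lower()].append(a)
    findings = {}
    for image, regs in entries.items():
        basename = image.rsplit('\\', 1)[-1]
        reasons = []
        if '?' in basename:               # '?' is illegal in a file name: a non-printable was rendered
            reasons.append('non-printable characters in file name')
        if '\\' not in image:
            reasons.append('bare file name, located via the PATH search order')
        if '\\documents and settings\\' in image or '\\temp\\' in image:
            reasons.append('runs from a user profile or temp directory')
        if len(regs) > 1:
            keys = sorted({r['hive'] + '\\' + r['key'] for r in regs})
            reasons.append('registered %d times (%s)' % (len(regs), ', '.join(keys)))
        if reasons and basename in running_names:
            reasons.append('currently running')
        if reasons:
            findings[image] = reasons
    return findings

if __name__ == '__main__':
    for image, reasons in triage(SAMPLE_LOG).items():
        print(image, '->', '; '.join(reasons))
```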
 

Author Comment

by:wiseman7687
ID: 12157608
I have removed all the Trojans and the spyware. They were installed due to that qyeb file or whatever it's called.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157622
Is there still a problem with your computer?
0
 

Author Comment

by:wiseman7687
ID: 12157666
So far, there is none.
0
 

Author Comment

by:wiseman7687
ID: 12157674
I gave you 500 points, Zyloch. You helped me tremendously. :) Thank you!
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12157677
Thanks for the A, glad to help
0
