Jump to content


Photo

Quick Question: yelbijko.exe???


  • Please log in to reply
4 replies to this topic

#1 Air4Andy

Air4Andy

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 02 July 2004 - 04:51 PM

:scratchhead:
Hey, me again...
Cleaning cousins HP Pavilion a420n from Best"est"buy, ran HiJackThis, came across

O4 - HKLM\..\Run: [75586473] C:\Windows\System32\yelbijko.exe

what is this crazy thang? I'll post the HiJackThis log... its a mess, I know. This one stumped me though. Thanks...




Logfile of HijackThis v1.97.7
Scan saved at 4:50:44 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us10.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [75586473] C:\WINDOWS\System32\yelbijko.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{033421DD-B3DA-481C-9922-2273B67FC45A}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{033421DD-B3DA-481C-9922-2273B67FC45A}: NameServer = 205.171.3.65 205.171.2.65
I am so smart! I am so smart! S M R T... I mean S M A R T!

#2 Air4Andy

Air4Andy

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 02 July 2004 - 05:23 PM

PLEASE HELP... THIS LITTLE BEAST CAN'T BE FOUND ANYWHERE... WHAT IS IT???
I am so smart! I am so smart! S M R T... I mean S M A R T!

#3 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 02 July 2004 - 10:13 PM

Ok, you have several entries there that shoudln't be.

Please follow these instructions.



Download and install Ad-aware found here: http://www.lavasoftu...pport/download/
After installing you need to download all updates for it. Use the Globe Icon in the program, and "Connect" to download latest Reference-file. Please update it before you scan with it then fix all it finds.
Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
That ought to get rid of most of your spyware.




Go to START>.ALL PROGRAMS..ACCESSORIES>>SYSTEM TOOLS>> DISK CLEAN UP>> and clean everything...

Go to start >Run and paste this in:
%Userprofile%\Local Settings\Temp folder
It will open your temp folder.
Go to the toolbar>Edit>Select All
Then go back to File>Delete

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoft...com/activescan/


After This, Reboot and Post a Fresh HijackThis log.
And well take it from there =)
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!

#4 Air4Andy

Air4Andy

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 03 July 2004 - 10:29 AM

Yes, as of when I did this, I had ran Ad-Aware with newest update, CWShredder, Spyboy, Symantec AV, and was now on to HiJackThis. The owner of the computer still has Dialup and has never updates the XP OS so all those security holes were still there. The computer wreaked of the Sasser worm, several others and many bots/malware. This was the only enrty I could not find info on.
O4 - HKLM\..\Run: [75586473] C:\Windows\System32\yelbijko.exe
NOTHING. I removed it and tested the system... all seems to work well. I assume it was trash. Either way, gone now. Keep me updates if anyone else sees or hears of this. Like I said, google found no hits relating to this at all. Thanks!

:weee:
I am so smart! I am so smart! S M R T... I mean S M A R T!

#5 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 08 July 2004 - 12:59 AM

Please reboot and post a new log for me to look at.. :)
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button