Identify UTFYYS.exe ?

3 replies to this topic

#1 Ripcord




Posted 21 June 2004 - 02:23 AM

Sometimes, my dial-up connection window pops open, without my calling for it.
Such as when I open "Eudora" (not optioned to do so), my IE Browser (also not optioned to do so) and during boot or re-boot.

Thus far, I've been able to identify things and all seems okay (although I'm no pro), with the exception of one file.

It is named "UTFYYS.EXE". It is sitting inside the system32 file folder.
I can't open it in DOS Edit mode, having to go into safe-mode instead.
There, within the file, it shows it as "Callinghime.biz" and "Caller.exe" v.

I've no idea if the dial-up problem and this file are related, but I cannot locate "UTFYYS.EXE" anywhere on the 'net. (Google search, AV sites, etc.)

I suspect that the file name is randomly generated by another program, which I cannot locate (if it exists at all!)

I should also mention that the wife and I share a LAN hub, so I can be on-line through her. (If she's not, I dial-up on my own. It's rare that she wants on while I am.) She also runs Win XP Home with SP1.

HJT log follows:

Logfile of HijackThis v1.97.7
Scan saved at 3:00:54 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home%20Pages/Ripcord/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Home%20Pages/Ripcord/index.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [lrtdwdx] C:\WINDOWS\System32\utfyys.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab

#2 Ripcord




Posted 21 June 2004 - 05:27 PM

A minor information addition: The dial-up window that this "thing" is bringing up is the older (98se?) window, not the XP "fancier" window, which I normally get on this PC.

I've also tried to 'Net search "lrtdwdx", which is associated with this file.
(See HJT log in previous post. 20th 'O4' entry.)

#3 Ripcord




Posted 24 June 2004 - 03:20 PM

Another update:

The dial-up window is showing my own User ID and Connection To info correctly, but the password (which I can't read of course) is getting longer and longer, each time the *&^% thing pops up.

A while back I caught the trojan that renamed "Notepad.exe" to "Notpad.exe".
I checked around at that time and found "a" solution, but didn't find any virus or the like anywhere in my system that was associated with its placement.

I edited my Registry, renamed "Notpad.exe" to the original name and deleted the fake file.

But now the little bugger has cropped up again!
Unlike last time though, it is not showing the same symptoms, not exactly.
I did get a new copy of Notepad installed, no problem there, plus I deleted both occurrences of the old (both "Notepad" and "Notpad").

But the concern now is finding the file that is keeping this little monster on my system!
On-line research named 2 possible bugs, but neither appears on my system.

I can't tell if the Notepad problem is connected with the dial-up problem, as I can't find out enough information about either.

This is chewing up much too much of my time as well as driving me slightly buggy myself.

Thoughts folks?

#4 Ripcord




Posted 25 June 2004 - 09:05 AM

Well now, I think I got the little bugger!

I took a chance.
"msconfig" and the start-up tab.
Unchecked "utfyys.exe" AND a totally blank entry just below it.
They were the last two entries listed and showed the same registry paths. (The blank one did show a path, but nothing else.)

HKLM\Software\Microsoft\Windows\Current Version\Run

(No, I didn't turn off the System Restore. I forgot, so maybe I'll have to do this again.)

Mucked about on-line (browsed, e-mail, etc) plus ran local programs.
No dial-up window unannounced!

Then ran "Ad-aware", which DID turn up 3 items that caught my eye, along with the usual cookie stuff.

Here's what "Ad-aware" had to say about each:

Category:Data Miner
Object Type:File
Size:37888 Bytes
Last Activity:6-25-2004 1:13:20 PM
Risk Level:Low
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

Category:Data Miner
Object Type:File
Size:21176 Bytes
Last Activity:6-25-2004 1:13:23 PM
Risk Level:Low
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

Category:Data Miner
Object Type:File
Size:0 Bytes
Last Activity:6-25-2004 1:13:23 PM
Risk Level:Low
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

Now when I look in either my folders or the registry, I don't find any of the files that I've been complaining about. It could be that I'll have to do this again (since I failed to turn off the System Restore) but for now at least things are looking good again.

But I do have one question:
"Something" landed on my PC that started all this muck, no doubt due to a visit to one of the "nefarious" web sites I visited.
What, if anything, can I look for (a file?) in the future to possibly stop this from starting again?
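The thread gets no reply, so here is the check a defender would run against the HJT log in post #1 and the answer to the question in post #4: keep a snapshot of the autostart entries (the O4 lines) from a known-good day and diff the current log against it; a new Run value is what to look for, whatever random name it carries. The code below is an added example and is not HijackThis output or anything posted in the thread. The O4 lines in it are copied from the log above; the baseline snapshot is constructed (the same lines minus the `lrtdwdx` entry); `image_of`, `new_entries`, `triage` and the name-versus-filename heuristic with its 3-character threshold are my own choices, not HijackThis features.

```python
"""Triage HijackThis O4 autostart lines: baseline diff plus a naming heuristic.
Added example for this thread, not HijackThis code. The O4 lines below are
copied from the log posted above; BASELINE_LOG is a constructed snapshot."""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Registry autostart lines only; "O4 - Global Startup: ..." lines are skipped on purpose.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Shortest leading span ending in an executable extension, so unquoted paths with spaces survive.
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat))(?=[\s,]|$)", re.IGNORECASE)

@dataclass(frozen=True)
class Autostart:
    hive: str     # HKLM or HKCU
    key: str      # Run, RunOnce, ...
    name: str     # registry value name, e.g. "lrtdwdx"
    command: str  # value data, e.g. r"C:\WINDOWS\System32\utfyys.exe"

def parse_o4(log_text: str) -> list[Autostart]:
    """Extract the registry autostart entries from HijackThis log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["key"], m["name"], m["cmd"].strip()))
    return entries

def image_of(command: str) -> str:
    """The file that really runs: quotes/arguments stripped; for rundll32 the DLL, not rundll32.exe."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    first = m.group(1)
    if PureWindowsPath(first).name.lower() == "rundll32.exe":
        payload = IMAGE_RE.match(cmd[m.end():].strip())
        if payload:
            return payload.group(1)
    return first

def _longest_common_substring(a: str, b: str) -> int:
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def name_matches_image(entry: Autostart) -> bool:
    """Heuristic only (3 shared characters is my threshold): benign entries usually
    name themselves after their file (ccApp -> ccApp.exe); lrtdwdx -> utfyys.exe shares
    nothing. Expect false positives such as TkBellExe -> realsched.exe from this very log."""
    name = re.sub(r"[^a-z0-9]", "", entry.name.lower())
    stem = re.sub(r"[^a-z0-9]", "", PureWindowsPath(image_of(entry.command)).stem.lower())
    return bool(name and stem) and _longest_common_substring(name, stem) >= 3

def new_entries(current: list[Autostart], baseline: list[Autostart]) -> list[Autostart]:
    """Entries present now that were absent from a saved known-good snapshot."""
    def ident(e: Autostart):
        return (e.hive, e.key.lower(), e.name.lower(), e.command.lower())
    seen = {ident(e) for e in baseline}
    return [e for e in current if ident(e) not in seen]

def triage(current_log: str, baseline_log: str) -> dict[str, list[str]]:
    current = parse_o4(current_log)
    return {
        "new_since_baseline": [e.name for e in new_entries(current, parse_o4(baseline_log))],
        "name_mismatch": [e.name for e in current if not name_matches_image(e)],
    }

# Subset of the O4 lines from the log posted in this thread.
CURRENT_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [lrtdwdx] C:\WINDOWS\System32\utfyys.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
"""
# Constructed baseline: the same machine before the lrtdwdx entry appeared.
BASELINE_LOG = "\n".join(l for l in CURRENT_LOG.splitlines() if "[lrtdwdx]" not in l)

if __name__ == "__main__":
    print(triage(CURRENT_LOG, BASELINE_LOG))
```

Run stand-alone, `triage` shows the point: the baseline diff isolates exactly one entry (`lrtdwdx`), while the naming heuristic on its own also flags the legitimate Sonic, Real and card-reader entries, because vendors often give Run values names unrelated to the executable. The snapshot, not the heuristic, is the durable check; taking one after a clean install and again after each deliberate software install keeps it current.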
