Ripcord

Identify UTFYYS.exe ?

4 posts in this topic

Sometimes, my dial-up connection window pops open, without my calling for it.

Such as when I open "Eudora" (not optioned to do so), my IE Browser (also not optioned to do so) and during boot or re-boot.

 

Thus far, I've been able to identify things and all seems okay (although I'm no pro), with the exception of one file.

 

It is named "UTFYYS.EXE". It is sitting inside the system32 file folder.

I can't open it in DOS Edit mode, having to go into safe-mode instead.

There, within the file it shows it as "Callinghime.biz" and "Caller.exe" v.1.0.0.1

 

I've no idea if the dial-up problem and this file are related, but I cannot locate "UTFYYS.EXE" anywhere on the 'net. (Google search, AV sites, etc.)

 

I suspect that the file name is randomly generated by another program, which I cannot locate (if it exists at all!)

 

I should also mention that the wife and I share a LAN hub, so I can be on-line through her. (If she's not, I dial-up on my own. It's rare that she wants on while I am.) She also runs Win XP Home with SP1.

 

HJT log follows:

 

Logfile of HijackThis v1.97.7
Scan saved at 3:00:54 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\utfyys.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home%20Pages/Ripcord/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Home%20Pages/Ripcord/index.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [lrtdwdx] C:\WINDOWS\System32\utfyys.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab


A minor information addition: The dial-up window that this "thing" is bringing up is the older (98se?) window, not the XP "fancier" window, which I normally get on this PC.

 

I've also tried to 'Net search "lrtdwdx", which is associated with this file.

(See HJT log in previous post. 20th 'O4' entry.)


Another update:

 

The dial-up window is showing my own User ID and Connection To info correctly, but the password (which I can't read of course) is getting longer and longer, each time the *&^% thing pops up.

 

A while back I caught the trojan that renamed "Notepad.exe" to "Notpad.exe".

I checked around at that time and found "a" solution, but didn't find any virus or the like anywhere in my system that was associated with its placement.

 

I edited my Registry, renamed "Notpad.exe" to the original name and deleted the fake file.

 

But now the little bugger has cropped up again!

Unlike last time though, it is not showing the same symptoms, not exactly.

I did get a new copy of Notepad installed, no problem there, plus I deleted both occurrences of the old (both "Notepad" and "Notpad").

 

But concern now is finding the file that is keeping this little monster on my system!

On-line research named 2 possible bugs, but neither appears on my system.

 

I can't tell if the Notepad problem is connected with the dial-up problem, as I can't find out enough information about either.

 

This is chewing up much too much of my time as well as driving me slightly buggy myself.

 

Thoughts folks?


Well now, I think I got the little bugger!

 

I took a chance.

"msconfig" and the start-up tab.

Unchecked "utfyys.exe" AND a totally blank entry just below it.

They were the last two entries listed and showed the same registry paths. (The blank one did show a path, but nothing else.)

 

HKLM\Software\Microsoft\Windows\Current Version\Run

 

Rebooted

(No, I didn't turn off the System Restore. I forgot, so maybe I'll have to do this again.)

 

Mucked about on-line (browsed, e-mail, etc) plus ran local programs.

No dial-up window unannounced!

 

Then ran "Ad-aware", which DID turn up 3 items that caught my eye, along with the usual cookie stuff.

 

Here's what "Ad-aware" had to say about each:

 

Vendor:VX2.BetterInternet
Category:Data Miner
Object Type:File
Size:37888 Bytes
Location:c:\windows\system32\utfyys.exe
Last Activity:6-25-2004 1:13:20 PM
Risk Level:Low
Comment:
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

Vendor:VX2.BetterInternet
Category:Data Miner
Object Type:File
Size:21176 Bytes
Location:c:\docume~1\owner\locals~1\temp\billionaire.bmp
Last Activity:6-25-2004 1:13:23 PM
Risk Level:Low
Comment:
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

Vendor:VX2.BetterInternet
Category:Data Miner
Object Type:File
Size:0 Bytes
Location:c:\docume~1\owner\locals~1\temp\dummy.htm
Last Activity:6-25-2004 1:13:23 PM
Risk Level:Low
Comment:
Description:VX2 Variant, Malware. Causes Popups and may install unsolicited software

 

Now when I look in either my folders or the registry, I don't find any of the files that I've been complaining about. It could be that I'll have to do this again (since I failed to turn off the System Restore) but for now at least things are looking good again.

 

But I do have one question:

"Something" landed on my PC that started all this muck, no doubt due to a visit to one of the "nefarious" web sites I visited.

What, if anything, can I look for (a file?) in the future to possibly stop this from starting again?
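One practical answer to the question above is to keep a baseline of the Run-key autostarts (the HijackThis O4 entries) from a known-clean scan and diff every later scan against it, which is how the "lrtdwdx" entry would have stood out before msconfig was needed. The script below is an added example, not part of this thread or of HijackThis; the sample lines are copied from the log posted above, the "clean" baseline is constructed by leaving out the entry the poster removed, and the no-vowels check is a rough heuristic rather than a rule.

```python
import re

# HijackThis O4 lines look like:  O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
VOWELS = set("aeiouAEIOU")

def parse_o4(log_lines):
    """Return {(hive, value_name): command} for every O4 Run-key entry."""
    entries = {}
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = command
    return entries

def executable_of(command):
    """Extract the launched executable from a Run command, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def looks_random(name):
    """Heuristic only: a letters-only value name of 6+ chars with no vowels."""
    return name.isalpha() and len(name) >= 6 and not (set(name) & VOWELS)

def report(baseline_lines, current_lines):
    """(hive, name, exe, random_flag) for each Run entry absent from the baseline."""
    base = parse_o4(baseline_lines)
    return [(hive, name, executable_of(cmd), looks_random(name))
            for (hive, name), cmd in parse_o4(current_lines).items()
            if (hive, name) not in base]

# Sample input: O4 lines copied from the log posted in this thread. The
# "clean" baseline is constructed by leaving out the entry the poster removed.
CLEAN_BASELINE = [
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook",
]
CURRENT_LOG = CLEAN_BASELINE + [
    r"O4 - HKLM\..\Run: [lrtdwdx] C:\WINDOWS\System32\utfyys.exe",
]

if __name__ == "__main__":
    for row in report(CLEAN_BASELINE, CURRENT_LOG):
        print(row)   # ('HKLM', 'lrtdwdx', 'C:\\WINDOWS\\System32\\utfyys.exe', True)
```

Re-run the scan and the diff after every software install and save the new O4 list as the next baseline, so that only entries you did not put there show up.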
