Help with yyy65 and others

Status
Not open for further replies.

Cerberis

Posts: 12   +0
Hi, I'm new to these forums.
I'm looking for some help. I believe I have yyy65 or some nasty, but none of my scans pick it up. I'm a little new to removing trojans/viruses/spyware and such, but my usual strategy of locating files and manually deleting the files doesn't work. I use Security Task Manager to locate the programs and it usually works, it's how I got rid of Wtools, but when I scan I don't find any suspicious programs. HijackThis was recommended to me but I don't know how to use it much, so plz correct me if I made a problem with posting my log. I heard something about a Sircam virus that disguises itself as RUNDLL32.exe, just wondering if I have it.

-Edit- Sorry, next time I'll post my log as an attachment
 
Will someone plz help me, I've tried everything. I have ZoneAlarm and AVG Free but nothing seems to work, these popups don't stop. Someone plz help
 
Yes, you now have the current version of HJT

fix the following

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)


fix this if it's not your ISP

O15 - Trusted IP range: 81.222.131.59

uninstall anything that has to do with
slotchbar.com
skoobidoo.com

fix those entries and then you'll be good
 
fix

O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\j6n20g5oe6.dll


otherwise your log is clean

if problems are still there, turn off System Restore, boot in safe mode, run anti-spyware, malware, and virus scans
 
I've done just about everything there is to do, and nothing has worked so far. Has anyone here ever gotten yyy65 and gotten rid of it?
 
follow all of RBS's Read posts in the Security and the Web forum


DID YOU do that?
swker98 said:
if problems are still there, turn off System Restore, boot in safe mode, run anti-spyware, malware, and virus scans
 
I've done everything so far, nothing worked. I just got out of safe mode, I ran Ad-Aware, Spybot, and tried to fix things in my Hijack log, but it's still not working. I can't fix a few things like this:
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\g2040cdqef0e0.dll

There are a few like that, and I went into safe mode and tried to manually delete them from system32, but most of them are being used by another program. There's got to be a way to fix these. The popups don't seem to ever stop, nothing I have done has fixed it and I've been trying for 3 days now to fix this.
 
post a log from safe mode, with SYSTEM RESTORE OFF

YOU can alternately get a popup blocker

also try to clear all internet history and delete all temporary internet files
 
What you need to do is get the file names of any infections, then boot to Recovery Console and delete the files, they won't be in use there.

If you can't do R.C., then you want to boot into "Safe Mode Command Prompt", then try to delete the files from there. Once they are deleted, assuming they don't come back again with different names, you can then search the registry for those files and delete the references.
Notify key entries are especially difficult to get rid of.

Tell us, though, where are you getting the name "yyy65" from? Is some program saying this?
 
Some of the popups I get end in yyy65 and I assumed that's what they were. I think I may have located the source of the problems. In my Hijack logs I get a few different files that look like this:
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dnpo0173e.dll
They all say Winlogon Notify but the "Installer" part is always something different. I can't fix them from Hijack and I can't delete the DLLs from safe mode because they are being used by a different program. When I check my processes I find something like winlogon.exe, I've tried ending it but I can't, and I assume that's a normal process.

And what is this Recovery Console? Plz explain a little more about it for me

Here is my Hijack log from safemode, it looks like the same from
 
this O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\o0840alqedqe0.dll

looks bad

and this
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

looks a little interesting, I would fix it if you don't know what it is

did you delete your temp internet files and clear history as I asked


best of luck
 
Just deleted temp internet files, but I don't know how to fix the
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\o0840alqedqe0.dll
I can't use Hijack, 'cause when I try with Hijack, they are back in my next scan, so I went into safe mode and attempted to delete the DLLs, no luck, they are in use by another program. As I said before, I believe that is the source of my problems.

How can I fix it?
 
Jot down the file path of the bad DLL, which is: C:\WINDOWS\system32\o0840alqedqe0.dll right now.
Do not attempt to delete the DLL or remove the entry with HJT.
Get out your XP CD and put it in the drive, restart your PC. As the PC boots up, it should say "Press any key to boot from CD...", and then hit a key while it says that.
If it does NOT say this, go into your BIOS and change the boot order to CD-ROM first. You usually get into your BIOS by pressing DEL as the system first boots up, it should tell you what to press somewhere on the screen. If you miss it, and it boots into Windows, check HJT to make sure the filename is still the same.

Anyway, once you boot to your XP CD, the first screen will have an option to press "R" to repair with Recovery Console. Press that.
Next it will ask to log in to a Windows installation, it is usually "1". This part is self evident, it will ask for administrator password, if you have none, just hit Enter.
Don't worry, it isn't that complex, just follow what the screens say.

Eventually it will dump you at a command prompt in C:\Windows or whatever your Windows root is. You will type this, change as needed:

cd system32 <enter>
del o0840alqedqe0.dll <enter>

If it works, it will just go to the next line. Otherwise it will give an error like "file not found" or something else. If you get no error, then it worked, you can type exit and the system will restart.
Be sure to type the filename carefully, as zero could be oO0, etc... L I 1, look similar.
If there were any other bad DLL filenames, del them as well.

Assuming you can do all this and it works, the DLL will now be deleted, and the Notify key will fail to load it. However, if the malware program is still installed somewhere else, it may just create a new DLL and put the entry right back in. So check HJT again when you've done this. And delete the Notify key if it is there.

This is how to use the Recovery Console to delete a file :)
If you can't do it, or can't find the file to delete, or something happens, post back here. And we can try another technique.

good luck!
 
yyy65 is caused by the look2me spyware.

Removal:

Look2Me is an advertising and information network that uses a shell extension to attach itself to Windows and display pop up advertising for its clients. It monitors visited web sites and submits this information to a server.

How do I Remove Look2Me?

Because the software highly integrates itself with Explorer, it can be hard to remove. Included below is a basic manual removal method for Look2Me as well as an excellent Visual Basic Script that can be run to help remove it.

Automatic Removal Program from Look2Me

Follow the instructions below to manually remove Look2Me

1. Click on Start, Run, and type REGEDIT and click Ok to start the Registry Editor
2. Now open the Windows Task Manager

On Windows 95/98/ME, Press CTRL+ALT+DEL
On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab
3. In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)
4. Select the Registry Editor (you may have to press ALT + Tab)
5. Delete the following registry keys if they exist

HKEY_LOCAL_MACHINE \SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ShellExtensions \ Approved \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}
6. Close the Registry Editor
7. Restart your computer
8. Now open My Computer and Drive C, open the Windows directory, and then the System directory
Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
9. Delete all files that look similar to the following, where * represents a letter or number

msg{********-****-****-****-************}****.dll

The known variants of Look2Me are associated with the following files:

msg{*.dll
msg116.dll
msg117.dll
msg118.dll
msg119.dll
msg120.dll
msg121.dll
msg122.dll
10. Open Internet Explorer
11. Click Tools, Internet Options
12. Click the Programs tab and then click Reset Web Settings to restore default settings for home page, search page, and other settings.

If Look2Me remains or popups from NicTechNetworks remain, then proceed with the following extra instructions

1) Download and run VX2.BetterInternet Finder which will search for files that are tied to Explorer and very tough to remove. These files usually are .dll files found in the Windows\System32 directory with backup files similar to *.cpy.dll

For Windows 9X systems, use this version of VX2.Betterinternet Finder

2) Write these files down for later removal

3) To remove these files, you'll need to boot into the Recovery Console. Reboot your computer with your Windows XP or 2000 cd now. If your computer does not boot from the CD-ROM disk, you'll have to change settings in your BIOS to do this to boot from the CD-ROM first.

During the loading of the Windows XP or Windows 2000 CD, you'll eventually be given the choice to load the "Recovery Console" by pressing R.

Next, Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password; if you don't know the password, try leaving it blank. Once logged into the Recovery Console, you'll be at a C:\WINDOWS> prompt.

If the system does not let you in because of a bad password or you can't access the Recovery Console from the CD-ROM, you'll have to use the alternate instructions below to access the Recovery Console.

4) At the C:\WINDOWS> prompt type CD SYSTEM32 and press Enter

5) At the C:\WINDOWS\SYSTEM32> prompt, use the DEL command to delete the files you wrote down previously.

Ex: DEL AYMPARSE.DLL and press Enter
DEL AYMPARSE.CPY.DLL and press Enter

6) After you have deleted the files, type EXIT and restart your computer in normal mode. Look2Me and the files that were previously unable to be deleted should be removed.
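
Added example, not part of the quoted removal guide: a Python helper that checks a list of System32 file names against the file patterns the guide gives (the msg{...}....dll form, msg116.dll to msg122.dll, and *.cpy.dll backups together with their partner DLL). The sample listing is constructed, and reading "*" as exactly one letter or digit follows the guide's own note.

```python
import re

# Patterns from the guide; "*" there stands for one letter or digit.
GUID_DLL = re.compile(
    r"^msg\{[0-9a-z]{8}(?:-[0-9a-z]{4}){3}-[0-9a-z]{12}\}[0-9a-z]{4}\.dll$")
NUMBERED_DLL = re.compile(r"^msg(?:11[6-9]|12[0-2])\.dll$")  # msg116.dll .. msg122.dll
BACKUP_SUFFIX = ".cpy.dll"

def triage_listing(names):
    """Return {file name: reason} for names that match the guide's file patterns."""
    by_lower = {name.lower(): name for name in names}
    hits = {}
    for low, name in by_lower.items():
        if GUID_DLL.match(low):
            hits[name] = "msg{GUID}xxxx.dll pattern"
        elif NUMBERED_DLL.match(low):
            hits[name] = "listed msg116-msg122 variant"
        elif low.endswith(BACKUP_SUFFIX):
            hits[name] = "*.cpy.dll backup copy"
            # The backup sits beside a DLL with the same base name; report both.
            original = by_lower.get(low[:-len(BACKUP_SUFFIX)] + ".dll")
            if original:
                hits[original] = "has a .cpy.dll backup beside it"
    return hits

# Constructed directory listing; names other than the guide's own are made up.
SAMPLE_LISTING = [
    "kernel32.dll",
    "msg118.dll",
    "MSG{1A2B3C4D-0000-1111-2222-333344445555}ab12.dll",
    "AYMPARSE.DLL",
    "AYMPARSE.CPY.DLL",
    "msg123.dll",   # outside the listed msg116-msg122 range
    "msgsvc.dll",   # starts with "msg" but matches no pattern
]

if __name__ == "__main__":
    for name, reason in triage_listing(SAMPLE_LISTING).items():
        print(f"{name:55} {reason}")
```

The output is a list of names to write down for the Recovery Console step; it is a filter on names only and says nothing about what a file contains.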
 
Well, thx for the info on Look2Me. I pretty much figured that out on my own, seeing as Look2Me came around the time of the popups, but the thing is I looked in my registry and I could find any of those registries that were listed. And I can't boot from Recovery Console because I can't find my OS discs :P

I just looked in my System directory and I didn't find any DLLs that looked like msg112 etc., but I'm still getting popups. What I don't understand is my Security Task Manager, normal Task Manager or countless virus scanners pick this up.
 
HiJackThis clearly still shows a bad DLL in the Notify key. Unless you followed my advice and others, to delete it. This could be your whole problem. Very likely your whole problem.

Have you fixed that yet?
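
Added example, not part of any post in this thread: a Python checker for the pattern the replies keep pointing at, O20 Winlogon Notify entries that load an unfamiliar DLL and come back under new names between HijackThis scans. The allowlist of stock Windows XP Notify DLLs is an assumption, and the two scans are constructed from the O20 lines quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Assumption: DLLs registered under the stock Windows XP Winlogon Notify subkeys.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")

def notify_entries(log_text):
    """Return {Notify subkey name: DLL path} for each O20 line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        match = O20_LINE.match(line.strip())
        if match:
            entries[match["key"]] = match["path"].strip()
    return entries

def unfamiliar(entries):
    """Keep only entries whose DLL file name is not on the stock allowlist."""
    return {key: path for key, path in entries.items()
            if PureWindowsPath(path).name.lower() not in STOCK_NOTIFY_DLLS}

def compare_scans(earlier_log, later_log):
    """Show which unfamiliar (subkey, DLL) pairs survived, appeared or vanished."""
    earlier = set(unfamiliar(notify_entries(earlier_log)).items())
    later = set(unfamiliar(notify_entries(later_log)).items())
    return {"persisted": sorted(earlier & later),
            "appeared": sorted(later - earlier),
            "removed": sorted(earlier - later)}

# Constructed scans: the O20 lines are the ones quoted in the thread, grouped into
# two logs for illustration; the crypt32chain line is a stock entry added for contrast.
SCAN_EARLIER = r"""
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\j6n20g5oe6.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\g2040cdqef0e0.dll
"""
SCAN_LATER = r"""
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\g2040cdqef0e0.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dnpo0173e.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\o0840alqedqe0.dll
"""

if __name__ == "__main__":
    for status, pairs in compare_scans(SCAN_EARLIER, SCAN_LATER).items():
        for key, path in pairs:
            print(f"{status:9} {key:20} {path}")
```

Entries under "appeared" after a cleanup attempt are the sign that something still installed is rewriting the Notify key, which is the case the Recovery Console reply warns about. A file-name allowlist only narrows the list; it does not vouch for the entries it passes.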
 