TechSpot

Help with yyy65 and others

By Cerberis
Jan 17, 2006
  1. Hi, I'm new to these forums,
    I'm looking for some help. I believe I have yyy65 or some nasty, but none of my scans pick it up. I'm a little new to removing trojans/viruses/spyware and such, but my usual strategy of locating files and manually deleting the files
    doesn't work. I use Security Task Manager to locate the programs; it usually works, it's how I got rid of Wtools, but when I scan I don't find any suspicious programs. HijackThis was recommended to me but I don't know how to use it much, so plz correct me if I made a problem with posting my log. I heard something about a Sircam virus that disguises itself as RUNDLL32.exe, just wondering if I have it.

    -Edit- Sorry, next time I'll post my log as an attachment
     
  2. Cerberis

    Cerberis TS Rookie Topic Starter

    Will someone plz help me, I've tried everything. I have ZoneAlarm and AVG Free but nothing seems to work, these popups don't stop. Someone plz help
     
  3. swker98

    swker98 TechSpot Paladin Posts: 1,077

    hi, I'll analyze your log

    YOUR VERSION OF HJT IS OUT OF DATE
    PLEASE UPDATE AND POST A FRESH LOG
     
  4. Cerberis

    Cerberis TS Rookie Topic Starter

    Here we go, I got the updated version of HJT, I think 1.9.9
     
  5. swker98

    swker98 TechSpot Paladin Posts: 1,077

    yes, you now have the current version of HJT

    fix the following

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)


    fix this if it's not your ISP

    O15 - Trusted IP range: 81.222.131.59

    uninstall anything that has to do with
    slotchbar.com
    skoobidoo.com

    fix those entries and then you'll be good
     
  6. Cerberis

    Cerberis TS Rookie Topic Starter

    I'm still having problems, here's my HJT log with some changes
     
  7. swker98

    swker98 TechSpot Paladin Posts: 1,077

    fix

    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\j6n20g5oe6.dll


    otherwise your log is clean

    if problems are still there, turn off System Restore, boot in safe mode, run anti-spyware, malware, and virus scans
     
  8. Cerberis

    Cerberis TS Rookie Topic Starter

    I've done just about everything there is to do, and nothing has worked so far. Has anyone here ever gotten yyy65 and gotten rid of it?
     
  9. swker98

    swker98 TechSpot Paladin Posts: 1,077

    follow all of RBS's Read posts in the Security and the Web forum

    DID YOU do that?
     
  10. Cerberis

    Cerberis TS Rookie Topic Starter

    I've done everything so far, nothing worked. I just got out of safe mode, I ran Ad-Aware, Spybot, and tried to fix things in my HijackThis log, but it's still not working. I can't fix a few things like this:
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\g2040cdqef0e0.dll

    There are a few like that and I went into safe mode and tried to manually delete them from system32, but most of them are being used by another program. There's got to be a way to fix these;
    the popups don't seem to ever stop, nothing I have done has fixed it and I've been trying for 3 days now to fix this.
     
  11. Cerberis

    Cerberis TS Rookie Topic Starter

    Anyone around to help me?
     
  12. swker98

    swker98 TechSpot Paladin Posts: 1,077

    post a log from safe mode, with SYSTEM RESTORE OFF

    YOU can alternately get a popup blocker

    also try to clear all Internet history and delete all temporary Internet files
     
  13. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    What you need to do is get the file names of any infections, then boot to Recovery Console and delete the files, they won't be in use there.

    If you can't do R.C., then you want to boot into "Safe Mode Command Prompt", then try to delete the files from there. Once they are deleted, assuming they don't come back again with different names, you can then search the registry for those files and delete the references.
    Notify key entries are especially difficult to get rid of.

    Tell us, though, where are you getting the name "yyy65" from? Is some program saying this?
     
  14. Cerberis

    Cerberis TS Rookie Topic Starter

    Some of the popups I get end in yyy65 and I assumed that's what they were. I think I may have located the source of the problems. In my HijackThis logs I get a few different files that look like this:
    O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dnpo0173e.dll
    They all say Winlogon Notify but the "Installer" part is always something different. I can't fix them from HijackThis and I can't delete the DLLs from safe mode because they are being used by a different program. When I check my processes I find something like winlogon.exe, I've tried ending it but I can't,
    and I assume that's a normal process.

    And what is this Recovery Console? Plz explain a little more about it for me.

    Here is my HijackThis log from safe mode, it looks like the same from
     
  15. swker98

    swker98 TechSpot Paladin Posts: 1,077

    this O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\o0840alqedqe0.dll

    looks bad

    and this
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    looks a little interesting, I would fix it if you don't know what it is

    did you delete your temp Internet files and clear history as I asked


    best of luck
     
  16. Cerberis

    Cerberis TS Rookie Topic Starter

    Just deleted temp Internet files,
    but I don't know how to fix the
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\o0840alqedqe0.dll
    I can't use HijackThis, because when I try with HijackThis, they are back in my next scan. So I went into safe mode and attempted to delete the DLLs, no luck, they are in use by another program. As I said before, I believe that is the source of my problems.

    How can I fix it?
     
  17. computer help

    computer help TS Rookie Posts: 68

  18. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Jot down the file path of the bad DLL, which is: C:\WINDOWS\system32\o0840alqedqe0.dll right now.
    Do not attempt to delete the DLL or remove the entry with HJT.
    Get out your XP CD and put it in the drive, restart your PC. As the PC boots up, it should say "Press any key to boot from CD...", and then hit a key while it says that.
    If it does NOT say this, go into your BIOS and change the boot order to CD-ROM first. You usually get into your BIOS by pressing DEL as the system first boots up, it should tell you what to press somewhere on the screen. If you miss it, and it boots into Windows, check HJT to make sure the filename is still the same.

    Anyway, once you boot to your XP CD, the first screen will have an option to press "R" to repair with Recovery Console. Press that.
    Next it will ask to log in to a Windows installation, it is usually "1". This part is self evident, it will ask for administrator password, if you have none, just hit Enter.
    Don't worry, it isn't that complex, just follow what the screens say.

    Eventually it will dump you at a command prompt in C:\Windows or whatever your Windows root is. You will type this, change as needed:

    cd system32 <enter>
    del o0840alqedqe0.dll <enter>

    If it works, it will just go to the next line. Otherwise it will give an error like "file not found" or something else. If you get no error, then it worked, you can type exit and the system will restart.
    Be sure to type the filename carefully, as zero and the letter O (o, O, 0) look similar, as do l, I and 1.
    If there were any other bad DLL filenames, del them as well.

    Assuming you can do all this and it works, the DLL will now be deleted, and the Notify key will fail to load it. However, if the malware program is still installed somewhere else, it may just create a new DLL and put the entry right back in. So check HJT again when you've done this. And delete the Notify key if it is there.

    This is how to use the Recovery Console to delete a file :)
    If you can't do it, or can't find the file to delete, or something happens, post back here. And we can try another technique.

    good luck!
     
  19. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    yyy65 is caused by the look2me spyware.

    Removal:

    Look2Me is an advertising and information network that uses a shell extension to attach itself to Windows and display pop up advertising for its clients. It monitors visited web sites and submits this information to a server.

    How do I Remove Look2Me?

    Because the software highly integrates itself with Explorer, it can be hard to remove. Included below is a basic manual removal method for Look2Me as well as an excellent Visual Basic Script that can be run to help remove it.

    Automatic Removal Program from Look2Me

    Follow the instructions below to manually remove Look2Me

    1. Click on Start, Run, and type REGEDIT and click Ok to start the Registry Editor
    2. Now open the Windows Task Manager

    On Windows 95/98/ME, Press CTRL+ALT+DEL
    On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab
    3. In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)
    4. Select the Registry Editor (you may have to press ALT + Tab)
    5. Delete the following registry keys if they exist

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
    6. Close the Registry Editor
    7. Restart your computer
    8. Now open My Computer and Drive C, open the Windows directory, and then the System directory
    Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    9. Delete all files that look similar to the following, where * represents a letter or number

    msg{********-****-****-****-************}****.dll

    The known variants of Look2Me are associated with the following files:

    msg{*.dll
    msg116.dll
    msg117.dll
    msg118.dll
    msg119.dll
    msg120.dll
    msg121.dll
    msg122.dll
    10. Open Internet Explorer
    11. Click Tools, Internet Options
    12. Click the Programs tab and then click Reset Web Settings to restore default settings for home page, search page, and other settings.

    If Look2Me remains or popups from NicTechNetworks remain, then proceed with the following extra instructions

    1) Download and run VX2.BetterInternet Finder which will search for files that are tied to Explorer and very tough to remove. These files usually are .dll files found in the Windows\System32 directory with backup files similar to *.cpy.dll

    For Windows 9X systems, use this version of VX2.Betterinternet Finder

    2) Write these files down for later removal

    3) To remove these files, you'll need to boot into the Recovery Console. Reboot your computer with your Windows XP or 2000 cd now. If your computer does not boot from the CD-ROM disk, you'll have to change settings in your BIOS to do this to boot from the CD-ROM first.

    During the loading of the Windows XP or Windows 2000 CD, you'll eventually be given the choice to load the "Recovery Console" by pressing R.

    Next, Choose your Windows Installation, usually by pressing 1 and pressing Enter.

    You'll have to enter the Administrator password; if you don't know the password, try leaving it blank. Once logged into the Recovery Console, you'll be at a C:\WINDOWS> prompt.

    If the system does not let you in because of a bad password or you can't access the Recovery Console from the CD-ROM, you'll have to use the alternate instructions below to access the Recovery Console.

    4) At the C:\WINDOWS> prompt type CD SYSTEM32 and press Enter

    5) At the C:\WINDOWS\SYSTEM32> prompt, use the DEL command to delete the files you wrote down previously.

    Ex: DEL AYMPARSE.DLL and press Enter
    DEL AYMPARSE.CPY.DLL and press Enter

    6) After you have deleted the files, type EXIT and restart your computer in normal mode. Look2Me and the files that were previously unable to be deleted should be removed.
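An added triage script (my own, not code from the thread, from HijackThis, or from any removal guide) that checks HJT log lines for the indicators raised in this thread: random-looking DLL names in Winlogon Notify entries, the Look2Me msg*.dll naming given above, non-default Trusted Zone / IP range entries, and services pointing at missing binaries. The sample lines are the ones quoted in the posts above plus one constructed benign control line; the letter/digit switch threshold is my own heuristic, not a published rule.

```python
"""Triage HijackThis (HJT) log lines for the indicators raised in this thread."""
import re

# Constructed sample: the O15/O20/O23 lines quoted in the posts above, plus one
# benign O20 control line (crypt32chain is a stock Windows XP Winlogon Notify entry).
SAMPLE_LOG = """\
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O20 - Winlogon Notify: ShellCompatibility - C:\\WINDOWS\\system32\\j6n20g5oe6.dll
O20 - Winlogon Notify: Telephony - C:\\WINDOWS\\system32\\g2040cdqef0e0.dll
O20 - Winlogon Notify: ShellScrap - C:\\WINDOWS\\system32\\o0840alqedqe0.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
O23 - Service: WMDM PMSP Service - Unknown owner - C:\\WINDOWS\\system32\\MsPMSPSv.exe (file missing)
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+?\.dll)$", re.I)
O15_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (?P<target>.+?)(?: \((?P<hive>HK\w+)\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .+\(file missing\)$", re.I)
# Look2Me file naming from the removal guide above: msg{GUID}****.dll and msg116.dll .. msg122.dll
LOOK2ME_RE = re.compile(
    r"^msg(?:\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}[0-9a-z]{4}|\d{3})\.dll$",
    re.I)

def looks_random(stem: str, min_switches: int = 3) -> bool:
    """Heuristic (mine): this thread's Notify DLLs alternate letters/digits many times (j6n20g5oe6); stock names like crypt32 switch once."""
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= min_switches

def is_look2me_name(fname: str) -> bool:
    return LOOK2ME_RE.match(fname) is not None

def triage(log_text: str) -> list:
    """Return (section, item, reason) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O20_RE.match(line):
            fname = m.group("path").rsplit("\\", 1)[-1]  # file name only
            if is_look2me_name(fname):
                findings.append(("O20", fname, "matches Look2Me msg*.dll naming"))
            elif looks_random(fname[:-4]):
                findings.append(("O20", fname, "random-looking DLL name in Winlogon Notify"))
        elif m := O15_RE.match(line):
            findings.append(("O15", m.group("target"), "non-default Trusted Zone / IP range entry"))
        elif m := O23_RE.match(line):
            findings.append(("O23", m.group("name"), "service points at a missing binary"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Anything it lists is a review prompt, not a verdict: confirm each flagged DLL against a known-good system of the same Windows version before deleting it through the Recovery Console.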
     
  20. Cerberis

    Cerberis TS Rookie Topic Starter

    Well, thx for the info on Look2Me, I pretty much figured that out on my own seeing as Look2Me came around the time of the popups, but the thing is I looked in my registry and I could find any of those registries that were listed. And I can't boot from the Recovery Console because I can't find my OS discs :P

    I just looked in my System directory and I didn't find any DLLs that looked like msg112 etc., but I'm still getting popups. What I don't understand is my Security Task Manager, normal Task Manager or countless virus scanners pick this up.
     
  21. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    HiJackThis clearly still shows a bad DLL in the Notify key. Unless you followed my advice and others, to delete it. This could be your whole problem. Very likely your whole problem.

    Have you fixed that yet?
     