yyy65 Help, Please.

Status
Not open for further replies.

dofml

I had the Spy Sheriff spyware thing and I'm pretty sure I got rid of all of it, but I get popups with "yyy65" and "XBDYUS" at the end of the URL.

I read a lot of forums on stuff to do to get rid of it; I've run full updated scans of Norton, Spyware Doctor, Spy Sweeper, and Ewido Anti-Malware. I have run out of options that I can think of.

Any help will be greatly appreciated, thank you.

Dan.


edit: I'm running on Windows 2000
 
Hi dofml,

I also use various programs to get rid of things.
I use spybot search & destroy, crap cleaner,
works for me, never have probs.
You could remove the nasty ones manually, any anti spyware
will show the path, where it's located on the pc, just toss it out.
Often your Temp folder, under local settings. :giddy:
 
Sorry it took me so long, I haven't had much time and there was a lot to do. It didn't work, though. I'm sure I cleared a lot of other stuff that was bad news, but I still get the popups with those endings.

I attached my HJT .txt log.


thanks
dan
 
Boot into safe mode. See how HERE


In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

Go to add remove programmes in your control panel, and uninstall anything to do with (if there)

C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

Close control panel.

Open your task manager by pressing the ctrl/alt/delete keys together.

Click on the processes tab, and end process for(if there)

ineec32.exe
inspdsvc.exe
DesktopWeather.exe
?ttrib.exe

Close task manager.

Run HJT with no other programmes open, and let HJT fix the following by placing a tick in the little box before (if there)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

O4 - HKLM\..\Run: [47nV3mQ] ineec32.exe
O4 - HKCU\..\Run: [Lw49Rgc7R] inspdsvc.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Imq] C:\WINNT\system32\?ttrib.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O20 - Winlogon Notify: Run - C:\WINNT\system32\l2p2lc7o1f.dll
O20 - Winlogon Notify: winwky32 - winwky32.dll (file missing)

Now click on the fix checked button.

Close HJT.

Delete the following bold files (if there)

C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINNT\system32\?ttrib.exe
C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
C:\WINNT\system32\l2p2lc7o1f.dll

Reboot into safe mode.

Regards Howard :)
 
Okay, I did all that, I didn't have all the files but you stated "If" they were there..I did have some, though. As soon as I rebooted normally, though, I started getting the popups still :(

I have my new log attached as txt.
 
Boot into safe mode.

In Windows Explorer, turn on "Show all files and folders, including hidden and system".

Click Start/Run and type regsvr32 /u C:\WINNT\system32\e8020idoe80c0.dll and press the enter key.

Run HJT with no other programmes open, and let HJT fix (if there).

O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\e8020idoe80c0.dll

Close HJT

Delete the following bold file (if there).

C:\WINNT\system32\e8020idoe80c0.dll

Delete all files, and directories from C:\Documents and settings\[username]\local settings\Temp.

Do this for all usernames.

Delete all files and directories from C:\Windows\temp (except files dated from today)

Right click IE on your desktop, and select properties. Click on delete cookies, and delete files including all off line content.

Boot into normal mode.

Post fresh HJT log.

Regards Howard :)
 
I didn't have that file, but I emptied all the folders you said to.

I disabled Java and Javascript in Firefox and the popups still pop up, but they don't go to a website or resize, they just steal the focus. It's just a white page in the browser.

But...

For some reason I get a lot more popups now, not just the same ones anymore.

http://www.searchfeed.com/rd/Clk.jsp?s=wf&k=web+hosting+review&lnk2=rhhE%3F..iy29%27wBAyekxpr%27fsCqvrkh%27pDB.osC.fsCqvrkh%27qAA%3EpAsplhrxDigr%29t%3DH8441%29w%3DliMqUmMA6fytVNtHNcToXSyLLngvofcTwYqYIYM%3FDot6GYnLySAYPc4JCnm0%3AcHLC70%3Fi2%3FiIcMMXYOTtxzc7rMq4iarNvvplYnJi%3FTSs54Pu24%3FnpQVemt%3AyvMI6M0ui5l7FMuvic3EvxaiRYm9QvqkEk36pylce%3FvVe6goZ%7C2%2726&p=15150&sid=559873&ex=1138980857848#post242366&ID={FA1FB63D-114B-A0C5-957D-ABC68F57DCD0}

is one of the sites it takes me to. As soon as I get a popup, about three or four of them come up right after, then I'm good for a couple minutes..then it happens again.

It almost seems like because the (example) .yyy65.html popup can't go to a site, it automatically opens up another one.. this one just opened up with the yyy65 one:

http://certified-safe-downloads.com/adserver/RegClean/soref/newdownload.asp?Referrer=ellregclean

I just ran hijack this again and attached my log.
 
Your problem is related to this HJT entry.

O20 - Winlogon Notify: App Management - C:\WINNT\system32\g4lmle311h.dll. The .dll filename keeps changing.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Regards Howard :)
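To show what Howard is pointing at in the HJT output (the randomly named Winlogon Notify DLLs and Run entries in the log lines quoted earlier in this thread, and the O20 entry whose .dll name keeps changing), here is an added example of checking an HJT log automatically. It is not part of this thread, HijackThis or L2mfix. The sample log is constructed from the entries quoted in the thread, and the baseline list of Windows 2000/XP Winlogon Notify subkeys is an assumption made for the example:

```python
import re

# Winlogon Notify subkeys that ship with Windows 2000/XP. This baseline is an
# assumption made for this example; an unknown subkey is worth a look, not proof.
KNOWN_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample, modelled on the HJT lines quoted in this thread.
SAMPLE_HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [47nV3mQ] ineec32.exe
O4 - HKCU\..\Run: [Lw49Rgc7R] inspdsvc.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Imq] C:\WINNT\system32\?ttrib.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: Run - C:\WINNT\system32\l2p2lc7o1f.dll
O20 - Winlogon Notify: winwky32 - winwky32.dll (file missing)
O20 - Winlogon Notify: App Management - C:\WINNT\system32\g4lmle311h.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# HJT line formats: "O4 - HKLM\..\Run: [value name] command" and
# "O20 - Winlogon Notify: subkey - dll path".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")


def looks_random(name: str) -> bool:
    """Heuristic: letters and digits interleaved (a digit followed by a letter),
    as in l2p2lc7o1f or 47nV3mQ. Names that merely end in digits (crypt32,
    winwky32) are not flagged by this rule."""
    stem = name.rsplit(".", 1)[0]
    return re.search(r"\d[A-Za-z]", stem) is not None


def has_odd_chars(path: str) -> bool:
    """A '?' or non-ASCII character in a file name usually means a lookalike
    character was used so the name passes as a system file (?ttrib.exe)."""
    fname = path.replace("/", "\\").split("\\")[-1]
    return "?" in fname or any(ord(c) > 127 for c in fname)


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def analyze_hjt(text: str) -> list[dict]:
    """Return one finding per suspicious O4/O20 line with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            if looks_random(m.group("name")):
                reasons.append("random-looking Run value name")
            if has_odd_chars(m.group("cmd")):
                reasons.append("lookalike/odd character in file name")
            exe = first_token(m.group("cmd")).split("\\")[-1]
            if looks_random(exe):
                reasons.append("random-looking executable name")
        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name.lower() not in KNOWN_NOTIFY_KEYS:
                reasons.append("Winlogon Notify subkey not in baseline")
            if "(file missing)" in path:
                reasons.append("Notify DLL missing on disk")
            if looks_random(path.split("\\")[-1]):
                reasons.append("random-looking Notify DLL name")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Note what the heuristic does and does not catch: the Look2Me-style names (l2p2lc7o1f.dll, g4lmle311h.dll) and the random Run value names are flagged on their shape alone, and the "App Management" and "Group Policy" Notify entries are flagged because those subkey names are not in the baseline, even though they were chosen to sound legitimate. Files such as ineec32.exe, which simply look like a system file, are only flagged through their odd value name, which is why the steps in this thread keep saying "if there": the file on disk still has to be confirmed by hand.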
 
When I hit 1 and enter, in the green it said
"The system cannot find the file specified.
The system cannot find the file specified.
Scanning please Wait."

then a warning type window popped up but it wasn't a warning.
it was titled "16 bit MS-DOS Subsystem" and the message was

"C:\WINNT\system32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application."

Pasting the notepad contents is too long, so I have to double post, sorry.


EDIT: the contents of the notepad is too long to post in a reply so I saved it as .txt and attached it.
 
Ok. Now do the following


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Paste the contents of the log along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards Howard :)
 
I get this when I hit 2 then enter.


This fix will reboot automatically.
'sc' is not recognized as an internal or external command,
operable program or batch file.
Password will be entered automatically.
Do not press any keys till instructed too.
Enter password for L2MFIX:


That is all it says and all I hit was 2>enter. and that came up. Also that pop up window from the program came up again.
 
I don't know why that should happen.

Leave it with me, and I'll research the problem.

This is obviously a very nasty and obstinate infection.

I will get back to you.

Regards Howard :)
 
Download the trial version of Spy Sweeper from HERE

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Make sure you are disconnected from the internet.

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer.

Then please post a fresh HJT log.

Regards Howard :)
 
I had purchased Spy Sweeper a little bit ago, so I didn't have to download the trial version. But I did do what you said to do and it told me I had no infections. So I didn't have anything to remove.

None-the-less, here is my new HJT log..

Dan.
 
It would appear that some variations of this infection don't get fixed by running the L2mfix.

However, in another post it seems to have been fixed by using the Sysinternals rootkit revealer/Autoruns.

See reply #14 in this thread HERE

You can get these from http://www.sysinternals.com/

Regards Howard :)
 
The rootkit revealer said it didn't find anything. The Autoruns program listed a lot of stuff that autoruns or can autorun, but I don't know what to look for so I saved the log as .txt and attached it.
 
Take a look HERE for manual removal instructions.

I don't know if this'll work, so please let me know, as I'm searching for a fix that I can recommend to others.

Regards Howard :)
 
I have also just found this removal tool. Look HERE

I hope it helps.

Please let us know how you get on, and post a fresh HJT log.

Regards Howard :)
 
For the first one, I tried to do it manually, but the files it said to look for weren't there. So I tried to download the tool but it said the server could not be found or something.. I am going to try the next tool now.



Edit: That second tool said that the Look2Me spyware thing was not found on my computer.
 
Go HERE, and download the About:buster programme.

Unzip the programme, and run it. make sure the programme is fully updated.

Now boot into safe mode, and run the programme.

Please post a fresh HJT log when done.

Regards Howard :)
 
I ran the About:Buster program when I d'led it and in safe mode. It caught something the first time, and the second time it didn't get anything...still getting popups, though.

Here is my new HJT log.
 