TechSpot

yyy65 Help, Please.

By dofml
Jan 29, 2006
Topic Status:
Not open for further replies.
  1. I had the Spy Sheriff spyware thing and I'm pretty sure I got rid of all of it, but I get popups with "yyy65" and "XBDYUS" in the end of the URL.

    I read a lot of forums on stuff to do to get rid of it; I've run full updated scans of Norton, Spyware Doctor, Spy Sweeper, and Ewido Anti-Malware. I have run out of options that I can think of.

    Any help will be greatly appreciated, thank you.

    Dan.


    edit: I'm running on Windows 2000
  2. charp

    charp TS Rookie Posts: 25

    Hi dofml,

    I also use various programs to get rid of things.
    I use Spybot Search & Destroy, Crap Cleaner,
    works for me, never have probs.
    You could remove the nasty ones manually, any anti spyware
    will show the path, where it's located on the pc, just toss it out.
    Often your Temp folder, under local settings. :giddy:
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  4. dofml

    dofml TS Rookie Topic Starter

    Sorry it took me so long, I haven't had much time and there was a lot to do. It didn't work, though. I'm sure I cleared a lot of other stuff that was bad news, but I still get the popups with those endings.

    I attached my HJT .txt log.


    thanks
    dan
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE


    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

    Go to add remove programmes in your control panel, and uninstall anything to do with (if there)

    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    Close control panel.

    Open your task manager by pressing the ctrl/alt/delete keys together.

    Click on the processes tab, and end process for (if there)

    ineec32.exe
    inspdsvc.exe
    DesktopWeather.exe
    ?ttrib.exe

    Close task manager.

    Run HJT with no other programmes open, and let HJT fix the following by placing a tick in the little box before (if there)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    O4 - HKLM\..\Run: [47nV3mQ] ineec32.exe
    O4 - HKCU\..\Run: [Lw49Rgc7R] inspdsvc.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [Imq] C:\WINNT\system32\?ttrib.exe

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

    O20 - Winlogon Notify: Run - C:\WINNT\system32\l2p2lc7o1f.dll
    O20 - Winlogon Notify: winwky32 - winwky32.dll (file missing)

    Now click on the fix checked button.

    Close HJT.

    Delete the following bold files (if there)

    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\WINNT\system32\?ttrib.exe
    C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    C:\WINNT\system32\l2p2lc7o1f.dll

    Reboot into safe mode.

    Regards Howard :)
  6. dofml

    dofml TS Rookie Topic Starter

    Okay, I did all that, I didn't have all the files but you stated "If" they were there..I did have some, though. As soon as I rebooted normally, though, I started getting the popups still :(

    I have my new log attached as txt.
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system".

    Click start/run and type regsvr32 /u C:\WINNT\system32\e8020idoe80c0.dll and press the enter key.

    Run HJT with no other programmes open, and let HJT fix (if there).

    O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\e8020idoe80c0.dll

    Close HJT

    Delete the following bold file (if there).

    C:\WINNT\system32\e8020idoe80c0.dll

    Delete all files, and directories from C:\Documents and settings\[username]\local settings\Temp.

    Do this for all usernames.

    Delete all files and directories from C:\Windows\temp (except files dated from today)

    Right click IE on your desktop, and select properties. Click on delete cookies, and delete files including all off line content.

    Boot into normal mode.

    Post fresh HJT log.

    Regards Howard :)
  8. dofml

    dofml TS Rookie Topic Starter

    I didn't have that file, but I emptied all the folders you said to.

    I disabled Java and Javascript in Firefox and the popups still pop up, but they don't go to a website or resize, they just steal the focus. It's just a white page in the browser.

    But...

    For some reason I get a lot more popups now, not just the same ones anymore.

    http://www.searchfeed.com/rd/Clk.jsp?s=wf&k=web+hosting+review&lnk2=rhhE%3F..iy29%27wBAyekxpr%27fsCqvrkh%27pDB.osC.fsCqvrkh%27qAA%3EpAsplhrxDigr%29t%3DH8441%29w%3DliMqUmMA6fytVNtHNcToXSyLLngvofcTwYqYIYM%3FDot6GYnLySAYPc4JCnm0%3AcHLC70%3Fi2%3FiIcMMXYOTtxzc7rMq4iarNvvplYnJi%3FTSs54Pu24%3FnpQVemt%3AyvMI6M0ui5l7FMuvic3EvxaiRYm9QvqkEk36pylce%3FvVe6goZ%7C2%2726&p=15150&sid=559873&ex=1138980857848#post242366&ID={FA1FB63D-114B-A0C5-957D-ABC68F57DCD0}

    is one of the sites it takes me to. As soon as I get a popup, about three or four of them come up right after, then I'm good for a couple minutes..then it happens again.

    It almost seems like because the (example) .yyy65.html popup can't go to a site, it automatically opens up another one.. this one just opened up with the yyy65 one:

    http://certified-safe-downloads.com/adserver/RegClean/soref/newdownload.asp?Referrer=ellregclean

    I just ran hijack this again and attached my log.
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your problem is related to this HJT entry.

    O20 - Winlogon Notify: App Management - C:\WINNT\system32\g4lmle311h.dll. The .dll filename keeps changing.

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    Regards Howard :)
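
Added example (not part of the thread and not any poster's code): a triage sketch over the O20 Winlogon Notify lines quoted in posts 5, 7 and 9, flagging Notify DLLs whose names look machine-generated and confirming that the name differs from one log to the next. The letter/digit alternation threshold and all function names are assumptions made for this sketch.

```python
import ntpath
import re

# O20 lines exactly as quoted in this thread, keyed by the post quoting them.
LOGS = {
    "post 5": [
        r"O20 - Winlogon Notify: Run - C:\WINNT\system32\l2p2lc7o1f.dll",
        r"O20 - Winlogon Notify: winwky32 - winwky32.dll (file missing)",
    ],
    "post 7": [r"O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\e8020idoe80c0.dll"],
    "post 9": [r"O20 - Winlogon Notify: App Management - C:\WINNT\system32\g4lmle311h.dll"],
}

O20 = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>\S.*?\.dll)"
    r"(?P<missing> \(file missing\))?\s*$",
    re.IGNORECASE,
)

def parse_o20(line):
    """Return (notify_key, dll_path, file_missing) for an O20 line, else None."""
    m = O20.match(line.strip())
    return (m["key"], m["path"], m["missing"] is not None) if m else None

def switches(stem):
    """Count letter/digit alternations; generated names have many of them."""
    return sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))

def triage(logs, min_switches=3):
    """List (post, notify_key, dll) for Notify DLLs with generated-looking names.
    min_switches is an assumed threshold for this sketch, not a HijackThis rule."""
    findings = []
    for post, lines in logs.items():
        for parsed in filter(None, map(parse_o20, lines)):
            key, path, _missing = parsed
            dll = ntpath.basename(path).lower()
            if switches(ntpath.splitext(dll)[0]) >= min_switches:
                findings.append((post, key, dll))
    return findings

def keeps_changing(findings):
    """True when successive logs name different generated DLLs."""
    return len({dll for _, _, dll in findings}) > 1

if __name__ == "__main__":
    for post, key, dll in triage(LOGS):
        print(f"{post}: Notify key {key!r} -> {dll}")
    print("filename changes between logs:", keeps_changing(triage(LOGS)))
```
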
  10. dofml

    dofml TS Rookie Topic Starter

    When I hit 1 and enter, in the green it said
    "The system cannot find the file specified.
    The system cannot find the file specified.
    Scanning please Wait."

    then a warning type window popped up but it wasn't a warning.
    it was titled "16 bit MS-DOS Subsystem" and the message was

    "C:\WINNT\system32\cmd.exe
    C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
    Choose 'Close' to terminate the application."

    Pasting the notepad contents is too long, so I have to double post, sorry.


    EDIT: the contents of the notepad is too long to post in a reply so I saved it as .txt and attached it.
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok. Now do the following


    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Paste the contents of the log along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

    Regards Howard :)
     
  12. dofml

    dofml TS Rookie Topic Starter

    I get this when I hit 2 then enter.


    This fix will reboot automatically.
    'sc' is not recognized as an internal or external command,
    operable program or batch file.
    Password will be entered automatically.
    Do not press any keys till instructed too.
    Enter password for L2MFIX:


    That is all it says and all I hit was 2>enter. and that came up. Also that pop up window from the program came up again.
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I don't know why that should happen.

    Leave it with me, and I'll research the problem.

    This is obviously a very nasty and obstinate infection.

    I will get back to you.

    Regards Howard :)
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download the trial version of Spy Sweeper from HERE

    Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

    You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)

    Make sure you are disconnected from the internet.

    Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

    Click on Sweep and allow it to fully scan your system.

    When the sweep has finished, click Remove. Click Select All and then Next

    From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

    When prompted, allow Spy Sweeper to restart your computer.

    Then please post a fresh HJT log.

    Regards Howard :)
  15. dofml

    dofml TS Rookie Topic Starter

    I had purchased Spy Sweeper a little bit ago, so I didn't have to download the trial version. But I did do what you said to do and it told me I had no infections. So I didn't have anything to remove.

    None-the-less, here is my new HJT log..

    Dan.
  16. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    It would appear that some variations of this infection don't get fixed by running the L2mfix.

    However, in another post it seems to have been fixed by using the Sysinternals rootkit revealer/Autoruns.

    See reply #14 in this thread HERE

    You can get these from http://www.sysinternals.com/

    Regards Howard :)
  18. dofml

    dofml TS Rookie Topic Starter

    The rootkit revealer said it didn't find anything. The Autoruns program listed a lot of stuff that autoruns or can autorun, but I don't know what to look for so I saved the log as .txt and attached it.
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Take a look HERE for manual removal instructions.

    I don't know if this'll work, so please let me know, as I'm searching for a fix that I can recommend to others.

    Regards Howard :)
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I have also just found this removal tool. Look HERE

    I hope it helps.

    Please let us know how you get on, and post a fresh HJT log.

    Regards Howard :)
  21. dofml

    dofml TS Rookie Topic Starter

    For the first one, I tried to do it manually, but the files it said to look for weren't there. So I tried to download the tool but it said the server could not be found or something.. I am going to try the next tool now.



    Edit: That second tool said that the Look2Me spyware thing was not found on my computer.
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Go HERE, and download the About:buster programme.

    Unzip the programme, and run it. Make sure the programme is fully updated.

    Now boot into safe mode, and run the programme.

    Please post a fresh HJT log when done.

    Regards Howard :)
  23. dofml

    dofml TS Rookie Topic Starter

  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Sorry link now fixed.

    Regards Howard :)
  25. dofml

    dofml TS Rookie Topic Starter

    I ran the About:Buster program when I d'led it and in safe mode. It caught something the first time, and the second time it didn't get anything...still getting popups, though.

    Here is my new HJT log.