TechSpot

yyy65 strikes again and maybe more plz help me!

By missy
Jan 21, 2006
Topic Status:
Not open for further replies.
  1. I am another victim of yyy65. I have mozilla firefox 1.0.7 and if I am in a browser for any length of time it automatically minimizes the window and redirects to one of its sites "http://www.uniqueoffer-s.com/normal/yyy65.html". If the browser is minimized it doesn't affect it. Please help me. I am running xp on new laptop. And where does this come from?
    Also my symantec scanner keeps finding trojans it cannot fix and spybot gets rid of some stuff, but it comes back.

    Here is my hijackthis logfile
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

  3. missy

    missy Newcomer, in training Topic Starter

    New HijackThis Log

    I did all the things as suggested and still my firefox is being redirected by yyy65. Here is my new Hijack This Log
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode, and turn system restore off.

    Go to add remove programmes in your control panel, and uninstall anything to do with (if there)

    C:\Program Files\siot\dapr.exe

    Close control panel.

    Open your task manager, and click on the processes tab. End process for (if there)

    ??ool32.exe
    dapr.exe
    enewsletterpro.exe
    banmanpro.exe
    VCClient.exe
    VCMain.exe
    dapr.exe" -vt ndrv
    lwintsap.exe
    rkdsregq.exe

    Close task manager.

    Run HJT with no other programmes open, and let HJT fix the following (if there)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {13B43FC6-AE5E-DADB-0595-814A328AAECD} - C:\WINDOWS\system32\oeg.dll

    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [Ajpmum] C:\WINDOWS\system32\??ool32.exe
    O4 - HKCU\..\Run: [Htpu] "C:\Program Files\siot\dapr.exe" -vt ndrv
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintsap.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rkdsregq.exe

    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122781741546
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

    O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\dnl8013ue.dll

    Close HJT.

    Go to the following directories, and delete the following bold files (if there)

    C:\WINDOWS\system32\??ool32.exe
    C:\Program Files\siot\dapr.exe
    C:\WINDOWS\system32\oeg.dll
    C:\windows\enewsletterpro.exe
    C:\windows\banmanpro.exe
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\Program Files\siot\dapr.exe" -vt ndrv
    C:\WINDOWS\system32\lwintsap.exe
    C:\WINDOWS\system32\rkdsregq.exe
    C:\WINDOWS\system32\dnl8013ue.dll

    Reboot into normal mode, and turn system restore back on.

    Regards Howard :)
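
Added example (not part of the post above, and not HijackThis's own code): the fix list and the delete list in post 4 name the same files twice, once as autostart references and once as paths on disk. This Python parser derives the second from the first, assuming only the R3, O4, O16 and O20 line shapes shown in the post; the sample lines are copied from it.

```python
import re

# Constructed sample: a few entries copied from the fix list in post 4.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {13B43FC6-AE5E-DADB-0595-814A328AAECD} - C:\WINDOWS\system32\oeg.dll
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKCU\..\Run: [Htpu] "C:\Program Files\siot\dapr.exe" -vt ndrv
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintsap.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\dnl8013ue.dll
"""

# Section code -> regex capturing the target (a file path, or a URL for O16).
PATTERNS = {
    "R3": re.compile(r"URLSearchHook: .* - (?P<target>[A-Za-z]:\\.+)$"),
    "O4": re.compile(r"(?:Run: \[[^\]]*\]|Startup: [^=]+=) (?P<target>.+)$"),
    "O16": re.compile(r"DPF: .* - (?P<target>https?://\S+)$"),
    "O20": re.compile(r"Winlogon Notify: [^-]+ - (?P<target>[A-Za-z]:\\.+)$"),
}
# Leading file path of a command line: optional quotes, arguments ignored.
FILE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))"?(?:\s|$)', re.I)

def parse_entries(log_text):
    """Return (section, target) for each recognised HijackThis line."""
    entries = []
    for line in log_text.splitlines():
        section, sep, rest = line.strip().partition(" - ")
        pattern = PATTERNS.get(section)
        match = pattern.search(rest) if (sep and pattern) else None
        if match:
            entries.append((section, match.group("target").strip()))
    return entries

def files_on_disk(entries):
    """Files the entries point at; fixing an entry in HJT does not delete them."""
    files, seen = [], set()
    for _section, target in entries:
        match = FILE_PATH.match(target)
        if match and match.group("path").lower() not in seen:
            seen.add(match.group("path").lower())
            files.append(match.group("path"))
    return files

def not_in_delete_list(files, delete_list):
    """Referenced files missing from a manual delete list (case-insensitive)."""
    listed = {path.lower() for path in delete_list}
    return [path for path in files if path.lower() not in listed]
```

The O16 entry yields a download URL rather than a local file, so it appears in `parse_entries` but not in `files_on_disk`.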
  5. Cerberis

    Cerberis Newcomer, in training

    This may help with some things but I highly doubt it's gonna fix the yyy65, I'm having the same problem.

    What I know so far is yyy65 is a popup from the look2me virus or whatever,
    There are ways to delete. Look in the How to remove look2me, it's a sticky at the top of the forums.
  6. missy

    missy Newcomer, in training Topic Starter

    Grr

    I know it's been a while but I was hospitalized and now I'm out and my computer still is not fixed. Just letting you know why I haven't replied. I forget where I was so I am going to go to the top and redo it all. Argh! Thank you for your patience and I'll post back when I'm caught back up.
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I'm sorry to hear that you've been in hospital. I hope everything's ok now.

    Download the trial version of Spy Sweeper from HERE

    Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

    You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)

    Make sure you are disconnected from the internet.

    Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

    Click on Sweep and allow it to fully scan your system.

    When the sweep has finished, click Remove. Click Select All and then Next

    From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

    When prompted, allow Spy Sweeper to restart your computer.

    Please post a fresh HJT log.

    Regards Howard :)
  8. missy

    missy Newcomer, in training Topic Starter

    Ok, I did that Spysweeper but it doesn't remove what it detects. I also tried XCleaner, in any case, here's a new HJT logfile.
  9. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    A little web search dug up this solution:

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    * Note: If you receive an error while running option #1 like: "C:\windows\system32\cmd.exe
    C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications, choose close to terminate the application.." ...then do one of the following:

    1: Click on the l2mfix.bat again and choose option # 5 for Fix Autoexec.nt/cmd.exe error.
    2: Alternatively, you can click the fixautont.html link in the l2mfix folder and follow the directions there to fix it manually.
    Do not run the fix portion without fixing the error first.
    After you have performed the procedures to fix the error, repeat the steps above to run option #1 for Run Find Log.
  10. missy

    missy Newcomer, in training Topic Starter

    Here's the logfile.
    Finishing the scan now.
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Look at reply #14 in this thread HERE

    Regards Howard :)
     
  12. missy

    missy Newcomer, in training Topic Starter

    Freaky

    I did rootkit remover and autoruns also, but they just ran, there was really no fixes or anything. Now I haven't had popups in a while, even rebooted a couple times, you know, too good to be true sort of thing. I'll post a fresh HJT logfile.

    Oh, I did run spysweeper again and it still detects the look2me and other things like last time. Don't really know what to make of it all. Here's the HJT.
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Download, and run this removal tool from HERE

    Be sure to read the instructions.

    Regards Howard :)
  14. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

  15. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hi Tedster.

    It would seem that this is a very stubborn infection to get rid of.

    I'm hoping that the above removal tool will finally get rid of it.

    But, I'm not crossing my fingers just yet lol.

    The L2mfix doesn't seem to always get rid of it unfortunately, unless I've misunderstood something.

    Keep up the good work.

    Regards Howard :)
  16. missy

    missy Newcomer, in training Topic Starter

    GRRRrrrrrrrrrr

    Ok, well I thought it was all good then of course firefox began popping up once again, and redirecting browsers that are open. I can't take it anymore. I tried that l2me fix and no help there.....HELP. Please. Any more suggestions? Here's a fresh HJT in case you need it.
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The nasty infection is still there.

    I can't help you with this any more, as I've tried everything I can think of.

    What I want you to do is, go and post your problem HERE This is a specialist malware site. If they can't get rid of it no one can.

    Please let us know how you get on.

    Regards Howard :)
  18. N3051M

    N3051M Newcomer, in training Posts: 2,800

    backup. reformat. clean install. that is if everyone's out of ideas..
  19. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That would definitely work.

    However, it would be better if missy could get rid of the infection, without the need for a reformat.

    Regards Howard :)