yyy65 strikes again and maybe more plz help me!

Status
Not open for further replies.

missy

I am another victim of yyy65. I have Mozilla Firefox 1.0.7 and if I am in a browser for any length of time it automatically minimizes the window and redirects to one of its sites "http://www.uniqueoffer-s.com/normal/yyy65.html". If the browser is minimized it doesn't affect it. Please help me. I am running XP on a new laptop. And where does this come from?
Also my Symantec scanner keeps finding trojans it cannot fix and Spybot gets rid of some stuff, but it comes back.

Here is my hijackthis logfile
 
New HijackThis Log

I did all the things as suggested and still my firefox is being redirected by yyy65. Here is my new Hijack This Log
 
Boot into safe mode, and turn system restore off.

Go to add remove programmes in your control panel, and uninstall anything to do with (if there)

C:\Program Files\siot\dapr.exe

Close control panel.

Open your task manager, and click on the processes tab. End process for (if there)

??ool32.exe
dapr.exe
enewsletterpro.exe
banmanpro.exe
VCClient.exe
VCMain.exe
dapr.exe" -vt ndrv
lwintsap.exe
rkdsregq.exe

Close task manager.

Run HJT with no other programmes open, and let HJT fix the following (if there)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {13B43FC6-AE5E-DADB-0595-814A328AAECD} - C:\WINDOWS\system32\oeg.dll

O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Ajpmum] C:\WINDOWS\system32\??ool32.exe
O4 - HKCU\..\Run: [Htpu] "C:\Program Files\siot\dapr.exe" -vt ndrv
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rkdsregq.exe

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122781741546
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\dnl8013ue.dll

Close HJT.

Go to the following directories, and delete the following bold files (if there)

C:\WINDOWS\system32\??ool32.exe
C:\Program Files\siot\dapr.exe
C:\WINDOWS\system32\oeg.dll
C:\windows\enewsletterpro.exe
C:\windows\banmanpro.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\siot\dapr.exe" -vt ndrv
C:\WINDOWS\system32\lwintsap.exe
C:\WINDOWS\system32\rkdsregq.exe
C:\WINDOWS\system32\dnl8013ue.dll

Reboot into normal mode, and turn system restore back on.

Regards Howard :)
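
As an added example (not part of the original post, and not HijackThis's own code): a small Python parser for the HijackThis entries listed in the reply above. It pulls the file path out of each line, including the quoted command line with arguments in the Htpu entry, and derives the file and process lists used in the manual steps. The function names and the path pattern are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re
from ntpath import basename  # applies Windows path rules on any OS

# Entries copied from the fix list in the post above.
SAMPLE_LOG = r'''
R3 - URLSearchHook: (no name) - {13B43FC6-AE5E-DADB-0595-814A328AAECD} - C:\WINDOWS\system32\oeg.dll
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKCU\..\Run: [Htpu] "C:\Program Files\siot\dapr.exe" -vt ndrv
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintsap.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\dnl8013ue.dll
'''

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] C:\path.exe"
ENTRY = re.compile(r'^(?P<code>[A-Z]\d+) - (?P<body>.+)$')
# Either a quoted path, or an unquoted path (spaces allowed) that runs
# up to a known extension followed by whitespace or end of line.
PATH = re.compile(
    r'"(?P<q>[A-Za-z]:\\[^"]+)"'
    r'|(?P<u>[A-Za-z]:\\.+?\.(?:exe|dll|lnk))(?=\s|$)',
    re.I)


def parse_hjt(log):
    """Return one dict per log entry: section code, file path, arguments."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        p = PATH.search(body)
        path = (p.group('q') or p.group('u')) if p else None
        # Anything after the path is the command-line argument string.
        args = body[p.end():].strip() if p else ''
        entries.append({'code': m.group('code'), 'path': path, 'args': args})
    return entries


def cleanup_targets(entries):
    """Files to delete and process names to end, de-duplicated, order kept."""
    files = list(dict.fromkeys(e['path'] for e in entries if e['path']))
    procs = list(dict.fromkeys(
        basename(f) for f in files if f.lower().endswith('.exe')))
    return files, procs


if __name__ == '__main__':
    for name in cleanup_targets(parse_hjt(SAMPLE_LOG)):
        print(name)
```

Entries that reference a URL rather than a local file, such as the O16 line, come back with no path and are left out of both lists.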
 
This may help with some things but I highly doubt it's gonna fix the yyy65, I'm having the same problem.

What I know so far is yyy65 is a popup from the look2me virus or whatever.
There are ways to delete it. Look in the How to remove look2me, it's a sticky at the top of the forums.
 
Grr

I know it's been a while but I was hospitalized and now I'm out and my computer still is not fixed. Just letting you know why I haven't replied. I forget where I was so I am going to go to the top and redo it all. Argh! Thank you for your patience and I'll post back when I'm caught back up.
 
I'm sorry to hear that you've been in hospital. I hope everything's ok now.

Download the trial version of Spy Sweeper from HERE

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Make sure you are disconnected from the internet.

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer.

Please post a fresh HJT log.

Regards Howard :)
 
Ok, I did that Spysweeper but it doesn't remove what it detects. I also tried XCleaner, in any case, here's a new HJT logfile.
 
A little web search dug up this solution:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

* Note: If you receive an error while running option #1 like: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications, choose close to terminate the application." ...then do one of the following:

1: Click on the l2mfix.bat again and choose option # 5 for Fix Autoexec.nt/cmd.exe error.
2: Alternatively, you can click the fixautont.html link in the l2mfix folder and follow the directions there to fix it manually.
Do not run the fix portion without fixing the error first.
After you have performed the procedures to fix the error, repeat the steps above to run option #1 for Run Find Log.
 
Freaky

I did rootkit remover and autoruns also, but they just ran, there was really no fixes or anything. Now I haven't had popups in a while, even rebooted a couple times, you know, too good to be true sort of thing. I'll post a fresh HJT logfile.

Oh, I did run spysweeper again and it still detects the look2me and other things like last time. Don't really know what to make of it all. Here's the HJT.
 
Tedster said:
read my article on how to remove.

Hi Tedster.

It would seem that this is a very stubborn infection to get rid of.

I'm hoping that the above removal tool will finally get rid of it.

But, I'm not crossing my fingers just yet lol.

The L2mfix doesn't seem to always get rid of it unfortunately, unless I've misunderstood something.

Keep up the good work.

Regards Howard :)
 
GRRRrrrrrrrrrr

Ok, well I thought it was all good then of course firefox began popping up once again, and redirecting browsers that are open. I can't take it anymore. I tried that l2me fix and no help there.....HELP. Please. Any more suggestions? Here's a fresh HJT in case you need it.
 
The nasty infection is still there.

I can't help you with this any more, as I've tried everything I can think of.

What I want you to do is, go and post your problem HERE. This is a specialist malware site. If they can't get rid of it no one can.

Please let us know how you get on.

Regards Howard :)
 
N3051M said:
backup. reformat. clean install. that is if everyone's out of ideas..

That would definitely work.

However, it would be better if missy could get rid of the infection, without the need for a reformat.

Regards Howard :)
 