680180.net pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nanimo, Sep 30, 2004.

  1. Nanimo

    Nanimo Private E-2

    Hi there,

    I've been helping out with a local women's group, and they received a machine a while ago as a donation... nice as it is, unfortunately, it came riddled with viruses, though various scans have gotten rid of them...

    However, I've been having problems with one particularly stubborn ad-ware, the 680180.net pop-ups. I've already trawled through the forums and followed the instructions there, but to no avail... well, I've managed to get it to a point where the original pop-up can't generate any more, I guess that's something...

    Anyway, let me give a quick summary of what I've already tried:

    Install Windows updates up to SP2. (It originally came without any of them)
    Scan with AVG Anti-virus system
    Scan with Symantec online virus scan
    Scan with AdAware
    Scan with Spybot
    Scan with CWShredder
    Run HijackThis without "fixing" anything
    Identified that the culprit is ymhfl.dll and assorted ymhfl*.* files
    Tried to get rid of them, failed.
    Did all of the above again with System Restore turned off and in safe mode, failed.

    So now I'm at a bit of a loss, what should I try next?

    I guess getting rid of this isn't really of high priority since this machine doesn't tend to be used for going online... However, I know it's there, and it's annoying the carp out of me...

    Any help at all would be appreciated... Thanks :D
     
  2. Nanimo

    Nanimo Private E-2

    Actually, scratch that.... It's everything apart from SP2...

    What happened was I tried to install it, and someone came along and cancelled it whilst I was away doing other stuff...

    Tried to install it again today, and it was practically finished "Clearing Up", and I'd gone to the toilet, by the time I came back, there was a blue screen telling me that it wasn't able to install properly.... reboot, it tells me that it's just recovered from a catastrophe and that the system is unstable and that I should go into add/remove programs to remove it properly, but it won't let me remove them....

    :(
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a good idea to try to install SP2 on any system that has any form of malware (viruses, adware, trojan, etc). It can cause the installation to fail or be bad.

    I know you have done some of this already but not all.

    You should follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. Nanimo

    Nanimo Private E-2

    Thanks for the advice, unfortunately it's taken me until now to follow it since I only go in once or twice a week... I've followed the basic spyware/trojan removal link and did everything advised. As for SP2, I now know the error of my ways, but I can't seem to get rid of the components that were installed... :(

    Anyway, please find attached a copy of the HijackThis log.

    Thanks
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: SDWin32 Class - {64D53102-EAD5-493D-921F-C5ED15934D49} - C:\WINDOWS\System32\ymhfl.dll

    Boot in safe mode and delete:
    C:\WINDOWS\System32\ymhfl.dll


    Do you need or want these to be in your trusted zone? Not that they are bad. I just don't put anything into the trusted zone ever.
    O15 - Trusted Zone: *.excite.com
    O15 - Trusted Zone: *.hotmail.com
    O15 - Trusted Zone: *.lycos.com
    O15 - Trusted Zone: http://security.symantec.com
    O15 - Trusted Zone: http://securityresponse.symantec.com
    O15 - Trusted Zone: mail.yahoo.co.uk
     
  6. Nanimo

    Nanimo Private E-2

    Ah, thanks. I'll give it a try as soon as I go in tomorrow morning, since I needed to get in and re-set the system restore before anyone else gets to it anyway... (Silly me, forgot to put it back on when I finished with it today.)

    Hopefully this will be it... although this is pretty much what I originally did to try to get rid of that dll, but it just kept reappearing....

    As for the trusted sites, maybe I need to re-work how I did the security settings on that machine... I'll have another look at it when I get there...

    Anyway, thanks again. :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DO NOT enable system restore until after we are positive the problems are resolved.
    The trusted zones are up to you. But as I said I never put anything in there. It makes it real easy to detect when a baddie has entered something that way since nothing belongs there. I have seen some people having lots of items in the Trusted Zone making it too easy for a baddie to hide. (I use similar logic on a hosts file.)
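
The empty-baseline check described in the post above, applied to the O2 and O15 lines quoted in this thread. This is an added example, not part of the original posts and not HijackThis code; `review_log`, its parameters and the regular expressions are assumptions based only on the line format shown in the thread.

```python
import re

# Constructed sample: the O2/O15 lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SDWin32 Class - {64D53102-EAD5-493D-921F-C5ED15934D49} - C:\WINDOWS\System32\ymhfl.dll
O15 - Trusted Zone: *.excite.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.lycos.com
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: mail.yahoo.co.uk
"""

# Line shapes assumed from the entries above: "O2 - BHO: name - {CLSID} - path"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")


def review_log(text, allowed_zone_sites=(), known_bho_clsids=()):
    """Return (bho_findings, zone_findings) for entries outside the baseline.

    Both baselines default to empty, so every Trusted Zone site and every
    BHO is reported unless it has been explicitly reviewed and listed.
    """
    allowed = {s.lower() for s in allowed_zone_sites}
    known = {c.upper() for c in known_bho_clsids}
    bhos, zones = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m["clsid"].upper() not in known:
                bhos.append((m["clsid"], m["name"], m["path"]))
            continue
        m = ZONE_RE.match(line)
        if m and m["site"].lower() not in allowed:
            zones.append(m["site"])
    return bhos, zones


if __name__ == "__main__":
    bho_findings, zone_findings = review_log(SAMPLE_LOG)
    for clsid, name, path in bho_findings:
        print(f"BHO not in baseline: {name} {clsid} -> {path}")
    for site in zone_findings:
        print(f"Trusted Zone entry not in baseline: {site}")
```

With an empty baseline every one of the six Trusted Zone entries is reported; passing the reviewed sites in `allowed_zone_sites` leaves only entries that appeared since the review.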
     
