Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ad Aware Detecting Xxyayax.dll


  • Please log in to reply
8 replies to this topic

#1 ihateviruses62

ihateviruses62

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:22 AM

Posted 22 February 2008 - 11:12 PM

Hello, I made my account so I could post this because you people seem very helpful. I have recently encountered some viruses and have cleaned up most of my system using Ad Aware, Trojan Hunter, and Spybot. Yet, Ad Aware is still detecting a .dll file called "C:\\WINDOWS\system32\xxyayax.dll" and whenever I try to delete it, a critical system error occurs and my PC shuts down. Trojan Hunter and Spybot are not detecting this file though. My question is if this is a false positive or not, I have found the file manually and am ready to delete it though I'm not sure if I should or not. If this is not a false positive how can I get rid of it? Please help! :thumbsup:

BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:22 AM

Posted 22 February 2008 - 11:33 PM

Welcome to BC ihateviruses62

Please follow the the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection". (If using Vista, right-click on VundoFix.exe and select "Run As Administrator".)

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ihateviruses62

ihateviruses62
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:22 AM

Posted 23 February 2008 - 12:30 AM

Alright, I did VundoFix and now here is the text file. I know it couldn't remove the xxyayas.dll one though but it found other ones that it got rid of :thumbsup:.

EDIT: Aparently it brought back one I thought I got rid of, icons from StorageProtect are back on my desktop.

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:03:34 PM 2/22/2008

Listing files found while scanning....

C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\tuvvuss.dll
C:\WINDOWS\system32\xxyayax.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvvuss.dll
C:\WINDOWS\system32\tuvvuss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyayax.dll
C:\WINDOWS\system32\xxyayax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xxyayax.dll
C:\WINDOWS\system32\xxyayax.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Edited by ihateviruses62, 23 February 2008 - 12:56 AM.


#4 ihateviruses62

ihateviruses62
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:22 AM

Posted 23 February 2008 - 04:20 AM

Alright, I did the ATF-Cleaner and the SUPERAntispyware Free Edition! I think things look OK, Ad-Aware found some more Trojans and files but they were removed. Before all that though I did VundoFix again because viruses were being added like crazy. Spybot even stopped the registry from deleting something about SUPERanitspyware O_o

Here is the removal information for SUPERAnitSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2008 at 01:05 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 02:24:00

Memory items scanned : 173
Memory threats detected : 2
Registry items scanned : 5459
Registry threats detected : 39
File items scanned : 105206
File threats detected : 12

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTURR.DLL
C:\WINDOWS\SYSTEM32\VTURR.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A9CD64FE-2774-4ABB-B18E-80769C342F24}
HKCR\CLSID\{A9CD64FE-2774-4ABB-B18E-80769C342F24}
HKCR\CLSID\{A9CD64FE-2774-4ABB-B18E-80769C342F24}\InprocServer32
HKCR\CLSID\{A9CD64FE-2774-4ABB-B18E-80769C342F24}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9CD64FE-2774-4ABB-B18E-80769C342F24}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
C:\VUNDOFIX BACKUPS\TUVVUSS.DLL.BAD

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\XXYAYAX.DLL
C:\WINDOWS\SYSTEM32\XXYAYAX.DLL
C:\VUNDOFIX BACKUPS\XXYAYAX.DLL.BAD

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\BBJBATOH.DLL
HKLM\Software\Classes\CLSID\{E1759A31-E627-4758-9562-6899DF36C9C2}
HKCR\CLSID\{E1759A31-E627-4758-9562-6899DF36C9C2}
HKCR\CLSID\{E1759A31-E627-4758-9562-6899DF36C9C2}\InprocServer32
HKCR\CLSID\{E1759A31-E627-4758-9562-6899DF36C9C2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1759A31-E627-4758-9562-6899DF36C9C2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E1759A31-E627-4758-9562-6899DF36C9C2}
HKCR\CLSID\{E1759A31-E627-4758-9562-6899DF36C9C2}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{38ea30fe-4f46-447e-a074-34ed0a629874}
HKCR\CLSID\{38EA30FE-4F46-447E-A074-34ED0A629874}
HKCR\CLSID\{38EA30FE-4F46-447E-A074-34ED0A629874}\InprocServer32
HKCR\CLSID\{38EA30FE-4F46-447E-A074-34ED0A629874}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\ROHQCJLS.DLL
C:\WINDOWS\SYSTEM32\NDKTALMM.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{3B28542D-4125-4522-AC31-C4001D6B8B6F}
HKCR\CLSID\{3B28542D-4125-4522-AC31-C4001D6B8B6F}
HKCR\CLSID\{3B28542D-4125-4522-AC31-C4001D6B8B6F}\InprocServer32
HKCR\CLSID\{3B28542D-4125-4522-AC31-C4001D6B8B6F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLJ.DLL
HKLM\Software\Classes\CLSID\{523FC63B-413F-4385-A5F0-6B8AA58CD4A3}
HKCR\CLSID\{523FC63B-413F-4385-A5F0-6B8AA58CD4A3}
HKCR\CLSID\{523FC63B-413F-4385-A5F0-6B8AA58CD4A3}\InprocServer32
HKCR\CLSID\{523FC63B-413F-4385-A5F0-6B8AA58CD4A3}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B28542D-4125-4522-AC31-C4001D6B8B6F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{523FC63B-413F-4385-A5F0-6B8AA58CD4A3}

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\DOCUMENTS AND SETTINGS\ZACH\LOCAL SETTINGS\TEMP\NI.UGA6P_5555_N122M0312\SETUP.EXE

Adware.Yazzle-Installer
C:\DOCUMENTS AND SETTINGS\ZACH\LOCAL SETTINGS\TEMP\YAZZSNET.EXE

Trojan.Downloader-Gen/BundleBase
C:\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:22 AM

Posted 23 February 2008 - 08:32 AM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 ihateviruses62

ihateviruses62
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:22 AM

Posted 23 February 2008 - 09:39 PM

Yeah I saw that. I removed the old Java last night. I'll install the new one pretty soon. Tyvm for all of your help! :thumbsup:

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:22 AM

Posted 23 February 2008 - 10:44 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 ihateviruses62

ihateviruses62
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:22 AM

Posted 23 February 2008 - 11:54 PM

Alright did that. :flowers: Not much happened though because I kept on turning system restore on and off throughout the process of cleaning up my PC so that it would delete itself. Things are looking good. :thumbsup:

Edited by ihateviruses62, 23 February 2008 - 11:54 PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:22 AM

Posted 24 February 2008 - 07:24 AM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".
"Block Unwanted Parasites with a Custom Hosts File" - Instructions for the MVPS HOSTS File
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users