
YTBB.exe....Help


7 replies to this topic

#1 i82much

Posted 30 September 2010 - 10:37 AM

Hello:
I got this ytbb.exe file and can't get rid of it by myself, so I'll ask the EXPERTS for help
I ran MBAM and SAS both in safe mode and regular mode (which found other things, but not this) and this file still shows up at times
I had avg8 free but was a resource hog and had to switch to avast
I've noticed through task manager that I'll have a svchost running 10,000 kb and when I stop this process, the computer will be blazin fast
Where do I start?
Thanks for your time and help

Edited by i82much, 30 September 2010 - 10:38 AM.


#2 quietman7

Posted 30 September 2010 - 11:50 AM

You start by identifying the file and whether it is malicious or not BEFORE taking action.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut which is a dangerous polymorphic file infector. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

If you do a Google search for ytbb.exe you will find that malware uses that name and so does Yahoo! Toolbar Assistant. Do you use that Toolbar? If so, it's normally found here: C:\Program Files\Yahoo!\Companion\Installs\cpn\ytbb.exe

If it is giving you problems, then uninstall it. Many toolbars and Add-ons come bundled with other software and can be removed via Add/Remove Programs in Control Panel or Programs and Features in Vista/Windows 7 so check there first.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 i82much

Posted 30 September 2010 - 12:18 PM

I do not use Yahoo toolbar, and it is not listed in the add/remove software.
I did google it, and that's how I found out it might be a bad file
I ran the other programs because the computer was real sloooooow and acting up.
I then found out about ytbb which does not run all the time. It seems to run just before another IE window opens up saying how good something is

#4 quietman7

Posted 30 September 2010 - 12:32 PM

Do a search of your computer and let me know where the file is located.

You can use the Windows Search feature > More advanced options to see if the file(s) is present. To do this, go to Start -> Search and click For Files or Folders... or just press the Windows key + F key on the keyboard.
  • Click All files and folders.
  • Type the name of the file under "Search by...criteria below...All or part of the file name"
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
If you're using Vista, see Windows Vista - Using the Search Function for how to perform an advanced search.

When you find the file, go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of that file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

#5 i82much

Posted 30 September 2010 - 02:04 PM

Hello quietman:
The file was listed twice
Once in program files/yahoo
and once in windows/prefetch
Both were scanned by the place you suggested with no results
I still get the "extra" IE page and once deleted my task bar will change colors and style of font.
Any suggestions?
Thanks Mel

#6 quietman7

Posted 30 September 2010 - 02:49 PM

I thought you said you didn't have the Yahoo Toolbar but you said you didn't use it so maybe you were not aware.

How do I uninstall Yahoo! Toolbar?

#7 i82much

Posted 30 September 2010 - 05:41 PM

The tool bar didn't show up in the browser window until I did a search for it
I followed the instructions on how to uninstall it, but that didn't work
I still get the random IE window that pops up
IE is listed twice in task manager
1 of the 5 svchost runs at 10,000kb or more
any ideas?

#8 quietman7

Posted 30 September 2010 - 07:26 PM

If using Internet Explorer 8 or Windows 7, the browser will run an extra instance of iexplore.exe for a loaded tab as part of the Loosely-Coupled IE and Automatic Crash Recovery features by design. ACR stores information about a browsing session on the hard disk so that in the event of a browser crash, hang, or other unexpected shutdown, it allows you to resume the last browsing session. If using multiple tabs, ACR allows recovery of all opened tabs in case of a browser failure. Essentially that allows Internet Explorer to prevent itself from closing when a web site in one tab crashes. In order to do this, Internet Explorer 8 will open a new process for the main window and another process with any opened tab. As such, it is not unusual to find multiple instances of iexplore.exe running in Task Manager. More information about ACR and LCIE can be found on the IEBlog and an explanation of multiple instances of iexplore.exe is provided by DON, MS MVP IE here. One drawback of this new feature is that ACR has been reported to utilize high memory resources.

Disabling ACR is not recommended, but if you want to do so, please refer to:

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Task Manager in order to optimize the running of the various services.
  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder.

Another technique is for the process to alter the registry and add itself as a service or startup program as shown here and here so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut which is a dangerous polymorphic file infector.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate and see what services a Svchost.exe process is controlling:

Tools to investigate running processes and gather additional information to identify them and resolve problems:

-- These tools will provide information about each process, CPU usage, file description and its path location.

-- System Explorer provides a security check of running processes using their online security database when you first launch the program. If you want to process the initial scan, press the "Start Security Check" button. Keep in mind, that the check is not a guarantee of what is or is not detected as malware. Further investigation is always recommended. At the Security Check page you can also check the file through the VirusTotal database by pressing the Check MD5 button.

-- Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

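The location and spelling checks described in posts #2 and #8, sketched as an added example that is not part of the original thread or any poster's own code. The process snapshot is constructed sample data, and the function names and verdict labels are hypothetical; the expected folders are the two paths quoted in the thread.

```python
import ntpath  # parses Windows paths on any OS

# Expected folders, taken from the paths quoted in the thread.
# (64-bit Windows also ships a copy of svchost.exe under SysWOW64.)
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "ytbb.exe": r"c:\program files\yahoo!\companion\installs\cpn",
}

def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def triage(name, path):
    """Classify one process by image name and the folder it runs from."""
    name_l = name.lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    if name_l in EXPECTED_DIRS:
        # A path match is not a clean verdict: file infectors can alter a genuine file.
        return "expected-location" if folder == EXPECTED_DIRS[name_l] else "wrong-location"
    if any(osa_distance(name_l, known) == 1 for known in EXPECTED_DIRS):
        return "lookalike-name"  # e.g. scvhost.exe posing as svchost.exe
    return "not-listed"

# Constructed sample snapshot of (image name, full path) pairs.
SNAPSHOT = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\Application Data\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
    ("ytbb.exe", r"C:\Program Files\Yahoo!\Companion\Installs\cpn\ytbb.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

def triage_all(snapshot):
    return [(name, path, triage(name, path)) for name, path in snapshot]

if __name__ == "__main__":
    for name, path, verdict in triage_all(SNAPSHOT):
        print(f"{verdict:18} {name:12} {path}")
```

Anything flagged `wrong-location` or `lookalike-name` is a candidate for the file-upload scan suggested in post #4, not a confirmed detection.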



