
Help! Yoogee hijacked my web pages...


raylene
August 8th, 2003, 05:51 AM
Attached is the logfile from the hijack program. Please help me to get rid of the yoogee... Thank you.

Raylene


***********************************
Logfile of HijackThis v1.96.0
Scan saved at 05:37:38 PM, on 92/8/8
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Presentia\LTDMgr.exe
C:\Program Files\Common Files\Presentia\LSvr.exe
C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\Windows Update Setup Files\ie6setup.exe
C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
C:\Documents and Settings\ralia\Local Settings\Temp\IXP000.TMP\ie6wzd.exe
C:\Program Files\Hotbar\bin\4.3.2.0\HbSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program file\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
O4 - Startup: .plugin140.trace
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: Plus!.bmp
O4 - Global Startup: ntuser.pol
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Openbar Search (&Q) - res://C:\WINNT\Downloaded Program Files\pp_res.dll/QuerySel.htm
O8 - Extra context menu item: Openbar Change Background - res://C:\WINNT\Downloaded Program Files\pp_res.dll/ReplaceSkinSel.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: gcaee - http://www.pki.gov.tw/gcaee/gcaee.CAB
O16 - DPF: {03FD3234-98CA-4C47-B814-0799F74DA780} (&Openbar) - http://www.openbar.com.tw/0/download/pp.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.skogssverige.se/CFIDE/classes/CFJava.cab
O16 - DPF: {0D663AC0-A152-47D0-8696-9F7DB4707D03} - http://tw.f2.pg.photos.yahoo.com/ocx/tw/yexplorer1_9tw.cab
O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
O16 - DPF: {36F680C3-6675-4F2F-A013-F812279C722B} - http://202.39.225.21/Labor3/FileReq.cab
O16 - DPF: {4CD94406-5700-11D3-A924-0080C8424885} - http://202.39.225.21/Labor3/CKSACTX202.CAB
O16 - DPF: {56E533A6-9102-11D3-BB25-00E01898E891} - http://202.39.225.21/tl10/LONGCKS202.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://202.39.225.109/emap/mgaxctrl.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://intranet.swedishtrade.se/STC/Portal/resources/msddsc.cab
O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: {897D8A66-C9A1-11D3-BB18-00E01898E891} (Busines1 Control) - http://202.39.225.21/psdj2/BUSINES202.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A2C271DF-91C3-11D5-9FA6-860301900128} (PPlayerX Control) - http://www.paragonmicro.com.tw/vpop/pplayer.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E9AAB5FD-AB85-4828-A848-5C4927DB5237} (EEX Control) - http://www.pki.gov.tw/bli/EEX.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swedishtrade.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swedishtrade.se
O17 - HKLM\System\CS1\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swedishtrade.se
O17 - HKLM\System\CS2\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw

Pieter_Arntz
August 8th, 2003, 07:20 AM
Hi raylene,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)

O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll

O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe /Upgrade

O16 - DPF: {03FD3234-98CA-4C47-B814-0799F74DA780} (&Openbar) - http://www.openbar.com.tw/0/download/pp.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

Reboot after doing so, preferably into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
and delete:
C:\Program Files\Hotbar <= entire folder

The ones that follow are hard for me to decide whether they can be trusted:

O4 - Startup: .plugin140.trace
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: Plus!.bmp
O4 - Global Startup: ntuser.pol


O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.skogssverige.se/CFIDE/classes/CFJava.cab
O16 - DPF: {0D663AC0-A152-47D0-8696-9F7DB4707D03} - http://tw.f2.pg.photos.yahoo.com/ocx/tw/yexplorer1_9tw.cab
O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
O16 - DPF: {36F680C3-6675-4F2F-A013-F812279C722B} - http://202.39.225.21/Labor3/FileReq.cab
O16 - DPF: {4CD94406-5700-11D3-A924-0080C8424885} - http://202.39.225.21/Labor3/CKSACTX202.CAB
O16 - DPF: {56E533A6-9102-11D3-BB25-00E01898E891} - http://202.39.225.21/tl10/LONGCKS202.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://202.39.225.109/emap/mgaxctrl.cab

HTH,

Pieter

TonyKlein
August 10th, 2003, 06:58 AM
These need to be fixed as well:

O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe

It's this parasite:

http://www.doxdesk.com/parasite/PowerStrip.html

Raylene
August 10th, 2003, 11:59 PM
Thank both of you!!! It's fine now. You are great!!! Thanks a lot!

Raylene

Pieter_Arntz
August 11th, 2003, 02:38 AM
Hi Raylene,

Glad we could help. :)

Sorry I missed the Powerstrip entries, but Tony saved my behind (again).

Happy surfing,

Pieter

TonyKlein
August 11th, 2003, 04:26 AM
Same here! ;)

snapdragin
April 23rd, 2004, 07:17 PM
BIGDOG196, I've moved your post to a new thread in the 'adware, spyware & hijack cleaning' forum. Please follow the link below - snap

http://www.wilderssecurity.com/showthread.php?t=29135

Martyn
June 30th, 2004, 03:39 PM
Hi,
Read these responses with interest but still frustrated! Can you help with this? I will try almost anything.

Many thanks in advance

Martyn :)

dog
June 30th, 2004, 08:45 PM
Hi Martyn, ;)

Welcome to Wilders' ;)

Please follow these instructions by LWM Posting a Hijack This Log (http://www.wilderssecurity.com/showthread.php?t=15913)

Then start a "new" thread in the Hijack forum - Here (http://www.wilderssecurity.com/forumdisplay.php?f=26). Please be patient as many of the experts live in different time zones, but someone will address your log shortly. ;)

In the mean time you might be interested to read this - How did I get infected in the first place? (http://www.wilderssecurity.com/showthread.php?t=27971)

dog - *puppy*

Martyn
July 3rd, 2004, 05:37 AM
Thanks Dog,

I have done as suggested and posted a new thread.

Fingers crossed!

Cheers

Martyn

Cinn
July 8th, 2004, 03:40 PM
I found this on Google after having a serious problem with yoogee. It's stopping me getting to websites I wish to access, but I don't know how to
get rid of it. Please can you help? I would really appreciate it.
Please help me.

Paul Wilders
July 8th, 2004, 04:29 PM
Cinn,

register as a forum member and follow dog's advice (reply #9)

regards,

paul

Cinn
July 9th, 2004, 03:33 PM
Thanks, i'll hopefully get rid of it.
Thanks Paul Wilders! :D

Cinn.

P.S. I should probably thank Dog too, because I got the instructions from Dog...... :D

chezza27
September 13th, 2004, 04:22 PM
Hi, I've also got this problem too! I don't know whether anyone can help me???

I've just run HijackThis and here is the log file

Logfile of HijackThis v1.97.7
Scan saved at 21:11:45, on 13/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\cmfcjq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Soviet Russia\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redimps.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freenetname.co.uk/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem215.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [haxzwvjp] C:\WINDOWS\System32\cmfcjq.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [WinLoader] lxfnwqarpmic.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Can anyone help???
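A small triage script, added here as an example and not part of the original thread or of HijackThis itself, that applies the reasoning the helpers used by hand to a constructed subset of lines taken from the two logs posted above. The adware names it matches (Hotbar, Openbar, Presentia/PowerStrip, MemoryMeter) are the ones identified in this thread; the other rules (a Shell= line that loads something besides Explorer.exe, an O1 hosts override, an orphaned toolbar, a RunServices entry with no path, an ActiveX control fetched from a raw IP, a random-looking autorun name) are the editor's own heuristics, and a flagged line still needs a human decision, exactly as the thread shows.

```python
"""Triage a HijackThis log the way this thread's helpers did by hand:
parse each numbered entry and flag the kinds they told the posters to fix.
Every rule is a heuristic; a flagged line still needs a human decision."""
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4", "F0", "O16"
    body: str      # the rest of the line after "O4 - "


class Finding(NamedTuple):
    section: str
    body: str
    reason: str


# Components this thread's helpers identified as adware/parasite pieces
# (Hotbar, Openbar, Presentia = PowerStrip, MemoryMeter).
ADWARE_MARKERS = ("hotbar", "openbar", "presentia", "memorymeter")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")

# Constructed sample: a subset of lines copied from the two logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\System32.exe
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
O4 - HKLM\..\Run: [haxzwvjp] C:\WINDOWS\System32\cmfcjq.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [WinLoader] lxfnwqarpmic.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def parse_log(text: str) -> List[Entry]:
    """Keep only the numbered entries; the process list and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_random(name: str, cmd: str) -> bool:
    """Heuristic (editor's assumption, not from the thread): an autorun name of
    7+ letters with at most one vowel that does not reappear in its command."""
    n = name.lower()
    vowels = sum(c in "aeiouy" for c in n)
    return len(n) >= 7 and n.isalpha() and vowels <= 1 and n not in cmd.lower()


def reasons_for(e: Entry) -> List[str]:
    """Return every reason this entry deserves a second look (empty if none)."""
    low = e.body.lower()
    out: List[str] = []
    if e.section in ("F0", "F2") and "shell=" in low:
        shell_cmd = e.body.split("=", 1)[1].strip()
        if shell_cmd.lower() != "explorer.exe":
            out.append("shell hijack: extra program loaded alongside Explorer.exe")
    elif e.section == "O1":
        out.append("hosts file override redirects a hostname")
    elif e.section == "O3" and "(file missing)" in low:
        out.append("orphaned toolbar registration")
    elif e.section == "O4":
        m = RUN_RE.search(e.body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if "runservices" in low and "\\" not in cmd:
                out.append("RunServices entry with an empty or path-less command")
            elif looks_random(name, cmd):
                out.append("random-looking autorun name (heuristic)")
    elif e.section == "O16" and IP_URL_RE.search(e.body):
        out.append("ActiveX control downloaded from a raw IP address")
    if any(marker in low for marker in ADWARE_MARKERS):
        out.append("component named as adware in this thread")
    return out


def triage(entries: List[Entry]) -> List[Finding]:
    """One Finding per entry that triggered at least one rule."""
    findings = []
    for e in entries:
        reasons = reasons_for(e)
        if reasons:
            findings.append(Finding(e.section, e.body, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section}: {f.reason}\n    {f.body}")
```

On the sample above the script flags nine entries and leaves the &Radio toolbar, the MSN Messenger autorun and the Macromedia Flash control alone. The name-based rule is deliberately narrow: a bare file name in a plain Run key (mobsync.exe, loadqm.exe, internat.exe in the first log) is normal for System32 programs, so only RunServices entries are held to the "must have a path" standard.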

snapdragin
September 14th, 2004, 12:18 AM
Hi chezza27,

I am afraid we no longer allow the posting of unsolicited HijackThis logs as per our Posting Policy stated in this Announcement (http://www.wilderssecurity.com/showthread.php?t=42148). However, you will find a link in the Announcement Post to several other sites that still do provide HijackThis log analysis service.

Whichever site you decide to go to, please be sure to read their FAQs and follow their posting policy before you post your HijackThis log.

Regards,

snap