Help! Yoogee hijacked my web pages...

Discussion in 'privacy problems' started by raylene, Aug 8, 2003.

Thread Status:
Not open for further replies.
  1. raylene

    raylene Guest

    Attached the logfile from hijack program. Please help me to get rid of the yoogee... Thank you.

    Raylene


    ***********************************
    Logfile of HijackThis v1.96.0
    Scan saved at 05:37:38 PM, on 92/8/8
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Presentia\LTDMgr.exe
    C:\Program Files\Common Files\Presentia\LSvr.exe
    C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\Windows Update Setup Files\ie6setup.exe
    C:\Program Files\Microsoft Office\Office\1028\msoffice.exe
    C:\Documents and Settings\ralia\Local Settings\Temp\IXP000.TMP\ie6wzd.exe
    C:\Program Files\Hotbar\bin\4.3.2.0\HbSrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    H:\Program file\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
    O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
    O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe /Upgrade
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
    O4 - Startup: .plugin140.trace
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: Plus!.bmp
    O4 - Global Startup: ntuser.pol
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Openbar Search (&Q) - res://C:\WINNT\Downloaded Program Files\pp_res.dll/QuerySel.htm
    O8 - Extra context menu item: Openbar Change Background - res://C:\WINNT\Downloaded Program Files\pp_res.dll/ReplaceSkinSel.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: gcaee - http://www.pki.gov.tw/gcaee/gcaee.CAB
    O16 - DPF: {03FD3234-98CA-4C47-B814-0799F74DA780} (&Openbar) - http://www.openbar.com.tw/0/download/pp.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.skogssverige.se/CFIDE/classes/CFJava.cab
    O16 - DPF: {0D663AC0-A152-47D0-8696-9F7DB4707D03} - http://tw.f2.pg.photos.yahoo.com/ocx/tw/yexplorer1_9tw.cab
    O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
    O16 - DPF: {36F680C3-6675-4F2F-A013-F812279C722B} - http://202.39.225.21/Labor3/FileReq.cab
    O16 - DPF: {4CD94406-5700-11D3-A924-0080C8424885} - http://202.39.225.21/Labor3/CKSACTX202.CAB
    O16 - DPF: {56E533A6-9102-11D3-BB25-00E01898E891} - http://202.39.225.21/tl10/LONGCKS202.CAB
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://202.39.225.109/emap/mgaxctrl.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://intranet.swedishtrade.se/STC/Portal/resources/msddsc.cab
    O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
    O16 - DPF: {897D8A66-C9A1-11D3-BB18-00E01898E891} (Busines1 Control) - http://202.39.225.21/psdj2/BUSINES202.CAB
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A2C271DF-91C3-11D5-9FA6-860301900128} (PPlayerX Control) - http://www.paragonmicro.com.tw/vpop/pplayer.cab
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E9AAB5FD-AB85-4828-A848-5C4927DB5237} (EEX Control) - http://www.pki.gov.tw/bli/EEX.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swedishtrade.se
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swedishtrade.se
    O17 - HKLM\System\CS1\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swedishtrade.se
    O17 - HKLM\System\CS2\Services\Tcpip\..\{57FA0317-E84F-4485-8A00-62AF00E85C1D}: Domain = swedishtrade.org.tw
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi raylene,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll
    O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)

    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.2.0\HbHostIE.dll

    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe /Upgrade

    O16 - DPF: {03FD3234-98CA-4C47-B814-0799F74DA780} (&Openbar) - http://www.openbar.com.tw/0/download/pp.cab
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

    Reboot after doing so, preferably into safe mode, and delete:
    C:\Program Files\Hotbar <= entire folder

    For the ones that follow it is hard for me to decide whether they can be trusted:

    O4 - Startup: .plugin140.trace
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: Plus!.bmp
    O4 - Global Startup: ntuser.pol


    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.skogssverige.se/CFIDE/classes/CFJava.cab
    O16 - DPF: {0D663AC0-A152-47D0-8696-9F7DB4707D03} - http://tw.f2.pg.photos.yahoo.com/ocx/tw/yexplorer1_9tw.cab
    O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
    O16 - DPF: {36F680C3-6675-4F2F-A013-F812279C722B} - http://202.39.225.21/Labor3/FileReq.cab
    O16 - DPF: {4CD94406-5700-11D3-A924-0080C8424885} - http://202.39.225.21/Labor3/CKSACTX202.CAB
    O16 - DPF: {56E533A6-9102-11D3-BB25-00E01898E891} - http://202.39.225.21/tl10/LONGCKS202.CAB
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://202.39.225.109/emap/mgaxctrl.cab

    HTH,

    Pieter
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    These need to be fixed as well:

    O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
    O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe


    It's this parasite:

    http://www.doxdesk.com/parasite/PowerStrip.html
     
  4. Raylene

    Raylene Guest

    THANK BOTH OF YOU!!! IT'S FINE NOW. YOU ARE GREAT!!! THANKS A LOT!

    Raylene
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Raylene,

    Glad we could help. :)

    Sorry I missed the Powerstrip entries, but Tony saved my behind (again).

    Happy surfing,

    Pieter
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Same here! ;)
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  8. Martyn

    Martyn Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    4
    Location:
    Bedford Uk
    Hi,
    Read these responses with interest but still frustrated! Can you help with this? I will try almost anything.

    Many thanks in advance

    Martyn :)
     

    Attached Files:

  9. dog

    dog Guest

    Hi Martyn, ;)

    Welcome to Wilders' ;)

    Please follow these instructions by LWM: Posting a Hijack This Log

    Then start a "new" thread in the Hijack forum (Here). Please be patient, as many of the experts live in different time zones, but someone will address your log shortly. ;)

    In the mean time you might be interested to read this - How did I get infected in the first place?

    dog - *puppy*
     
  10. Martyn

    Martyn Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    4
    Location:
    Bedford Uk
    Thanks Dog,

    I have done as suggested and posted a new thread.

    Fingers crossed!

    Cheers

    Martyn
     
  11. Cinn

    Cinn Guest

    I found this on Google after having a serious problem with yoogee. It's stopping me getting to websites I wish to access, but I don't know how to get rid of it. Please can you help? I would really appreciate it.
    Please help me.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Cinn,

    Register as a forum member and follow dog's advice (reply #9).

    regards,

    paul
     
  13. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Thanks, I'll hopefully get rid of it.
    Thanks Paul Wilders! :D

    Cinn.

    P.S. I should probably thank Dog too, because I got the instructions from Dog...... :D
     
  14. chezza27

    chezza27 Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    1
    Hi, I've also got this problem too! I don't know whether anyone can help me?

    I've just run HijackThis and here is the log file

    Logfile of HijackThis v1.97.7
    Scan saved at 21:11:45, on 13/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\System32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\cmfcjq.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Soviet Russia\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redimps.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freenetname.co.uk/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    O1 - Hosts: 1089288654 auto.search.msn.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem215.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [haxzwvjp] C:\WINDOWS\System32\cmfcjq.exe
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [WinLoader] lxfnwqarpmic.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

    Can anyone help?
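Both logs in this thread were triaged by eye. As an added example (not code from the thread, from HijackThis, or from Wilders), the Python script below parses the HijackThis entry format and applies a few of the checks the replies above make by hand: a Winlogon Shell= value with something appended to Explorer.exe (chezza27's F0/F2 lines), a hosts-file override (the O1 line, whose dotless decimal address is decoded to dotted form), a registration whose DLL is missing (the Openbar O3 line), ActiveX controls pulled from a bare IP address (the 202.39.225.21 O16 lines Pieter was unsure about), and autorun entries that give only a bare file name. The sample lines are copied from the two logs posted on this page and are labelled as a constructed sample; the severity labels and heuristics are my own assumptions, not anything HijackThis itself reports.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlparse

# Constructed sample input: lines copied from the two HijackThis logs posted in
# this thread (raylene's Windows 2000 log and chezza27's Windows XP log), trimmed
# to the entry types the triage below looks at. Nothing here is fetched or executed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O3 - Toolbar: &Openbar - {03FD3234-98CA-4C47-B814-0799F74DA780} - C:\WINNT\DOWNLO~1\pp.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunServices: [WinLoader] lxfnwqarpmic.exe
O16 - DPF: {27A7CA75-09E6-4F24-92DA-C6477FF807E6} - http://202.39.225.21/Labor3/LaborForm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 1089288654 auto.search.msn.com
"""

# Every HijackThis entry starts with a section code ("O4", "F2", "R0", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Return [(section, body), ...]; the header and 'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def hosts_target(addr):
    """Normalise the address field of a hosts entry to dotted IPv4, or None.

    inet_addr() on Windows also accepts a single 32-bit decimal ("dotless") value,
    which hijackers used because it does not look like an address in the hosts file.
    """
    if addr.isdigit():
        n = int(addr)
        return str(IPv4Address(n)) if n < 2**32 else None
    try:
        return str(IPv4Address(addr))
    except ValueError:
        return None


def triage(entries):
    """Apply a few heuristics (mine, not HijackThis's) and return (severity, section, note) tuples."""
    findings = []
    for sec, body in entries:
        if sec in ("F0", "F2") and "Shell=" in body:
            # Winlogon's Shell value should be exactly Explorer.exe; anything appended
            # is launched at every logon alongside the desktop.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("high", sec, f"Shell= is not plain Explorer.exe: {shell}"))
        elif sec == "O1":
            # "Hosts: <address> <hostname>": any override of a public name is a redirect.
            fields = body.split(":", 1)[1].split()
            if len(fields) >= 2:
                ip = hosts_target(fields[0]) or fields[0]
                findings.append(("high", sec, f"hosts file sends {fields[1]} to {ip}"))
        elif sec in ("O2", "O3") and body.endswith("(file missing)"):
            # Registration left behind after the DLL was removed; harmless but worth fixing.
            findings.append(("medium", sec, f"stale registration: {body}"))
        elif sec == "O16":
            # Downloaded Program Files: an ActiveX control installed from a URL.
            parts = body.rsplit(" - ", 1)
            url = parts[1].strip() if len(parts) == 2 else ""
            host = urlparse(url).hostname if url.startswith("http") else None
            if host and hosts_target(host):
                findings.append(("review", sec, f"ActiveX control fetched from a bare IP: {url}"))
        elif sec == "O4":
            # "[name] command": a command with no path is resolved via the search path
            # at logon. Windows' own entries (mobsync.exe, loadqm.exe) look like this too,
            # so this is a prompt to check where the file actually lives, not a verdict.
            m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)", body)
            if m and not re.search(r"[\\:]", m.group("cmd")):
                findings.append(("review", sec, f"autorun '{m.group('name')}' uses a bare file name: {m.group('cmd')}"))
    return findings


def summarize(text):
    """Counts per severity, so a reviewer sees at a glance whether anything is high."""
    counts = {"high": 0, "medium": 0, "review": 0}
    for sev, _, _ in triage(parse_log(text)):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, sec, note in triage(parse_log(SAMPLE_LOG)):
        print(f"{sev:7} {sec:4} {note}")
    print(summarize(SAMPLE_LOG))
```

Run against a full log, the "review" items are the ones that still need a human: the labour-office controls from 202.39.225.21 were legitimate in raylene's case, while the bare-name RunServices entry in chezza27's log is the kind of thing the script can only point at, not judge.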
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi chezza27,

    I am afraid we no longer allow the posting of unsolicited HijackThis logs as per our Posting Policy stated in this Announcement. However, you will find a link in the Announcement Post to several other sites that still do provide HijackThis log analysis service.

    Whichever site you decide to go to, please be sure to read their FAQs and follow their posting policy before you post your HijackThis log.

    Regards,

    snap
     