Please help me with my Yoogee problem.

Discussion in 'adware, spyware & hijack cleaning' started by Cinn, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Yo, I need help! Yoogee's taking the world by force! :eek: Something we must stop because it hijacks into web sites people want to view.

    This keeps happening to me, I want to access a web page which I used to be able to access freely, but now every time it starts to load yoogee hijacks it and I get the yoogee homepage put into my address box.

    Please help me get rid of yoogee. PLEASE!!!

    Cinn.
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cinn,

    Please follow ALL the instructions, and each step in this link, carefully:
    HOW TO? Read here about how to post your log!!

    Once you have downloaded HijackThis, create a permanent folder for it on your C: (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

    Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log and copy and paste the entire contents of the log here in this thread.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Thanks for the pointer Snap.

    Here's the log I got. By the way, I used spybot.


    Logfile of HijackThis v1.97.7
    Scan saved at 20:12:27, on 11/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\hannah\Local Settings\Temporary Internet Files\Content.IE5\MVI7UXIF\HijackThis[1].exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF9C74-BFD5-4DB1-A580-D3359F6BD0E9}: NameServer = 213.120.62.100 213.120.62.101


    Where I go from here, that's what I need help with now.

    Cinn.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cinn,

    First, bring up Task Manager (Ctrl-Alt-Del) to end the running processes for automove.exe.

    Next, create a permanent folder on your C: drive (example: C:\HJT\ ) and unzip HijackThis to the permanent folder. HijackThis must run from its own folder and not the Desktop or Temp folders. It creates backups in the folder it is run from, so if you should delete something you needed, you will be able to restore it from the backups.

    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:


    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:
    C:\WINDOWS\System32\automove.exe <--file
    C:\WINDOWS\nem219.dll <--file (may be gone but check just in case)
    C:\WINDOWS\System32\SWin32.dll <-- (may be gone but check just in case)

    While still in safe mode, navigate to C:\Documents and Settings\hannah\Local Settings\Temp\ <--- select everything in that folder and delete it (do not delete the Temp folder itself though).

    Then navigate to the C:\windows\temp\ and delete everything in there too except the following folders, Temporary Internet Files, Cookies and History folders (leave those)

    And clear your IE cache: open IE --> Tools --> Internet Options --> click on "Delete Files" and put a check in the box for "Off line contents", click OK, then click the "History" button, then click "yes" to clear it, then "OK" to close the Internet Options Panel.

    ______

    Reboot your computer normally.

    Then before you do anything else, go to Microsoft's Update Site, download and install ALL the Security Patches & Critical Updates listed for XP and IE6. You are badly behind in your Security Patches and Updates and you risk worse infection because of that.

    Make sure you are using the most current versions of Spybot S&D v1.3, and AdAware6 build 6.181, and have checked for updates and brought them up to date. Then follow up with a scan using both Spybot S&D and AdAware6.


    I have no idea what this is. Do you know what it is used for?
    O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe

    If not, please upload the I386dr.exe to Kaspersky for a scan, and let me know what the scan report is in your next reply.

    Post a new log here in this thread to be checked.

    Regards,

    snap
     
  5. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Yo Snap,

    I'm stuck on the advice you gave me. I did the first two things and now
    HijackThis has its own folder, but it won't run, and there's no other files in it apart from the log I made from the other steps.

    Please could you tell me where these folders I need to check for fixThis are...

    Thanks for all your help so far,

    Cinn.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cinn,

    Moving Hijackthis into its own folder wouldn't cause the program to not run. Maybe it became corrupted somehow.

    Have a permanent folder ready to put Hijackthis into, then go here and download the newer version (do not choose Open, choose Save, and save the file to the new folder you made): Hijackthis 1.98.0-hotfix.

    Now go to the folder and click on the Hijackthis1980hf.exe to run it.

    Let me know if it works.

    Regards,

    snap
     
  7. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Yo Snap,

    Thanks, the new link worked.

    Now, about the click *fix checked. (well I think that's what you said, it was similar to that anyways)

    Do I only check the ones that have a name EXACTLY like the ones you said or the ones that are exactly the same AND are VERY VERY VERY similar?

    Please answer,

    Cinn.

    P.S. Thanks for all help so far. :D
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LOL well now you have me curious Cinn.

    You would put a check in the box beside the ones I have listed that look exactly like the ones I have listed. But since you have said "VERY VERY VERY similar", I'm wondering what those similar entries are.

    Before you do anything, please rescan with Hijackthis (the one you just downloaded) and post a new log here for me to check first.

    Oh, and did you upload the I386dr.exe file to Kaspersky for a scan? I'd really like to know what the scan says about it since I am not finding any information on what that file is or what it is used for.

    Regards,

    snap
     
  9. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Yo Snap,

    Well the bit in blue is the new log, you may see what I mean by VERY VERY VERY similar now.... I think...

    Logfile of HijackThis v1.98.0
    Scan saved at 19:35:11, on 15/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\HiJackThis\HijackThis1980hf.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF9C74-BFD5-4DB1-A580-D3359F6BD0E9}: NameServer = 213.120.62.98 213.120.62.103
    O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\RS Electronic Catalogue\ProtocolHandler.dll


    Thanks for helping,

    Cinn.
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cinn,

    I see what you mean now. Yes, the newer version of Hijackthis reveals a bit more information, but it is always better to ask first rather than guess.

    Please rescan with Hijackthis, when the scan is finished put a check in the box beside the items I have listed below in bold (and ONLY those items).
    Then make sure you have no browsers open, or any other windows open, and press the button, *Fix checked*

    R3 - Default URLSearchHook is missing

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe


    (optional to fix, but will save you resources if you do)
    O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE


    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:
    C:\WINDOWS\System32\automove.exe <--file
    C:\WINDOWS\nem219.dll <--file (may be gone but check just in case)
    C:\WINDOWS\System32\SWin32.dll <-- (may be gone but check just in case)

    ----

    (I have no idea what the RS Electronic Catalogue is, so I have to say leave this one alone since I do not have any information on it to advise you otherwise. Unless you can tell me what it is? )
    O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\RS Electronic Catalogue\ProtocolHandler.dll

    (The same applies to this line. I cannot tell you to fix it if I don't know what it is, or why it is there)
    O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe

    Did you upload the I386dr.exe to Kaspersky for a scan? If yes, what did the scan say?

    Also, I see you have not yet gone to Microsoft Update and installed the Service Packs and Critical Updates. You risk greater infection without those. Please do that as quickly as possible.

    After following the above instructions, rescan with Hijackthis and post a new log here to be checked.

    Regards,

    snap
     
  11. Cinn

    Cinn Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    7
    Yo Snap,

    As usual the bit in blue is the log, but before I post it, may I ask what are the updates and things from Microsoft Update?

    Logfile of HijackThis v1.98.0
    Scan saved at 20:53:34, on 16/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HiJackThis\HijackThis1980hf.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF9C74-BFD5-4DB1-A580-D3359F6BD0E9}: NameServer = 213.1.119.97 213.1.119.98
    O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\RS Electronic Catalogue\ProtocolHandler.dll


    Thanks for all your help so far,

    Cinn.

    P.S. RS Electrical Catalogue is a catalogue my dad gets to do with electric circuit parts and stuff. I hope that clears things up. And I didn't get the Kaspersky scan, if this is vitally important I apologise for not getting it.
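The check snapdragin asks for in posts 4 and 10 (fix the listed entries, reboot, then post a fresh log) amounts to diffing the log from before the fix against the one from after it: the R3, the two O2 BHOs and the O4 Adstartup entry should be gone, nothing new should have appeared, and anything that merely changed (the O17 NameServer line changes in every log in this thread) should be surfaced for the reviewer rather than silently ignored. The script below is an added example and is not part of the thread or of HijackThis itself. The two log excerpts are copied from the second and third logs posted above and trimmed to the sections that matter; KNOWN_RUN, FIX_ARTIFACTS and the function names are assumptions made for the example.

```python
"""Diff two HijackThis logs to confirm a fix took, and list autostart entries still unreviewed.

Added example, not from the thread. The log excerpts are copied from the second and
third logs posted in the thread and trimmed; everything else here is an assumption.
"""
import re

# Constructed excerpt of the log from post 9 (before the fix in post 10).
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF9C74-BFD5-4DB1-A580-D3359F6BD0E9}: NameServer = 213.120.62.98 213.120.62.103
O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\RS Electronic Catalogue\ProtocolHandler.dll
"""

# Constructed excerpt of the log from post 11 (after the fix).
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Restore] C:\\I386dr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF9C74-BFD5-4DB1-A580-D3359F6BD0E9}: NameServer = 213.1.119.97 213.1.119.98
O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\RS Electronic Catalogue\ProtocolHandler.dll
"""

# Files snapdragin told the poster to delete in Safe Mode (assumed list for the check).
FIX_ARTIFACTS = [r"C:\WINDOWS\nem219.dll", r"C:\WINDOWS\System32\SWin32.dll",
                 r"C:\WINDOWS\System32\automove.exe"]
# Autostart names the reviewer has already identified as legitimate (assumed set).
KNOWN_RUN = {"SoundMan", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O4 body: HKLM\..\Run: [Name] value   (also matches RunOnce etc.)
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run[^:]*: \[(?P<name>[^\]]+)\]\s*(?P<value>.*)$")


def iter_entries(log_text):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' line; skips the process list."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def entry_key(sec, body):
    """Stable identifier for an entry, so the same item matches across HJT versions."""
    clsid = CLSID_RE.search(body)
    if sec == "O2" and clsid:                 # BHO: 1.97 prints "(no name)", 1.98 prints the class name
        return clsid.group(0).upper()
    if sec in ("O3", "O9", "O16", "O18") and clsid:
        return body.split(" - ")[0] + " " + clsid.group(0).upper()
    if sec == "O4":
        m = RUN_RE.match(body)
        if m:
            return m.group("hive") + ":" + m.group("name").lower()
    if sec == "O17" and clsid:                # key on the adapter GUID; the value holds the DNS servers
        return clsid.group(0).upper()
    return body


def parse_log(log_text):
    """Return {section: {key: body}}."""
    entries = {}
    for sec, body in iter_entries(log_text):
        entries.setdefault(sec, {})[entry_key(sec, body)] = body
    return entries


def diff_logs(before_text, after_text):
    """Entries removed, added, or changed between two scans."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed, added, changed = [], [], []
    for sec in sorted(set(before) | set(after)):
        b, a = before.get(sec, {}), after.get(sec, {})
        for key, body in b.items():
            if key not in a:
                removed.append((sec, body))
            elif a[key] != body:
                changed.append((sec, body, a[key]))
        for key, body in a.items():
            if key not in b:
                added.append((sec, body))
    return {"removed": removed, "added": added, "changed": changed}


def still_present(log_text, artifacts):
    """Artifacts (paths) that still appear anywhere in the log, in the order given."""
    low = log_text.lower()
    return [a for a in artifacts if a.lower() in low]


def unreviewed_run_entries(log_text, known_names):
    """O4 autostart entries whose [Name] the reviewer has not yet identified."""
    known = {k.lower() for k in known_names}
    out = []
    for sec, body in iter_entries(log_text):
        m = RUN_RE.match(body) if sec == "O4" else None
        if m and m.group("name").lower() not in known:
            out.append((m.group("hive"), m.group("name"), m.group("value")))
    return out


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added"):
        for sec, body in d[label]:
            print(f"{label:8} {sec} - {body}")
    for sec, old, new in d["changed"]:
        print(f"changed  {sec} - {old}\n      -> {sec} - {new}")
    print("artifacts still present:", still_present(LOG_AFTER, FIX_ARTIFACTS))
    print("unreviewed autostarts:", unreviewed_run_entries(LOG_AFTER, KNOWN_RUN))
```

Run against the two excerpts it reports the four removed entries, nothing added, the O17 line as changed, no leftover files, and [Restore] C:\\I386dr.exe as the one autostart still unidentified, which matches where the thread stands at post 11. The script deliberately does not judge the O17 change: a NameServer line that differs between scans on a dial-up or DHCP connection is usually the ISP handing out different servers, but the only way to know is to compare the addresses with the ISP's published ones, so it is reported for the human reviewer rather than ignored.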
     