#37049 Hjacker

Your log file is missing important header information. Please close all open programs (especially your web browser), run HJT again, choose the option of saving the logfile (don't have it fix anything yet!), open the logfile in Windows Notepad, and cut-n-paste the entire contents of the file here.

DMR.... sorry for not giving you enough information to identify my problem. I re-ran HJT and the log is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 7:03:44 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\javazb32.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\netcw32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtwAdvCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Michael Harshbarger\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xykej.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xykej.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xykej.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xykej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xykej.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xykej.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07E4FD77-394B-B875-5A4B-DD790369CC6A} - C:\WINDOWS\sdknz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_8_6.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe -Show
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPMon32.exe"
O4 - HKLM\..\Run: [netcw32.exe] C:\WINDOWS\system32\netcw32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKLM\..\RunOnce: [ieul32.exe] C:\WINDOWS\system32\ieul32.exe
O4 - HKLM\..\RunOnce: [addkp32.exe] C:\WINDOWS\system32\addkp32.exe
O4 - HKLM\..\RunOnce: [atlyi32.exe] C:\WINDOWS\atlyi32.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\system32\msng32.exe
O4 - HKLM\..\RunOnce: [mfctx.exe] C:\WINDOWS\system32\mfctx.exe
O4 - HKLM\..\RunOnce: [atlpm.exe] C:\WINDOWS\atlpm.exe
O4 - HKLM\..\RunOnce: [winod32.exe] C:\WINDOWS\winod32.exe
O4 - HKLM\..\RunOnce: [crtz32.exe] C:\WINDOWS\crtz32.exe
O4 - HKLM\..\RunOnce: [atlgk32.exe] C:\WINDOWS\system32\atlgk32.exe
O4 - HKLM\..\RunOnce: [winfd32.exe] C:\WINDOWS\winfd32.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1083618652750
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.8365972222
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} - http://fr4-download.strip-player.com/download/stripplayer/bin/activestripsetup_minsize.cab

Thanks alot for taking a look at this.

bervooby

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop. Do not run yet

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.' Do not run yet

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xykej.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xykej.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xykej.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xykej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xykej.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xykej.dll/sp.html#37049

O2 - BHO: (no name) - {07E4FD77-394B-B875-5A4B-DD790369CC6A} - C:\WINDOWS\sdknz.dll

O4 - HKLM\..\Run: [netcw32.exe] C:\WINDOWS\system32\netcw32.exe
O4 - HKLM\..\RunOnce: [ieul32.exe] C:\WINDOWS\system32\ieul32.exe
O4 - HKLM\..\RunOnce: [addkp32.exe] C:\WINDOWS\system32\addkp32.exe
O4 - HKLM\..\RunOnce: [atlyi32.exe] C:\WINDOWS\atlyi32.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\system32\msng32.exe
O4 - HKLM\..\RunOnce: [mfctx.exe] C:\WINDOWS\system32\mfctx.exe
O4 - HKLM\..\RunOnce: [atlpm.exe] C:\WINDOWS\atlpm.exe
O4 - HKLM\..\RunOnce: [winod32.exe] C:\WINDOWS\winod32.exe
O4 - HKLM\..\RunOnce: [crtz32.exe] C:\WINDOWS\crtz32.exe
O4 - HKLM\..\RunOnce: [atlgk32.exe] C:\WINDOWS\system32\atlgk32.exe
O4 - HKLM\..\RunOnce: [winfd32.exe] C:\WINDOWS\winfd32.exe

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} - http://fr4-download.strip-player.co...tup_minsize.cab

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.