hand-book, start page

Discussion in 'adware, spyware & hijack cleaning' started by compadre, Nov 29, 2003.

Thread Status:
Not open for further replies.
  1. compadre

    compadre Registered Member

    Joined:
    Nov 29, 2003
    Posts:
    1
    Hi, I need help please, there is a start page that still coming back..
    Thanks.

    here is the hijack log:
    Logfile of HijackThis v1.97.7
    Scan saved at 07:03:24 p.m., on 29/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\ARCHIVOS DE PROGRAMA\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\MSWORKS\CALENDARIO\WKCALREM.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIV~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\D.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\MIS DOCUMENTOS\ALBERTO\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Archivos de programa\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HP Simple Trax] C:\Archivos de programa\CD-Writer Plus\HP Simple Trax\hpcron.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Archivos de programa\CD-Writer Plus\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [VsStatEXE] C:\Archivos de programa\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [knegypm] rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Init 1
    O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [MOSearch] c:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
    O4 - HKCU\..\Run: [Reminder] C:\Archivos de programa\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [Reminder] C:\Archivos de programa\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKLM\..\RunOnce: [*knegypm] rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Init 1
    O4 - Startup: Avisos de Calendario de Microsoft Works.lnk = C:\Archivos de programa\MSWorks\Calendario\WKCALREM.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://c:\ARCHIV~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O19 - User stylesheet: C:\WINDOWS\my.css
    O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
     
    compadre, Nov 29, 2003
    #1
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    hi compadre

    Welcome to wilders

    follow this link and download CW SHREDDER , then run it.

    http://www.wilderssecurity.com/showthread.php?t=14086

    Then wait for one of the moderators to advise u with your hijackthis log.



    Snowbound
     
    snowbound, Nov 29, 2003
    #2
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    The moderators will also ask u to follow the steps in this link,
    http://www.wilderssecurity.com/showthread.php?t=15913

    Before u post a hijackthis log.



    Snowbound
     
    snowbound, Nov 29, 2003
    #3
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi compadre,

    One more thing to do before you post a new log.

    Click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Uninstall > "OK"

    Excellent advise, snowbound. :)

    Regards,

    Pieter
     
    Pieter_Arntz, Nov 30, 2003
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...