hand-book, start page

Discussion in 'adware, spyware & hijack cleaning' started by compadre, Nov 29, 2003.

Thread Status:
Not open for further replies.
  1. compadre

    compadre Registered Member

    Joined:
    Nov 29, 2003
    Posts:
    1
    Hi, I need help please, there is a start page that is still coming back.
    Thanks.

    Here is the HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 07:03:24 p.m., on 29/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\ARCHIVOS DE PROGRAMA\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\MSWORKS\CALENDARIO\WKCALREM.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIV~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\ARCHIVOS DE PROGRAMA\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\D.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\CMMON32.EXE
    C:\MIS DOCUMENTOS\ALBERTO\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.psn.cn/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.psn.cn/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.psn.cn/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Archivos de programa\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HP Simple Trax] C:\Archivos de programa\CD-Writer Plus\HP Simple Trax\hpcron.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Archivos de programa\CD-Writer Plus\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [VsStatEXE] C:\Archivos de programa\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [knegypm] rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Init 1
    O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\ARCHIVOS DE PROGRAMA\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [MOSearch] c:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
    O4 - HKCU\..\Run: [Reminder] C:\Archivos de programa\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [Reminder] C:\Archivos de programa\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKLM\..\RunOnce: [*knegypm] rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Init 1
    O4 - Startup: Avisos de Calendario de Microsoft Works.lnk = C:\Archivos de programa\MSWorks\Calendario\WKCALREM.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://c:\ARCHIV~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O19 - User stylesheet: C:\WINDOWS\my.css
    O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
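    An added example, not part of compadre's post and not code from HijackThis itself: a small Python triager that parses the log format above and groups, by the host they point at, the entry types a helper reads first (R0/R1 start-page and search-URL settings, O13 URL prefixes and O19 user stylesheets). The sample input is a constructed excerpt of the log above, and the allowlist of hosts a stock IE install points at is an assumption used only to keep default entries out of the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the line format HijackThis v1.97 prints (values taken
# from the log above; the header and one benign line of each type are kept so
# the filter has something to ignore).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\my.css
"""

# Every HijackThis line is "<kind> - <body>"; R0/R1 bodies are "<regkey>,<value name> = <data>".
LINE_RE = re.compile(r"^(?P<kind>R[01]|F\d|O\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")

# Assumption (not from the page): hosts a default Internet Explorer 6 install points
# its start and search pages at. Anything else in an R0/R1 line gets reported.
KNOWN_GOOD_HOSTS = {
    "www.msn.com", "msn.com", "search.msn.com",
    "www.microsoft.com", "microsoft.com", "home.microsoft.com",
}


def parse_log(text):
    """Yield (kind, body) pairs for the HijackThis item lines, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def host_of(value):
    """Hostname of an http(s) URL, or None when the value is not a URL at all."""
    if not value.lower().startswith(("http://", "https://")):
        return None
    return urlparse(value).hostname


def triage(text):
    """Map each flagged host (or item class) to the log lines that reference it.

    R0/R1: a start/search page on a host outside the allowlist.
    O13:   any URL prefix entry; the stock value is a bare scheme, so a prefix naming a
           web host means every partial address typed into IE is routed through that host.
    O19:   any user stylesheet; IE does not set one by default.
    """
    findings = defaultdict(list)
    for kind, body in parse_log(text):
        if kind in ("R0", "R1"):
            m = R_RE.match(body)
            if not m:
                continue
            host = host_of(m.group("value").strip())
            if host and host not in KNOWN_GOOD_HOSTS:
                findings[host].append(f"{kind} - {body}")
        elif kind == "O13":
            prefix = body.split(":", 1)[1].strip()
            findings[host_of(prefix) or "prefix"].append(f"{kind} - {body}")
        elif kind == "O19":
            findings["user stylesheet"].append(f"{kind} - {body}")
    return dict(findings)


def flagged_hosts(text):
    """Sorted list of the hosts/classes triage() reported, handy for a one-line summary."""
    return sorted(triage(text))


def report(text):
    """Human-readable grouping, one block per host, so related entries are removed together."""
    lines = []
    for host, items in sorted(triage(text).items()):
        lines.append(f"[{host}] {len(items)} entr{'y' if len(items) == 1 else 'ies'}")
        lines.extend("    " + item for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Grouping by host is the point: the R0/R1 lines in the log above split across three hosts (hand-book.com, psn.cn, webcoolsearch.com) plus a fourth in the O13 prefixes, and seeing them clustered makes it obvious which entries belong to the same hijack and should be fixed in one pass rather than one start-page setting at a time.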
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    hi compadre

    Welcome to wilders

    Follow this link and download CWShredder, then run it.

    http://www.wilderssecurity.com/showthread.php?t=14086

    Then wait for one of the moderators to advise you on your HijackThis log.



    Snowbound
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    The moderators will also ask you to follow the steps in this link before you post a HijackThis log:

    http://www.wilderssecurity.com/showthread.php?t=15913



    Snowbound
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi compadre,

    One more thing to do before you post a new log.

    Click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\SYSTEM\knegypm.dll,Uninstall > "OK"

    Excellent advice, snowbound. :)

    Regards,

    Pieter
     