einolatu
asked on
HiJacker
Helou!
This dude has a bit of a problem, been spending hours to get my machine running properly again...
world-search.biz is coming back all the time, I've tried to remove these
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
No success so far
Here is the log
Logfile of HijackThis v1.97.7
Scan saved at 16:25:22, on 27.4.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kqpbih.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\kqpbih.exe
C:\WINNT\System32\Promon.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\Smtray.exe
C:\WINNT\System32\svcc.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\BackWeb-4476822.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\DOCUME~1\KYLLNE~1\TYPYT~1\HIJACK~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Have you tried these tools as well?
SpyBot-S&D : http://www.safer-networking.org/
Ad-aware : http://www.webattack.com/download/dladaware.shtml
CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Install them, update and then run.
Post back
Not sure about this
C:\WINNT\kqpbih.exe
Here are a couple of links to info. on this "services.exe" entry:
http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm
http://www.kephyr.com/filedb/index.php?viewtopic=SERVlCES.exe
Good luck!
By the way, I would suggest to your friend that they update Win 2000 and Internet Explorer.
ASKER
Ok, thanks for the help everyone! Services.exe was the thing, now it's working again.
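The entry identified in this thread, C:\WINNT\System\services.exe, carries the name of a core Windows process but sits outside system32, where the legitimate copy in the same log runs from. The following is an added example, not part of the original thread, that applies that name-versus-location check to a HijackThis log; the `SYSTEM32_ONLY` list and the function names are the editor's assumptions, and the sample is an excerpt of the log posted above.

```python
import ntpath
import re

# Processes that legitimately run only from <windir>\system32 (editor's list).
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Excerpt of the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\kqpbih.exe
C:\WINNT\System\services.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
"""

O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def exe_paths(log):
    """Yield (source, path) for running processes and O4 Run entries."""
    in_procs = False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif re.match(r"^[A-Z]\d+ - ", line):      # first R/O item ends the list
            in_procs = False
            m = O4_RE.match(line)
            exe = EXE_RE.match(m.group(3)) if m else None
            if exe:                                 # bare names carry no path
                yield f"O4 {m.group(1)} [{m.group(2)}]", exe.group(1)
        elif in_procs and EXE_RE.match(line):
            yield "process", line


def misplaced_system_binaries(log):
    """Entries named like a system32-only process but stored elsewhere."""
    hits = []
    for source, path in exe_paths(log):
        folder, name = ntpath.split(path)
        if (name.lower() in SYSTEM32_ONLY
                and ntpath.basename(folder).lower() != "system32"):
            hits.append((source, path))
    return hits

print(misplaced_system_binaries(SAMPLE_LOG))
```

A random-looking name such as C:\WINNT\kqpbih.exe, queried earlier in the thread, is not caught by this name-and-path rule and still needs manual review.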
Hi!
Glad we could help!
However, I would wait a day or two and then post a new HijackThis log.
Quite often with these things, after you attempt to deal with them, at first it appears that you've been successful - then something comes back.
Thanks and good luck!
http://www.techadvice.com/win2000/m/msconfig_w2k.htm
Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there. Reboot the machine and check if the error occurs
Post back