Solved

HiJacker

Posted on 2004-04-27
8
2,873 Views
Last Modified: 2013-12-04
Helou!

This dude has a bit of a problem, been spending hours to get my machine running properly again...
world-search.biz is coming back all the time, I've tried to remove these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=

No success so far

Here is the log


Logfile of HijackThis v1.97.7
Scan saved at 16:25:22, on 27.4.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kqpbih.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\kqpbih.exe
C:\WINNT\System32\Promon.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\Smtray.exe
C:\WINNT\System32\svcc.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\BackWeb-4476822.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\DOCUME~1\KYLLNE~1\TYPYT~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0
Comment
Question by:einolatu
  • 4
  • 3
8 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929097
install msconfig from here
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there.Reboot the machine and check if the error occurs

post back
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929117
Have you tried these tools aswell


SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Install them , update and then run.

Post back
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929161
Not sure about this

C:\WINNT\kqpbih.exe
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 12

Accepted Solution

by:
rossfingal earned 50 total points
ID: 10930990
Hi!
Took a look at your HJT log.
I looked for info. on kqpbih.exe and found nothing.
That's not a good sign.

Also, not sure about this one:
C:\WINNT\System32\svcc.exe

This one, on the other hand, is a sign of a problem:
C:\WINNT\System\services.exe
Note, this is not the same as the previous entry: C:\WINNT\system32\services.exe, which is a Windows Service.
I would do an online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.bitdefender.com/scan/licence.php 

Let us know.
Good luck!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10931169
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10931205
By the way, I would suggest to your friend, that they update Win 2000 and Internet Explorer.
0
 

Author Comment

by:einolatu
ID: 10946686
Ok, thanks for help everyone! Services.exe was the thing, now its working again.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10952105
Hi!

Glad we could help!

However, I would wait a day or two and then post a new HijackThis log.
Quite often with these things, after you attempt to deal with them, at first it appears that you've been successful - then
something comes back.
Thanks and good luck!
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question