asked on

HiJacker

Helou!

This dude has a bit of a problem, been spending hours to get my machine running properly again...
world-search.biz is coming back all the time, I've tried to remove these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=

No success so far

Here is the log

Logfile of HijackThis v1.97.7
Scan saved at 16:25:22, on 27.4.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kqpbih.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\kqpbih.exe
C:\WINNT\System32\Promon.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\Smtray.exe
C:\WINNT\System32\svcc.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\BackWeb-4476822.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\DOCUME~1\KYLLNE~1\TYPYT~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

sunray_2003

install msconfig from here
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there.Reboot the machine and check if the error occurs

post back

sunray_2003

Have you tried these tools aswell

SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Install them , update and then run.

Post back

sunray_2003

Not sure about this

C:\WINNT\kqpbih.exe

ASKER CERTIFIED SOLUTION

rossfingal

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

rossfingal

Here are a couple of links to info. on this "services.exe" entry:

http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm

http://www.kephyr.com/filedb/index.php?viewtopic=SERVlCES.exe

Good luck!

rossfingal

By the way, I would suggest to your friend, that they update Win 2000 and Internet Explorer.

einolatu

ASKER

Ok, thanks for help everyone! Services.exe was the thing, now its working again.

rossfingal

Hi!

Glad we could help!

However, I would wait a day or two and then post a new HijackThis log.
Quite often with these things, after you attempt to deal with them, at first it appears that you've been successful - then
something comes back.
Thanks and good luck!