Solved

HiJacker

Posted on 2004-04-27
8
2,862 Views
Last Modified: 2013-12-04
Helou!

This dude has a bit of a problem, been spending hours to get my machine running properly again...
world-search.biz is coming back all the time, I've tried to remove these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=

No success so far

Here is the log


Logfile of HijackThis v1.97.7
Scan saved at 16:25:22, on 27.4.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kqpbih.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\kqpbih.exe
C:\WINNT\System32\Promon.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\Smtray.exe
C:\WINNT\System32\svcc.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\BackWeb-4476822.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\DOCUME~1\KYLLNE~1\TYPYT~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0
Comment
Question by:einolatu
  • 4
  • 3
8 Comments
 
LVL 49

Expert Comment

by:sunray_2003
Comment Utility
install msconfig from here
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there.Reboot the machine and check if the error occurs

post back
0
 
LVL 49

Expert Comment

by:sunray_2003
Comment Utility
Have you tried these tools aswell


SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Install them , update and then run.

Post back
0
 
LVL 49

Expert Comment

by:sunray_2003
Comment Utility
Not sure about this

C:\WINNT\kqpbih.exe
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 50 total points
Comment Utility
Hi!
Took a look at your HJT log.
I looked for info. on kqpbih.exe and found nothing.
That's not a good sign.

Also, not sure about this one:
C:\WINNT\System32\svcc.exe

This one, on the other hand, is a sign of a problem:
C:\WINNT\System\services.exe
Note, this is not the same as the previous entry: C:\WINNT\system32\services.exe, which is a Windows Service.
I would do an online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.bitdefender.com/scan/licence.php

Let us know.
Good luck!
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 12

Expert Comment

by:rossfingal
Comment Utility
0
 
LVL 12

Expert Comment

by:rossfingal
Comment Utility
By the way, I would suggest to your friend, that they update Win 2000 and Internet Explorer.
0
 

Author Comment

by:einolatu
Comment Utility
Ok, thanks for help everyone! Services.exe was the thing, now its working again.
0
 
LVL 12

Expert Comment

by:rossfingal
Comment Utility
Hi!

Glad we could help!

However, I would wait a day or two and then post a new HijackThis log.
Quite often with these things, after you attempt to deal with them, at first it appears that you've been successful - then
something comes back.
Thanks and good luck!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now