Solved

HiJacker

Posted on 2004-04-27
Last Modified: 2013-12-04
Helou!

This dude has a bit of a problem, been spending hours to get my machine running properly again...
world-search.biz is coming back all the time, I've tried to remove these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=

No success so far

Here is the log


Logfile of HijackThis v1.97.7
Scan saved at 16:25:22, on 27.4.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kqpbih.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\kqpbih.exe
C:\WINNT\System32\Promon.exe
C:\PROGRA~1\ANALOG~1\SoundMAX\Smtray.exe
C:\WINNT\System32\svcc.exe
C:\PROGRA~1\F-SECU~1\Common\FSM32.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\BackWeb-4476822.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\DOCUME~1\KYLLNE~1\TYPYT~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O13 - DefaultPrefix: http://world-search.biz/search.php?url=
O13 - WWW Prefix: http://world-search.biz/search.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.fi
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.fi
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Question by:einolatu
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929097
Install msconfig from here:
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there. Reboot the machine and check if the error occurs

post back
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929117
Have you tried these tools as well?


SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Install them, update and then run.

Post back
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10929161
Not sure about this

C:\WINNT\kqpbih.exe
 
LVL 12

Accepted Solution

by:rossfingal earned 50 total points
ID: 10930990
Hi!
Took a look at your HJT log.
I looked for info. on kqpbih.exe and found nothing.
That's not a good sign.

Also, not sure about this one:
C:\WINNT\System32\svcc.exe

This one, on the other hand, is a sign of a problem:
C:\WINNT\System\services.exe
Note, this is not the same as the previous entry: C:\WINNT\system32\services.exe, which is a Windows Service.
I would do an online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.bitdefender.com/scan/licence.php 

Let us know.
Good luck!
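
The check described in the answer above, comparing a core Windows process name against the folder it actually runs from and then looking for the autostart value that launches it, as an added example that is not part of the original thread. The expected-folder table and the function name are assumptions for illustration; the sample lines are excerpted from the log in the question.

```python
import ntpath
import re

# Assumed baseline (not from the thread): core Windows processes that
# normally run from <windir>\system32.
EXPECTED_DIR = dict.fromkeys(
    ["smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
     "svchost.exe", "spoolsv.exe"], "system32")
EXPECTED_DIR["explorer.exe"] = ""  # lives in the Windows directory itself

# Excerpt of the HijackThis log posted in the question.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System\services.exe

O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
"""

RUN_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")

def find_masquerades(log, windir=r"C:\WINNT"):
    """Return (path, autostart entries) for core-named processes in the wrong folder."""
    procs, runs, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := RUN_RE.match(line)):
            runs.append(m.groups())   # (hive, value name, command)
    findings = []
    for path in procs:
        folder, name = ntpath.split(path.lower())
        if name not in EXPECTED_DIR:
            continue
        expected = ntpath.join(windir, EXPECTED_DIR[name]).rstrip("\\").lower()
        if folder != expected:
            # Autostart values whose command references the same file
            starters = [f"{hive}: [{val}]" for hive, val, cmd in runs
                        if path.lower() in cmd.lower()]
            findings.append((path, starters))
    return findings
```

This only catches a trusted name in an unexpected folder; unfamiliar names such as kqpbih.exe still need the manual lookup described in the answer, and 8.3 short paths (C:\PROGRA~1\...) are not expanded.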
 
LVL 12

Expert Comment

by:rossfingal
ID: 10931169
 
LVL 12

Expert Comment

by:rossfingal
ID: 10931205
By the way, I would suggest to your friend, that they update Win 2000 and Internet Explorer.
 

Author Comment

by:einolatu
ID: 10946686
Ok, thanks for the help everyone! Services.exe was the thing, now it's working again.
 
LVL 12

Expert Comment

by:rossfingal
ID: 10952105
Hi!

Glad we could help!

However, I would wait a day or two and then post a new HijackThis log.
Quite often with these things, after you attempt to deal with them, at first it appears that you've been successful - then something comes back.
Thanks and good luck!