nkvd.us hijacked Need Help

Hi!
I've experienced some problemes with my IE browser. I have an Opera browser, and there's no problem viewing sites with it. But in IE it keeps going to the site nkvd.us. It's set itself to be my homepage and I can't change it. When I type in a pageadress in the adressbar nkvd.us overrides this and it goes back to nkvd.us or a similar page. I've tried to fix it with Spybot and ad-aware, but it woundn't work. Pardon my english, I'm norwegian.
Here is the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 15:06:47, on 14.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Bjørn\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [start_forbruksmåler] C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Program Files\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.5593518519
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{687BF545-8432-4D39-B799-7271EB42C9D9}: NameServer = 130.67.60.68 193.213.112.4

 

Hi Plexi,

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll (file missing)

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/

Then download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then reboot and delete:
C:\WINDOWS\System32\mshelper.dll

Regards,

Pieter

 

I've run HJT and fix the files. I downloaded CWShedder and run it, but CWS doesn't work, it's all cryptic and funny, only a lot of different signs.. HELP!!

 

Please try the zipped version from our server:
https://www.wilderssecurity.com/attachment.php?attachmentid=136398
If that still doesn't work, could you make a screenshot of what you mean?

Regards,

Pieter

 

Nevermind, my mistake. I hadn't put it in a new folder. I ran CWShedder and it worked. But I can't find mshelper.dll at C:WINDOWS\System32\

 

It's not there Thank you very much for the help!! My day is saved! Now I'm going to shoot the bastard who used my machine during Easter vacation Thanks again!

 

Shoot him this link: https://www.wilderssecurity.com/showthread.php?goto=newpost&t=27971

Glad we could help,

Pieter

 

Man.. it's still there. I've manage to set the homepage to my own. But if I type in a siteadress in the adressbar it still overrides it with nkvd.us. -> if I type www.hotmail.com it's http://nkvd.us/www.hotmail.com in the status bar, and then I view the same page as earlier, and it says http://searchpage.cc/www.hotmail.com in the adressbar. What to do what to do?

 

Spybot did not find anything now. But still when I type a adress in the adressbar I can't get to it, nkvd.us overrides it, and then it says http://searchpage.cc/(the page adress i tried to get to)/. But my homepage is alright. Do I have to change any settings or(?) what's the problem now? I still feel kind of hijacked..

 

I'm jusing Opera browser now to download pv.zip and to write to this forum. Does this have any affection to the log?

 

What shall I do in the PV menu? Internet Explorer Dll's or Explorer Dll's?

 

PV log:


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll
msctfime.ime 9e0000 176128 C:\WINDOWS\System32\msctfime.ime
Msimtf.dll 746f0000 155648 C:\WINDOWS\System32\Msimtf.dll
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll
shdoclc.dll 1e60000 557056 C:\WINDOWS\System32\shdoclc.dll
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll
wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll
msi.dll 2590000 2101248 C:\WINDOWS\System32\msi.dll
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll
scrauth.dll 10000000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll
ScrBlock.dll 3350000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll
wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll
cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll
vbscript.dll 73300000 479232 c:\windows\system32\vbscript.dll
Flash.ocx 3d40000 1716224 C:\WINDOWS\System32\macromed\flash\Flash.ocx
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll
ddrawex.dll 6d430000 36864 C:\WINDOWS\System32\ddrawex.dll
DDRAW.dll 73760000 278528 C:\WINDOWS\System32\DDRAW.dll
DCIMAN32.dll 73bc0000 24576 C:\WINDOWS\System32\DCIMAN32.dll
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll
MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll
ODBC32.dll 35c0000 204800 C:\WINDOWS\System32\ODBC32.dll
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll
plugin.ocx 72b20000 98304 C:\WINDOWS\System32\plugin.ocx

HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 18:21:10, on 14.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [start_forbruksmåler] C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Program Files\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.5593518519
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{687BF545-8432-4D39-B799-7271EB42C9D9}: NameServer = 130.67.60.68 193.213.112.4

 

What kind of safe mode? Safe mode without Internet connection or with? Sorry for all these stupid questions. But I want to do this right..

 

Here is the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 18:54:05, on 14.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [start_forbruksmåler] C:\Program Files\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Program Files\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.5593518519
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

I'm about to give up.. It's still there.. I can set my homepage, that's fine. But when I try to go somewhere on the Internet by typing in an adress, that scumshitware kicks in again.. Argh!

 

Nevermind. Now I can't even set my homepage.. I followed your instructions and still!?!

 

OK. This is strange. I tried to open wmp. But nothing happens. The funny thing is that this scumware hijacked my browser while I was away on Easter vacation, and one that I live with or a guest of them has been surfin' the net when this **** happened. I have not talked to this person yet, beacuse the bitch flee when I arrived from Easter. So I just checked the wmplayer file, and it's says it's created: 11.april and modified: 11.april.. Hm.. wmp has been on my machine for a few years now, can this be the way my machine got hijacked? First time i ran Spybot I found some Sextracker and SexTask cockies. Maybe someone tried to download and watch a movie? Any ideas why I can't run wmp and why I can't get rid of this scumware?