Navigator Hijacking

Discussion in 'adware, spyware & hijack cleaning' started by Flying Frenchman, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. Flying Frenchman

    Flying Frenchman Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    2
    Location:
    Ottawa
    Hey,

    I am following snowbound's instructions to remove a potential navigator hijacker.

    Here are the symptoms:

    Though I have installed all kinds of anti-malware software, this "site" keeps hijacking my navigator:
    www.nkvd.us. It seems to be the same as www.smart-finder.biz

    Every time I start my navigator, it goes to www.nkvd.us/1501/s.htm and it won't go to any address I type after, except if it is in my favorites or history folder.

    Current software on my computer include:
    Hijack this, IE-Spyad, Spybot S&D, Spywareblaster, and Zone Alarm firewall. But they seem to have no effect on the problem. So every time, I have to run regedit and delete all "nkvd" entries by hand. This shows in the hijackthis log pasted below.

    Could you tell me how to end this problem once and for all?

    Thanks in advance for your help.

    Bill

    Logfile of HijackThis v1.97.7
    Scan saved at 22:42:08, on 04-02-13
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\BILL\UTILITIES\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sigparb.uqo.ca/proxy/proxy.pac
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.google.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O13 - DefaultPrefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38001.764849537
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
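
Added example, not part of any post in this thread: a small Python triage pass over HijackThis-format lines that lists the browser-redirect entries a helper would check first. The allowlist of `www.google.ca`, the function names and the one constructed "hijacked" line (built from the www.nkvd.us address the poster reports) are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log above, plus ONE constructed
# line (the HKLM Start Page) showing what the reported hijack would look like.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sigparb.uqo.ca/proxy/proxy.pac
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1501/s.htm
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O13 - DefaultPrefix:
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")           # "R0 - ...", "O13 - ..."
REG_URL = re.compile(r"^[^,]+,(?P<value>[^=]+?) = (?P<data>\S+)$")

def parse_entries(text):
    """Yield (section code, detail); header and process-list lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def review(text, allowed_hosts):
    """Return entries that need a human decision, in log order."""
    findings = []
    for code, detail in parse_entries(text):
        if code in ("R0", "R1"):
            # IE start/search page values and proxy auto-config URLs
            m = REG_URL.match(detail)
            if not m:
                continue
            host = (urlsplit(m.group("data")).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((code, m.group("value"), host))
        elif code == "O6":
            # IE options locked through the Policies key
            findings.append((code, "IE policy restriction", ""))
        elif code == "O13":
            # URL prefix override section
            findings.append((code, "DefaultPrefix override", ""))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, {"www.google.ca"}):
        print(finding)
```

A flagged entry is a prompt for review, not a verdict: the AutoConfigURL in this log is listed only because its host is not on the assumed allowlist.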
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi there,

    Have you run this program yet?

    CWShredder

    Open -> 'fix' -> click 'next'

    Keep us posted if it detected anything and also repost a fresh hijackthis log after doing so.

    thnx!

    Cheers,
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Unzy :)

    I did instruct FF to download CWShredder but it appears Merijn's site was still down last night.

    I tried it again just now; while it is a little slow, it did work.

    Hopefully FF will try again. ;)




    snowbound
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Snowbound :)

    yea, the URL I gave for CWShredder is one directing to CC forum, it should work.

    **EDIT

    Changed the link from the latest cwshredder version to one version before, as there seems to be some trouble for some users using the latest one.

    Cheers,
     
  5. Flying Frenchman

    Flying Frenchman Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    2
    Location:
    Ottawa
    Hi there,

    I have downloaded CWS but got the following error message:
    "System error &H80004005 (-2147467259)"
    CWS would not start. I have been receiving the same kind of message for one month approx. when I start MS Excel, except it still works. I have tried HJT and the same message now comes up to my screen. :(

    Anyway, I have updated and rerun Spywareblaster and Spybot S&D on Feb. 14 and the problem has not come back since then.

    Any idea what's happening? o_O

    Bill
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke