nkvd.us and searchpage.cc

Discussion in 'adware, spyware & hijack cleaning' started by barnowl, May 19, 2004.

Thread Status:
Not open for further replies.
  1. barnowl

    barnowl Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Location:
    Devon, UK
    Hi, I really need some help here. I have been driven to distraction with pop-up ads and a search page that imposes itself whenever I try to download something.
    I have managed to download Spybot, HijackThis and CWShredder on someone else's computer.

    I have run Spybot and attach the HJT logfile. The lines containing nkvd seem obvious choices, but what else should I delete?

    I shall be very grateful for any guidance.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:40:56, on 19/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\lexbces.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\LEXPPS.EXE
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\SYSTEM32\starter.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\WINNT\system32\deinst_qfe002.exe
    C:\Program Files\Washer\washer.exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\mrtMngr.EXE
    E:\Utility\Norton\Antivirus\English\navntw2kin.exe
    C:\WINNT\system32\ntvdm.exe
    E:\Utility\Norton\Antivirus\English\navntw2kin.exe
    C:\Program Files\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=dia
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ofnbe.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#25047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wethere.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
    O2 - BHO: (no name) - {63510627-925A-4209-A9BB-2FEFD13664C3} - C:\WINNT\System32\ofnbe.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINNT\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Shell] C:\WINNT/DOWNLO~1/tray.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINNT\system32\deinst_qfe002.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/1525/
    O13 - WWW Prefix: http://www.nkvd.us/1525/
    O13 - Home Prefix: http://www.nkvd.us/1525/
    O13 - Mosaic Prefix: http://www.nkvd.us/1525/
    O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\nosuch.mht!http://list2004.com/help.chm::/help.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://c:\program files\internet explorer\plugins\awswaxf.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38122.5113541667
    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAE} - file://C:\Info_sex4.cab
    O19 - User stylesheet: C:\WINNT\win32.bmp
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi barnowl,

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=dia
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ofnbe.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#25047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1525/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/

    O2 - BHO: (no name) - {63510627-925A-4209-A9BB-2FEFD13664C3} - C:\WINNT\System32\ofnbe.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINNT\System32\mshelper.dll

    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINNT\system32\deinst_qfe002.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install

    O13 - DefaultPrefix: http://www.nkvd.us/1525/
    O13 - WWW Prefix: http://www.nkvd.us/1525/
    O13 - Home Prefix: http://www.nkvd.us/1525/
    O13 - Mosaic Prefix: http://www.nkvd.us/1525/

    O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\nosuch.mht!http://list2004.com/help.chm::/help.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAE} - file://C:\Info_sex4.cab

    O19 - User stylesheet: C:\WINNT\win32.bmp
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

    Restart the PC after doing so and remove (if still present):

    C:\WINNT\reg32.exe <- this file
    sys.reg <- this file (search via start -> search)
    C:\WINNT\image.dll <- this file
    C:\WINNT\win32.exe <- this file
    C:\WINNT\system32\deinst_qfe002.exe <- this file
    C:\WINNT\win32.bmp <- this file
    C:\WINNT\hh.htt <- this file

    Run CWShredder again.

    Then download KillBox:

    http://download.broadbandmedic.com/VbStuff/KillBox.zip , unzip it into a folder.

    Do a search for:

    mtwirl.dll and/or mtwirl32.dll, right-click + delete when found.

    When the correct path is found (c:\windows... etc.), open KillBox, type it in the path box and press "kill file".

    Hope this helps

    Cheers,
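The reply above is, in effect, a set of triage rules applied by eye to the log in the first post: IE start/search keys pointing at the hijack host, a nameless BHO, Run entries that silently re-import a .reg file or load a file dropped straight into the Windows folder, O13 URL prefixes routed through a web host, DPF entries that load local files or use the ms-its: handler, and "stylesheets" that are not .css files. The script below is an added example written for this thread (it is not part of HijackThis, CWShredder or KillBox, and not Unzy's tooling) that encodes those rules as a parser and runs them over a handful of lines copied from the posted log. The BAD_HOSTS list and the "file in the Windows root" heuristic are assumptions made for the example; a real tool would compare against threat intel or the user's known-good home page instead.

```python
"""Triage HijackThis-style log lines for the hijack indicators discussed in this thread.

Added example for the thread; not code from HijackThis or any of the tools named above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hosts that appear as redirect targets in the log posted in this thread.
# Assumption: a real triage tool would load this from threat intel or
# compare against the user's known-good home and search pages instead.
BAD_HOSTS = {
    "nkvd.us", "www.nkvd.us", "4-counter.com",
    "vrape.hardloved.com", "searchbar.linksummary.com",
}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# A program or DLL sitting directly in the Windows root with no subfolder, as
# reg32.exe, win32.exe and image.dll do in this log.  Heuristic (assumption):
# legitimate files that live there, such as explorer.exe, would need an allowlist.
WINROOT_RE = re.compile(r"(?i)[a-z]:\\win(nt|dows)\\[^\\\s]+\.(exe|dll)\b")
REGEDIT_RE = re.compile(r"(?i)^regedit(\.exe)?\s+[-/]s\b")

# Lines copied from the log in the first post of this thread (hijacked and benign).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\ofnbe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wethere.com
O2 - BHO: (no name) - {63510627-925A-4209-A9BB-2FEFD13664C3} - C:\WINNT\System32\ofnbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O13 - DefaultPrefix: http://www.nkvd.us/1525/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38122.5113541667
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\nosuch.mht!http://list2004.com/help.chm::/help.exe
O19 - User stylesheet: C:\WINNT\win32.bmp
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def scheme_of(value: str) -> str:
    """URL scheme in lowercase, or '' for plain text and drive-letter paths."""
    m = SCHEME_RE.match(value.strip())
    if not m or len(m.group(1)) == 1:   # "C:" is a drive letter, not a scheme
        return ""
    return m.group(1).lower()


def host_of(value: str) -> str:
    """Hostname of an http(s) URL in lowercase; '' for anything else."""
    if scheme_of(value) not in ("http", "https"):
        return ""
    return (urlsplit(value.strip()).hostname or "").lower()


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when a HijackThis line matches one of the indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):                      # IE start/search page registry values
        value = body.partition(" = ")[2].strip()
        if scheme_of(value) == "res":
            return Finding(sec, "IE page served from a resource inside a DLL", line)
        if host_of(value) in BAD_HOSTS:
            return Finding(sec, "IE page redirected to a known hijack host", line)
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return Finding(sec, "Browser Helper Object with no name", line)
    elif sec == "O4":                            # autorun entries
        command = body.partition("] ")[2].strip()
        if REGEDIT_RE.match(command):
            return Finding(sec, "Run entry silently re-imports a .reg file at logon", line)
        if WINROOT_RE.search(command):
            return Finding(sec, "Run entry loads a file dropped in the Windows root", line)
    elif sec == "O13":                           # URL prefixes are normally just "http://"
        if host_of(body.partition(": ")[2]):
            return Finding(sec, "URL prefix routes typed addresses via a web host", line)
    elif sec == "O16":                           # Downloaded Program Files (ActiveX)
        if scheme_of(body.rsplit(" - ", 1)[-1]) in ("file", "ms-its"):
            return Finding(sec, "DPF entry loads a local file or uses the ms-its: handler", line)
    elif sec == "O19":                           # user stylesheet
        value = re.sub(r"\s*\(HKLM\)$", "", body.partition(": ")[2])
        if not value.lower().endswith(".css"):
            return Finding(sec, "User stylesheet is not a .css file", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run as-is it flags 11 of the 16 sample lines and leaves the Window Title, the Start Page_bak backup, the Radio toolbar, NeroCheck and the Windows Update control alone. The rules are deliberately narrow: they do not catch everything the reply fixes (the Local Page override, the ADVFN and Info_sex4 DPF entries, or deinst_qfe002.exe masquerading as a "Windows Update Checker"), which is the point of keeping a human in the loop on a HijackThis log rather than auto-deleting matches.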
     
  3. barnowl

    barnowl Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Location:
    Devon, UK
    Many Thanks Unzy this seems to have done the trick. You are a Star.
    Thanks again.

    Barnowl.
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    That's great to hear :)

    Glad we were able to help and good job cleaning up!

    Take care

    Cheers,
     