nkvd.us

Discussion in 'adware, spyware & hijack cleaning' started by Fredrik_S, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. Fredrik_S

    Fredrik_S Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    2
    Tried in vain to get rid of this on my wife's machine. I have tried running hijack this (removing the offending entries that I understood), ran adaware and Destroy and Kill. I double checked and she does not have any extra toolbars in IE installed nor any popup blockers. Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:45:49 AM, on 4/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\system32\ntvdm.exe
    D:\jenmail\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1524/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1524/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1524/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1524/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1524/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1524/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1524/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1524/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1524/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/1524/
    O13 - WWW Prefix: http://www.nkvd.us/1524/
    O13 - Home Prefix: http://www.nkvd.us/1524/
    O13 - Mosaic Prefix: http://www.nkvd.us/1524/
    O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38032.3077662037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks so much for your assistance.
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello,

    Please Download CWShredder and close any other windows opened. Close the program and Run FIX. Let it do what it can. Reboot and post a fresh log

    Regards
     
  3. Fredrik_S

    Fredrik_S Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    2
    That seemed to fix it. Thanks a ton! Here is the log after running CWShredder.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:49:02 AM, on 4/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\WINNT\System32\wuauclt.exe
    D:\jenmail\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38032.3077662037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,141
    Location:
    North Carolina, USA
    Hi Fredrik_S,

    Your log looks clean now so your problems should be fixed.

    Regards,
    Kent
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.