NKVD.US !!!!?????

Discussion in 'adware, spyware & hijack cleaning' started by helpmepleasemycomp, Jun 13, 2004.

Thread Status:
Not open for further replies.
  1. helpmepleasemycomp

    helpmepleasemycomp Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    33
    HI,
    PLEASE help me! I have used the spybot s&d program, the problem is that every time i start IE it comes up with my "my search" searching for "nkvd.us" and if i try to change this it just sets back to it again. The main problem though is i cannot access any websites because it always puts nkvd.us before what i typed ("nkvd.us/www....") and redirects me back to the "my search" and searches for nkvd.us again.
    I do not know anything about viruses and that sort of thing but it just seems stupid that the virus would tell me what it was called and even search for itself!
    Anyway it seems like this problem is common so could anyone maybe explain to me more about what this is and why i have got it etc, but mainly HOW DO I GET RID OF NKVD.USo_O
    I have done the spybot and hijackthis, here is a copy of hijack this, PLEASE HELP!!

    Logfile of HijackThis v1.97.7
    Scan saved at 18:45:25, on 13/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\program files\altnet\points manager\points manager.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\documents and settings\eminem\local settings\temp\feXwV0.exe
    C:\documents and settings\eminem\local settings\temp\eSathi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Documents and Settings\Eminem\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [feXwV0] C:\documents and settings\eminem\local settings\temp\feXwV0.exe
    O4 - HKLM\..\Run: [eSathi] C:\documents and settings\eminem\local settings\temp\eSathi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Polaroid iON PhotoBase .lnk = C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix: http://nkvd.us/
    O13 - WWW Prefix: http://nkvd.us/
    O13 - Home Prefix: http://nkvd.us/
    O13 - Mosaic Prefix: http://nkvd.us/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/CRYPT_Installer.exe
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
     
  2. Yellowhammer

    Yellowhammer Spyware Fighter

    Joined:
    May 23, 2004
    Posts:
    53
    Location:
    Alabama, USA
    Make sure you can view hidden and system files: Instructions here.

    Then Download cwshredder here. Close all browser windows and click on the fix/next button.

    Then uninstall P2P Networking, Altnet and whatever file sharing program such as Kazaa you have installed in add/remove programs.

    Boot to safe mode: Instructions here.

    Then Close all windows and have hijackthis fix the following that remain:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [feXwV0] C:\documents and settings\eminem\local settings\temp\feXwV0.exe
    O4 - HKLM\..\Run: [eSathi] C:\documents and settings\eminem\local settings\temp\eSathi.exe
    O4 - Startup: PowerReg Scheduler V3.exe

    O13 - DefaultPrefix: http://nkvd.us/
    O13 - WWW Prefix: http://nkvd.us/
    O13 - Home Prefix: http://nkvd.us/
    O13 - Mosaic Prefix: http://nkvd.us/

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab

    Then while in safe mode delete the following:

    C:\Program Files\MyWay <-Folder
    C:\WINDOWS\System32\mshelper.dll <-File
    C:\WINDOWS\System32\P2P Networking <-Folder
    c:\program files\altnet <-Folder

    Then browse to the C:\documents and settings\Eminem\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Then empty the recycle bin.

    Then reboot to normal mode.

    Then,

    Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    Click the "Tweak" button.

    Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"

    Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Next" button.

    When scan is finished, mark everything for removal and get rid of it. .(Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    Then,

    Download SPYBOT Search and Destroy here-> http://www.safer-networking.org/index.php?page=mirrors
    Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the Check is over All problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

    Then Disable system restore: Instructions here.

    Reboot

    Enable system restore.

    Scan and post another hijackthis log.
     
  3. helpmepleasemycomp

    helpmepleasemycomp Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    33
    hi, thank you s much for that, it HAS worked and got rid of th NKVD.US however it has just exchanched it so that now it puts "searchpage.cwww..." so HELP me again please!
    PS i really appreciate the help that you guys are giving me and is there any way i can thank u! (eg donation 2 this server or whatever!)
    (there were a few problems with the actions u said to take:
    i could not find: O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    or:
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    or:
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    or: C:/WINDOWS/system32/P2P Networking
    finally i did not delete the folders inside C:/documents and settings/eminem/local settings/temp folder
    all i did was open the folders and delete the files that were in them,
    so i do not know if any of the mentioned could have affected it?)


    Also i have got a lot of "backup" files in my documents can i delete these??


    here is the hijackthis log


    Logfile of HijackThis v1.97.7
    Scan saved at 00:15:12, on 14/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Documents and Settings\Eminem\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Polaroid iON PhotoBase .lnk = C:\Program Files\Polaroid\iON PhotoBase\iON Monitor.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix: http://nkvd.us/
    O13 - WWW Prefix: http://nkvd.us/
    O13 - Home Prefix: http://nkvd.us/
    O13 - Mosaic Prefix: http://nkvd.us/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/CRYPT_Installer.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
     
  4. helpmepleasemycomp

    helpmepleasemycomp Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    33
    sorry i meant to say " searchpage.cc/www....."
     
  5. Yellowhammer

    Yellowhammer Spyware Fighter

    Joined:
    May 23, 2004
    Posts:
    53
    Location:
    Alabama, USA
    Boot to safe mode and run cwshredder again. Follow that with ad-aware in safe mode.
     
  6. helpmepleasemycomp

    helpmepleasemycomp Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    33
    Thankyou SO much yellowhammer, everything appears to be back to normal!

    I have got a few more questions that i would appreciate u answering though if this is possible (you may not be able to answer them all!)

    1) what did i do to get rid of this thing...
    2) what is this thing (nkvd.us) eg trojan, spyware, worm...
    3) what are the different types of things! (trojan, spyware, worm etc)

    But these are the main questions:

    4) I have written down the websites i visisted before i got the nkvd.us, but none of these websites had www. before them, does this mean they are illegal!?
    5) If i go back onto these websites is there a way that i can protect or stop my computer getting nkvd.us again?
    6) what should i do if i get nkvd.us again? (run hijack this and post it here again or is there a quicker and easier way to remove it?)
    7) I am going to contact symantec tomorrow would you recommend mentioning nkvd.us to them (note: these websites that i caught it off may be illegal so i could get into trouble!)
    :cool: I have got a thing on my desktop called "thumbs" can i delete this?

    And finally just some general questions ( i may have to set another thread for these!)

    9) When you send items to the recycle bin and delete them are they permanently removed?...
    10) If they are not permamently removed is there a way i can access these files to permanently remove them?
    11) Is there any sooftware you would recomend me to download at all? (anything for any reason! as long as it could help protect my computer! Note: i already have norton internet security installed)

    Thank you again
     
  7. Yellowhammer

    Yellowhammer Spyware Fighter

    Joined:
    May 23, 2004
    Posts:
    53
    Location:
    Alabama, USA
    Lots of questions to answer. ;)

    You had a coolwebsearch infection. There are hundreds of variations. They hijack your homepage and search pages. CWShredder is the best tool for removing these. Adaware does a good job as well.

    None of the sites are illegal as far as I know.

    There are ways to keep from getting infected again. I will cover them in a minute.

    It won't do any good to contact Symantec on these. They are not capable of preventing this. The coolwebsearch stuff is not considered a virus or trojan.

    Items are not permanently gone until the recycle bin is emptied.

    How to protect yourself.

    1. Keep windows updated at the windows update site.
    2. Set up IE Security correctly. http://www.jfitz.com/tips/ie_security_config.html
    3. Keep an up to date antivirus - I prefer NOD32 to any other.
    4. Run a good firewall - I prefer Sygate Personal Free Version
    5. Update and run adaware and Spybot S&D on a weekly basis.
    6. Install SpywareBlaster - The paid version that automatically updates.
    7. Install SpywareGuard.
    8. Install IE-SpyAd

    Links to most of these are available on my website here.
     
  8. helpmepleasemycomp

    helpmepleasemycomp Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    33
    Thankyou!
    I have got more questions if u care 2 answer them!

    1) If i go back onto these websites it is DEFINATELY going to try and download the nkvd.us/ coolwebsearch thing again, with the things i have currently got eg. adaware will these be enough to stop my computer getting the same thing again or not (so really would you say that it is safe to enter the website that i caught coolwebsearch off?)

    2) All of the things which you have suggested downloading, won't norton internet security be sufficient? (it has got antivirus and a firewall and anti-intrusion)

    3) How do you know so much about these sort of files and computers!? (this is more a personal question!)
     
  9. Yellowhammer

    Yellowhammer Spyware Fighter

    Joined:
    May 23, 2004
    Posts:
    53
    Location:
    Alabama, USA
    1. Adaware only removes what is already there. The other methods I described will most likely protect you. I never get infected and I check many of these sites out while helping. There are no guarantees. If you know what sites they are you can avoid them and/or put them in the restricted zone in your IE security settings.
    2. Norton Internet Security might be sufficient as a firewall and antivirus. I don't use any Norton Products and won't. It is not sufficient to totally protect you. The other suggestions I made are also critical I think.
    3. Lot's of research. ;)
     
Thread Status:
Not open for further replies.