Solved

nkvd.us redirecting anything I put into AOL or IE's URL

Posted on 2004-04-15
Last Modified: 2010-04-11
Every time I go into IE I'm redirected to a search page. It's something to do with nkvd.us as it constantly reappears in my internet settings as my default home page. It also keeps coming up with a dodgy site which seems to keep reappearing in my favourites (I never visited the site and can't delete it). I also get redirected ("http://searchpage.cc/www.whateverI've typed.co.uk") if I attempt to type directly into my AOL URL bar, without even opening IE.

I've done everything with all the programs you'd expect (virus, spyware, adware). Can someone advise me on the following system info I got from HijackThis, i.e. what should I delete? I'm worried about messing up my system. Help!

Logfile of HijackThis v1.97.7
Scan saved at 10:42:21, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AOL 8.0b\aoltray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\AOL 8.0b\waol.exe
C:\Program Files\AOL 8.0b\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Edward Newton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\redirect2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0b\aoltray.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O14 - IERESET.INF: START_PAGE_URL=http://www.netcom.co.uk/
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37722.2221180556
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC51848-9FEC-4DD4-ACE7-CFF76408DE97}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{B70947D5-24B6-40FD-BD4E-3D076ED28112}: NameServer = 195.93.32.134

Question by:11Edward23
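The entry types in the log above carry the whole story of this hijack: the R0/R1 lines are IE's start and search URL values, the O13 lines are the URL prefixes IE prepends to a bare host typed into the address bar (which is why "www.something.co.uk" typed into the AOL bar comes back as another site's URL with the typed address glued onto the end), the O4 line [redirect] C:\WINDOWS\redirect2.exe is a program started at every logon, and the O14 line is the template that "Reset Web Settings" copies back, so it has to be clean before a reset is any use. The following is an added example for this thread, not code from HijackThis or from any of the posters: it parses an excerpt of the log posted in the question, flags the entries pointing at the hijack domain, separates Run entries launched from the Windows root or by bare filename from ordinary ones, lists the O17 DNS servers for a manual check, and reproduces IE's prefix completion so you can see what the O13 values do to a typed address. The domain to hunt for (nkvd.us), the Windows directory, and the example hostname fed to the prefix function are the only assumptions.

```python
"""Triage a HijackThis log for the browser-hijack indicators in this thread.

Added example; not HijackThis code and not from the original posters. The log
excerpt is copied from the question. Assumed: the domain to hunt for (nkvd.us)
and the Windows directory used to judge O4 entries.
"""
import re

# Lines copied from the log in the question, reduced to the entry types this
# script understands: R0/R1 (IE URL settings), O4 (Run entries), O13 (URL
# prefixes), O14 (reset template) and O17 (DNS servers).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\redirect2.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O14 - IERESET.INF: START_PAGE_URL=http://www.netcom.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC51848-9FEC-4DD4-ACE7-CFF76408DE97}: NameServer = 152.163.0.26 205.188.64.153
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
RUN_TARGET_RE = re.compile(r'\]\s+(?:"([^"]+)"|(\S+))')


def parse_hijackthis(text):
    """Return (kind, body) pairs for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def on_domain(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def run_target(body):
    """Executable launched by an O4 entry: the quoted or first token after ']'."""
    m = RUN_TARGET_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def flag_entries(entries, bad_domains, windows_dir=r"C:\WINDOWS"):
    """Return (reason, log line) pairs worth acting on or checking by hand."""
    findings = []
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind in ("R0", "R1", "O13", "O14"):
            m = URL_HOST_RE.search(body)
            if m and on_domain(m.group(1), bad_domains):
                findings.append(("hijacked IE URL setting, reset it", line))
        elif kind == "O4":
            target = run_target(body)
            if target is None:
                continue
            directory, _, _name = target.rpartition("\\")
            if directory.lower() == windows_dir.lower():
                findings.append(("Run entry launched from the Windows root; unusual "
                                 "for legitimate software, treat as suspect", line))
            elif not directory:
                findings.append(("Run entry is a bare filename resolved via PATH at "
                                 "logon; confirm which file it actually starts", line))
        elif kind == "O17":
            servers = body.split("NameServer =")[-1].split()
            findings.append(("DNS servers to confirm against your ISP/AOL settings: "
                             + ", ".join(servers), line))
    return findings


def expand_typed_address(typed, prefixes, default_prefix="http://"):
    """Mimic IE's address-bar completion from the URL\\Prefixes registry keys
    that HijackThis reports as O13. Input that already has a scheme is left
    alone; otherwise the prefix registered for the first label (www, ftp,
    home, mosaic) or the DefaultPrefix is prepended. With both set to a
    hijack URL, a typed host ends up glued onto the end of that URL."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", typed, re.I):
        return typed
    first_label = typed.split(".", 1)[0].lower()
    return prefixes.get(first_label, default_prefix) + typed


if __name__ == "__main__":
    for reason, line in flag_entries(parse_hijackthis(SAMPLE_LOG), {"nkvd.us"}):
        print(f"{reason}\n    {line}")
    # Assumed hostname, to show what the O13 values above do to a typed address.
    print(expand_typed_address("www.example.co.uk",
                               {"www": "http://www.nkvd.us/"}, "http://www.nkvd.us/"))
```

Bare-filename Run entries (gsicon.exe, dslagent.exe, carpserv.exe in the full log) are reported for review rather than as malicious, because the name alone does not say which file on the PATH actually runs; the full log shows them as the DSL modem and touchpad software, which is exactly the check the script asks you to make.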
 

Expert Comment

by:andydis
ID: 10831685
C:\WINDOWS\System32\brsvc01a.exe
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\redirect2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/

The above all seem suspect; do the usual: remove them, update AV software, get Ad-Aware etc., make sure IE is fully patched. Just to let you know, everyone is having these problems with IE at the minute.

Expert Comment

by:Luc Franken
ID: 10831756
Hi 11Edward23,

This is a version of the CoolWeb bug. Use this tool; afterwards, post another logfile:
http://209.133.47.200/~merijn/files/CWShredder.exe

Greetings,

LucF

Expert Comment

by:IceRaven
ID: 10831779
Hi 11Edward23,

Did you try using Spybot from

www.safer-networking.org

I would be interested in knowing the answer even if your problem is solved elsewhere.

IceRaven

Expert Comment

by:Luc Franken
ID: 10831783
andydis, why did you include C:\WINDOWS\System32\brsvc01a.exe on your list above? It's part of a brother printer driver.

Expert Comment

by:andydis
ID: 10831805
C:\WINDOWS\System32\brsvc01a.exe

Because I hate all the little icons at the bottom right-hand corner of the PC (next to the clock). THEY SHOULD ALL be banned; all they do is eat your RAM. What's your problem? You will still be able to print, just free up some RAM.
All these people that have loads of tray icons and never use them, and then they say "why is my PC running slow".

l4m3

Expert Comment

by:andydis
ID: 10831813
The best way to keep a PC clean and never end up re-installing it every year is to TAKE EVERYTHING OFF STARTUP.

Expert Comment

by:andydis
ID: 10831821

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/

Get rid of these too.
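The registry values listed in the comment above can be reset in one go with a .reg file instead of editing each one by hand. The following is an added example for this thread, not code from HijackThis or from any poster: it takes R0/R1 lines in HijackThis format, keeps only those whose data points at the hijack domain, and writes them out as Regedit 5.00 text. Values you supply a replacement for get that data; every other hijacked value is deleted ("name"=-) so IE falls back to its built-in default. Assumptions: the domain to match (nkvd.us), the replacement home page (the ISP page that the log's HKLM Default_Page_URL and IERESET.INF already point at), and that the HKEY_LOCAL_MACHINE section is merged with administrator rights. Export the affected keys from Regedit as a backup first, and deal with whatever keeps rewriting the values (the [redirect] Run entry in the log) before merging, or they will simply reappear, as the poster describes.

```python
"""Turn hijacked HijackThis R0/R1 lines into a .reg file that resets them.

Added example for this thread, not code from HijackThis or from any poster.
Assumed: the domain to match (nkvd.us) and the replacement home page; merge
the HKLM part as an administrator and back the keys up first.
"""
import re

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# A few of the R lines from the list above (format: "HIVE\key,value = data").
HIJACKED_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
"""

R_LINE_RE = re.compile(
    r"^R[01] - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")


def parse_r_lines(text):
    """Return (hive, subkey, value name, data) for every R0/R1 line."""
    out = []
    for line in text.splitlines():
        m = R_LINE_RE.match(line.strip())
        if m:
            out.append((m["hive"], m["key"], m["value"], m["data"]))
    return out


def points_at(data, domains):
    """True when the value's data is a URL on one of the given domains."""
    m = re.search(r"https?://([^/\s]+)", data, re.I)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def reg_quote(s):
    # .reg string syntax: backslashes and double quotes are escaped.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_reset(entries, bad_domains, replacements=None):
    """Build Regedit 5.00 text. Values named in `replacements` get that data;
    any other hijacked value is deleted ("name"=-) so IE falls back to its
    built-in default. Entries not pointing at a bad domain are left alone."""
    replacements = replacements or {}
    by_key = {}
    for hive, key, value, data in entries:
        if hive in HIVES and points_at(data, bad_domains):
            by_key.setdefault(HIVES[hive] + "\\" + key, []).append(value)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for full_key, values in by_key.items():
        lines.append(f"[{full_key}]")
        for value in values:
            if value in replacements:
                lines.append(f'"{reg_quote(value)}"="{reg_quote(replacements[value])}"')
            else:
                lines.append(f'"{reg_quote(value)}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_reg_reset(parse_r_lines(HIJACKED_LINES), {"nkvd.us"},
                          {"Start Page": "http://www.netcom.co.uk/"}))
```

The list in the comment above also carries the HKLM Default_Page_URL line, which points at netcom.co.uk rather than nkvd.us; the domain filter leaves that one untouched, which is the behaviour you want when pasting a whole list in without reading every line.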

Author Comment

by:11Edward23
ID: 10831836
Thanks for all these suggestions. I've exhausted Spybot and CWShredder previously and the problem is still there. andydis: Is that list exactly what I need to delete? It seemed as though there were more strings with nkvd.us listed in them?

Expert Comment

by:Luc Franken
ID: 10831847
>>becuz i hate all the little icons at the bottom right hand corner of the PC (next to the clock) THEY SHOULD ALL be banned
all they do is eat your RAM, whats your problem?<<

Is it your choice what people want to have running on their computer? Let them decide for themselves.
No need for personal insults here.

Author Comment

by:11Edward23
ID: 10831849
Sorry just got your last comment!  I'll let you know.

Expert Comment

by:andydis
ID: 10831850
Yeah, delete everything to do with nkvd.us (see above).
If that really doesn't sort it (it should), try getting the Google Toolbar and install that to see if that will overwrite your default search engine.

Expert Comment

by:andydis
ID: 10831870
"No need for personal insults here"
Who is dishing out the insults, chap? What insults?
Fine, my personal preference is to remove all taskbar icons, but if you call yourself an IT admin and let them keep them, then surely you are only making yourself more problems?

Author Comment

by:11Edward23
ID: 10831947
Thanks to everyone who helped out. The problem is now fixed as a result of deleting what andydis suggested after running a HijackThis log. What a pain in the a**! It's taken me about 5 hours to work through all the various possibilities (I'm not an IT expert, you will gather). Honestly, who comes up with this stuff??! What's the point!

Anyway, problem solved - how do I award points?

Accepted Solution

by:andydis (earned 500 total points)
ID: 10831958
Don't worry, everyone is having this problem with IE; all the spyware and stuff, people just want you to either visit their webpage or promote their brand name/site.


To award points you should have an "accept answer" button next to a comment; that will award points.
Glad it's working now.

andy.

Expert Comment

by:carlo1021
ID: 12310275
I always get the nkvd.us as a web page. I cannot get rid of it. Can you help me?