Solved

nkvd.us redirecting anything I put into AOL or IE's URL

Posted on 2004-04-15
15
12,891 Views
Last Modified: 2010-04-11
Every time I go into IE I'm redirected to a search page.  Its something to do with nkvd.us as it constantly reappears in my internet settings as my default home page.  It also keeps coming up with a dodgy site which seems to  keep reappearing in my favourites (I never visited the site and can't delete it).  I also get redirected ("http://searchpage.cc/www.whateverI've typed.co.uk") if I attempt to type directly into my AOL URL bar, without even opening IE.

I've done everything with all the programs you'd expect (virus, spyware, adware).  can someone advise me on the following system info I got from hyjack this- i.e. what should I delete - I'm worried about messing up my system.  Help!

Logfile of HijackThis v1.97.7
Scan saved at 10:42:21, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AOL 8.0b\aoltray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\AOL 8.0b\waol.exe
C:\Program Files\AOL 8.0b\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Edward Newton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\redirect2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0b\aoltray.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O14 - IERESET.INF: START_PAGE_URL=http://www.netcom.co.uk/
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com 
O15 - Trusted Zone: http://*.windowsupdate.com 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37722.2221180556
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC51848-9FEC-4DD4-ACE7-CFF76408DE97}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{B70947D5-24B6-40FD-BD4E-3D076ED28112}: NameServer = 195.93.32.134

0
Comment
Question by:11Edward23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 3
  • +2
15 Comments
 
LVL 4

Expert Comment

by:andydis
ID: 10831685
C:\WINDOWS\System32\brsvc01a.exe
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\redirect2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/

Seem the above are all suspect, do the usual, remove, update AV softwware, get ad-aware etc etc, make sure IE is fully patched. Just to let you know everyone is having these problems with IE at the minute
0
 
LVL 32

Expert Comment

by:LucF
ID: 10831756
Hi 11Edward23,

This is a version of the coolweb bug. Use this tool, afterwards, post another logfile:
http://209.133.47.200/~merijn/files/CWShredder.exe

Greetings,

LucF
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10831779
Hi 11Edward23,

Did you try using Spy Bot from

www.safer-networking.org

I would be interested in knowing the answer even if your problem is solved elsewhere.

IceRaven
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 32

Expert Comment

by:LucF
ID: 10831783
andydis, why did you include C:\WINDOWS\System32\brsvc01a.exe on your list above? It's part of a brother printer driver.
0
 
LVL 4

Expert Comment

by:andydis
ID: 10831805
C:\WINDOWS\System32\brsvc01a.exe

becuz i hate all the little icons at the bottom right hand corner of the PC (next to the clock) THEY SHOULD ALL be banned
all they do is eat your RAM, whats your problem?> you will stillbe able to print, just free up some RAM.
all these people that have loadsa tray icons and never use them and then they say "why is my pc running slow"
#

l4m3
0
 
LVL 4

Expert Comment

by:andydis
ID: 10831813
the best way to keep a pc clean and never end up re-installing it every year is to TAKE EVERYTHING OFF STARTUP
0
 
LVL 4

Expert Comment

by:andydis
ID: 10831821

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcom.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/

get rid of these too
0
 

Author Comment

by:11Edward23
ID: 10831836
Thanks for all these suggestions.  I've exhausted all Spy Bot, CWShredder previously and problem is still there.  andydis: Is that list exactly what I need to delete?  It seemed as though there were more strings with nkvd.us listed in them?
0
 
LVL 32

Expert Comment

by:LucF
ID: 10831847
>>becuz i hate all the little icons at the bottom right hand corner of the PC (next to the clock) THEY SHOULD ALL be banned
all they do is eat your RAM, whats your problem?<<

Is it your choice what people want to have running on their computer? Let them decide for them selves.
No need for personal insults here.
0
 

Author Comment

by:11Edward23
ID: 10831849
Sorry just got your last comment!  I'll let you know.
0
 
LVL 4

Expert Comment

by:andydis
ID: 10831850
yea delete verything todo with nkvd.us (see above)
if that really doesnt sort it, (it should) really, try getting google toolbar and install that to see if that will overwrite your defaulkt search engine
0
 
LVL 4

Expert Comment

by:andydis
ID: 10831870
"No need for personal insults here"
who is dishing out the insults chap???¿ what insults?  
fine my personal prferance is to remove all taskbar icons, but if you call yourself an It admin and let them keep them, then sureley are you only making yourself more problems?
0
 

Author Comment

by:11Edward23
ID: 10831947
Thanks to everyone who helped out.  The problem is now fixed as a result of deleting what andydis suggested after running a hyjackthis log.  What a pain in the a**! It's taken me about 5 hours to work through all the various possibilities (I'm not an IT expert you will gather).  Honestly, who comes up with this stuff??! What's the point!

Anyway, problem solved - how do I award points?
0
 
LVL 4

Accepted Solution

by:
andydis earned 500 total points
ID: 10831958
Dont worry everyone is having this problem with I.E. , all the spyware and stuff people just want you to ethier visit their webpage or promote their brand name/site.


to award points you should have "accept answer" button next to a comment, that will award points.
glad its working now.

andy.
0
 

Expert Comment

by:carlo1021
ID: 12310275
I always get the nkvd.us as a web page. cano not get rid of it. can you help me?
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question