Jump to content


Photo

Being hijacked by nkvd.us


  • Please log in to reply
1 reply to this topic

#1 igillman

igillman

    Member

  • New Member
  • Pip
  • 2 posts

Posted 08 July 2004 - 09:11 PM

The following is the log from HijackThis. I also have Spybot S&D v1.3 installed. This hijacker keeps coming back after I run HijackThis and Spybot.

I hope someone can help me!

Thanks in advance . . .


Logfile of HijackThis v1.97.7
Scan saved at 10:09:18 PM, on 08/07/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\ZipGenius\zipgenius.exe
C:\ZGtemp\2985082\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

#2 igillman

igillman

    Member

  • New Member
  • Pip
  • 2 posts

Posted 10 July 2004 - 04:46 PM

After searching this board for any post mentionning "nkvd" or "searchpage.cc", I dowloaded TrojanHunter and CWShredder. After running TH once and CWS twice, I seem to finally have gotten rid of my hijacking problem, at least for now. I'll let you guys know if it comes back.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button