Homepage Hijacker http://%6E%6B%76%64%2E%75%73/


3 replies to this topic

#1 Oatland
Member (New Member, 3 posts)

Posted 08 June 2004 - 10:15 AM

Hi, I am new to this forum, have tried to look for threads that would possibly shed some light, but can't find any. My I.E. Homepage in Win2K shows

http://%6E%6B%76%64%2E%75%73/ and no matter what you change it to it will revert to http://%6E%6B%76%64%2E%75%73/. Extremely persistent.

Have read the FAQ and applied it, have run the latest version/update of HijackThis & Ad-aware, both of which have detected but failed to remove it, have searched the registry for http://%6E%6B%76%64%2E%75%73/ and manually deleted the values, but still to no avail. What is more unbelievable is that by the time the registry search is complete the string appears back in exactly the same places that I deleted it from. How is this possible?? The string in the home page takes me to a site called http://searchpage.cc/ which displays a page with a search feature along with a lot of links to other places, and if that wasn't enough a pop-up ad in a separate window appears showing the following:

"Your computer is infected with Spyware and Adware
The results of SpyWare and AdWare vary, but can include:
hijacked browsers
reset home pages
changed search results
spam emails sent to you
pop up ads displayed
slow browsers
toolbars added to your browser
and many more....
FIND OUT HOW TO REMOVE SPYWARE AND ADWARE"

So far I have spent 5 solid days looking for ways to remove it and I am getting awfully close to reformatting the HD. I am running up-to-date Norton AntiVirus and Internet Security and that did not stop this replicator, but I did manage to find a DLL file, thanks to HijackThis, in my system folder called "dcbm.dll" which certainly had references inside it to names and links to the "searchpage.cc" home page site, and despite the fact that the DLL file is now isolated the culprit replicates itself if you delete or attempt to change the home page back to http://%6E%6B%76%64%2E%75%73/

Eager to listen to any suggestions. Thanks. Please let me know if you need the logs.

#2 expertec
Forum Deity (Retired Staff, 690 posts)

Posted 08 June 2004 - 10:41 AM

Post a Hijackthis log please.

#3 Oatland
Member (New Member, 3 posts)

Posted 08 June 2004 - 06:20 PM

Sorry it took so long, here are the logs. If you need Ad-aware or CWShredder please let me know. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 7:37:56 PM, on 07-Jun-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [System Terminal] SYSTEM2.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8030.0946759259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF3BC2A3-8B3F-4DF9-BC25-BBFD36C629A7}: NameServer = 203.194.27.57 203.194.56.150
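In the log above HijackThis has already decoded the R0/R1 entries for display ("http://nkvd.us (obfuscated)"), while the O13 prefix entries still show the raw percent-encoded value. The encoded form is what actually sits in the registry, which is why a registry search for the plain hostname finds nothing while a search for the %6E%6B... string does. The Python script below is an added example, not part of this thread or of HijackThis: it parses a few HijackThis-style lines (constructed to match the values in the posted log, plus one clean Start Page entry for contrast), percent-decodes each URL, extracts the host, and flags entries that are obfuscated or point at a known-bad host. The known-bad host list is an assumption for illustration, and encoded_form() produces the spelling to search the registry for.

```python
"""Decode the obfuscated URLs in HijackThis R0/R1/O13 entries.

Added example, not part of the original thread or of HijackThis. The
sample lines are constructed to match the values in the posted log (plus
one clean Start Page entry for contrast); the known-bad host list is an
assumption for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample. The registry holds the raw percent-encoded form,
# which is what the O13 lines in the posted log show verbatim.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://%6E%6B%76%64%2E%75%73/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://%6E%6B%76%64%2E%75%73/",
    r"O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/",
    r"O13 - DefaultPrefix: http://",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Assumption: the two hosts named in the thread, used as a tiny blocklist.
BAD_HOSTS = {"nkvd.us", "searchpage.cc"}

# Matches "R0 - <key>,<value> = <url>" and "O13 - <name>: <url>".
LINE_RE = re.compile(r"^(?P<code>R[01]|O13) - (?P<where>.*?)(?: = |: )(?P<value>.+?)\s*$")


def decode_url(raw):
    """Percent-decode until the string stops changing (catches double encoding)."""
    current = raw
    for _ in range(4):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def encoded_form(text):
    """Fully percent-encoded spelling of text: what to search the registry
    for when a search for the plain hostname comes up empty."""
    return "".join(f"%{ord(ch):02X}" for ch in text)


def analyse(log_text):
    """Parse HijackThis-style lines and flag obfuscated or known-bad targets."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["value"]
        decoded = decode_url(raw)
        host = urlsplit(decoded).hostname or ""
        flags = []
        if decoded != raw:
            flags.append("obfuscated")
        if host in BAD_HOSTS:
            flags.append("known-bad-host")
        findings.append({"code": m["code"], "where": m["where"], "raw": raw,
                         "decoded": decoded, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        status = ", ".join(f["flags"]) or "ok"
        print(f"{f['code']:4} {f['where']:55} {f['decoded']:28} [{status}]")
    print("search the registry for:", encoded_form("nkvd.us"))
```

Running it prints each entry with its decoded target and flags, then the string "%6E%6B%76%64%2E%75%73", which is the form a manual registry search (or a script reading the raw values) has to look for; decode_url loops so a value encoded twice (%25 for the percent sign) still resolves to the real host.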

#4 Oatland
Member (New Member, 3 posts)

Posted 09 June 2004 - 12:29 AM

I have no idea why the problem was fixed but for the benefit of the readers this is basically what I did in chronological order.

Ran HijackThis which showed the same as what I posted in the log the suspicious entries being:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)


and

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/


I was more interested in the last 4 as these were the ones I would always find each time I searched the registry manually and deleted them; they would return again in exactly the same place,

HKEY_CU\Software\Microsoft\Internet Explorer &
HKEY_LM\Software\Microsoft\Internet Explorer

and particularly since I found nothing with nkvd.us in the registry or on the drive as files.

HijackThis had previously found a dcbm.dll in my system folder which I had isolated, but I think that was just a listing for the hijacker sites.

I ran Ad-aware as I had done previously and it also picked up 4 entries in the registry:

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
Value :
Data :


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
Value : home
Data :


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
Value : mosaic
Data :


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
Value : www
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 4


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4


In addition to that to my surprise it also found:

Tracking Cookie Object recognized!
Type : File
Data : administrator@cgi-bin[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 08-Jun-04 7:46:07 AM
Last accessed : 08-Jun-04 2:00:00 PM
Last modified : 08-Jun-04 7:46:08 AM



Tracking Cookie Object recognized!
Type : File
Data : administrator@revenue[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 08-Jun-04 11:45:12 AM
Last accessed : 08-Jun-04 2:00:00 PM
Last modified : 08-Jun-04 11:45:14 AM



Tracking Cookie Object recognized!
Type : File
Data : administrator@overture[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 08-Jun-04 11:46:34 AM
Last accessed : 08-Jun-04 2:00:00 PM
Last modified : 08-Jun-04 11:46:36 AM


Now how is this possible when I had deleted all cookies several times before as well as clearing the cache and history the day before?

Anyway, I exited Ad-aware without deleting anything, cleared all the cookies manually and ran Ad-aware again; it showed just the same 4 registry entries with no cookies, and I deleted them in Ad-aware. Ran HijackThis and lo and behold the replicator was gone, this time for good.
Now none of this makes any sense, since I had run Ad-aware before and deleted all 7 items yet they were there again. Could it be that I downloaded a number of security patches last night for Win 2K? But I wouldn't have thought that downloading patches after the event, i.e. after being infected with malware, would make any difference to what has already been infected.

The only surfing that I did from last night to today was to this forum and half a dozen other sites, which generated some 11 cookies, of which 3 were ones picked up by Ad-aware, and yet there were no cookies from before since I cleared the cache/cookies/history. So I suspect that those 3 cookies had nothing to do with that malware.

Any thoughts would be welcome, particularly with regard to the name of this parasite and who the owner might be ?

PS: I think I will buy an identical drive to the one that's running and Norton Ghost it once I am sure there are absolutely no other problems, and simply surf until you get virused/malwared/trojaned, then restore from the mirrored drive. I honestly can't think of what other precaution one should take, since we now have virus protection, Internet security, security patches and now malware security, which no doubt will add to the overhead.
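The four objects Ad-aware flagged sit under HKLM\Software\Microsoft\Windows\CurrentVersion\URL, the key Internet Explorer reads to complete an address typed without a scheme: the (Default) value of the DefaultPrefix subkey, and the named values (ftp, gopher, home, mosaic, www) of the Prefixes subkey. These are exactly the O13 entries HijackThis listed. With those values set to http://%6E%6B%76%64%2E%75%73/, every scheme-less address typed into the bar becomes a request to nkvd.us, which is why the hijack survives resetting the Start Page alone. The Python below is an added example, not from this thread or from any of the tools named in it: it models that expansion (a simplified model; the prefix-matching rule is an assumption, not IE's own code), lists which values differ from the stock defaults, and emits a .reg file that writes the stock values back. The stock values are the documented defaults of that key.

```python
"""Model Internet Explorer's URL prefix keys and restore their stock values.

Added example, not part of the original thread or of any tool named in it.
Stock values are the documented defaults under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\URL; the address
expansion below is a simplified model (assumption), not IE's own code.
"""
from urllib.parse import unquote

URL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"

# Stock settings: (Default) of the DefaultPrefix subkey, and the named
# values of the Prefixes subkey.
STOCK_DEFAULT_PREFIX = "http://"
STOCK_PREFIXES = {
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://",
}

# Constructed to match what Ad-aware flagged above: DefaultPrefix and the
# home/mosaic/www prefixes replaced with the hijacker's encoded URL.
HIJACKED_DEFAULT_PREFIX = "http://%6E%6B%76%64%2E%75%73/"
HIJACKED_PREFIXES = dict(
    STOCK_PREFIXES,
    home=HIJACKED_DEFAULT_PREFIX,
    mosaic=HIJACKED_DEFAULT_PREFIX,
    www=HIJACKED_DEFAULT_PREFIX,
)


def expand_typed_address(typed, default_prefix, prefixes):
    """Simplified model of how IE completes an address-bar entry (assumption):
    an address that already has a scheme is used as is; otherwise the first
    dotted label ("www", "ftp", ...) selects a Prefixes value, and anything
    else gets DefaultPrefix."""
    if "://" in typed:
        return typed
    first_label = typed.split(".", 1)[0].lower()
    return prefixes.get(first_label, default_prefix) + typed


def deviations(default_prefix, prefixes):
    """Map each prefix value that differs from stock to (current, stock, decoded current)."""
    found = {}
    if default_prefix != STOCK_DEFAULT_PREFIX:
        found["DefaultPrefix"] = (default_prefix, STOCK_DEFAULT_PREFIX, unquote(default_prefix))
    for name, stock in STOCK_PREFIXES.items():
        current = prefixes.get(name)
        if current != stock:
            found[name] = (current, stock, unquote(current or ""))
    return found


def restore_reg_file():
    """Text of a regedit 5.00 .reg file (Windows 2000 and later) that writes
    the stock DefaultPrefix and Prefixes values back."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{URL_KEY}\\DefaultPrefix]",
        f'@="{STOCK_DEFAULT_PREFIX}"',
        "",
        f"[{URL_KEY}\\Prefixes]",
    ]
    lines += [f'"{name}"="{value}"' for name, value in sorted(STOCK_PREFIXES.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for typed in ("example.com", "www.example.com", "ftp.example.com", "https://example.com/"):
        clean = expand_typed_address(typed, STOCK_DEFAULT_PREFIX, STOCK_PREFIXES)
        hijacked = expand_typed_address(typed, HIJACKED_DEFAULT_PREFIX, HIJACKED_PREFIXES)
        print(f"{typed:22} clean -> {clean:26} hijacked -> {unquote(hijacked)}")
    for name, (current, stock, decoded) in deviations(HIJACKED_DEFAULT_PREFIX, HIJACKED_PREFIXES).items():
        print(f"{name}: {current!r} (decodes to {decoded!r}), stock is {stock!r}")
    print(restore_reg_file())
```

With the hijacked values, typing www.example.com expands to http://nkvd.us/www.example.com, so the hijacker's site is reached no matter what is typed; importing the emitted .reg file (or deleting the four objects in Ad-aware, as the post describes) puts the key back to its stock state. Because the values live under HKLM, restoring them needs an administrative account, and anything that rewrites them (the DLL mentioned earlier in the thread, for instance) has to be stopped first or they will come back.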



