-
March 6th, 2004, 03:49 PM
#1
Junior Member
IE redirected wgen every new web address entered
hi, first let me say how geat i think this site and the knowledgable people here are! i know you can help me, please do.
ok when i enter a new address into my IE address box i am redirected to a search engine:
http://www.smart-finder.biz/www.nomore.com
afterwards the history drop down box shows this:
www.nkvd.us/www.no more.com
my homepage is also redirected:
http://www.nkvd.us/s.htm.
clearly it is a trojan attack. i foolishly did some file sharing before i had my norton antivirus updated and installed a firewall. i have run adaware, got nothing. my norton shows a lot of activity, unfortunately i cant cut and paste it to show you but i think the trojan is called ByteVerify. as it shows several deletions for this one, probably it is being saved somewhere and getting back on to the system. of course i'm no expert, thats why i need you guys to put me right.
i ran cw shredder and this is my log file:
Logfile of HijackThis v1.97.5
Scan saved at 3:35:30 PM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\eanthology.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\gray crampton\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://blueadit.bluewin.ch/adsl/router/index_e.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
O1 - Hosts: 207.68.185.58 auto.search.msn.com
O1 - Hosts: 207.68.185.58 auto.search.msn.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\eanthology.exe /b Startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1078108027151
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
ANY HELP OR ADVICE ANYONE CAN GIVE ME WOULD BE REATLY APPRECIATED
-
March 6th, 2004, 03:51 PM
#2
Junior Member
SORRY, IT WAS OF COURSE HIJACK THIS NOT CW SHREDDER, THOUGH I RAN THAT TOO.
-
March 6th, 2004, 04:00 PM
#3
i see a few things of obvious concern
That could be part or all of the problem. Also, a google turned up some interesting results about BackWeb-8876480.exe
Description: Comes with the software for Logitech products. Automatically checks for software upgrades and new products, services, and special offerings from Logitech.
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
i think it would be adware. special offering from logitech? meh....i wouldnt delete it, or your mouse may not work
slick
\"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller
-
March 6th, 2004, 04:15 PM
#4
crom,
This is a browser hijack and it is also written into your registry. Use www.google.com and type in nkvd.us and then click on google search, and you will find tons of info on how to remove it.
edit: here's some help, other folks have had the same problem, read the links below.
http://forums.net-integration.net/in...showtopic=9811
http://www.nerdhelp.com/forums/index...ST&f=26&t=1213
cheers
-
March 6th, 2004, 05:44 PM
#5
Junior Member
hi thanks for the advice, i have removed the lines listed and did a google search for the info it gave me lots, im quite confused, i found this, i dont understand how to do it, can anyone explain_
Additional line in StartupList log:
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
This variant was surprisingly smart: it used two startup methods (ShellServiceObjectDelayLoad and SharedTaskScheduler) that have to be the absolutely rarely used ones seen ever - and it used them differently on Windows 9x/ME and Windows NT/2k/XP. On top of that, both methods ensure that the file is loaded when Explorer is loaded, making it always in memory like CWS.Msconfd. Additionally, the actual responsible files are invisible in HijackThis, and only one shows in a StartupList logfile (ShellServiceObjectDelayLoad). The responsible file is mtwirl32.dll, and to delete it manually you need to rename it (deleting is impossible since it is in use), restart the system, and then delete the file and its Registry key.
here is my new log file log file anything else i need to remove?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\eanthology.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Documents and Settings\gray crampton\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://blueadit.bluewin.ch/adsl/router/index_e.html
O1 - Hosts: 207.68.185.58 auto.search.msn.com
O1 - Hosts: 207.68.185.58 auto.search.msn.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\eanthology.exe /b Startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1078108027151
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
to be honest im none to confident about this stuff and if anyone could give me a walkthrough id be grateful
-
March 6th, 2004, 06:19 PM
#6
crom,
That particular step may not apply to you. Did you check your computer to see if that file existed and have you tried IE to see if it works properly now?
-
March 6th, 2004, 07:03 PM
#7
Junior Member
see, thats why i need you! IE seems to work ok now, but the advice i got from the google search says it often comes back on restart, cant do one for the moment, i searched for the file and it didnt exist. once again thanks for the help, ill post again if the prob comes back
-
March 6th, 2004, 07:25 PM
#8
Here are a few things I noticed... although you say the problem seems resolved for now....if not try the following
1)You need to put HijackThis into its own folder, otherwise you'll end up littering your desktop with backup files. To do so:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
2) fix the following: they are not needed and/or harmful:
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe -not needed running @ startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe - not needed running @ startup
O4 - Global Startup: BTTray.lnk = ? only a link (.lnk) seems broken - fix it
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE- fix - unnecessary & slows pc down
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_stp.cab - This one is harmful!!
3) Do you know what these are? They’re not showing up on any of my sources:
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp ??????
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\eanthology.exe /b Startup edit - this is adware! remove it. see http://www.pestpatrol.com/PestInfo/e/eanthology.asp for more info
edit2: I can't spell today lol
-
March 7th, 2004, 10:46 AM
#9
Junior Member
hey thanks great advice, anyone see any other probs or unnecessary stuff please let me know.i didn't get rid of
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp ??????
best hang on till i know what it does.
-
March 16th, 2004, 06:17 AM
#10
Junior Member
Originally posted here by slick8790
i see a few things of obvious concern
That could be part or all of the problem. Also, a google turned up some interesting results about BackWeb-8876480.exe
i think it would be adware. special offering from logitech? meh....i wouldnt delete it, or your mouse may not work
slick
I believe BackWeb-8876480.exe is a Kodak process.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|