
nkvd.us/1507/ (again!!!)

Discussion in 'Web & Email' started by bglendy, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. bglendy

    bglendy Thread Starter

    Joined:
    Apr 26, 2004
    Messages:
    3
    Hi everyone,

    I know it's been mentioned here before, but I have a problem with nkvd.us/1507/; I can't get rid of it. Any help would be gratefully received!
    (By the way, I am a beginner at all this.)

    Here is my logfile,

    Logfile of HijackThis v1.97.7
    Scan saved at 20:33:39, on 26/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\AOL 8.0a\waol.exe
    C:\Program Files\AOL 8.0a\shellmon.exe
    C:\DOCUME~1\Glen\LOCALS~1\Temp\CWShredder.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Glen\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1507/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
    O2 - BHO: clitor - {1E1B2879-88FF-11D2-8D96-123457123457} - c:\windows\explorer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSAdBot.exe"
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Glen"
    O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Glen"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/1507/
    O13 - WWW Prefix: http://www.nkvd.us/1507/
    O13 - Home Prefix: http://www.nkvd.us/1507/
    O13 - Mosaic Prefix: http://www.nkvd.us/1507/
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://download.online-dialer.com/MaConnect.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\Q330994.exe
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.70/058569uk.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.phonesys.net/EPlugin.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.movies4free.net/AdultMovies.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41C425B6-2F27-488E-8F86-11DDE26D7181}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3359CE0-8F0A-4403-83BB-C818AE3B95F5}: NameServer = 195.93.33.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{41C425B6-2F27-488E-8F86-11DDE26D7181}: NameServer = 152.163.0.26 205.188.64.153
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  3. bglendy

    bglendy Thread Starter

    Joined:
    Apr 26, 2004
    Messages:
    3
    The problem I have now is that when I tried to restart in safe mode the computer goes through setup OK, but instead of getting to the desktop it just goes to a black screen and nothing happens. I've tried restarting in every mode available but get the same result.

    Please help!
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    First thing to do is move hijackthis.exe into a folder, don't run it from your temp folder. Make a folder on your hard drive, like c:\hjt.

    Clear your temp folder(s) and temporary internet files.

    Search for these two files in windows\system32
    mtwirl.dll
    mtwirl32.dll

    If you find them delete them.

    Run HJT again and check:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1507/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1507/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1507/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1507/
    O2 - BHO: clitor - {1E1B2879-88FF-11D2-8D96-123457123457} - c:\windows\explorer.dll
    O13 - DefaultPrefix: http://www.nkvd.us/1507/
    O13 - WWW Prefix: http://www.nkvd.us/1507/
    O13 - Home Prefix: http://www.nkvd.us/1507/
    O13 - Mosaic Prefix: http://www.nkvd.us/1507/
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://download.online-dialer.com/MaConnect.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\Q330994.exe
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.70/058569uk.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.phonesys.net/EPlugin.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.movies4free.net/AdultMovies.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41C425B6-2F27-488E-8F86-11DDE26D7181}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3359CE0-8F0A-4403-83BB-C818AE3B95F5}: NameServer = 195.93.33.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{41C425B6-2F27-488E-8F86-11DDE26D7181}: NameServer = 152.163.0.26 205.188.64.153


    Close all applications and browser windows before you click "fix checked".



    Restart in safe mode.


    Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".
    Click "Apply" then "OK"

    Now find these files and folders and delete them.

    c:\windows\explorer.dll --> file
    C:\Program Files\Internet Explorer\Q330994.exe --> file


    Reboot and see if you can get to safe mode to run CWShredder.

    You need to upgrade both W2K and IE. Start with Win2k SP4 here:
    http://www.microsoft.com/windows2000/do...efault.asp

    Go back to Windows Update and upgrade to Internet Explorer 6 Sp1

    Get all the other security patches at Windows Update.

    Post another HJT log.
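
The fix list above can be cross-checked mechanically. The following is an added example, not part of the original post and not a HijackThis feature: it parses HijackThis entry lines and flags those that reference the reported hijack host, plus O16 download entries whose codebase is a local file or a bare IP address. The function names, the reason labels and the two O16 heuristics are assumptions of this example.

```python
import re

# Constructed sample: seven entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1507/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.70/058569uk.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")     # "R0 - ...", "O16 - ..."
URL = re.compile(r"(https?|file)://([^/\s]*)", re.I)  # scheme and host part
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(log):
    """Yield (section, body) for each entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log, hijack_host):
    """Return (section, reason, body) for entries worth a closer look."""
    hijack_host = hijack_host.lower()
    findings = []
    for section, body in parse(log):
        m = URL.search(body)
        if not m:
            continue  # entries without a URL (e.g. O4 run keys) are out of scope here
        scheme, host = m.group(1).lower(), m.group(2).lower()
        if host == hijack_host or host.endswith("." + hijack_host):
            findings.append((section, "hijack-host", body))
        elif section == "O16" and scheme == "file":
            # Heuristic (assumption): control "downloaded" from the local disk
            findings.append((section, "local-file-codebase", body))
        elif section == "O16" and IPV4.match(host):
            # Heuristic (assumption): codebase served from a bare IP address
            findings.append((section, "bare-ip-codebase", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG, "nkvd.us"):
        print(f"{section:4} {reason:20} {body}")
```

This is a triage aid only: the O2, O17 and remaining O16 entries in the list above are not covered by these rules and still need a reviewer's judgment.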
     
  5. bglendy

    bglendy Thread Starter

    Joined:
    Apr 26, 2004
    Messages:
    3
    The problem is sorted now - with a disk format!

    Thanks for your help.
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    That's a bit of overkill, especially after Cybertech diagnosing and providing the proper instructions, but nevertheless you're up and running anyway.
     
Short URL to this thread: https://techguy.org/224097