Tom's Guide | Tom's Hardware | Tom's Games
My browser got hijacked recently - The browser which appeared was called "Smart-Finder", and was enabled by a series of files in my registry called "nkvd.us/s". No searches on the net revealed any info on either.
HijackThis helped me take out the nkvd files, while I cleaned up with Spybot. My (earlier) version of CWShredder showed nothing left after that, yet the next day, back it came - same procedure - next day, same problem.
I found bootconf.exe in HKEY USERS/DEFAULT/Software/Microsoft/Explorer/Explorer Bars/Files named MRU, and took it out.
For good measure I re-downloaded CWShredder and ran it - it found 3 CWS DirectX infected files.
I am now hoping I am clear of this scumware, but wondered if anyone else had come across this one.

no but i came across this one called web search or something, and what it did was changed all my search keys in reg to that search page, and totally fu...everything up, so I got the address and tracked the ip, and the dude turned out to be a russian, non diplomatic, means diplomatic immunity, which means reformat and move on...lol

Can someone send me an Anti-Virus program that swipes stupid viruses. I really need to take out that nkvd or search for GOOD! If you can send me that program then THANK YOU!!!!!! :D please i need help

I'm so glad I came across your post. I have the same bloody problem with the nkvd.us take-over, except that I don't have any MRU files in HKEY USERS/DEFAULT/Software/Microsoft/Explorer/Explorer Bars/. How else, then, can I get rid of this malicious trojan? Please help!

I think I have this too. Can anyone confirm if the virus seems to be restarted after cleaning when they open AOL Instant Messenger?

I'm so glad I found this post.....I have the same nkvd take over problem, and can't seem to fix it....but I can assure you AOL instant messenger isn't part of the problem, because I never use it, and my problem still exists!....someone help!

i had problems with the nkvd.us thing too, and I've been searching in my reg and found parts of it here that HT, CWS or AV never found. I just deleted them so hopefully in a few hours it won't come back:
hkey current user/software/microsoft/internetexplorer/explorerbars/C4ee...../filesnamedMRU
same as above: "ContaingtaxtMRU"
and not sure if this affects it or if its from an older trojan
hkey_users/software/microsoft/windows/currentversion/telephone/handoffproperties had dialer.exe in there and deleted it.
hope this helps guys.
gary

oh yeah, sorry John, I didn't see you posted that already.
and I found a myway folder too.
under hkey_user/software/myway
looks like a search redirect so i got rid of that too
and also check out
hkey_current_user/software/microsoft/internetexplorer/search and search properties
i found 2 more redirects in there and erased the default name instead of deleting it
hope this helps too guys. g*

I have the same problem and cannot get rid of nkvd.us.
I have updated Spybot S&D, HijackThis, and CWShredder to the latest versions and includes.
HijackThis catches it and I have deleted EVERYTHING it catches, shredded the backups, ran Spybot S&D, and ran CWShredder, as well as uninstalled myway websearch and cleaned up all of the registries, all with no luck. It still comes back in about 6-8 hours.
I have run Norton, McAfee, Avast, and a few other AV programs, all updated, and all with no luck.
I have also deleted (shredded) any files that were created after I received this hijack, including mserv.exe which was coming back as a possible trojan during one of my many virus scans, and anything I didn't recognise as being a needed file.
I have also uninstalled any programs that are not necessary for the basic OS to function (ie, Office 2000, print drivers, etc), and completely cleaned out the system reg.
I have a reg edit program which catches any new registry entries and labels them as new when they are added after the last date I checked them, and it did not catch any new registry entries around the time this started happening.
I am out of ideas and reformatting my HDD is not an option. They really got us on this one, them B@#tards...

This info was obtained from http://www.merijn.org/cwschronicles.htm (cwshredder)
Regarding nkvd.us:
Approx date first sighted: January 11, 2004
Log reference: http://forums.spywareinfo.com/index.php?showtopic=27673&hl=nkvd\.us
Symptoms: IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz when typing incomplete URLs into address bar.
Cleverness: 10/10
Manual removal difficulty: Involves some registry editing, and renaming the trojan file, restarting, and deleting it
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
Additional line in StartupList log:
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
This variant was surprisingly smart: it used two startup methods (ShellServiceObjectDelayLoad and SharedTaskScheduler) that have to be absolutely the most rarely used ones ever seen - and it used them differently on Windows 9x/ME and Windows NT/2k/XP. On top of that, both methods ensure that the file is loaded when Explorer is loaded, making it always in memory like CWS.Msconfd. Additionally, the actual responsible files are invisible in HijackThis, and only one shows in a StartupList logfile (ShellServiceObjectDelayLoad). The responsible file is mtwirl32.dll, and to delete it manually you need to rename it (deleting is impossible since it is in use), restart the system, and then delete the file and its Registry key.
Thanks to cwshredder for the info,
hope this helps
Neo
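
Added example, not from the thread or from the cwschronicles page: a small Python triage script for HijackThis / StartupList log lines like the ones quoted above. It flags R0/R1/O13 entries whose URL points at nkvd.us or smart-finder.biz, and ShellServiceObjectDelayLoad items that load mtwirl32.dll or mtwcnl32.dll; the sample log is constructed from the lines in this thread, and the SharedTaskScheduler entry is not covered because, as the chronicle notes, it does not show up in these logs.

```python
import re
from urllib.parse import urlparse
# Indicators named in this thread: redirect domains, and the DLLs that reload the hijack.
HIJACK_DOMAINS = ("nkvd.us", "smart-finder.biz")
HIJACK_FILES = {"mtwirl32.dll", "mtwcnl32.dll"}

# "R1 - HKCU\...\Main,Search Page = http://..."  (IE search / start page values)
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$")
# "O13 - WWW Prefix: http://..."  (prefix IE applies when an incomplete URL is typed)
O13_LINE = re.compile(r"^(?P<kind>O13) - (?P<name>[^:]+):\s*(?P<value>.+)$")
# StartupList ShellServiceObjectDelayLoad item: "DDE Control Module: C:\...\x.dll"
SSODL_LINE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>[A-Za-z]:\\.+\.dll)$", re.IGNORECASE)
def hijack_domain(url):
    """Return the hijack domain the URL's host is (or is a subdomain of), else None."""
    try:
        host = (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return None
    for dom in HIJACK_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def triage(log_text):
    """Return (kind, location, value, reason) for every suspicious log line."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = R_LINE.match(line) or O13_LINE.match(line)
        if m:
            dom = hijack_domain(m.group("value"))
            if dom:
                key = m.groupdict().get("key")  # O13 lines carry no registry key
                loc = (key + "," if key else "") + m.group("name").strip()
                findings.append((m.group("kind"), loc, m.group("value"), "redirects to " + dom))
            continue
        m = SSODL_LINE.match(line)
        if m and m.group("value").rsplit("\\", 1)[-1].lower() in HIJACK_FILES:
            findings.append(("SSODL", m.group("name").strip(), m.group("value"),
                             "known hijacker DLL loaded with Explorer"))
    return findings

# Constructed sample modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O13 - DefaultPrefix: http://www.nkvd.us/1507/
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
"""
```

Running `triage(SAMPLE_LOG)` on the sample returns four findings: the two nkvd.us IE values, the O13 prefix, and the mtwirl32.dll SSODL item; the google.com start page is left alone.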

To remove this browser takeover you need to do as follows…
Click on Start
Open Run
Type “regedit” and click OK
Then click on the following pluses:
HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS
CURRENT VERSION
SHELLSERVICEOBJECTDELAYLOAD
Double click on
SHELL SERVICE OBJECT DELAY LOAD
And delete the following file (DDE CONTROL MODULE)
Once you’ve done this open
C:\Windows\System
And delete the following two files
MTWIRL32.DLL
MTWCNL32.DLL
Once you’ve done this run CWShredder
AND URE DONE =p

hey guyz
da above works for Windows Me...dats what im running so if ure running something else im not a hundred percent dat it will work...but giv it a go and tell me what happens
jegz

hey guyz
if there are any problems when you try to delete
MTWIRL32.DLL
MTWCNL32.DLL
i suggest you reboot ure system and try again. if there are still any problems plz post up..thx

Try going here:
http://www.smart-finder.biz/uninstall.htm
but remain sceptical - scan again to make sure

"This info was obtained from http://www.merijn.org/cwschronicles.htm (cwshredder)
Regarding nkvd.us:
Approx date first sighted: January 11, 2004"
This thread was started December 30, 2003
Deleted files show my computer picked up the infection October 25, 2003
This little sucker has been around for a while now - glad to see folks have picked up on it.
