system
3
Well, I’ll assemble this information. Here is the HijackThis log:
The trojan redirects me to: "http://nkvd.us/1525/ ", and indeed I see such entries in the log. However removing them probably won’t help, I guess this is what Adaware did, but then it returned.
Logfile of HijackThis v1.98.2
Scan saved at 2:45:02 AM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\freescan\freescan.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
C:\Program Files\CiDial\CiDial.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINNT\notepad.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Zend\bin\ZDE.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trillian\users\default\downloads\ICQ\45258545\SpaceMonger.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\WINNT\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E64E4902-D59E-4428-B5FC-F45D6A7468E8} - C:\WINDOWS\System32\ilaiocl.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [ADSL_A2] A2Installed
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Startup: CiDial 2.3.lnk = C:\Program Files\CiDial\CiDial.exe
O4 - Startup: Shortcut to eMule.lnk = C:\Program Files\eMule\eMule.exe
O4 - Startup: Shortcut to startup.lnk = C:\IBDB\BuildDb\commands\startup.bat
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: EPSON CardMonitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O17 - HKLM\System\CCS\Services\Tcpip..{14E8DCDA-3A62-416B-A113-B8301B8BBA98}: NameServer = 212.150.49.10 206.49.94.234
O17 - HKLM\System\CS1\Services\Tcpip..{14E8DCDA-3A62-416B-A113-B8301B8BBA98}: NameServer = 212.150.49.10 206.49.94.234
O18 - Filter: text/html - {40BB00FF-04B9-4547-80F5-D8469E6621BF} - C:\WINDOWS\System32\ilaiocl.dll
O18 - Filter: text/plain - {40BB00FF-04B9-4547-80F5-D8469E6621BF} - C:\WINDOWS\System32\ilaiocl.dll