Hijacker points to nkvd.us

If you can get HijackThis onto the machine (it's small & should fit on a floppy), following are the sort of entries you need to fix to be able to visit other sites:

O13 - DefaultPrefix: http://www.nkvd.us/
O13 - WWW Prefix: http://www.nkvd.us/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/

There will be additional problems to fix after removing those, but at least you'll be able to get to other parts of the Web again.

If you're not able to get to the machine to copy HijackThis over, let me know & I'll try to post manual fix instructions later on.

If you can run CWShredder, that might be able to fix this.


__________

HijackThis
Spybot
Ad-Aware
CWShredder
SpywareBlaster
Housecall online antivirus scan
Stinger

See This Thread,

This Tread[/b], and

This Thread.

Read through each of them first, before doing anything. Offhand, with no more information to go on than you've provided, I would guess the machine is infected with thebestse, instructions for the removal of which will be found in the above listed threads.

As Monger mentions, if the machine can't be made to access the internet, the first-shot analysis and fix tools will fit on standard floppies; download them with an uninfected machine and transfer them to the sick one.

Your responses...
Thanks much for your responses. I will have access to the machine tomorrow. I plan to run this to the ground and post any useful information back to this forum. Thanks again.

Even after fixing the url prefix hijacks I mentioned above, you still may be redirected when attempting to visit particular sites (such as the sites where spyware removal tools are downloaded from). This is typically done through modifying your "hosts" file.

Here is a discussion about the hosts file.

nkvd.us's IP is 81.211.105.25, so any line with that address is bad, but some sites possibly are being redirected to other addresses as well.

On Windows 95/98/ME the hosts file is located in the "c:\windows" directory and on Windows NT4/2000/XP/2003 in the "c:\winnt\system32\drivers\etc" directory. (A sample hosts file is supplied with Windows named "hosts.sam", located in the same directory.)

But all these hijacks will likely return after a reboot unless you hit at the source of the problem, so make sure to update & run all the removal programs mentioned, & post a hijackthis log here afterwards if need be.

Let us know how it goes.

Cool Web
The hijacker was a variant of cool web and cws shredder did the job. Thanks much.

What i hikack this?
I have been seeing many hijackthis logs on this forum. What exactly is hijackthis, and is it something that one should have handy just i case?

Tomkitten, HiJackThis is a pretty powerful analysis-and-repair tool useful in ridding computers of a variety of yuckwear. Its not a toy ... with a click of your mouse you can give yourself a machine only a full format of the root drive and total fresh full re-install of operating system and applications can revive. If you aren't familiar with how it works and what it does, and you're not comfortable with stuff like manual registry tweaking, defeating or bypassing Window's built-in safeguards, and playing around in hidden system-critical folders, its probably not something you should fool around with without guidance and advice from folks who play with it regularly.