Approx date first sighted: January 11, 2004
Log reference:
http://forums.spywareinfo.com/index....73&hl=nkvd\.us
Symptoms: IE hijacked to nkvd.us and smart-finder.biz, redirections to nkvd.us and smart-finder.biz when typing incomplete URLs into address bar.
Cleverness: 10/10
Manual removal difficulty: Involves some registry editing, and renaming the trojan file, restarting, and deleting it
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
Additional line in StartupList log:
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
This variant was surprisingly smart: it used two startup methods (ShellServiceObjectDelayLoad and SharedTaskScheduler) that must be among the most rarely used ever seen, and it used them differently on Windows 9x/ME and on Windows NT/2000/XP. Both methods load the file whenever Explorer loads, so it is always in memory, like CWS.Msconfd. On top of that, the responsible file does not show up in HijackThis at all, and only one of the two methods (ShellServiceObjectDelayLoad) shows up in a StartupList log. The responsible file is mtwirl32.dll; to remove it manually you need to rename it (deleting is impossible while it is in use), restart the system, and then delete the renamed file and its Registry key. Both startup methods live under HKLM\Software\Microsoft\Windows\CurrentVersion (ShellServiceObjectDelayLoad directly beneath it, SharedTaskScheduler beneath Explorer), and each refers to the DLL through a CLSID whose InProcServer32 value holds the path, so check both keys rather than relying on the StartupList output alone.
Thanks to cwshredder for the info,
(From page previously posted)
Good luck
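The following is an added example, not code from the post above or from CWShredder: a small checker that scans pasted HijackThis and StartupList text for the indicators this post names (R0/R1/O13 entries pointing at nkvd.us or smart-finder.biz, and an SSODL or SharedTaskScheduler entry that resolves to mtwirl32.dll). It also re-joins entries that forum posts often wrap after the "=" or ":". The function names and the sample log are constructed for illustration; the sample reproduces the entries quoted above plus one benign "Local Page" line so that a negative case is exercised.

```python
"""Flag CWS.Mtwirl32 indicators in HijackThis / StartupList log text.

Added example, not part of the original post or of CWShredder. The domain and
file-name indicators are the ones the post names; everything else (function
names, the sample log) is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the post: the hijack targets and the loader DLL.
HIJACK_DOMAINS = {"nkvd.us", "smart-finder.biz"}
SUSPECT_FILES = {"mtwirl32.dll"}

# HijackThis entries whose value is a URL: R0/R1 (IE start/search pages)
# and O13 (IE URL prefixes). Key and value are separated by '=' or ':'.
HJT_ENTRY = re.compile(r"^(R0|R1|O13) - (.*?)\s*[=:]\s*(https?://\S+)\s*$")
ENTRY_START = re.compile(r"^(R[0-3]|O\d+) - ")

# StartupList sections whose entries are "<name>: <dll path>".
STARTUPLIST_SECTIONS = ("ShellServiceObjectDelayLoad", "SharedTaskScheduler")


def join_wrapped(lines):
    """Re-join entries that a forum post wrapped after the '=' or ':'."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if out and ENTRY_START.match(out[-1]) and out[-1].endswith(("=", ":")):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def host_of(url):
    """Lower-cased host of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def hijacked_entries(lines):
    """(type, key, host) for every R0/R1/O13 entry pointing at a hijack domain."""
    found = []
    for line in join_wrapped(lines):
        m = HJT_ENTRY.match(line)
        if m and host_of(m.group(3)) in HIJACK_DOMAINS:
            found.append((m.group(1), m.group(2), host_of(m.group(3))))
    return found


def loader_suspects(lines):
    """(name, path) for SSODL / SharedTaskScheduler entries naming a suspect DLL."""
    found = []
    in_section = False
    for line in (raw.strip() for raw in lines):
        if line.startswith("Enumerating "):
            in_section = any(s in line for s in STARTUPLIST_SECTIONS)
            continue
        if in_section and ": " in line:
            name, _, path = line.partition(": ")
            if path.rsplit("\\", 1)[-1].lower() in SUSPECT_FILES:
                found.append((name, path))
    return found


def report(lines):
    """Summary a helper would post back: hijacked IE settings plus the loader."""
    return {"hijacked": hijacked_entries(lines), "loaders": loader_suspects(lines)}


# Constructed sample: the entries the post quotes, in the single-line form
# HijackThis and StartupList emit, plus one benign Local Page entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
Enumerating Winsock LSP files:
"""

if __name__ == "__main__":
    for kind, key, host in hijacked_entries(SAMPLE_LOG.splitlines()):
        print(f"{kind} {key} -> {host}")
    for name, path in loader_suspects(SAMPLE_LOG.splitlines()):
        print(f"loader: {name} -> {path}")
```

Paste a log into `SAMPLE_LOG` (or read one from a file and pass its lines to `report`) and the output lists exactly the R0/R1/O13 lines to fix plus the loader entry whose DLL has to be renamed, rebooted past and then deleted together with its Registry key.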