Content Top
DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs » v73.us Spyware on Windows 2000

Recommended Fix

Click here to fix Windows Errors and Optimize Windows Performance

Need Computer Help?
Register Now for FREE

v73.us Spyware on Windows 2000

Reply
Thread Tools
Spyware, Adware, Viruses and HijackThis Logs
  #1 (permalink)  
Old 16-01-2005, 03:58 PM
Ron Ron is offline
Newbie
D-A-L Newbie
  
Join Date: Jan 2005
Posts: 1
Ron Is a beginner here at D-A-L
v73.us Spyware on Windows 2000
Ok. This v73.us hijacker in Internet Explorer is driving me insane for some time now. Everytime i start Internet Explorer, i get about 60 Popups, all pointing at v73.us.

I have tried all spyware scanners ever made Hitman Pro has runned atleast 8 times, AdAware, Spybot S&D.. I Tried to delete the Registry Keys with HijackThis all the time, but not one of them is able to find the executable which regenerates all those Registry Keys. They keep coming back..

This is my HijackThis Log:

Quote:
Logfile of HijackThis v1.99.0
Scan saved at 1508, on 16-1-2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\MSSQL\Binn\sqlservr.exe
d:\aegon\amedia\avw\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\Explorer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\pctspk.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINNT\loadqm.exe
C:\PROGRA~1\GIM\Bin\GIM.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\internat.exe
C:\Program Files\NewSoft\Presto! PageManager 7\Pmsb.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\regedit.exe
C:\HJT\MWAV\mwavscan.com
C:\HJT\MWAV\kavss.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\The Cleaner\cleaner.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.v73.us/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.v73.us
O1 - Hosts: 65.125.226.82 http://yahoo.com
O1 - Hosts: 65.125.226.82 http://google.com
O1 - Hosts: 65.125.226.82 http://lycos.com
O1 - Hosts: 65.125.226.82 http://altavista.com
O1 - Hosts: 65.125.226.82 http://msn.com
O1 - Hosts: 65.125.226.82 http://search.msn.com
O1 - Hosts: 65.125.226.82 http://cnn.com
O1 - Hosts: 65.125.226.82 http://excite.com
O1 - Hosts: 65.125.226.82 http://alltheweb.com
O1 - Hosts: 65.125.226.82 http://looksmart.com
O1 - Hosts: 65.125.226.82 http://northernlight.com
O1 - Hosts: 65.125.226.82 http://alexa.com
O1 - Hosts: 65.125.226.82 http://search.aol.com
O1 - Hosts: 65.125.226.82 http://epilot.com
O1 - Hosts: 65.125.226.82 http://hotbot.com
O1 - Hosts: 65.125.226.82 http://search.netscape.com
O1 - Hosts: 65.125.226.82 http://infospace.com
O1 - Hosts: 65.125.226.82 http://www.epilot.com
O1 - Hosts: 65.125.226.82 http://www.hotbot.com
O1 - Hosts: 65.125.226.82 http://www.infospace.com
O1 - Hosts: 65.125.226.82 http://www.cnn.com
O1 - Hosts: 65.125.226.82 http://www.msn.com
O1 - Hosts: 65.125.226.82 http://www.altavista.com
O1 - Hosts: 65.125.226.82 http://www.lycos.com
O1 - Hosts: 65.125.226.82 http://www.google.com
O1 - Hosts: 65.125.226.82 http://www.yahoo.com
O1 - Hosts: 65.125.226.82 http://www.alexa.com
O1 - Hosts: 65.125.226.82 http://www.excite.com
O1 - Hosts: 65.125.226.82 http://www.alltheweb.com
O1 - Hosts: 65.125.226.82 http://www.looksmart.com
O1 - Hosts: 65.125.226.82 http://www.northernlight.com
O1 - Hosts: 65.125.226.85 http://thehun.com
O1 - Hosts: 65.125.226.85 http://thehun.net
O1 - Hosts: 65.125.226.85 http://worldsex.com
O1 - Hosts: 65.125.226.85 http://al4a.com
O1 - Hosts: 65.125.226.85 http://book-mark.net
O1 - Hosts: 65.125.226.85 http://easypic.com
O1 - Hosts: 65.125.226.85 http://call-kelly.com
O1 - Hosts: 65.125.226.85 http://sleazydream.com
O1 - Hosts: 65.125.226.85 http://amplandmovies.com
O1 - Hosts: 65.125.226.85 http://mature-post.com
O1 - Hosts: 65.125.226.85 http://www.thehun.com
O1 - Hosts: 65.125.226.85 http://www.thehun.net
O1 - Hosts: 65.125.226.85 http://www.worldsex.com
O1 - Hosts: 65.125.226.85 http://www.al4a.com
O1 - Hosts: 65.125.226.85 http://www.book-mark.net
O1 - Hosts: 65.125.226.85 http://www.easypic.com
O1 - Hosts: 65.125.226.85 http://www.call-kelly.com
O1 - Hosts: 65.125.226.85 http://www.sleazydream.com
O1 - Hosts: 65.125.226.85 http://www.amplandmovies.com
O1 - Hosts: 65.125.226.85 http://www.mature-post.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [GIM] C:\PROGRA~1\GIM\Bin\GIM.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Scan Buttons] C:\Program Files\NewSoft\Presto! PageManager 7\Pmsb.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O21 - SSODL: eplrr9 - {B0CFDE1A-8F26-457B-8D00-8B24D2409652} - C:\WINNT\System32\mspdnx.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleServiceAVW - Oracle Corporation - d:\aegon\amedia\avw\oracle\ora81\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12. exe
Help will be appericiated alot!

Thanks in advance,
Ron.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 17-01-2005, 10:48 PM
owen's Avatar
D-A-L Team Member (UK)
Loyal Contributor
  
Join Date: Jun 2004
Posts: 5,272
owen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furnitureowen is beginning to become part of the furniture
Re: v73.us Spyware on Windows 2000
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.v73.us/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.v73.us
O1 - Hosts: 65.125.226.82 http://yahoo.com
O1 - Hosts: 65.125.226.82 http://google.com
O1 - Hosts: 65.125.226.82 http://lycos.com
O1 - Hosts: 65.125.226.82 http://altavista.com
O1 - Hosts: 65.125.226.82 http://msn.com
O1 - Hosts: 65.125.226.82 http://search.msn.com
O1 - Hosts: 65.125.226.82 http://cnn.com
O1 - Hosts: 65.125.226.82 http://excite.com
O1 - Hosts: 65.125.226.82 http://alltheweb.com
O1 - Hosts: 65.125.226.82 http://looksmart.com
O1 - Hosts: 65.125.226.82 http://northernlight.com
O1 - Hosts: 65.125.226.82 http://alexa.com
O1 - Hosts: 65.125.226.82 http://search.aol.com
O1 - Hosts: 65.125.226.82 http://epilot.com
O1 - Hosts: 65.125.226.82 http://hotbot.com
O1 - Hosts: 65.125.226.82 http://search.netscape.com
O1 - Hosts: 65.125.226.82 http://infospace.com
O1 - Hosts: 65.125.226.82 http://www.epilot.com
O1 - Hosts: 65.125.226.82 http://www.hotbot.com
O1 - Hosts: 65.125.226.82 http://www.infospace.com
O1 - Hosts: 65.125.226.82 http://www.cnn.com
O1 - Hosts: 65.125.226.82 http://www.msn.com
O1 - Hosts: 65.125.226.82 http://www.altavista.com
O1 - Hosts: 65.125.226.82 http://www.lycos.com
O1 - Hosts: 65.125.226.82 http://www.google.com
O1 - Hosts: 65.125.226.82 http://www.yahoo.com
O1 - Hosts: 65.125.226.82 http://www.alexa.com
O1 - Hosts: 65.125.226.82 http://www.excite.com
O1 - Hosts: 65.125.226.82 http://www.alltheweb.com
O1 - Hosts: 65.125.226.82 http://www.looksmart.com
O1 - Hosts: 65.125.226.82 http://www.northernlight.com
O1 - Hosts: 65.125.226.85 http://thehun.com
O1 - Hosts: 65.125.226.85 http://thehun.net
O1 - Hosts: 65.125.226.85 http://worldsex.com
O1 - Hosts: 65.125.226.85 http://al4a.com
O1 - Hosts: 65.125.226.85 http://book-mark.net
O1 - Hosts: 65.125.226.85 http://easypic.com
O1 - Hosts: 65.125.226.85 http://call-kelly.com
O1 - Hosts: 65.125.226.85 http://sleazydream.com
O1 - Hosts: 65.125.226.85 http://amplandmovies.com
O1 - Hosts: 65.125.226.85 http://mature-post.com
O1 - Hosts: 65.125.226.85 http://www.thehun.com
O1 - Hosts: 65.125.226.85 http://www.thehun.net
O1 - Hosts: 65.125.226.85 http://www.worldsex.com
O1 - Hosts: 65.125.226.85 http://www.al4a.com
O1 - Hosts: 65.125.226.85 http://www.book-mark.net
O1 - Hosts: 65.125.226.85 http://www.easypic.com
O1 - Hosts: 65.125.226.85 http://www.call-kelly.com
O1 - Hosts: 65.125.226.85 http://www.sleazydream.com
O1 - Hosts: 65.125.226.85 http://www.amplandmovies.com
O1 - Hosts: 65.125.226.85 http://www.mature-post.com
O4 - HKLM\..\Run: [GIM] C:\PROGRA~1\GIM\Bin\GIM.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O21 - SSODL: eplrr9 - {B0CFDE1A-8F26-457B-8D00-8B24D2409652} - C:\WINNT\System32\mspdnx.dll

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
C:\Program Files\GIM (ONLY DELETE THIS IF YOU DON'T KNOW WHAT IT IS)
C:\Program Files\Bouncer
C:\WINNT\System32\mspdnx.dll

Reboot and post a fresh log
__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|

[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Delete Windows 98 from computer with Windows 2000 Pro. TDC Windows 2000 Help 2 22-09-2007 06:59 PM
Windows 2000 newfdtb Windows 2000 Help 1 22-03-2006 07:57 AM
windows 2000 wajaale Windows 2000 Help 1 17-06-2005 03:40 AM
Windows 2000 brain_damage Windows 2000 Help 1 02-02-2005 01:51 PM
Windows 2000 Pro HELP idcg_mel Windows 2000 Help 1 28-12-2004 08:37 PM


All times are GMT +1. The time now is 09:19 AM.
Member Login
Remember me ?
Forgot password?
Ads

Want to Advertise? Click Here
Help Categories
Desktop / Server Apps
Drivers
Firewalls and Networks
Games
General Internet Issues
Hardware
Linux
MAC OS
Modding / Overclocking
Search Engines
Spyware and Security
Web Development
Windows 2000
Windows 7
Windows 98
Windows ME
Windows Vista
Windows XP

Computer Repair Companies
Bottom Corner Bottom Nav