v73.us Spyware on Windows 2000

  1. #1
    Ron (Newbie)

    OK. This v73.us hijacker in Internet Explorer has been driving me insane for some time now. Every time I start Internet Explorer, I get about 60 popups, all pointing at v73.us.

    I have tried all the spyware scanners ever made: Hitman Pro has run at least 8 times, AdAware, Spybot S&D... I tried to delete the registry keys with HijackThis every time, but not one of them is able to find the executable that regenerates all those registry keys. They keep coming back.

    This is my HijackThis Log:

    Logfile of HijackThis v1.99.0
    Scan saved at 15:08, on 16-1-2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\cisvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\MSSQL\Binn\sqlservr.exe
    d:\aegon\amedia\avw\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\Explorer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\WINNT\System32\pctspk.exe
    C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINNT\loadqm.exe
    C:\PROGRA~1\GIM\Bin\GIM.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\NewSoft\Presto! PageManager 7\Pmsb.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\regedit.exe
    C:\HJT\MWAV\mwavscan.com
    C:\HJT\MWAV\kavss.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\The Cleaner\cleaner.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.v73.us
    O1 - Hosts: 65.125.226.82 yahoo.com
    O1 - Hosts: 65.125.226.82 google.com
    O1 - Hosts: 65.125.226.82 lycos.com
    O1 - Hosts: 65.125.226.82 altavista.com
    O1 - Hosts: 65.125.226.82 msn.com
    O1 - Hosts: 65.125.226.82 search.msn.com
    O1 - Hosts: 65.125.226.82 cnn.com
    O1 - Hosts: 65.125.226.82 excite.com
    O1 - Hosts: 65.125.226.82 alltheweb.com
    O1 - Hosts: 65.125.226.82 looksmart.com
    O1 - Hosts: 65.125.226.82 northernlight.com
    O1 - Hosts: 65.125.226.82 alexa.com
    O1 - Hosts: 65.125.226.82 search.aol.com
    O1 - Hosts: 65.125.226.82 epilot.com
    O1 - Hosts: 65.125.226.82 hotbot.com
    O1 - Hosts: 65.125.226.82 search.netscape.com
    O1 - Hosts: 65.125.226.82 infospace.com
    O1 - Hosts: 65.125.226.82 www.epilot.com
    O1 - Hosts: 65.125.226.82 www.hotbot.com
    O1 - Hosts: 65.125.226.82 www.infospace.com
    O1 - Hosts: 65.125.226.82 www.cnn.com
    O1 - Hosts: 65.125.226.82 www.msn.com
    O1 - Hosts: 65.125.226.82 www.altavista.com
    O1 - Hosts: 65.125.226.82 www.lycos.com
    O1 - Hosts: 65.125.226.82 www.google.com
    O1 - Hosts: 65.125.226.82 www.yahoo.com
    O1 - Hosts: 65.125.226.82 www.alexa.com
    O1 - Hosts: 65.125.226.82 www.excite.com
    O1 - Hosts: 65.125.226.82 www.alltheweb.com
    O1 - Hosts: 65.125.226.82 www.looksmart.com
    O1 - Hosts: 65.125.226.82 www.northernlight.com
    O1 - Hosts: 65.125.226.85 thehun.com
    O1 - Hosts: 65.125.226.85 thehun.net
    O1 - Hosts: 65.125.226.85 worldsex.com
    O1 - Hosts: 65.125.226.85 al4a.com
    O1 - Hosts: 65.125.226.85 book-mark.net
    O1 - Hosts: 65.125.226.85 easypic.com
    O1 - Hosts: 65.125.226.85 call-kelly.com
    O1 - Hosts: 65.125.226.85 sleazydream.com
    O1 - Hosts: 65.125.226.85 amplandmovies.com
    O1 - Hosts: 65.125.226.85 mature-post.com
    O1 - Hosts: 65.125.226.85 www.thehun.com
    O1 - Hosts: 65.125.226.85 www.thehun.net
    O1 - Hosts: 65.125.226.85 www.worldsex.com
    O1 - Hosts: 65.125.226.85 www.al4a.com
    O1 - Hosts: 65.125.226.85 www.book-mark.net
    O1 - Hosts: 65.125.226.85 www.easypic.com
    O1 - Hosts: 65.125.226.85 www.call-kelly.com
    O1 - Hosts: 65.125.226.85 www.sleazydream.com
    O1 - Hosts: 65.125.226.85 www.amplandmovies.com
    O1 - Hosts: 65.125.226.85 www.mature-post.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [GIM] C:\PROGRA~1\GIM\Bin\GIM.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\RunOnce: [PixelInstall] 
    O4 - HKLM\..\RunOnce: [Reboot] 
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Scan Buttons] C:\Program Files\NewSoft\Presto! PageManager 7\Pmsb.exe
    O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O21 - SSODL: eplrr9 - {B0CFDE1A-8F26-457B-8D00-8B24D2409652} - C:\WINNT\System32\mspdnx.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: OracleServiceAVW - Oracle Corporation - d:\aegon\amedia\avw\oracle\ora81\bin\ORACLE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

    Help will be appreciated a lot!

    Thanks in advance,
    Ron.
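The log above has three kinds of indicator worth pulling out automatically: the R0/R1 values that all point at one domain, the O1 hosts-file entries that send a long list of public sites to a single address that is not loopback, and the O21 ShellServiceObjectDelayLoad entry, which Explorer loads at every logon and which is a common place for the component that keeps re-creating the other entries. The triage script below is an added example written for this page, not part of the original post or of HijackThis itself. It runs on a constructed cut-down log in the same v1.99 format (the 127.0.0.1 line is a made-up legitimate entry, included to show loopback mappings are not flagged); the regular expressions and thresholds are my own assumptions about the log layout.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format: the same entry types as the log
# above, cut down to a few lines. Not copied from any real scan.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 65.125.226.82 google.com
O1 - Hosts: 65.125.226.82 www.google.com
O1 - Hosts: 65.125.226.82 yahoo.com
O1 - Hosts: 65.125.226.85 thehun.com
O1 - Hosts: 65.125.226.85 www.thehun.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [GIM] C:\PROGRA~1\GIM\Bin\GIM.exe
O21 - SSODL: eplrr9 - {B0CFDE1A-8F26-457B-8D00-8B24D2409652} - C:\WINNT\System32\mspdnx.dll
"""

# Assumed line shapes (my reading of the v1.99 format, not an official grammar).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
IE_RE = re.compile(r"^(?P<key>HK(?:LM|CU)\\[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<url>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
SSODL_RE = re.compile(r"^SSODL:\s+(?P<name>.+?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.+?)\s*$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry; headers and the process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text, min_hosts=2):
    """Summarise the hijack indicators in a HijackThis log.

    Returns the domain most R0/R1 values point at, the non-loopback hosts-file
    addresses that capture at least `min_hosts` names, and every O21 entry."""
    ie_hits = defaultdict(list)      # domain -> registry values pointing at it
    hosts_by_ip = defaultdict(set)   # ip -> names redirected to it
    ssodl = []
    for sec, body in parse_entries(text):
        if sec in ("R0", "R1"):
            m = IE_RE.match(body)
            if m and m.group("url").strip():
                dom = urlparse(m.group("url").strip()).hostname
                if dom:
                    ie_hits[_strip_www(dom)].append(f'{m.group("key")},{m.group("value")}')
        elif sec == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") not in LOOPBACK:
                # Forum software often turns the host into a link; tolerate a leading scheme.
                host = re.sub(r"^https?://", "", m.group("host")).lower()
                hosts_by_ip[m.group("ip")].add(host)
        elif sec == "O21":
            m = SSODL_RE.match(body)
            if m:
                ssodl.append({"name": m.group("name"), "clsid": m.group("clsid").upper(),
                              "path": m.group("path")})
    top = max(ie_hits, key=lambda d: len(ie_hits[d])) if ie_hits else None
    return {
        "ie_hijack_domain": top,
        "ie_values": sorted(ie_hits[top]) if top else [],
        "hosts_hijack_ips": {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts},
        "ssodl": ssodl,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Paste a full log into `SAMPLE_LOG` (or read it from a file) and the output is the short list a helper would otherwise assemble by hand: the one domain behind all the R0/R1 values, each hosts-file address with the names it swallows, and the SSODL DLL to look at first.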


  2. #2
    owen (D-A-L Team Member, UK)
    Close all browser windows, restart HijackThis and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.v73.us
    O1 - Hosts: 65.125.226.82 yahoo.com
    O1 - Hosts: 65.125.226.82 google.com
    O1 - Hosts: 65.125.226.82 lycos.com
    O1 - Hosts: 65.125.226.82 altavista.com
    O1 - Hosts: 65.125.226.82 msn.com
    O1 - Hosts: 65.125.226.82 search.msn.com
    O1 - Hosts: 65.125.226.82 cnn.com
    O1 - Hosts: 65.125.226.82 excite.com
    O1 - Hosts: 65.125.226.82 alltheweb.com
    O1 - Hosts: 65.125.226.82 looksmart.com
    O1 - Hosts: 65.125.226.82 northernlight.com
    O1 - Hosts: 65.125.226.82 alexa.com
    O1 - Hosts: 65.125.226.82 search.aol.com
    O1 - Hosts: 65.125.226.82 epilot.com
    O1 - Hosts: 65.125.226.82 hotbot.com
    O1 - Hosts: 65.125.226.82 search.netscape.com
    O1 - Hosts: 65.125.226.82 infospace.com
    O1 - Hosts: 65.125.226.82 www.epilot.com
    O1 - Hosts: 65.125.226.82 www.hotbot.com
    O1 - Hosts: 65.125.226.82 www.infospace.com
    O1 - Hosts: 65.125.226.82 www.cnn.com
    O1 - Hosts: 65.125.226.82 www.msn.com
    O1 - Hosts: 65.125.226.82 www.altavista.com
    O1 - Hosts: 65.125.226.82 www.lycos.com
    O1 - Hosts: 65.125.226.82 www.google.com
    O1 - Hosts: 65.125.226.82 www.yahoo.com
    O1 - Hosts: 65.125.226.82 www.alexa.com
    O1 - Hosts: 65.125.226.82 www.excite.com
    O1 - Hosts: 65.125.226.82 www.alltheweb.com
    O1 - Hosts: 65.125.226.82 www.looksmart.com
    O1 - Hosts: 65.125.226.82 www.northernlight.com
    O1 - Hosts: 65.125.226.85 thehun.com
    O1 - Hosts: 65.125.226.85 thehun.net
    O1 - Hosts: 65.125.226.85 worldsex.com
    O1 - Hosts: 65.125.226.85 al4a.com
    O1 - Hosts: 65.125.226.85 book-mark.net
    O1 - Hosts: 65.125.226.85 easypic.com
    O1 - Hosts: 65.125.226.85 call-kelly.com
    O1 - Hosts: 65.125.226.85 sleazydream.com
    O1 - Hosts: 65.125.226.85 amplandmovies.com
    O1 - Hosts: 65.125.226.85 mature-post.com
    O1 - Hosts: 65.125.226.85 www.thehun.com
    O1 - Hosts: 65.125.226.85 www.thehun.net
    O1 - Hosts: 65.125.226.85 www.worldsex.com
    O1 - Hosts: 65.125.226.85 www.al4a.com
    O1 - Hosts: 65.125.226.85 www.book-mark.net
    O1 - Hosts: 65.125.226.85 www.easypic.com
    O1 - Hosts: 65.125.226.85 www.call-kelly.com
    O1 - Hosts: 65.125.226.85 www.sleazydream.com
    O1 - Hosts: 65.125.226.85 www.amplandmovies.com
    O1 - Hosts: 65.125.226.85 www.mature-post.com
    O4 - HKLM\..\Run: [GIM] C:\PROGRA~1\GIM\Bin\GIM.exe
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
    O4 - HKLM\..\RunOnce: [PixelInstall] 
    O4 - HKLM\..\RunOnce: [Reboot] 
    O21 - SSODL: eplrr9 - {B0CFDE1A-8F26-457B-8D00-8B24D2409652} - C:\WINNT\System32\mspdnx.dll

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\Program Files\GIM (ONLY DELETE THIS IF YOU DON'T KNOW WHAT IT IS)
    C:\Program Files\Bouncer
    C:\WINNT\System32\mspdnx.dll

    Reboot and post a fresh log.
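The hosts-file part of the fix above (ticking 51 O1 lines and letting HijackThis remove them) can also be done directly on the file, which on Windows 2000 lives at %SystemRoot%\system32\drivers\etc\hosts. The sanitizer below is an added example written for this page, not code from the post or from any of the tools named in it. It works on a constructed sample file whose hijack lines use the two addresses from the log and whose 10.0.0.5 intranet entry is made up; it removes lines that point at a known hijacker address, lines that map a protected public domain anywhere other than loopback, and lines whose address field does not parse, and it keeps everything else unchanged. Reading and writing the real file, and clearing the read-only attribute if the hijacker set it, are left to the caller.

```python
import ipaddress

LOOPBACK = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Constructed sample: stock loopback line, one made-up legitimate intranet entry,
# hijack redirects using the addresses from the log (one line carrying two names),
# and one line whose address field is not an address at all.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example      # constructed legitimate entry
65.125.226.82   google.com
65.125.226.82   www.google.com yahoo.com
65.125.226.85   thehun.com
not-an-ip       msn.com
"""


def parse_hosts_line(line):
    """Split a hosts line into (ip_text, [names]); None for blank or comment-only lines."""
    fields = line.partition("#")[0].split()
    return (fields[0], fields[1:]) if fields else None


def _base(name):
    """Compare names without a leading www. so google.com and www.google.com match together."""
    name = name.lower()
    return name[4:] if name.startswith("www.") else name


def sanitize_hosts(text, bad_ips, protected=()):
    """Return (cleaned_text, removed_lines).

    A line is removed when its address is one of `bad_ips`, when it maps one of the
    `protected` public domains anywhere other than loopback, or when its address
    field does not parse. Comments, blank lines and every other entry are kept as-is."""
    bad = {ipaddress.ip_address(ip) for ip in bad_ips}
    protected = {_base(d) for d in protected}
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_hosts_line(line)
        if entry is None:
            kept.append(line)
            continue
        ip_text, names = entry
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            removed.append(line)   # unparsable address: never legitimate, drop it
            continue
        hijacked = ip in bad or (ip not in LOOPBACK and any(_base(n) in protected for n in names))
        (removed if hijacked else kept).append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, gone = sanitize_hosts(SAMPLE_HOSTS, {"65.125.226.82", "65.125.226.85"},
                                   ["google.com", "yahoo.com", "msn.com"])
    print(cleaned)
    print("removed %d line(s)" % len(gone))
```

The protected-domain rule is what catches a future variant that uses a different address: any mapping of a search engine or portal to a public IP in a hosts file is wrong by construction, while a loopback mapping (the usual ad-blocking trick) is left alone.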
