specific911


  • This topic is locked
10 replies to this topic

#1 monika

monika

  • Members
  • 92 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 09 April 2005 - 04:36 PM

Hello guys,
I have had the specific911 virus on my computer for a few weeks now. At first I thought I had got rid of it, but it came back a few days later. I always get rid of all the hosts in the computer and all links containing specific911, and it works until I turn the computer off and start it again; then it's back. It starts with IE opening by itself when the computer starts, then I get these windows telling me there is an error in a script, and then I get these little windows that do not open, in my screen corners, saying "intranet". I then cannot get any other website than www.specific911.com in IE. It is also impossible to delete the IE history; I do not know if that has anything to do with it. The computer is really slow and I started to use the Mozilla browser because it works a bit faster than IE. I do not know what to do... please help, it is driving me crazy...
This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:33:01, on 09/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\windows\system32\gkespy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\windows\system32\calc.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
C:\WINDOWS\System32\menlp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\mozilla\mozilla.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
c:\Documents and Settings\Monique a Milanocek\Dokumenty\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9E1A52A6-F60B-B6D0-6AE4-C617D1733AF2} - C:\WINDOWS\system32\kzupyz.dll (file missing)
O2 - BHO: (no name) - {C49E1F2F-F0E0-FF30-9809-DEC81E8D29C7} - C:\WINDOWS\system32\bywvqxfm.dll
O2 - BHO: (no name) - {F1B32F2F-DDD3-CA04-B539-EEE52EBD04F7} - C:\WINDOWS\system32\bywvqxfm.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gkespy] c:\windows\system32\gkespy.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [Rodu] C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
O4 - HKCU\..\Run: [Gdoyml] C:\WINDOWS\System32\menlp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: BSC Applet Security - https://ibs.internetbanka.cz/ibs31/bin/apls...99.99.99.99.cab
O16 - DPF: BSC Applet Utilities - https://ibs.internetbanka.cz/ibs31/bin/aplu...99.99.99.99.cab
O16 - DPF: BSC Business Objects - https://ibs.internetbanka.cz/ibs31/bin/busi...99.99.99.99.cab
O16 - DPF: BSC Java Components Library - https://ibs.internetbanka.cz/ibs31/bin/jcl-99.99.99.99.cab
O16 - DPF: BSC Text Utilities - https://ibs.internetbanka.cz/ibs31/bin/text-99.99.99.99.cab
O16 - DPF: BSC Utilities - https://ibs.internetbanka.cz/ibs31/bin/util-99.99.99.99.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Security - https://ibs.internetbanka.cz/ibs31/bin/IBS3...sec-3.2.0.1.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Utilities - https://ra.internetbanka.cz/ra31/bin/IBS31-...til-1.0.1.0.cab
O16 - DPF: IAIK Java Cryptography Extension - https://ibs.internetbanka.cz/ibs31/bin/IAIK-99.99.99.99.cab
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://www.68737075.com/connect/wla/x/ukgolwla5x.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://movie-browser.com/tl7000.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download..._MEDIAWHIZ9.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/AgeVerif.../bridge-c24.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} (AXL Control) - http://jav.webreport.cz/sdp4/ax/86648/AXL.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc6-gb/gbc6/games33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3844
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1380.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba891.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C628BAB8-AD3E-47B0-9B52-6D3F03B24C85}: NameServer = 80.225.252.58 80.225.252.50
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


I will be grateful for any help...THANX.....XXX
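As an added example (not part of monika's post or of OldTimer's reply, and not a tool either of them used), the script below shows how a helper triages a HijackThis log like the one above before asking for scans. It parses the O2, O4 and O16 lines and flags the patterns that stand out in this log: Run keys that point at bare filenames such as vsmon.exe and scvhost.exe (the latter is one letter transposition away from the real svchost.exe), mshta launching a local .hta at startup, an executable sitting in the drive root, ActiveX (DPF) entries that fetch .exe files instead of .cab packages or whose URL literally says "dialer", and BHOs whose DLL is not on disk. The list of imitated system binaries, the edit-distance threshold and the choice of sample lines are my assumptions; a hit is a reason to look at an entry, not a verdict that it is malicious.

```python
"""Triage a HijackThis log for entries a removal helper would look at first.

Added example, not part of the forum thread. The rules are heuristics: a hit means
"look at this", not "this is malware", and a clean pass proves nothing.
"""
import re

# Core Windows binaries that malware likes to imitate by misspelling (assumed list).
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"]

# Constructed sample: a selection of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba891.exe
""".strip("\n")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<what>.+) - (?P<url>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<rest>.+)$")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'scvhost.exe' is 1 away from 'svchost.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_token(cmd):
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(cmd):
    """Heuristics for an O4 (Run / RunServices) command line."""
    reasons = []
    prog = first_token(cmd)
    base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    parts = cmd.split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    if "\\" not in prog and ":" not in prog:
        reasons.append("bare filename '%s': found by PATH search, not a fixed location" % prog)
    for canon in SYSTEM_BINARIES:
        if 0 < osa_distance(base, canon) <= 1:
            reasons.append("'%s' looks like a misspelling of %s" % (base, canon))
    if base in ("mshta", "mshta.exe") and ".hta" in cmd.lower():
        reasons.append("mshta runs a local HTA script at startup: %s" % args)
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", prog):
        reasons.append("executable sitting in the drive root: %s" % prog)
    return reasons


def check_o16(url):
    """Heuristics for an O16 (Downloaded Program Files / ActiveX) URL."""
    reasons = []
    path = url.split("?", 1)[0].lower()
    if path.endswith((".exe", ".dll")):
        reasons.append("ActiveX download is a raw executable rather than a .cab package")
    if "dialer" in url.lower():
        reasons.append("download URL advertises a dialer")
    return reasons


def triage(log_text):
    """Return (line_number, reason) pairs for every flagged entry in the log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group("cmd"))
        m = O16_RE.match(line)
        if m:
            reasons = check_o16(m.group("url"))
        if O2_RE.match(line) and ("(file missing)" in line or "(no file)" in line):
            reasons = ["BHO is registered but its DLL is not on disk (deleted, hidden, or not yet re-dropped)"]
        findings.extend((n, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for n, reason in triage(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Run against the sample it reports the orphaned ixz.dll BHO, both problems with the regsrv entry, the mshta/winsys.hta autostart, C:\y.exe, the dialer CAB and the gba891.exe download, and stays silent on the Acrobat BHO, the avast! tray program and the eBay image control. The same rules applied to the full log above would also pick up the three vsmon.exe entries (bare filename) and the O16 entries fetching ukgolwla5x.exe, dbaccess.exe, 1025976.exe and dba1380.exe.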


#2 monika

monika
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 09 April 2005 - 05:23 PM

[Same text and HijackThis log as post #1.]

#3 monika

monika
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 09 April 2005 - 05:30 PM

[Same text and HijackThis log as post #1.]

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:04:15 PM

Posted 09 April 2005 - 07:14 PM

Please do not post multiple times for the same issue. It creates a lot of extra work for the volunteers who are trying to help out.

I will review your log and respond back to you when I am finished.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:04:15 PM

Posted 09 April 2005 - 07:32 PM

Hi monika. Let's start off with some adware/spyware scans.

Step #1

On-line virus scans

Please run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #2

On-line trojan scan.

Click on the link below and follow the directions on the webpage to run an online trojan scan:

WindowSecurity online trojan scan

Step #3

Adware Scans

1) Download, install, update and run a scan with Spybot S&D:
  • Download and Install Spybot Search & Destroy, accepting the Default Settings.
  • In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
  • Close ALL windows except Spybot S&D
  • Click the button to ‘Search for Updates’ and then download and install all available Updates.
  • Next click the button ‘Check for Problems’
  • When Spybot is complete, it will be showing ‘RED’ entries, bold ‘Black’ entries and ‘GREEN’ entries in the window.
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
  • REBOOT to complete the scan and clear memory.
2) Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #4

Next, let's clean up the temporary folders:
  • Download CleanUp! and install.
  • Start CleanUp! and click the CleanUp! button. Let it run to completion.
Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGITIMATE AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#6 monika

monika
  • Topic Starter


Posted 10 April 2005 - 01:38 PM

Hello OT,

I have done everything on your list, step by step... the spyware scans found loads of spyware and I am not sure it has all been removed... here is my first log, which is the one I did before the scanning:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:39, on 10/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\mshta.exe
C:\windows\system32\gkespy.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system32\packager.exe
C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
C:\WINDOWS\System32\menlp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\totalcmd\TOTALCMD.EXE
c:\Documents and Settings\Monique a Milanocek\Dokumenty\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
O1 - Hosts: 64.246.26.137 xml.umaxfeed.com
O1 - Hosts: 64.246.26.137 searchmiracle.com
O1 - Hosts: 64.246.26.137 www.searchmiracle.com
O1 - Hosts: 64.246.26.137 search.yahoo.com
O1 - Hosts: 64.246.26.137 www.search-and-more.com
O1 - Hosts: 64.246.26.137 x.full-tgp.net
O1 - Hosts: 64.246.26.137 home.peoplepc.com
O1 - Hosts: 64.246.26.137 peoplepc.com
O1 - Hosts: 64.246.26.137 all-find.net
O1 - Hosts: 64.246.26.137 www.start-page.info
O1 - Hosts: 64.246.26.137 start-page.info
O1 - Hosts: 64.246.26.137 www.young-devils.com
O1 - Hosts: 64.246.26.137 young-devils.com
O1 - Hosts: 64.246.26.137 toolbarpartner.com
O1 - Hosts: 64.246.26.137 www.toolbarpartner.com
O1 - Hosts: 64.246.26.137 beauty.find-on-the-net.com
O1 - Hosts: 64.246.26.137 automotive.find-on-the-net.com
O1 - Hosts: 64.246.26.137 www.teocash.com
O1 - Hosts: 64.246.26.137 medicine.find-on-the-net.com
O1 - Hosts: 64.246.26.137 cgi.gammae.com
O1 - Hosts: 64.246.26.137 teens-dream.com
O1 - Hosts: 64.246.26.137 the.sextracker.com
O1 - Hosts: 64.246.26.137 lobby.sexlist.com
O1 - Hosts: 64.246.26.137 in.paycounter.com
O1 - Hosts: 64.246.26.137 adv.sexcounter.com
O1 - Hosts: 64.246.26.137 rd1.hitbox.com
O1 - Hosts: 64.246.26.137 refer.ccbill.com
O1 - Hosts: 64.246.26.137 www.ccbill.com
O1 - Hosts: 64.246.26.137 secure.ibill.com
O1 - Hosts: 64.246.26.137 select.2000charge.com
O1 - Hosts: 64.246.26.137 secure.2000charge.com
O1 - Hosts: 64.246.26.137 www.signup.globill-systems.com
O1 - Hosts: 64.246.26.137 secure.visionbill.net
O1 - Hosts: 64.246.26.137 www.dibill.com
O1 - Hosts: 64.246.26.137 secure.dpbill.com
O1 - Hosts: 64.246.26.137 secure.dutchbilling.com
O1 - Hosts: 64.246.26.137 secure.pswbilling.com
O1 - Hosts: 64.246.26.137 www.maximumcash.com
O1 - Hosts: 64.246.26.137 www.adultrevenueservice.com
O1 - Hosts: 64.246.26.137 www.eroticacash.com
O1 - Hosts: 64.246.26.137 www.oxcash.com
O1 - Hosts: 64.246.26.137 track.oxcash.com
O1 - Hosts: 64.246.26.137 potd.oxcash.com
O1 - Hosts: 64.246.26.137 clicks2.oxcash.com
O1 - Hosts: 64.246.26.137 www.webmastersmakemoney.com
O1 - Hosts: 64.246.26.137 clicks.nastydollars.com
O1 - Hosts: 64.246.26.137 www.lightspeedcash.com
O1 - Hosts: 64.246.26.137 db.fetishcash.com
O1 - Hosts: 64.246.26.137 ctc.amateurpages.com
O1 - Hosts: 64.246.26.137 www2.karupspc.com
O1 - Hosts: 64.246.26.137 www.iteens.com
O1 - Hosts: 64.246.26.137 click.payserve.com
O1 - Hosts: 64.246.26.137 vip.mtree.com
O1 - Hosts: 64.246.26.137 c.fsx.com
O1 - Hosts: 64.246.26.137 adultfriendfinder.com
O1 - Hosts: 64.246.26.137 www.danni.com
O1 - Hosts: 64.246.26.137 network.nocreditcard.com
O1 - Hosts: 64.246.26.137 php.offshoreclicks.com
O1 - Hosts: 64.246.26.137 links.lifetimebucks.com
O1 - Hosts: 64.246.26.137 cgi.gammae.com
O1 - Hosts: 64.246.26.137 click.passiondollars.com
O1 - Hosts: 64.246.26.137 www.fatpockets.com
O1 - Hosts: 64.246.26.137 link.siccash.com
O1 - Hosts: 64.246.26.137 www.clickcash.com
O1 - Hosts: 64.246.26.137 www.scoreland.com
O1 - Hosts: 64.246.26.137 www.makingitpay.com
O1 - Hosts: 64.246.26.137 www.hpic.com
O1 - Hosts: 64.246.26.137 referral.topbucks.com
O1 - Hosts: 64.246.26.137 www.platinumbucks.com
O1 - Hosts: 64.246.26.137 partner.globill-systems.com
O1 - Hosts: 64.246.26.137 www.pornstardollars.com
O1 - Hosts: 64.246.26.137 traffic.acpay.com
O1 - Hosts: 64.246.26.137 www.cashforlink.com
O1 - Hosts: 64.246.26.137 click.silvercash.com
O1 - Hosts: 64.246.26.137 clickcash.webpower.com
O1 - Hosts: 64.246.26.137 www.dollars4babes.com
O1 - Hosts: 64.246.26.137 www.sexfantasyzone.com
O1 - Hosts: 64.246.26.137 www.twistyscash.com
O1 - Hosts: 64.246.26.137 www.freeticketcash.com
O1 - Hosts: 64.246.26.137 www.hawgscash.com
O1 - Hosts: 64.246.26.137 www.freeezinebucks.com
O1 - Hosts: 64.246.26.137 www.nastydollars.com
O1 - Hosts: 64.246.26.137 ads.sexplanets.com
O1 - Hosts: 64.246.26.137 www.deluxepass.com
O1 - Hosts: 64.246.26.137 clicks.oxcash.com
O1 - Hosts: 64.246.26.137 ww2.amateur-pages.com
O1 - Hosts: 64.246.26.137 stats.allliquid.com
O1 - Hosts: 64.246.26.137 secure1.websitebilling.com
O1 - Hosts: 64.246.26.137 www.adultmovienetwork.com
O1 - Hosts: 64.246.26.137 www.totally4freecash.com
O1 - Hosts: 64.246.26.137 network.nocreditcard.com
O1 - Hosts: 64.246.26.137 php.offshoreclicks.com
O1 - Hosts: 64.246.26.137 www.nocreditcard.com
O1 - Hosts: 64.246.26.137 media.fastclick.net
O1 - Hosts: 64.246.26.137 clicks.uni-cash.com
O1 - Hosts: 64.246.26.137 www.clubpix.com
O1 - Hosts: 64.246.26.137 programs.wegcash.com
O1 - Hosts: 64.246.26.137 in.cybererotica.com
O1 - Hosts: 64.246.26.137 www.cybererotica.com
O1 - Hosts: 64.246.26.137 cybererotica.com
O1 - Hosts: 64.246.26.137 dollartraffic.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9E1A52A6-F60B-B6D0-6AE4-C617D1733AF2} - C:\WINDOWS\system32\kzupyz.dll (file missing)
O2 - BHO: (no name) - {C49E1F2F-F0E0-FF30-9809-DEC81E8D29C7} - C:\WINDOWS\system32\bywvqxfm.dll
O2 - BHO: (no name) - {F1B32F2F-DDD3-CA04-B539-EEE52EBD04F7} - C:\WINDOWS\system32\bywvqxfm.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gkespy] c:\windows\system32\gkespy.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [Rodu] C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
O4 - HKCU\..\Run: [Gdoyml] C:\WINDOWS\System32\menlp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O13 - WWW Prefix: http://specific911.net/se.cgi?query=
O16 - DPF: BSC Applet Security - https://ibs.internetbanka.cz/ibs31/bin/apls...99.99.99.99.cab
O16 - DPF: BSC Applet Utilities - https://ibs.internetbanka.cz/ibs31/bin/aplu...99.99.99.99.cab
O16 - DPF: BSC Business Objects - https://ibs.internetbanka.cz/ibs31/bin/busi...99.99.99.99.cab
O16 - DPF: BSC Java Components Library - https://ibs.internetbanka.cz/ibs31/bin/jcl-99.99.99.99.cab
O16 - DPF: BSC Text Utilities - https://ibs.internetbanka.cz/ibs31/bin/text-99.99.99.99.cab
O16 - DPF: BSC Utilities - https://ibs.internetbanka.cz/ibs31/bin/util-99.99.99.99.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Security - https://ibs.internetbanka.cz/ibs31/bin/IBS3...sec-3.2.0.1.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Utilities - https://ra.internetbanka.cz/ra31/bin/IBS31-...til-1.0.1.0.cab
O16 - DPF: IAIK Java Cryptography Extension - https://ibs.internetbanka.cz/ibs31/bin/IAIK-99.99.99.99.cab
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://www.68737075.com/connect/wla/x/ukgolwla5x.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://movie-browser.com/tl7000.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download..._MEDIAWHIZ9.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/AgeVerif.../bridge-c24.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} (AXL Control) - http://jav.webreport.cz/sdp4/ax/86648/AXL.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc6-gb/gbc6/games33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3844
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1380.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba891.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



And this is the last one I did after the scanning:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:19, on 10/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\mshta.exe
C:\windows\system32\gkespy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
C:\WINDOWS\System32\menlp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\windows\system32\packager.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\totalcmd\TOTALCMD.EXE
c:\Documents and Settings\Monique a Milanocek\Dokumenty\HijackThis.exe

O1 - Hosts: 66.159.18.75 www.astalavista.com
O1 - Hosts: 66.159.18.75 astalavista.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9E1A52A6-F60B-B6D0-6AE4-C617D1733AF2} - C:\WINDOWS\system32\kzupyz.dll (file missing)
O2 - BHO: (no name) - {C49E1F2F-F0E0-FF30-9809-DEC81E8D29C7} - C:\WINDOWS\system32\bywvqxfm.dll
O2 - BHO: (no name) - {F1B32F2F-DDD3-CA04-B539-EEE52EBD04F7} - C:\WINDOWS\system32\bywvqxfm.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gkespy] c:\windows\system32\gkespy.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [Rodu] C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
O4 - HKCU\..\Run: [Gdoyml] C:\WINDOWS\System32\menlp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O16 - DPF: BSC Applet Security - https://ibs.internetbanka.cz/ibs31/bin/apls...99.99.99.99.cab
O16 - DPF: BSC Applet Utilities - https://ibs.internetbanka.cz/ibs31/bin/aplu...99.99.99.99.cab
O16 - DPF: BSC Business Objects - https://ibs.internetbanka.cz/ibs31/bin/busi...99.99.99.99.cab
O16 - DPF: BSC Java Components Library - https://ibs.internetbanka.cz/ibs31/bin/jcl-99.99.99.99.cab
O16 - DPF: BSC Text Utilities - https://ibs.internetbanka.cz/ibs31/bin/text-99.99.99.99.cab
O16 - DPF: BSC Utilities - https://ibs.internetbanka.cz/ibs31/bin/util-99.99.99.99.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Security - https://ibs.internetbanka.cz/ibs31/bin/IBS3...sec-3.2.0.1.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Utilities - https://ra.internetbanka.cz/ra31/bin/IBS31-...til-1.0.1.0.cab
O16 - DPF: IAIK Java Cryptography Extension - https://ibs.internetbanka.cz/ibs31/bin/IAIK-99.99.99.99.cab
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://www.68737075.com/connect/wla/x/ukgolwla5x.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://movie-browser.com/tl7000.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download..._MEDIAWHIZ9.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/AgeVerif.../bridge-c24.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} (AXL Control) - http://jav.webreport.cz/sdp4/ax/86648/AXL.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc6-gb/gbc6/games33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3844
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1380.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba891.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



Still having difficulties with specific911... it took me the whole day to get all the scans done, especially after rebooting the comp... please help...

Thanks a lot, I will be waiting for your answer...
monika

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 April 2005 - 03:46 PM

Hi again monika. Things look a little better now. Let's see if we can clean up the rest of these infections. Please proceed with the following steps in order.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O1 - Hosts: 66.159.18.75 www.astalavista.com
O1 - Hosts: 66.159.18.75 astalavista.com
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9E1A52A6-F60B-B6D0-6AE4-C617D1733AF2} - C:\WINDOWS\system32\kzupyz.dll (file missing)
O2 - BHO: (no name) - {C49E1F2F-F0E0-FF30-9809-DEC81E8D29C7} - C:\WINDOWS\system32\bywvqxfm.dll
O2 - BHO: (no name) - {F1B32F2F-DDD3-CA04-B539-EEE52EBD04F7} - C:\WINDOWS\system32\bywvqxfm.dll
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [gkespy] c:\windows\system32\gkespy.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [regsrv] scvhost.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [Rodu] C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
O4 - HKCU\..\Run: [Gdoyml] C:\WINDOWS\System32\menlp.exe
O16 - DPF: {00000000-0000-0000-0000-000020000000} - http://www.68737075.com/connect/wla/x/ukgolwla5x.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://movie-browser.com/tl7000.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download..._MEDIAWHIZ9.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/AgeVerif.../bridge-c24.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dbaccess.exe
O16 - DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} (AXL Control) - http://jav.webreport.cz/sdp4/ax/86648/AXL.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc6-gb/gbc6/games33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=3844
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1380.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba891.exe

Fix the following if you, a system administrator or a program like Spybot Search & Destroy did not set restrictions on your Control Panel:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\System32\ixz.dll
C:\WINDOWS\system32\kzupyz.dll
C:\WINDOWS\system32\bywvqxfm.dll
c:\windows\system32\gkespy.exe
C:\WINDOWS\System32\menlp.exe
C:\WINDOWS\winsys.hta
C:\WINDOWS\farmmext.exe
C:\y.exe
C:\Program Files\Windows AdStatus\ <--folder
C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
vsmon.exe (search for this file and delete all instances - see the note below regarding searching in XP)
scvhost.exe (search for this file and delete all instances - see the note below regarding searching in XP)

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Step #3

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

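The items OldTimer picks out of monika's before/after logs in post #6 and lists for fixing in post #7 follow a handful of recognisable patterns: dozens of hostnames in the hosts file all pointing at one outside address, every IE search/start URL key set to the same site, BHO registrations whose DLL is already gone, Run entries that name a bare or lookalike executable (scvhost.exe next to the real svchost.exe) or launch an .hta, and O16 ActiveX entries that download a raw .exe. As an added example, not part of the thread and not HijackThis code, the Python script below encodes those checks and runs them over a small log constructed from values that appear in this thread (the one loopback hosts entry, ads.example.invalid, is made up to show the ad-blocking exception). The list of system process names, the loopback set, the edit-distance cutoff of 2 and the threshold of 3 redirected hostnames are my assumptions, not anything the thread states, and like any heuristic they can misfire on an unusual but legitimate entry, so the output is a shortlist for a human to review, not a fix list.

```python
"""Triage of HijackThis-style log lines.

Flags the indicator patterns discussed in this thread. Added example,
not code from the thread or from HijackThis itself.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log; values come from the logs in this thread except the
# loopback entry for ads.example.invalid, which is made up for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
O1 - Hosts: 64.246.26.137 search.yahoo.com
O1 - Hosts: 64.246.26.137 www.ccbill.com
O1 - Hosts: 64.246.26.137 secure.ibill.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38FF652E-9514-04C1-D307-64550DA87342} - C:\WINDOWS\System32\ixz.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [regsrv] scvhost.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
"""

# Assumptions (mine, not from the thread): process names worth imitating,
# loopback targets that mark ordinary ad-blocking hosts entries, and how many
# names must point at one outside IP before we call it a hosts-file hijack.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                "winlogon.exe", "explorer.exe", "spoolsv.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0"}
HIJACK_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def levenshtein(a, b):
    """Plain edit distance; enough to catch scvhost.exe posing as svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(cmd):
    """Program part of a Run value: the quoted path, or the text before the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, reason, evidence) tuples for one log."""
    findings = []
    hosts_by_ip = defaultdict(set)       # O1 targets grouped by address
    ie_keys_by_host = defaultdict(list)  # R0/R1 lines grouped by the site they point at
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":                        # Hosts: <ip> <hostname>
            parts = body.split()
            if len(parts) == 3 and parts[1] not in LOOPBACK:
                hosts_by_ip[parts[1]].add(parts[2])
        elif sec in ("R0", "R1"):              # <key>,<value> = <url>
            host = urlparse(body.split(" = ", 1)[-1]).hostname
            ie_keys_by_host[host].append(raw)
        elif sec == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append((sec, "BHO registration whose DLL is gone", raw))
        elif sec == "O4":                      # <key>: [<name>] <command>
            exe = first_token(body.split("] ", 1)[-1]).lower()
            name = exe.rsplit("\\", 1)[-1]
            if exe.endswith(".exe") and "\\" not in exe:
                findings.append((sec, "bare filename, resolved via the search path", raw))
            if name not in SYSTEM_NAMES and any(levenshtein(name, s) <= 2 for s in SYSTEM_NAMES):
                findings.append((sec, "filename imitates a Windows system process", raw))
            if exe in ("mshta", "mshta.exe") or ".hta" in body.lower():
                findings.append((sec, "HTML application launched at logon", raw))
            if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", exe):
                findings.append((sec, "executable sitting in the drive root", raw))
        elif sec == "O16":                     # <name> - <download url>
            url = body.rsplit(" - ", 1)[-1]
            if urlparse(url).path.lower().endswith((".exe", ".dll")):
                findings.append((sec, "ActiveX entry downloads a raw executable", raw))
    for ip, names in hosts_by_ip.items():
        if len(names) >= HIJACK_THRESHOLD:
            findings.append(("O1", f"{len(names)} hostnames redirected to {ip}", ip))
    for host, lines in ie_keys_by_host.items():
        if len(lines) >= 2:
            findings.append(("R0/R1", f"{len(lines)} IE URL keys point at {host}", host))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = defaultdict(int)
    for sec, _, _ in findings:
        counts[sec] += 1
    return dict(counts)


if __name__ == "__main__":
    for sec, reason, evidence in triage(SAMPLE_LOG):
        print(f"{sec:6} {reason}: {evidence}")
```

Run on the sample it reports nine findings: the two IE URL keys sharing specific911.com, the three hostnames redirected to 64.246.26.137, the two dangling BHOs, four O4 hits (scvhost.exe as both bare and lookalike, the mshta .hta launcher, C:\y.exe in the drive root) and the O16 entry fetching an .exe, while the Acrobat BHO, the Lexmark and avast! Run entries, the loopback hosts line and the .cab download pass untouched. Comparing summarize() over a before and an after log, as monika posted in #6, gives a quick view of what the scans actually removed.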

#8 monika

monika
  • Topic Starter

  • Members
  • 92 posts

Posted 12 April 2005 - 04:48 PM

Hello OT,

Thanks for getting back to me...

Again I have done everything following the instructions... the computer seems to be working a bit faster already...

Here is my last log:

Logfile of HijackThis v1.99.1
Scan saved at 23:39:49, on 12/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Monique a Milanocek\Dokumenty\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O16 - DPF: BSC Applet Security - https://ibs.internetbanka.cz/ibs31/bin/apls...99.99.99.99.cab
O16 - DPF: BSC Applet Utilities - https://ibs.internetbanka.cz/ibs31/bin/aplu...99.99.99.99.cab
O16 - DPF: BSC Business Objects - https://ibs.internetbanka.cz/ibs31/bin/busi...99.99.99.99.cab
O16 - DPF: BSC Java Components Library - https://ibs.internetbanka.cz/ibs31/bin/jcl-99.99.99.99.cab
O16 - DPF: BSC Text Utilities - https://ibs.internetbanka.cz/ibs31/bin/text-99.99.99.99.cab
O16 - DPF: BSC Utilities - https://ibs.internetbanka.cz/ibs31/bin/util-99.99.99.99.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Security - https://ibs.internetbanka.cz/ibs31/bin/IBS3...sec-3.2.0.1.cab
O16 - DPF: GEMINI IBS 31 GECB Applet Utilities - https://ra.internetbanka.cz/ra31/bin/IBS31-...til-1.0.1.0.cab
O16 - DPF: IAIK Java Cryptography Extension - https://ibs.internetbanka.cz/ibs31/bin/IAIK-99.99.99.99.cab
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


Hope to hear from you soon

Kind regards,
Monika
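
Reading a log like the one above is mostly pattern matching on HijackThis' fixed line layout, `Onn - Type: Name - {CLSID} - Path`. As an added example, not part of the thread and not HijackThis' own code, the Python below parses those lines and applies a few structural rules a helper applies by eye: autostart (O4) entries whose target lies outside Windows or Program Files, ActiveX (O16) controls fetched over plain http, entries whose file is reported missing, and BHOs with no name. The sample log is made of lines copied from the post above plus two constructed O4 lines built from the C:\y.exe and hohs.exe paths listed for deletion in post #7, so the rules have something to catch; the TRUSTED_ROOTS list is an assumption. The rules are triage, not verdicts: the unnamed BHO they flag here is Spybot's own SDHelper.dll, which is exactly why the log still gets read by a person.

```python
"""Triage a HijackThis log with a few structural rules.

Added example for this thread; not HijackThis' own code. Findings are
things to look at, not verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section subject reason")

# Directories an autostart target is normally expected to live under. Assumed.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# O4 payload: HKLM\..\Run: [Name] <command line>
RUN = re.compile(r"^HK(LM|CU)\\\.\.\\Run\w*: \[(.*?)\]\s*(.*)$")
# First executable in a command line: a quoted path, or everything up to .exe
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# Lines copied from the posted log, plus two constructed O4 lines (marked)
# built from paths the helper listed for deletion earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [y] C:\y.exe
O4 - HKCU\..\Run: [hohs] C:\Documents and Settings\Monique a Milanocek\Data aplikací\hohs.exe
O16 - DPF: BSC Utilities - https://ibs.internetbanka.cz/ibs31/bin/util-99.99.99.99.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
# The [y] and [hohs] O4 lines above are constructed, not from the posted log.


def run_target(command):
    """Extract the executable path from an O4 command line, dropping
    surrounding quotes and any arguments such as /AllUsers or -lang 1033."""
    m = EXE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def triage(log_text):
    """Return a list of Finding for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, 'Running processes', blanks
        section, rest = m.groups()
        if section == "O4":
            r = RUN.match(rest)
            if r:
                path = run_target(r.group(3))
                if not path.lower().startswith(TRUSTED_ROOTS):
                    findings.append(Finding(section, path,
                                            "autostart outside Windows/Program Files"))
        elif section == "O16":
            url = rest.split(" - ", 1)[-1].strip()
            if url.lower().startswith("http://"):
                findings.append(Finding(section, url,
                                        "ActiveX control fetched over plain http"))
        elif section in ("O2", "O3", "O9", "O23"):
            # Split from the left with a field limit, not from the right: the
            # path itself may contain " - " (Spybot - Search & Destroy).
            parts = rest.split(" - ", 2)
            path = parts[-1].strip()
            if "(file missing)" in path:
                findings.append(Finding(section, path, "referenced file missing"))
            if section == "O2" and parts[0] == "BHO: (no name)":
                findings.append(Finding(section, path,
                                        "unnamed BHO: verify CLSID and file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4s} {f.reason:42s} {f.subject}")
```

Feed a whole saved log to `triage()` and read the output alongside the full log: a trusted-roots rule catches `C:\y.exe` and a dropper in a user profile, but it will never catch a malicious file that was planted inside `C:\WINDOWS\system32` under an innocent name, which is where the earlier deletion list came from.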

#9 OldTimer (Malware Expert, Members, 11,092 posts, Location: North Carolina)

Posted 12 April 2005 - 05:30 PM

Hi Monika. Now that's a good looking log. Great job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster, SpywareGuard and IESpy-Ad. They will add thousands of sites to your restricted zone and block some hijacks from happening.

You should also have a good firewall like ZoneAlarm or Kerio Personal Firewall (both are free) and a good anti-virus application like the one you are currently using. It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your system up to date and clean visit Windows Update monthly, run AdAware SE and Spybot Search & Destroy weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

Edited by OldTimer, 12 April 2005 - 05:30 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#10 monika (Topic Starter, Members, 92 posts)

Posted 13 April 2005 - 03:27 PM

Hello OT,

thank you ever so much, you are an angel...saved my computer...saved me...

will send you small donation shortly...

cheers mate....

monika

#11 OldTimer (Malware Expert, Members, 11,092 posts, Location: North Carolina)

Posted 13 April 2005 - 06:08 PM

You are very welcome monika. I am glad that we could help.

Now that your issues have been resolved I will close this topic. If you encounter any new issues in the future please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
