
AxFreePorn dialer disconnecting me and attempting to dial a connection.

Discussion in 'Malware and Virus Removal Archive' started by Aerach, 2007/03/10.

  1. 2007/03/10
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Hi.

    I've recently picked up a **** dialer called AxFreePorn which is disconnecting me and trying to dial a connection. I keep deleting it and it comes back, disconnects my connection and dials its own number.

    I have used Spybot S&D and AVG Anti-Spyware to no avail.

    Any help will be greatly appreciated. =)
     
  2. 2007/03/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next. The reason for running these apps, is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log, easier.

    Then we use HijackThis v1.99.1.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of:'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.

    Someone will be along to look at your log soon as possible, we appreciate your patience. Remember, we are ALL VOLUNTEERS, those of us who help. And we do the best we can to answer posts as soon as we can. Logs are generally looked at in the order in which they are posted.
     


  4. 2007/03/11
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Thanks TeMerc! No worries about the wait, I'm glad of the help!

    Ok, here's the log file:


    Logfile of HijackThis v1.99.1
    Scan saved at 13:37:46, on 11/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet\ICC\ICC2000.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{473548E8-82BB-44B3-A445-81062E6D2EE1}: NameServer = 195.218.116.2 194.46.8.57
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

     
  5. 2007/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aerach
    I really don't see anything in your log. Let's do a couple of things.

    Do you use this as your search page? search.usefulware.com

    Please rename Hijackthis.exe to Killer.exe

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please Post the combofix log and the new renamed HJT log.

    Geri
     
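    Editor's added example (not code from any post in this thread): the entries the helpers are reading by eye above, the R0/R1 search-page lines pointing at search.usefulware.com, the O17 line that hard-codes two DNS servers on an adapter, the O4 Run entry that names pctspk.exe without a path, and the O18 protocol handler whose DLL is missing, are exactly the patterns a small script can pull out of a HijackThis log. The Python below parses the HJT entry format, flags those four patterns, and diffs two logs so you can see which entries vanished or appeared between scans (the O17 NameServer line is in the 23:06 log and gone from the 23:13 one). The sample input is constructed from lines posted in this thread; the trusted search hosts and the expected DNS set are assumptions you would fill in for the machine being cleaned. A finding is a question to ask, not a verdict: hard-coded DNS may simply be the ISP's, and a path-less Run entry may be a vendor's own tray utility.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{473548E8-82BB-44B3-A445-81062E6D2EE1}: NameServer = 195.218.116.2 194.46.8.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "R1 - ...", "O17 - ...".
HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumption: search/start-page hosts this user actually uses (the poster names google.ie).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.ie", "www.google.ie"}

# Assumption: DNS servers you expect on this machine. Empty means any hard-coded NameServer gets flagged.
EXPECTED_DNS = set()


def parse_hjt(text):
    """Return the (kind, body) entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def review(text, trusted_hosts=TRUSTED_SEARCH_HOSTS, expected_dns=EXPECTED_DNS):
    """Flag the entry patterns a log reviewer checks first. Each finding is a question, not a verdict."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind in ("R0", "R1", "R3"):
            # R-lines: "<registry value> = <URL>"; flag a search/start page on an unexpected host.
            value = body.partition(" = ")[2].strip()
            host = urlsplit(value).hostname
            if host and host not in trusted_hosts:
                findings.append((kind, f"search/start page points at {host}"))
        elif kind == "O17":
            # O17: per-adapter TCP/IP settings; "NameServer = a.b.c.d e.f.g.h" means DNS is hard-coded.
            servers = body.partition("NameServer = ")[2].split()
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append((kind, "hard-coded DNS servers: " + " ".join(unexpected)))
        elif kind == "O4" and not re.search(r"[\\/]", body.split("] ", 1)[-1]):
            # O4 Run entry with a bare file name: Windows resolves it via PATH, so confirm which file runs.
            findings.append((kind, f"Run entry without a full path: {body}"))
        elif "(file missing)" in body:
            # A handler or hook whose file is gone: leftover from a removal, or a path HJT cannot resolve.
            findings.append((kind, f"references a file that no longer exists: {body}"))
    return findings


def diff_logs(before, after):
    """Entries that vanished and entries that appeared between two scans of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, msg in review(SAMPLE_LOG):
        print(f"{kind}: {msg}")
    # Simulate the later log in this thread, where the O17 line is no longer present.
    later = "\n".join(l for l in SAMPLE_LOG.splitlines() if not l.startswith("O17"))
    gone, new = diff_logs(SAMPLE_LOG, later)
    print("vanished:", [k for k, _ in gone], "appeared:", [k for k, _ in new])
```

    Run it as-is to see the findings for the constructed sample, or read a saved HJT log into SAMPLE_LOG. Passing the ISP's resolvers as expected_dns silences the O17 finding, which is the sensible default once you have confirmed them with the user.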
  6. 2007/03/11
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Hi Geri!

    No I don't use search.usefulware.com as my search page. I generally use google.ie which is usually my home page on firefox.

    I renamed the Hijackthis.exe file.

    Then downloaded ComboFix.exe to my desktop. However, when I double-clicked it, it came up and then disappeared pretty fast. I tried running it again to no avail. Not sure what's going on so I'll wait for further instruction.

    Thanks a million for your help. I haven't a clue what's going on and the dialer is definitely still coming back.
     
  7. 2007/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, hold off on ComboFix. Let me contact a couple of people to see what's up.

    I will get back to you shortly.

    Geri
     
  8. 2007/03/11
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Thanks a million so. I'll be back online again in a few hours. =)
     
  9. 2007/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, please delete ComboFix. We will use this instead.

    Then download ComboScan to your desktop.

    Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - ComboScan.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt back into this thread for me to view.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Please attach Supplementary.txt to your post.

    Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    At this point reboot the system, and post back another HJT log file along with the other two logs requested.

    Thanks
    Geri
     
  10. 2007/03/11
    navymom

    navymom Inactive

    Joined:
    2007/03/11
    Messages:
    1
    Likes Received:
    0
    Greetings, I am having the exact same problem. Since I am a 50+ grandma I don't frequent **** sites lol but I think this particular bug came from viewing some pics connected with the recent American Idol controversy. In this case curiosity didn't kill the cat, it killed my PC. Has anyone else picked up this virus in that way?
     
  11. 2007/03/11
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Navymom - I think you will have to post a new thread so someone can help you individually. =)

    Thanks Geri.

    Here is the ComboScan log:


    ComboScan v20070306.20 run by VM & KING KARL on 2007-03-11 at 23:06:34
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-03-11 23:06:37 UTC - RP1 - System Checkpoint


    Performed disk cleanup.


    -- HijackThis (run as VM & KING KARL.exe) --------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 23:06:50, on 11/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet\ICC\ICC2000.exe
    C:\Documents and Settings\VM & KING KARL\Desktop\comboscan.exe
    C:\PROGRA~1\HIJACK~1\VM & KING KARL.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{473548E8-82BB-44B3-A445-81062E6D2EE1}: NameServer = 195.218.116.2 194.46.8.57
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


    -- File Associations -----------------------------------------------------------

    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1"
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    1R AmdK7 (AMD K7 Processor Driver) - C:\WINDOWS\system32\drivers\amdk7.sys
    1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
    3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
    3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
    3R ms_mpu401 (Microsoft MPU-401 MIDI UART Driver) - C:\WINDOWS\system32\drivers\msmpu401.sys
    3R Ptserial (W2K Pctel Serial Device Driver) - C:\WINDOWS\system32\drivers\ptserial.sys
    3S SiS300i - C:\WINDOWS\system32\drivers\sis300ip.sys
    3R SiS630 - C:\WINDOWS\system32\drivers\sis630p.sys
    3R SiS7018 (Service for SiS7018 Driver (WDM)) - C:\WINDOWS\system32\drivers\sis7018.sys
    0R sisagp (SiS AGP Filter) - C:\WINDOWS\system32\drivers\SISAGP.SYS
    3R SISNIC (SiS PCI Fast Ethernet Adapter Driver) - C:\WINDOWS\system32\drivers\sisnic.sys
    3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
    3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
    3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
    0R Vmodem (W2k Vmodem) - C:\WINDOWS\system32\drivers\vmodem.sys
    0R Vpctcom (W2k Vpctcom) - C:\WINDOWS\system32\drivers\vpctcom.sys
    0R Vvoice (W2k Vvoice) - C:\WINDOWS\system32\drivers\vvoice.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    3S iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
    3S Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"


    -- Files created between 2007-02-11 and 2007-03-11 -----------------------------

    2007-03-11 12:49:38 0 d-------- C:\Documents and Settings\VM & KING KARL\Application Data\Lavasoft
    2007-03-11 12:49:32 0 d-------- C:\Program Files\Lavasoft
    2007-03-11 12:45:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
    2007-03-10 18:52:31 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-03-10 18:52:28 0 d-------- C:\Program Files\Grisoft
    2007-03-10 18:24:17 0 d---s---- C:\Documents and Settings\VM & KING KARL\UserData
    2007-03-10 01:01:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
    2007-03-07 16:20:13 570128 --a------ C:\WINDOWS\system32\DAO350.DLl
    2007-03-07 16:20:06 77824 --a------ C:\WINDOWS\system32\ODBCTL32.DLl
    2007-03-07 16:18:09 1050384 --a------ C:\WINDOWS\system32\MSJET35.DLl
    2007-03-07 16:18:04 121104 --a------ C:\WINDOWS\system32\MSJINT35.DLl
    2007-03-07 16:18:01 24336 --a------ C:\WINDOWS\system32\MSJTER35.DLl
    2007-03-07 16:17:38 251664 --a------ C:\WINDOWS\system32\MSRD2X35.DLl
    2007-03-07 16:17:22 29696 --a------ C:\WINDOWS\system32\Vb5stkit.dll
    2007-03-07 16:16:36 368912 --a------ C:\WINDOWS\system32\Vbar332.dll
    2007-03-07 16:16:36 0 d-------- C:\Program Files\Internet
    2007-02-23 15:28:19 0 d-------- C:\Documents and Settings\VM & KING KARL\Application Data\Help


    -- Find3M Report ---------------------------------------------------------------

    2007-03-09 13:08:53 2068 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-03-08 13:32:28 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
    2007-02-23 15:28:19 0 d-------- C:\Program Files\NoteWorthy Composer<NOTEWO~1>
    2007-02-17 20:24:52 0 d-------- C:\Program Files\Macromedia<MACROM~1>
    2007-02-17 20:23:27 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
    2007-02-03 22:11:21 0 d-------- C:\Program Files\Common Files\SWF Studio<SWFSTU~1>
    2007-02-03 22:11:01 0 d-------- C:\Program Files\Riva
    2007-01-23 03:27:26 45056 --a------ C:\WINDOWS\system32\HSSICore.dll
    2007-01-19 01:10:46 0 d-------- C:\Program Files\WinBudget<WINBUD~1>
    2007-01-18 03:04:53 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
    2007-01-18 03:04:53 0 d-------- C:\Program Files\PCI Audio Applications<PCIAUD~1>
    2007-01-18 03:04:53 0 d-------- C:\Program Files\iTunes
    2007-01-18 03:02:53 38412 --a------ C:\WINDOWS\system32\sistray.EXE
    2007-01-18 03:02:53 38412 --a------ C:\WINDOWS\system32\NeroCheck.exe<NEROCH~1.EXE>
    2007-01-18 03:02:53 38412 --a------ C:\WINDOWS\system32\khooker.exe
    2007-01-18 02:32:40 0 d-------- C:\Program Files\Messenger<MESSEN~1>


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiS Tray"="C:\\WINDOWS\\system32\\sistray.EXE"
    "SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
    "PCTVOICE"="pctspk.exe"
    "C-Media Mixer"="C:\\Program Files\\PCI Audio Applications\\Mixer.exe /startup"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



    -- End of ComboScan: finished at 2007-03-11 at 23:07:25 ------------------------





    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 23:13:47, on 11/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hijackthis\Killer.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe




    I cannot add an attachment as my account is the wrong type. So to save time I uploaded the Supplementary.txt to my storage place on the web. Here is the url: http://vm.homestead.com/files/Supplementary.txt
     
  12. 2007/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
      • C:\WINDOWS\system32\d3d9caps.dat
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  13. 2007/03/12
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Here are those results:

    File: d3d9caps.dat
    Status:
    OK
    MD5 43e9ca5fd87aa085e3e1d8ad9ea3600d
    Packers detected:
    -
    Scanner results
    Scan taken on 12 Mar 2007 16:00:57 (GMT)
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

     
  14. 2007/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Download Dr.Web's CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click the drweb-cureit.exe file and allow it to run the express scan.

    This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

    Once the short scan has finished, select the drives that you want to scan.

    Select all drives. A red dot shows which drives have been chosen.

    Click the green arrow > to the right and the scan will begin.

    At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

    When the scan has finished, click the "Select all" toggle button (if available) next to the files found.

    Then click the green cup icon right below and select Move incurable.

    This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\quarantaine folder (in case we need samples).

    Then, from the main Dr.Web CureIt menu (top left), click File and choose Save report list.
    Save the report to your desktop. The report will be called DrWeb.csv.

    Close Dr.Web CureIt and restart your computer to completely remove any stubborn files on reboot.
    Please post the report here.

    Also, after you run that, please go here and get an online scan.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display whether your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the two reports.

    Thanks
    Geri
     
  15. 2007/03/13
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    The first scan found nothing.

    Then the Kaspersky WebScanner found something. I think I know what it is, but it sees it as a virus. Here are the results:


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, March 13, 2007 5:07:04 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 13/03/2007
    Kaspersky Anti-Virus database records: 281183
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    B:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 58043
    Number of viruses found: 1
    Number of infected objects: 2 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:59:11

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\cert8.db Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\history.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\key3.db Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\parent.lock Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Application Data\Mozilla\Firefox\Profiles\w4pik67l.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Temp\JET3.tmp Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Temp\~DFCBE4.tmp Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\VM & KING KARL\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP1\change.log Object is locked skipped
    C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip/ICQHacker.exe Infected: not-a-virus:pSWTool.Win32.ICQ.e skipped
    C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip ZIP: infected - 1 skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
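Most of the lines in a report like the one above are "Object is locked skipped", which only means the file was in use and never examined. As an added example, not part of the thread, here is a small Python triage helper that separates the two genuine hits from that noise and flags Kaspersky's "not-a-virus:" riskware prefix; the sample text is a constructed excerpt in the shape of the posted report.

```python
import re

# Constructed excerpt in the shape of the Kaspersky Online Scanner report
# posted above (same line formats, only a few of the original lines kept).
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip/ICQHacker.exe Infected: not-a-virus:pSWTool.Win32.ICQ.e skipped
C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip ZIP: infected - 1 skipped

Scan process completed.
"""

# One regex per line shape the scanner emits in its object list.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<count>\d+) (?P<action>\w+)$")


def triage(report):
    """Sort report lines into real detections, archive summaries and locked-file noise.

    'Object is locked skipped' means the file was in use (registry hives, event
    logs, browser databases) and was never scanned; it is not a detection.
    """
    result = {"detections": [], "archives": [], "locked": [], "unparsed": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Infected Object Name", "Scan process")):
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m["path"])
            continue
        m = INFECTED_RE.match(line)
        if m:
            result["detections"].append({
                "path": m["path"],
                "name": m["name"],
                "action": m["action"],
                # Kaspersky's "not-a-virus:" prefix marks riskware/tools, not malware.
                "riskware": m["name"].startswith("not-a-virus:"),
            })
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            result["archives"].append({"path": m["path"], "count": int(m["count"])})
            continue
        result["unparsed"].append(line)
    return result


def needs_attention(result):
    """Detections still on disk: the online scanner only reports, 'skipped' means nothing was removed."""
    return [d for d in result["detections"] if d["action"] == "skipped"]


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{len(r['locked'])} locked files ignored, {len(r['detections'])} detection(s)")
    for d in needs_attention(r):
        print(("riskware " if d["riskware"] else "malware  ") + d["name"], "->", d["path"])
```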
     
  16. 2007/03/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Aerach

    Just to let you know, I have asked someone smarter than I am to look at this AxFreeP0rn dialer virus.

    As you can see it is hitting a lot of people and it is new.

    Please try to hang in there so they can get a handle and fix for this.

    If anyone asks for your help, please give them any info you can.

    I will be watching and will let you know of a fix as soon as they get one.

    Thanks
    Geri
     
  17. 2007/03/14
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi Aerach,

    Geri pointed me to your thread.
    The fact that combofix exited on you right away suggests there is possibly something hidden running that was blocking the program from running.

    Let's check with a couple of scanners to find out.

    Download blacklight beta from here:

    http://www.f-secure.com/blacklight/try_blacklight.html
    Accept agreement which takes you to download page.
    Download blbeta.exe to desktop.
    Disconnect from internet
    Shut down running apps by the clock.
    Shut down any open browser windows and explorer windows.
    Double click blbeta.exe
    Wait for program to load. If you get any warnings about a driver loading and wanting to run through explorer, let it. It is blbeta.
    Click "Scan".
    Wait for scan to finish.
    Please don't run anything else or open windows while scan is running.
    Once it is done it will tell you if items are found. If so, click "Next" then "Close".
    Do NOT use this tool to rename anything! Sometimes legit items are hidden by malware as well as legit apps.
    Log file called fsbl +time+date.txt is created on desktop.

    Please post contents of log.


    Next:

    Download catchme.exe from here:

    http://www.gmer.net/catchme.exe

    Save file to your desktop.
    Double click it and let it run.
    A "dos" window will pop up while the program scans system for hidden files/processes.
    It will tell you when done and lets you know if anything is found.
    You can close the "dos" window.
    A log file called catchme.txt will be placed on the desktop.

    Please post the contents of that file.

    No we won't be using combofix.

    Thanks :)

    ps. Oh yeah...

    I looked at that ICQhacker thing..

    C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip

    Looks to be a program that can read ICQ message history.

    Not truly a virus, but it is a privacy issue.
    If you didn't download it you can delete it. (I would)
     
  18. 2007/03/14
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    Hello. =)

    Here is the fsbl-20070314162541.log

    03/14/07 16:25:41 [Info]: BlackLight Engine 1.0.55 initialized
    03/14/07 16:25:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    03/14/07 16:25:41 [Note]: 7019 4
    03/14/07 16:25:41 [Note]: 7005 0
    03/14/07 16:25:49 [Note]: 7006 0
    03/14/07 16:25:49 [Note]: 7011 1660
    03/14/07 16:25:49 [Note]: 7026 0
    03/14/07 16:25:49 [Note]: 7026 0
    03/14/07 16:25:54 [Note]: FSRAW library version 1.7.1021
    03/14/07 16:29:39 [Note]: 7007 0


    And the catchme.log

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0



    Yeah, that ICQ thing was on my old HD from years ago which I copied. I might as well delete it, as I only copied the old HD to save family stuff really. Just not got round to sorting any of it. I did download it myself along with other ICQ tools from a friend years back! =)

    Thanks anyway so!
     
  19. 2007/03/14
    ruthstran

    ruthstran Inactive

    Joined:
    2007/03/14
    Messages:
    1
    Likes Received:
    0
    Turn off the rogue dialer, if possible.

    Here is what I would do:
    Open Internet Options, if you can. Click on Connections, then look in the list of connections and remove any that don't belong. If there was nothing extra listed there, I would go into the Control Panel and then the Users list and delete any Users that don't belong. (I understand that you can't get to some of these places.)

    If you can turn off System Restore, you will be deleting a place that the virus can hide from the scans. It is in Control Panel, Performance and Maintenance, System, System Restore tab. This is one trick I have learned. Don't forget to turn it back on when it is clean.

    If there is nothing to save, or you have backed up what you need, then the best solution is to format the drive and reload from CDs. Don't reload from the restore partition. The source virus may be hiding there. Most of these porno viruses/spyware/adware programs never go away, no matter how many times you scan.

    My sister's pc had been infected with a dialer and it called Central America and ran up a $200 phone bill. Don't let this happen to you!

    Ruth
     
  20. 2007/03/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Thanks for providing your opinion Ruth.

    A reformat will be a last ditch, no-other-way-to-fix-the-system kind of thing.

    Aerach, please do not take any actions, especially regarding system restore unless told to do so by Blender.

    For those who don't know, by removing all your system restore points before you get cleaned out you run the risk of having no way of reverting back to a previously running machine, even if it is an infected machine, which we can still deal with. This is more of a precautionary step than anything else.

    When dealing with regular users it can occasionally happen that a file gets deleted or some other action happens and we can use sys restore to get us up and running again.
     
  21. 2007/03/14
    Aerach

    Aerach Inactive Thread Starter

    Joined:
    2007/03/10
    Messages:
    17
    Likes Received:
    0
    No worries TeMerc. I'll not be doing any of that. I want to crack the bloody thing! =)

    I've been doing some digging for you guys!

    More information about AxFreePorn:

    Dialer disconnects me every 2 hours.
    Icon on desktop is called "InstantAccess" with icon image of some boobs.
    Target: "C:\Documents and Settings\VM61DRa.exe"
    Connection name created in connections folder: "AxFreePorn"

    I have found a number of exe files starting with VM, then some numbers, and ending in 'a' (see the target path above). These are all in my Documents and Settings file.

    Will I upload you any of these files for you guys to investigate?

    If there's any other info you want me to give, just ask. Thanks!
     
