
Instant Access & AxFreePorn...

Discussion in 'Malware and Virus Removal Archive' started by Shell, 2007/03/14.

  1. 2007/03/14
    Shell

    For the past week or so this yucky virus thing has been popping up on my computer. I have dial up, and this thing kicks me off my dial up to try and dial its own ... it's AxFreePorn. When it fails to dial (and the only way I have figured out to not have it try to dial is to reboot) this icon comes up on my desktop called "Instant Access" with this pornographic tease picture for the icon. I have not clicked it, I don't even want to know where it leads me to... I don't go on any of those sites but I have read up on this and the results I got is that you can get this virus without going on **** sites; you can get it without even knowing it.

    Other sites have suggested to just go to Remove Programs and remove it myself... which would be just lovely if it was listed there.... but neither Instant Access nor AxFreePorn is there.

    I delete it from the dial up connections and I keep deleting the desktop icon hoping one day it will go away.

    It's not. :(

    I have Norton Virus 2002, but it's updated... we're waiting until May until it's out of date to really update it. (If this virus doesn't kill the computer before then).

    Any help or suggestions are appreciated... sorry this is long. I was trying to give as much information as possible. I know the rules say to search the forum before posting but this seems to be an individual thing... with the hijack log thing that I have seen people talk about.

    Edit: Here's my Hijack Log... (I hope I did this correctly)

    Logfile of HijackThis v1.99.1
    Scan saved at 10:17:17 PM, on 3/14/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\PPCRunOnce.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\ISP50\dialer\DIALER.EXE
    C:\Program Files\Trillian\trillian.exe
    c:\progra~1\intern~1\IEXPLORE.EXE
    C:\Program Files\iTunes\iTunes.exe
    C:\AntiSpyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
    Last edited: 2007/03/14
  2. 2007/03/15
    noahdfear

    Welcome to WindowsBBS Shell:)

    I'd like to take a closer look at some registry keys that may be hiding something from HijackThis. Please download getlogXP.exe from the link below, saving it to your desktop. It is a self-extracting zip file that contains a simple batch file to export some registry keys.

    http://noahdfear.geekstogo.com/getlogXP.exe

    Double click it, then click start to extract the file to its own folder on the desktop. Open the folder and double click the GetLogXP.bat file. It will open a log file when complete. Please post the contents of that log here.


    The O17 entry in your log file links back to the Broomfield, Colorado area. Is your internet service provider anywhere near that vicinity?
     

  4. 2007/03/15
    Shell

    Hi noahdfear, thanks for checking out my post.

    Colorado? Not really... unless Colorado just moved considerably close to NJ.

    And I wanted to say I went out and bought Norton Internet Security 2007 today, installed it, and had all the live updates done. So I'm no longer 5 years behind in virus protection.

    But anyway, here's the GetLogXP ..


    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Bart Station REG_SZ C:\Program Files\ISP50\BIN\PPCOLink -STATION
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe "
    ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    osCheck REG_SZ "C:\Program Files\Norton Internet Security\osCheck.exe "

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EPSON Printer and Utilities

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB842773

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803v2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PeoplePC Online

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PeoplePC Toolbar

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SymSetup.{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00030409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00040409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{446DBFFA-4088-48E3-8932-74316BA4CAE4}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{48185814-A224-447A-81DA-71BD20580E1B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4843B611-8FCB-4428-8C23-31D0A5EAE164}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50D8FFDD-90CD-4859-841F-AA1961C7767A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77772678-817F-4401-9301-ED1D01A8DA56}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{830D8CBD-C668-49e2-A969-C2C2106332E0}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AB8D458-939E-403F-0097-9BA1C1F013D5}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A80000000002}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B7C61755-DB48-4003-948F-3D34DB8EAF69}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D353CC51-430D-4C6F-9B7E-52003DA1E05A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E5EE9939-259F-4DE2-8023-5C49E16A4F43}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F4DB525F-A986-4249-B98B-42A8066251CA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7529650-B9DB-481B-0089-A2AC3C2821C1}
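Added example (not part of any post in this thread): one way to compare the autorun entries of the first HijackThis log with the Run keys in the GetLogXP export above, so that entries which appeared or disappeared between the two snapshots stand out. The sample inputs are constructed from the lines posted in this thread; the function names are hypothetical, and value names are compared case-insensitively as the registry does.

```python
import re

# Constructed sample: O4 lines from the HijackThis log of 3/14/2007 in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Constructed sample: Run keys from the GetLogXP (reg.exe) export posted on 3/15/2007.
REG_EXPORT = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bart Station REG_SZ C:\Program Files\ISP50\BIN\PPCOLink -STATION
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe "
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
osCheck REG_SZ "C:\Program Files\Norton Internet Security\osCheck.exe "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
"""

HJT_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
REG_VALUE = re.compile(r"^(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_hjt(text):
    """Map (hive, lowercased value name) -> (name, command) for O4 Run entries."""
    entries = {}
    for line in text.splitlines():
        m = HJT_RUN.match(line.strip())
        if m:  # "Global Startup" and other O4 variants are not Run keys
            hive, name, command = m.groups()
            entries[(hive, name.casefold())] = (name, command)
    return entries


def parse_reg(text):
    """Same mapping, read from reg.exe query output for the Run keys."""
    entries, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HKEY_"):
            # Only the Run key itself counts, not subkeys such as OptionalComponents.
            is_run = line.upper().endswith("\\CURRENTVERSION\\RUN")
            hive = HIVES.get(line.split("\\", 1)[0]) if is_run else None
            continue
        m = REG_VALUE.match(line)
        if m and hive:
            name, command = m.groups()
            entries[(hive, name.casefold())] = (name, command)
    return entries


def diff_autoruns(before, after):
    """Return (removed, added, changed) as sorted lists of (hive, value name)."""
    removed = sorted((k[0], before[k][0]) for k in before.keys() - after.keys())
    added = sorted((k[0], after[k][0]) for k in after.keys() - before.keys())
    changed = sorted((k[0], after[k][0]) for k in before.keys() & after.keys()
                     if before[k][1] != after[k][1])
    return removed, added, changed


if __name__ == "__main__":
    removed, added, changed = diff_autoruns(parse_hjt(HJT_LOG), parse_reg(REG_EXPORT))
    for label, items in (("removed", removed), ("added", added), ("changed", changed)):
        for hive, name in items:
            print(f"{label:8} {hive}\\...\\Run  {name}")
```

A difference between snapshots only says that an entry changed; whether the change came from a software install, a manual cleanup or something else still has to be established from the rest of the thread.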
     
  5. 2007/03/15
    noahdfear

    Thanks! Not seeing what I had hoped, so let's try another angle. Please run the batch again from safe mode, then post the log.

    Copy the bolded blue text below (keep the format the same) to a blank notepad.

    if exist temp.txt del temp.txt
    dir %temp%\*.exe /s /a >>temp.txt
    cls
    exit


    Save it to your desktop as;

    Filename: temp.bat
    Save As Type: All Files (*.*)

    Double click it to run, then post the contents of the temp.txt log it creates on the desktop.

    What is the exact name of the dialup connection that is being created?
     
  6. 2007/03/15
    noahdfear

    Either add the first two lines below to the top of the temp.bat, or create another named DPF.bat using all 4 lines below and post DPF.txt as well, please ;)

    if exist DPF.txt del DPF.txt
    dir %windir%\Downlo~1 /s /a >DPF.txt
    cls
    exit
     
  7. 2007/03/15
    Shell

    The exact name of the dial up connection is AxFreePorn
    And you not seeing what you hoped can't be a good sign :(

    The batch again...



    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Bart Station REG_SZ C:\Program Files\ISP50\BIN\PPCOLink -STATION
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe "
    ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    osCheck REG_SZ "C:\Program Files\Norton Internet Security\osCheck.exe "

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EPSON Printer and Utilities

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB842773

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803v2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PeoplePC Online

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PeoplePC Toolbar

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SymSetup.{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00030409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00040409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{446DBFFA-4088-48E3-8932-74316BA4CAE4}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{48185814-A224-447A-81DA-71BD20580E1B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4843B611-8FCB-4428-8C23-31D0A5EAE164}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50D8FFDD-90CD-4859-841F-AA1961C7767A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77772678-817F-4401-9301-ED1D01A8DA56}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{830D8CBD-C668-49e2-A969-C2C2106332E0}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8AB8D458-939E-403F-0097-9BA1C1F013D5}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A80000000002}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B7C61755-DB48-4003-948F-3D34DB8EAF69}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D353CC51-430D-4C6F-9B7E-52003DA1E05A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E5EE9939-259F-4DE2-8023-5C49E16A4F43}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F4DB525F-A986-4249-B98B-42A8066251CA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7529650-B9DB-481B-0089-A2AC3C2821C1}


    Now you kind of lost me... I did the first one (temp.bat) and ran it and this came up:

    Volume in drive C has no label.
    Volume Serial Number is 481B-FBD2

    Directory of C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp

    03/03/2007 10:35 AM 17,865 1172936093Nhn2a.exe
    03/11/2007 10:03 PM 18,088 1173617257ZCLna.exe
    03/12/2007 12:39 PM 18,088 1173721056br9Ea.exe
    03/12/2007 12:44 PM 18,088 1173721422GMxya.exe
    03/12/2007 08:29 PM 18,088 1173721422LdkXa.exe
    03/13/2007 01:24 PM 18,088 1173810182BS04a.exe
    03/13/2007 09:17 PM 18,088 1173810406TlEpa.exe
    03/14/2007 06:58 PM 18,088 1173892642i8MFa.exe
    02/06/2006 08:58 PM 700,416 AutoRun.exe
    08/17/2004 09:14 PM 1,453,843 First15.exe
    03/15/2007 07:07 PM 1,174,664 SymLCSVC.EXE
    08/17/2004 09:14 PM 23,040 VP6Install.exe
    12/28/2006 08:53 AM 2,585,872 WindowsInstaller-KB893803-v2-x86.exe
    13 File(s) 6,082,316 bytes

    Total Files Listed:
    13 File(s) 6,082,316 bytes
    0 Dir(s) 19,494,891,520 bytes free


    And then tried the second thing...

    if exist DPF.txt del DPF.txt
    dir %windir%\Downlo~1 /s /a >DPF.txt
    cls
    exit

    (It didn't become anything like the first one did)

    So then you said I could combine them... so let's try that...

    (I think it worked this time...)

    DPF one:

    Volume in drive C has no label.
    Volume Serial Number is 481B-FBD2

    Directory of C:\WINDOWS\Downlo~1

    03/06/2007 03:29 PM <DIR> .
    03/06/2007 03:29 PM <DIR> ..
    12/17/2006 05:46 AM 65 desktop.ini
    01/20/2000 03:25 PM 1,162 Microsoft XML Parser for Java.osd
    11/09/2006 02:36 PM 5,019 swflash.inf
    01/24/2007 05:39 PM 149,544 ZIntro.ocx
    4 File(s) 155,790 bytes

    Total Files Listed:
    4 File(s) 155,790 bytes
    2 Dir(s) 19,494,891,520 bytes free

    temp one:

    Volume in drive C has no label.
    Volume Serial Number is 481B-FBD2

    Directory of C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp

    03/03/2007 10:35 AM 17,865 1172936093Nhn2a.exe
    03/11/2007 10:03 PM 18,088 1173617257ZCLna.exe
    03/12/2007 12:39 PM 18,088 1173721056br9Ea.exe
    03/12/2007 12:44 PM 18,088 1173721422GMxya.exe
    03/12/2007 08:29 PM 18,088 1173721422LdkXa.exe
    03/13/2007 01:24 PM 18,088 1173810182BS04a.exe
    03/13/2007 09:17 PM 18,088 1173810406TlEpa.exe
    03/14/2007 06:58 PM 18,088 1173892642i8MFa.exe
    02/06/2006 08:58 PM 700,416 AutoRun.exe
    08/17/2004 09:14 PM 1,453,843 First15.exe
    03/15/2007 07:07 PM 1,174,664 SymLCSVC.EXE
    08/17/2004 09:14 PM 23,040 VP6Install.exe
    12/28/2006 08:53 AM 2,585,872 WindowsInstaller-KB893803-v2-x86.exe
    13 File(s) 6,082,316 bytes

    Total Files Listed:
    13 File(s) 6,082,316 bytes
    0 Dir(s) 19,494,887,424 bytes free
     
  8. 2007/03/16
    noahdfear

    Hi Shell,

    Please download the Suspicious File Packer from the link below.

    http://www.safer-networking.org/en/tools/index.html

    Extract and run the sfp.exe file. Copy the bolded text below and paste it into the SFP window, then click continue.

    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1172936093Nhn2a.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173617257ZCLna.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173721056br9Ea.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173721422GMxya.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173721422LdkXa.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173810182BS04a.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173810406TlEpa.exe
    C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp\1173892642i8MFa.exe


    It will create a 'requested-files[date&time].cab' file on your desktop. Please upload that file at the following link.

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Leave a link to this topic and comment that I requested the files, please.

    Download RegSearch.zip and extract the contents of the zip file to its own folder.
    Open and double-click the icon for RegSearch.exe to launch the program.
    Enter AxFreePorn on the first line of the top window, 1173892642i8MFa.exe on the second line of top window and click OK. After completion Notepad will be opened with all the found instances, if any. Please post that log.


    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double click it to run and follow the prompts. Please post the contents of the AWF.txt log it creates.
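Added example (not part of any post in this thread): a triage sketch for a `dir %temp%\*.exe` listing like the one posted above. It flags executables whose names follow the pattern of the eight files noahdfear asked to have submitted, that is ten digits, four alphanumeric characters, then `a.exe`, and groups them by size. Treating the ten digits as a Unix timestamp is an assumption made here, checked against each file's modified date with a two-day tolerance because the listing's time zone is not stated; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the temp.txt listing posted in this thread.
DIR_LISTING = r"""
Volume in drive C has no label.
Volume Serial Number is 481B-FBD2

Directory of C:\DOCUME~1\OWNER~1.PET\LOCALS~1\Temp

03/03/2007 10:35 AM 17,865 1172936093Nhn2a.exe
03/11/2007 10:03 PM 18,088 1173617257ZCLna.exe
03/12/2007 12:39 PM 18,088 1173721056br9Ea.exe
03/12/2007 12:44 PM 18,088 1173721422GMxya.exe
03/12/2007 08:29 PM 18,088 1173721422LdkXa.exe
03/13/2007 01:24 PM 18,088 1173810182BS04a.exe
03/13/2007 09:17 PM 18,088 1173810406TlEpa.exe
03/14/2007 06:58 PM 18,088 1173892642i8MFa.exe
02/06/2006 08:58 PM 700,416 AutoRun.exe
08/17/2004 09:14 PM 1,453,843 First15.exe
03/15/2007 07:07 PM 1,174,664 SymLCSVC.EXE
08/17/2004 09:14 PM 23,040 VP6Install.exe
12/28/2006 08:53 AM 2,585,872 WindowsInstaller-KB893803-v2-x86.exe
13 File(s) 6,082,316 bytes
"""

# File rows look like: date, 12-hour time, size with thousands separators, name.
ENTRY = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(.+)$")
# Name pattern seen in the thread: 10 digits + 4 alphanumerics + "a.exe".
NAME_PATTERN = re.compile(r"^(\d{10})[A-Za-z0-9]{4}a\.exe$", re.IGNORECASE)


def parse_dir(text):
    """Return (modified, size, name) for each file row; headers, <DIR> rows
    and summary lines do not match ENTRY and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            date, clock, size, name = m.groups()
            modified = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
            rows.append((modified, int(size.replace(",", "")), name))
    return rows


def embedded_time(name):
    """Decode the leading 10 digits as a Unix timestamp (assumption), or None."""
    m = NAME_PATTERN.match(name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def triage(rows, tolerance=timedelta(days=2)):
    """Flag files whose name matches and whose embedded time is close to the
    file's own modified time (local time, zone unknown, hence the tolerance)."""
    flagged = []
    for modified, size, name in rows:
        stamp = embedded_time(name)
        if stamp and abs(stamp.replace(tzinfo=None) - modified) <= tolerance:
            flagged.append({"name": name, "size": size,
                            "modified": modified, "embedded_utc": stamp})
    return flagged


def size_clusters(flagged):
    """Count flagged files per byte size; repeated sizes suggest one payload."""
    return Counter(f["size"] for f in flagged)


if __name__ == "__main__":
    hits = triage(parse_dir(DIR_LISTING))
    for f in hits:
        print(f'{f["name"]:24} {f["size"]:>7}  name time {f["embedded_utc"]:%Y-%m-%d %H:%M} UTC')
    print(dict(size_clusters(hits)))
```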
     
  9. 2007/03/16
    Shell

    Hi noahdfear, I really appreciate you taking the time out to help me with this. Now since I posted this the first time, it kind of stopped happening. Perhaps it did go away on its own? ... unless you find something. I don't know how it just "goes away"

    Norton Internet Security 2k7 did spot a yesbron.com virus and fixed that... but I think that's something different (but what do I know.) Okay, on to your instructions!

    1. A message stated at bleepingcomputer wanted me to tell you, noahdfear, that I submitted the file (how nice of them!) I didn't create an account, I am assuming it went through because it said it did...

    2. RegSearch log:


    REGEDIT4

    ; Registry Search by Bobbi Flekman © 2005
    ; Version: 1.0.2.4

    ; Results at 3/16/2007 10:41:34 PM for strings:
    ; 'axfreeporn'
    ; '1173892642i8mfa.exe'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    ; End Of The Log...


    3. FindAWF log:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\ISP50\BAK

    12/17/2006 08:32 AM 1,581 E-mail Change Notification.lnk
    12/17/2006 08:32 AM 1,563 PeoplePC Online.lnk
    2 File(s) 3,144 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\ISP50\BIN\BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    1836 Jul 6 2005 "C:\Documents and Settings\All Users\Desktop\E-mail Change Notification.LNK "
    1633 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Desktop\E-mail Change Notification.lnk "
    1581 Dec 17 2006 "C:\Program Files\ISP50\BAK\E-mail Change Notification.lnk "
    1854 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online\Accessories\E-mail Change Notification.LNK "
    1808 Jul 6 2005 "C:\Documents and Settings\All Users\Desktop\PeoplePC Online.LNK "
    1808 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\PeoplePC Online.LNK "
    1627 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Desktop\PeoplePC Online.lnk "
    1627 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Start Menu\PeoplePC Online.lnk "
    1563 Dec 17 2006 "C:\Program Files\ISP50\BAK\PeoplePC Online.lnk "
    1814 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online.LNK "
    1633 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\PeoplePC Online.lnk "
    1820 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online\PeoplePC Online.LNK "
    1645 May 26 2005 "C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk "
    1645 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk "
    1794 Jul 6 2005 "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.LNK "
    1645 Dec 17 2006 "C:\Documents and Settings\Owner.PET-8IHFRBP\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk "


    end of report
     
  10. 2007/03/16
    noahdfear

    Thanks for the upload.

    Interesting ............ the AWF log shows signs of the infection, but no files present in most of the bak folders. Did you previously move some files from those folders?

    Please create and post a new HijackThis log.
     
  11. 2007/03/16
    noahdfear

    The Suspicious File Packer failed to get any of those temp files. Please click Start then Run and type %temp%, hit enter. Verify that any one of those files exists, or one similarly named, right click one and select Send To> Compressed (zipped) Folder. A same named zip file will be created within the same folder. Now drag and drop any of the other like-named files onto the zip file. Then right click>Copy the zip, close the temp folder and right click>Paste on your desktop. Please upload that file at the following link.

    http://www.bleepingcomputer.com/mrc/index.php?a=submission&channel=22
     
  12. 2007/03/17
    Shell

    The only thing I tried to delete is a PPCRunOnce virus, with the help of a website for removal, but I really don't even think I accomplished that. I don't usually play around in those areas. And even after I tried doing that, the AxFreePorn dialer still tried to connect. Still hasn't now though...

    Hijack log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:47:26 AM, on 3/17/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\ISP50\dialer\DIALER.EXE
    C:\WINDOWS\System32\wuauclt.exe
    c:\progra~1\intern~1\IEXPLORE.EXE
    C:\AntiSpyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    But when I went into temps, I surely did see all those pornographic tease icons that were popping up at my desktop. I put them all into a compressed zip and sent them your way on bleepingcomputer.com - the link you gave me: http://www.bleepingcomputer.com/mrc/...ion&channel=22 wouldn't allow me to do the same thing I did before... so I sent it through this link: http://www.bleepingcomputer.com/subm...php?channel=20 that you gave me in another post. I hope that's okay...?
     
  13. 2007/03/17
    noahdfear

    Please note that these instructions are tailored to this user's machine. They are not intended to be used on anyone else's.

    Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4

    Close HijackThis

    Copy the bolded blue text below to a blank notepad. Make sure the formatting stays the same. Save it to the desktop as:

    Filename: FixAWF.bat
    Save As Type: All Files (*.*)

    @echo off
    rem Delete the InstantAccess desktop shortcut if it is present
    if exist "%userprofile%\Desktop\InstantAccess.lnk" del "%userprofile%\Desktop\InstantAccess.lnk"
    rem Copy the two PeoplePC shortcuts from the BAK folder into the ISP50 folder
    copy "C:\Program Files\ISP50\BAK\E-mail Change Notification.lnk" "C:\Program Files\ISP50"
    copy "C:\Program Files\ISP50\BAK\PeoplePC Online.lnk" "C:\Program Files\ISP50"
    cls
    exit


    Now double click the FixAWF.bat file to run it.

    Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything it can, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program to clean out their temporary files as well.

    When you have finished, click on the Exit button in the Main menu.

    If there is an AxFreePorn dialup connection present, delete it.


    If you have not already done a scan with AVG Antispyware (or don't have it), please do the following.

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot.

    Run FindAWF again. Post the contents of its log.

    Scan with HijackThis again, save the log and post it as well.

    Let us know if you're still experiencing any problems.
     
  14. 2007/03/17
    Shell

    1. Is anything supposed to happen when I double click on the FixAWF.bat file? A black screen popped up and nothing more.

    2. There is no AxFreePorn dialup connection present - I was quick to delete that each time it popped up.

    3. FindAWF Log:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\ISP50\BAK

    12/17/2006 08:32 AM 1,581 E-mail Change Notification.lnk
    12/17/2006 08:32 AM 1,563 PeoplePC Online.lnk
    2 File(s) 3,144 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\ISP50\BIN\BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    1581 Dec 17 2006 "C:\Program Files\ISP50\E-mail Change Notification.lnk"
    1836 Jul 6 2005 "C:\Documents and Settings\All Users\Desktop\E-mail Change Notification.LNK"
    1633 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Desktop\E-mail Change Notification.lnk"
    1581 Dec 17 2006 "C:\Program Files\ISP50\BAK\E-mail Change Notification.lnk"
    1854 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online\Accessories\E-mail Change Notification.LNK"
    1563 Dec 17 2006 "C:\Program Files\ISP50\PeoplePC Online.lnk"
    1808 Jul 6 2005 "C:\Documents and Settings\All Users\Desktop\PeoplePC Online.LNK"
    1808 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\PeoplePC Online.LNK"
    1627 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Desktop\PeoplePC Online.lnk"
    1627 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Start Menu\PeoplePC Online.lnk"
    1563 Dec 17 2006 "C:\Program Files\ISP50\BAK\PeoplePC Online.lnk"
    1814 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online.LNK"
    1633 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\PeoplePC Online.lnk"
    1820 Jul 6 2005 "C:\Documents and Settings\All Users\Start Menu\Programs\PeoplePC Online\PeoplePC Online.LNK"
    1645 May 26 2005 "C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk"
    1645 Dec 17 2006 "C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk"
    1794 Jul 6 2005 "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.LNK"
    1645 Dec 17 2006 "C:\Documents and Settings\Owner.PET-8IHFRBP\Application Data\Microsoft\Internet Explorer\Quick Launch\PeoplePC Online.lnk"


    end of report


    4. HijackThis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:15:46 AM, on 3/18/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\ISP50\dialer\DIALER.EXE
    c:\progra~1\intern~1\IEXPLORE.EXE
    C:\AntiSpyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S9A.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


    5. Still no more problems concerning AxFreePorn, have been free from that for the last few days. Thank you so much for helping me through this!
     
  15. 2007/03/18
    noahdfear

    Yes, those batches will open and close very quickly because they're so small. ;)

    Fix the following entry again with HijackThis.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4

    Copy the bolded blue text below. Right click FixAWF.bat and select edit to open in notepad. Click Edit on the menu>Select all, then paste, replacing all of the previous text. Close and save the changes.

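    @echo off
    rem Delete the files left in the ISP50 BAK folder
    del /q "C:\PROGRA~1\ISP50\BAK\*.*"
    rem Remove the BAK folders (rmdir without /s only removes empty folders)
    rmdir /q "C:\PROGRA~1\ISP50\BAK"
    rmdir /q "C:\PROGRA~1\MESSEN~1\BAK"
    rmdir /q "C:\WINDOWS\SYSTEM32\BAK"
    rmdir /q "C:\PROGRA~1\ISP50\BIN\BAK"
    cls
    exit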


    Double click FixAWF.bat to run it.

    Reboot and post fresh HijackThis and FindAWF logs.

    How is your computer running?
     
  16. 2007/03/18
    Shell

    Computer is running well! Usually I get a message asking me if I want to connect to ... PeoplePC or AxFreePorn, but AxFreePorn is not an option and hasn't been showing lately (in the past 2-3 days.)

    Were you able to find anything or did it just go away "on its own"?

    I definitely appreciate getting fast replies to this, you guys seem really willing to help others and I think that's great. :)

    Hijackthis Log:


    Logfile of HijackThis v1.99.1
    Scan saved at 1:49:36 AM, on 3/18/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\ISP50\dialer\DIALER.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\AntiSpyware\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S9A.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    (is this supposed to be empty??) FindAWF log:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
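
Added example, not part of the original thread: the "fix, rescan, compare" loop the helper runs by eye across these HijackThis logs can be done mechanically. The Python script below parses HijackThis v1.99.1-style logs, diffs two scans, and reports requested fixes that a rescan still lists; the three sample logs are short excerpts of the scans posted in this thread, and all function and variable names are this example's own.

```python
import re

# HijackThis section codes that occur in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O9": "extra IE button/menu item",
    "O12": "IE plugin", "O16": "ActiveX download (DPF)",
    "O17": "DNS/domain setting", "O23": "Windows service",
}
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entry(line):
    """Return (code, detail) for one entry line, or None if it is not one."""
    m = ENTRY_RE.match(" ".join(line.split()))  # collapse forum whitespace
    return (m.group(1), m.group(2)) if m else None


def parse_log(text):
    """Split a log into a set of running processes and a set of entries."""
    processes, entries, in_processes = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        entry = parse_entry(line)
        if entry:
            in_processes = False
            entries.add(entry)
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def diff_logs(before, after):
    """What changed between two scans of the same machine."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    return {
        "entries_removed": sorted(e0 - e1),
        "entries_added": sorted(e1 - e0),
        "processes_started": sorted(p1 - p0),
        "processes_gone": sorted(p0 - p1),
    }


def unfixed(log_text, requested_fixes):
    """Entries the helper asked to fix that the rescan still lists."""
    _, entries = parse_log(log_text)
    wanted = {parse_entry(line) for line in requested_fixes}
    return sorted(e for e in wanted if e in entries)


# Excerpts (not the complete logs) of the three scans posted in this thread.
SCAN_0317 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ISP50\dialer\DIALER.EXE

O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4
"""
SCAN_0318_A = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE

O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4
"""
SCAN_0318_B = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE

O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"""
# The entry the helper asked to "Fix Checked" (twice) in this thread.
FIX_REQUEST = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{C45874F1-AB7E-44CE-9AAE-8F7AA449C1B8}: NameServer = 209.244.0.3 209.244.0.4",
]

if __name__ == "__main__":
    for change, items in diff_logs(SCAN_0317, SCAN_0318_A).items():
        for item in items:
            label = SECTIONS.get(item[0], "?") if isinstance(item, tuple) else "process"
            print(f"{change:18} {label:22} {item}")
    print("unfixed after first request: ", unfixed(SCAN_0318_A, FIX_REQUEST))
    print("unfixed after second request:", unfixed(SCAN_0318_B, FIX_REQUEST))
```

On these excerpts it reports the O17 NameServer entry as still present in the 12:15 AM scan and gone in the 1:49 AM scan, which matches the helper asking for that fix a second time.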
     
  17. 2007/03/18
    noahdfear

    Glad to hear things are well. Happy to help. :)

    Logs look great as well. You can delete the logs and tools we used (FindAWF, FixAWF.bat, temp.bat, temp2.bat, getlogXP, etc).

    You are extremely behind on Windows Updates. I recommend you take whatever time necessary (and as many visits) to get your computer fully updated.

    Happy surfing!
     
  18. 2007/03/18
    Shell

    OH wow, 19 updates.. That is a lot. I shall update those so I'm not so far behind. Should I keep the AVG Anti-Spyware?
     
  19. 2007/03/18
    noahdfear

    Ummm, unless I'm mistaken, you don't even have Service Pack 1 installed, let alone Service Pack 2, and the 60+ since SP2. You'll be updating for quite some time :( Any chance you know someone that got the SP2 cd from Microsoft? It would save you loads of time.

    Keeping AVG Antispyware is completely at your option, and frankly I don't have an opinion on it at all.
     
  20. 2007/03/18
    Shell

    You're talking about the things that pop up and say "Updates are ready for your computer. Click here to install these updates" - right? It only says 19. Don't know about the SP2 cd, I will have to ask around. The reason for that I am guessing is because this computer loves to randomly crash, I guess it's getting old (5+ years :eek:)
     
  21. 2007/03/18
    noahdfear

    Your best bet for right now, would be to open Automatic Updates via the Control Panel and turn them off. Then go directly to the Windows Update website and check for High Priority Updates and Service Packs (Express Install). If a restart is required after any installations, do so, then go back to check for more. Do this until there are no more updates available. Note that at some point Automatic Updates may get turned back on (the tray icon that pops up), and should be turned back off while doing the manual updates. Be sure to turn them back on when completely updated.

    http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us
     
