
AxFreePorn dialer disconnecting me and attempting to dial a connection.

Discussion in 'Malware and Virus Removal Archive' started by Aerach, 2007/03/10.

  1. 2007/03/14
    Blender

    Hi,

    Please do. You can upload those here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Or here:

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    If you can throw a few of them in a folder and zip up the folder that would be better for safer handling by those of us analyzing the files.

    spykiller link is the preferred one since more researchers have access.

    Start yourself a new topic
    Put in topic title "Request by Blender"
    Put in body of message the link to our thread here.
    then press the browse button and then navigate to & select the zip file you created.
    press Post to upload the file

    It is normal you will not see the file you just posted cus only approved members can see em to download them.

    Let me know here when you have posted.

    Once uploaded you can delete both the zip and the folder you created to put these files in.

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Files Created Within group click 30 days
      • In the Files Modified Within group select 30 days
      • In the File String Search group select Non-Microsoft
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

    It may take 2 posts to get entire log in.

    Thanks :)
     
  2. 2007/03/14
    Aerach

    Uploaded those files to bleeping computer as the other link wasn't working. Let me know you got them ok. I left in a log file named VM that was recently modified. Not sure if that's anything to do with it since my nickname is VM and I use it on my windows. Could also explain the file names. =/

    The WinPFind3U log will follow.
     


  4. 2007/03/14
    Aerach

    WinPFind3 logfile created on: 14/03/2007 23:04:44
    WinPFind3U by OldTimer - Version 1.0.23 Folder = C:\Documents and Settings\VM & KING KARL\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2900.2180)

    458224 Kb Total Physical Memory | 246464 Kb Available Physical Memory | 53.79% Memory free
    1082784 Kb Paging File | 936820 Kb Available in Paging File | 86.52% Paging File free
    Paging file location(s): C:\pagefile.sys 672 1344;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 80405292 Kb Total Space | 68548608 Kb Free Space | 85.25% Space Free
    Drive D: | 518080 Kb Total Space | 0 Kb Free Space | 0.00% Space Free
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded


    [Processes - Non-Microsoft Only]
    guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 14:13:20 | Attr = ]
    pctspk.exe -> %System32%\pctspk.exe -> [Ver = 1, 0, 0, 1 | Size = 173056 bytes | Modified Date = 04/10/2001 06:48:08 | Attr = ]
    sistray.exe -> %System32%\sistray.EXE -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 31/05/2005 01:04:00 | Attr = ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.23.0 | Size = 313344 bytes | Modified Date = 11/03/2007 10:34:40 | Attr = ]

    [Win32 Services - Non-Microsoft Only]
    (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 14:13:20 | Attr = ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 03/08/2004 23:56:50 | Attr = ]
    (iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 30/10/2006 09:36:32 | Attr = ]
    (Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 08/06/2006 16:41:58 | Attr = ]

    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    C-Media Mixer -> %ProgramFiles%\PCI Audio Applications\Mixer.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    NeroFilterCheck -> %System32%\NeroCheck.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    PCTVOICE -> %System32%\pctspk.exe -> [Ver = 1, 0, 0, 1 | Size = 173056 bytes | Modified Date = 04/10/2001 06:48:08 | Attr = ]
    QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    SiS KHooker -> %System32%\khooker.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    SiS Tray -> %System32%\sistray.EXE -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_06\bin\jusched.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    < OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
    IMAIL -> Installed = 1 ->
    MAPI -> Installed = 1 ->
    MSFS -> Installed = 1 ->
    < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NetTimer 2000 -> %ProgramFiles%\NetTimer 2000\NetTimer.exe -> JoJo Software [Ver = 2.0.0.0 | Size = 788992 bytes | Modified Date = 08/09/2001 19:32:52 | Attr = ]
    SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 31/05/2005 01:04:00 | Attr = ]
    Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28/09/2006 14:13:28 | Attr = ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    *VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
    Control_RunDLL -> -> File not found
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
    127.0.0.1 localhost -> ->
    < Internet Explorer Settings > ->
    HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
    HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
    HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
    HKLM: CustomizeSearch -> http://search.usefulware.com ->
    HKLM: SearchAssistant -> http://search.usefulware.com ->
    HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
    HKCU: Search Bar -> http://search.usefulware.com ->
    HKCU: Search Page -> http://search.usefulware.com ->
    HKCU: Start Page -> about:blank ->
    HKCU: ProxyEnable -> 0 ->
    < Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    msn.com [ - ] -> ->
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 01:04:00 | Attr = ]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:12 | Attr = ]
    < Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_06\bin\npjpi150_06.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Modified Date = 10/11/2005 12:22:12 | Attr = ]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_06\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Modified Date = 10/11/2005 12:22:12 | Attr = ]
    {B863453A-26C3-4e1f-A54D-A2CD196348E9} -> %ProgramFiles%\ICQLite\ICQLite.exe [ButtonText: ICQ Lite] -> ICQ Ltd. [Ver = 20, 52, 2573, 0 | Size = 3144800 bytes | Modified Date = 11/07/2006 10:06:40 | Attr = ]
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe [ButtonText: Yahoo! Messenger] -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    < User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    SV1 -> ->
    < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
    {EB842C27-4387-4F51-8944-46AB510D8403} -> (SiS 900 PCI Fast Ethernet Adapter) ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab ->
    {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->


    [Files/Folders - Created Within 30 days]
    ComboScan -> %SystemDrive%\ComboScan -> [Folder | Created Date = 11/03/2007 23:06:34 | Attr = ]
    QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 08/03/2007 13:20:49 | Attr = ]
    QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 08/03/2007 13:20:49 | Attr = H ]
    Cihttp.ocx -> %System32%\Cihttp.ocx -> Crescent Division of Progress Software Corp. [Ver = 4.10.000 | Size = 76288 bytes | Created Date = 07/03/2007 16:17:32 | Attr = ]
    Ciras.ocx -> %System32%\Ciras.ocx -> Crescent Division of Progress Software Corp. [Ver = 4.10.000 | Size = 93184 bytes | Created Date = 07/03/2007 16:17:25 | Attr = ]
    Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 13/03/2007 15:21:58 | Attr = ]
    RASDIAL.OCx -> %System32%\RASDIAL.OCx -> COOL.STF [Ver = 2, 0, 2, 1 | Size = 64000 bytes | Created Date = 07/03/2007 16:22:43 | Attr = ]
    Ssa3d30.ocx -> %System32%\Ssa3d30.ocx -> Sheridan Software Systems, Inc. [Ver = 3.01.0010 | Size = 340768 bytes | Created Date = 07/03/2007 16:21:28 | Attr = ]
    Ssspls30.ocx -> %System32%\Ssspls30.ocx -> Sheridan Software Systems, Inc. [Ver = 3.01.0010 | Size = 156448 bytes | Created Date = 07/03/2007 16:17:06 | Attr = ]
    AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 10/03/2007 18:52:31 | Attr = ]

    [Files/Folders - Modified Within 30 days]
    ComboScan -> %SystemDrive%\ComboScan -> [Folder | Modified Date = 11/03/2007 23:07:26 | Attr = ]
    Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 14/03/2007 22:42:38 | Attr = ]
    DOWNLOADS -> %SystemDrive%\DOWNLOADS -> [Folder | Modified Date = 14/03/2007 16:20:04 | Attr = ]
    hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 469291008 bytes | Modified Date = 14/03/2007 23:02:34 | Attr = HS]
    PHOTOS -> %SystemDrive%\PHOTOS -> [Folder | Modified Date = 09/03/2007 13:49:54 | Attr = ]
    Program Files -> %ProgramFiles% -> [Folder | Modified Date = 13/03/2007 20:59:34 | Attr = R ]
    System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 11/03/2007 23:06:38 | Attr = HS]
    WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 14/03/2007 21:23:46 | Attr = ]
    bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 14/03/2007 23:02:36 | Attr = S]
    Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 13/03/2007 15:22:00 | Attr = S]
    Help -> %SystemRoot%\Help -> [Folder | Modified Date = 03/03/2007 16:07:10 | Attr = ]
    inf -> %SystemRoot%\inf -> [Folder | Modified Date = 13/03/2007 15:21:58 | Attr = H ]
    Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 11/03/2007 12:49:34 | Attr = HS]
    NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 05/03/2007 15:12:36 | Attr = ]
    NWRGSTRY.INI -> %SystemRoot%\NWRGSTRY.INI -> [Ver = | Size = 82 bytes | Modified Date = 23/02/2007 15:12:46 | Attr = ]
    Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 14/03/2007 22:54:46 | Attr = ]
    QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 08/03/2007 13:20:50 | Attr = ]
    QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 12/03/2007 16:21:04 | Attr = H ]
    system32 -> %System32% -> [Folder | Modified Date = 14/03/2007 22:32:40 | Attr = ]
    Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 14/03/2007 23:02:58 | Attr = ]
    SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 14/03/2007 23:02:38 | Attr = H ]
    CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 13/03/2007 15:21:56 | Attr = ]
    d3d9caps.dat -> %System32%\d3d9caps.dat -> [Ver = | Size = 2068 bytes | Modified Date = 12/03/2007 16:21:10 | Attr = ]
    drivers -> %System32%\drivers -> [Folder | Modified Date = 10/03/2007 18:52:32 | Attr = ]
    Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 13/03/2007 15:22:00 | Attr = ]
    ras -> %System32%\ras -> [Folder | Modified Date = 07/03/2007 16:31:16 | Attr = ]
    Restore -> %System32%\Restore -> [Folder | Modified Date = 11/03/2007 23:06:38 | Attr = ]
    wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 07/03/2007 14:40:04 | Attr = ]

    [File String Scan - Non-Microsoft Only]
    PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 12:00:00 | Attr = ]
    UPX! , UPX0 , -> %System32%\khooker.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    UPX! , UPX0 , -> %System32%\NeroCheck.exe -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    UPX! , UPX0 , -> %System32%\sistray.EXE -> [Ver = | Size = 38412 bytes | Modified Date = 18/01/2007 03:02:54 | Attr = ]
    winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 23/08/2001 12:00:00 | Attr = ]
    WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 23/08/2001 12:00:00 | Attr = ]
    PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 03/08/2004 21:41:38 | Attr = ]

    < End of report >
     
  5. 2007/03/14
    drakonic

    hey

    well im having the same problem n im going to keep checking this thread please say when u guys figure out how to fix this n then maybe u can help me after ^_^ (if i dun get this fixed dad will murder me literally)
     
  6. 2007/03/14
    noahdfear

    Welcome to WindowsBBS drakonic:)

    While your machine may have the same infection, it's generally advised to have a separate analysis. If you'd like to get one-on-one help with your machine, please start a new topic of your own. Instructions for posting a HijackThis log in the link below. Please include details of what you have done to aid in cleanup.

    http://www.windowsbbs.com/showpost.php?p=197787&postcount=4


    Of course, feel free to keep checking in on this and other related topics if you choose not to go one-on-one. ;)
     
  7. 2007/03/15
    drakonic

    kk

    alrite ill dl hijackthis n ect follow yo rules n post the log thx for help ^_^
     
  8. 2007/03/15
    Blender

    Hi Aerach,

    Thanks for the files. :)

    Can you grab me an uninstall list please from hijackthis?

    Open Hijackthis
    click "open misc tools options"
    Click "open uninstall manager"
    Click "save list.."
    Save the list & post it here please.

    Thanks :)
     
  9. 2007/03/15
    Aerach

    Uninstall list

    Ad-Aware SE Personal
    AVG Anti-Spyware 7.5
    Brightvale Screen Saver
    CD/Spectrum Pro
    FLV Player 1.3.3
    Ghost Korbat Screen Saver
    GIF Movie Gear 4.1.1
    Halloween 2006 Screen Saver
    Hijackthis 1.99.1
    HijackThis 1.99.1
    HSP56 MR Drivers
    ICQ 5.1
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Jasc Animation Shop 3
    Jasc Paint Shop Pro 9
    Kaspersky Online Scanner
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Flash 5
    Macromedia Flash Player 8
    Macromedia Generator 2
    Microsoft Office XP Professional with FrontPage
    Mozilla Firefox (2.0.0.1)
    Mozilla Firefox (2.0.0.2)
    MSN Messenger 7.5
    Nero 6 Ultra Edition
    NetTimer 2000 version 2.0
    NoteWorthy Composer
    PCI Audio Applications
    QuickTime
    Riva FLV Player
    ScummVM 0.9.1
    Simon the Sorcerer II
    SiS 900 PCI Fast Ethernet Adapter Driver
    SiS Audio Driver
    SiS630_730 V2.03
    Spybot - Search & Destroy 1.4
    The Hypnogenic Screen Saver
    Trillian
    UTVip XL
    Windows XP Service Pack 2
    WinRAR archiver
    Yahoo! Messenger
     
  10. 2007/03/16
    Blender

    Hi

    Post a fresh hijackthis log please.

    Thanks :)
     
  11. 2007/03/16
    Aerach

    Sure =)

    Logfile of HijackThis v1.99.1
    Scan saved at 01:06:44, on 17/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\NetTimer 2000\NetTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet\ICC\ICC2000.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\Killer.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [NetTimer 2000] "C:\Program Files\NetTimer 2000\NetTimer.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{473548E8-82BB-44B3-A445-81062E6D2EE1}: NameServer = 195.218.116.2 194.46.8.57
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
     
  12. 2007/03/17
    Blender

    Hi & thanks for the logs.

    1.) Ensure your AVG antispyware is up to date.

    2.) Download this file and save it to your desktop:

    http://downloads.subratam.org/ResetTeaTimer.bat

    Do nothing with it yet.

    3.) Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Do nothing with it yet.

    4.) Disable your TeaTimer so it does not interfere with fix. We can turn it back on when you are clean.
    Please keep it off till we "reset it".

    1.) Open Spybot and click on Mode and check Advanced Mode
    2.) Check yes to next window.
    3.) Click on Tools in bottom left hand corner.
    4.) Click on System Startup icon.
    5.) Uncheck Teatimer box.
    6.) Click Allow Change box.

    You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

    5.) Go ahead and delete those files that look like "breasts" from your C:\Documents and settings\VM & KING KARL folder along with the VM.dat file.
    Also off your desktop.

    6.) Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    7.) Open Hijackthis
    Run system scan and check:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com


    8.) Start your AVG Antispyware and run a full system scan.
    Let it quarantine what it wants.
    Save the log please from the scan.

    9.) Reboot

    10.) Please post:

    New Hijackthis log
    Log from AVG

    Log from this program:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Save the file and run it to get the log.

    Let me know how computer is behaving.

    Thanks :)
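
Whether the five search-page entries listed in step 7 are actually gone can be confirmed by comparing a HijackThis log taken before the fix with one taken after it. The following is an added example, not part of any post in this thread and not HijackThis's own code: it parses entry lines, flags R0/R1 values whose host is outside an assumed allowlist (`www.microsoft.com`), and diffs two scans. The function names are hypothetical and the sample lines are excerpted from the HijackThis logs posted in this thread.

```python
import re
from urllib.parse import urlsplit

# Entry lines start with a section code such as R0, R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# R0/R1 bodies have the form "<registry key>,<value name> = <data>".
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?)\s+=\s+(?P<data>\S.*)$")

# Assumption: hosts accepted as vendor defaults for IE search/start pages.
ALLOWED_HOSTS = {"www.microsoft.com"}

# Excerpt of the log saved at 01:06:44 on 17/03/2007 (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 01:06:44, on 17/03/2007
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
"""

# Excerpt of the log saved at 23:08:38 on 17/03/2007 (after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 23:08:38, on 17/03/2007
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
"""


def parse_entries(log_text):
    """Return (section, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def search_redirects(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (section, key, value name, host) for R0/R1 URLs outside the allowlist."""
    hits = []
    for section, body in parse_entries(log_text):
        if section not in ("R0", "R1"):
            continue
        m = R_RE.match(body)
        if not m:
            continue
        # Values such as about:blank have no hostname and are not flagged.
        host = urlsplit(m.group("data")).hostname
        if host and host.lower() not in allowed_hosts:
            hits.append((section, m.group("key"), m.group("name"), host))
    return hits


def diff_scans(before_text, after_text):
    """Return (removed, added) entry lists between two scans of the same machine."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for hit in search_redirects(BEFORE):
        print("flagged:", hit)
    removed, added = diff_scans(BEFORE, AFTER)
    print("removed:", len(removed), "added:", len(added))
```
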
     
  13. 2007/03/17
    Aerach

    The findAWF.exe wouldn't work. The wee dos box pops up and immediately disappears.

    But here are the logs for AVG anti-spyware and HijackThis.



    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 22:58:46 17/03/2007

    + Scan result:



    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003238.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003239.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003240.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003241.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003242.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003244.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003245.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003246.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003247.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003248.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003249.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003250.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003251.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003252.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003254.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003255.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003256.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003257.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003258.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003259.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003260.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\System Volume Information\_restore{8392FC22-5027-4FE6-90FE-4ED4C16EDFA1}\RP3\A0003261.exe -> Heuristic.Win32.Dialer : Ignored.
    C:\the brain\brainshite\My Documents\ICQTOOLZ\icqhacker.zip/ICQHacker.exe -> Not-A-Virus.PSWTool.Win32.ICQ.e : Ignored.


    ::Report end


    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 23:08:38, on 17/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\Killer.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NetTimer 2000] "C:\Program Files\NetTimer 2000\NetTimer.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe



    I did nothing after the AVG scan. I just followed its advice to "ignore".
     
  14. 2007/03/18
    Blender

    Hi,

    Click start> run> type cmd and hit enter.

    What happens?

    Now try cmd.exe from the run box. What happens?

    Thanks :)
     
  15. 2007/03/19
    dlg425

    I Found My Solution To The Axfreeporn Problem. It Has Attached Itself To My Audio Driver. My System Uses Soundmax Drivers..
    I Went To Task Manager And Killed SMAX4PNP.EXE And SMAgent.exe.

    Then Uninstalled The Soundmax Drivers And Reinstalled The Drivers From The Original Disk.....

    Hope This Works For You And Others..
     
  16. 2007/03/19
    Blender

    Hi dlg425,

    This particular infection usually involves more work than that.
    Several exes are normally overwritten and the original good files are placed elsewhere.
    Even after the infection itself is cleaned up several programs won't work until the original files are found & placed back where they belong.
    These programs normally include those that start with windows. (ie: AV software, firewall software, AS software & other useful necessary programs)

    Trojan also lowers system security by adjusting IE protocol zones and adds bad domains to trusted zones for IE. This can result in ANY site acting as trusted and can therefore do whatever they like to your computer often resulting in several more infections.

    I suggest you start a thread of your own to have your system checked to be sure you are really clean & safe.

    Regards,

    Tammy
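
Added example (not part of the thread and not any poster's code): a defender's check for the zone tampering described in the post above, run over a `reg export` of the per-user `Internet Settings\ZoneMap` key. The export text and the domain names in it are constructed placeholders; the key layout (`Domains` and `ProtocolDefaults`, zone 2 = Trusted sites, zone 3 = Internet) is the standard Windows one.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ZONEMAP = r"\Internet Settings\ZoneMap" + "\\"

# Constructed sample in "reg export" text form; the domains are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000002
"https"=dword:00000003
'''

def audit_zonemap(reg_text):
    """Return (kind, subject, zone) for trusted-zone domains and weakened protocol defaults."""
    findings, section = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Keep only the part of the key path below ZoneMap\
            _, found, rest = line[1:-1].partition(ZONEMAP)
            section = rest if found else None
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if not m or section is None:
            continue
        name, zone = m.group(1), int(m.group(2), 16)
        if section.startswith("Domains\\"):
            # Domains\<domain>\<subdomain> -> subdomain.domain
            host = ".".join(reversed(section.split("\\")[1:]))
            if zone == 2:  # site placed in Trusted sites
                findings.append(("trusted-domain", f"{name}://{host}", zone))
        elif section == "ProtocolDefaults" and name in ("http", "https", "ftp"):
            if zone < 3:  # web protocol mapped to a more trusted zone than Internet
                findings.append(("protocol-default", name, zone))
    return findings

if __name__ == "__main__":
    for kind, subject, zone in audit_zonemap(SAMPLE_REG):
        print(f"{kind}: {subject} -> zone {zone} ({ZONES[zone]})")
```

Any `trusted-domain` entry the user did not add, or any `protocol-default` finding, matches the lowered-security state the post describes and should be reviewed before the machine is treated as clean.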
     
  17. 2007/03/20
    Aerach

    Typing cmd and cmd.exe into the run command brings up a DOS prompt inside the documents and settings file.


    Just to let you know.
    My computer was recently not starting and then resetting when it finally did come on. I'm not sure if this was to do with the axfreeporn trojan or whether it was my fault. As my CD rom decided to snap a CD rom into bits the other day and I had to disconnect my HD whilst I figured out what had happened to the CD and DVD rom (the DVD rom started clunking as a result of the shock). I could have not connected the HD properly, although I'm not sure that would have the same effect. Just thought I might as well mention it. I've reconnected the HD now and it's been running fine for about 10 minutes.
     
  18. 2007/03/20
    Blender

    Ouch!!

    Hope you are still running ok.

    You did disconnect the CD Rom & left it disconnected till you either get a new one or know it's alright?
    I have to say that is the first I heard of CD breaking up in CDRom.

    I find it odd you can open cmd.exe or just cmd and it works yet cannot run other programs that open a cmd window.
    Sounds like your environment variables are messed up. We won't make much progress till that issue is resolved.

    Try this please:

    Download FixPath2 from here:

    http://internet.cybermesa.com/~bstewart/files/fixpath2.zip

    Unzip it to C:\ so you have C:\FixPath2

    Close other programs because you will need to reboot shortly.

    Click start> run> type cmd.exe and hit enter.

    Type:

    cd c:\fixpath2 (note the space between the d and the c)

    Type:

    Fixpath.exe and hit enter.

    It will display some info and ask if you want to fix errors.
    Answer yes!
    It should tell you success.

    Exit the cmd window and reboot <-- Important

    Next:

    See if you can get FindAWF to run.
    Post log if it does.

    Thanks :)
     
  19. 2007/03/21
    Aerach

    Did that and still no luck with findAWF.exe.

    Yeah I took the CDrom out and opened it, removed the bits of CD and checked it was Ok. I'm fine with mechanical/electrical things, it's just software problems I'm completely incapable of understanding. =D
    I think the problem was that the CD got caught up somehow inside and the motor must have been pushing it further into the drive until it snapped. I might have had the telly on too loud and didn't notice a problem til it was too late. It's a shame because I'll have to buy my game again now! Still, at least the computer's working fine. I think the restarting was me not plugging a cable in properly because it appears to be fine now. I hope so too because I share this computer with my partner.

    Going to England later and will be there til Tuesday so won't be at this computer until then. Just so you know there's no rush replying. Thanks for all your help anyway, hopefully I can get this findAWF to work when I get back. =)
     
  20. 2007/03/21
    Blender

    Hi,

    Good to hear the reboot cycle quit.

    Hope you have a good time in England :)

    When you get back...

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it.
    Disconnect from internet & shut down Antivirus to prevent conflicts.
    Shut down also any other unneeded apps including any open browser windows.
    The less stuff we got running the less chance of false positives in log.
    Double click gmer.exe to run it.
    Allow driver to install if asked (gmer.sys)
    You may get a warning at program start that there is possible rootkit activity and do you want to run scan.

    Say OK to run scan.
    If no warning, just click "scan"
    Let the scan finish.
    Once done press "copy"
    Open notepad> press "ctrl+v" to paste log.
    Save log.

    Re-enable your antivirus, re-connect to internet & post that log here.

    Recommend not keeping the computer online while you or your partner are not actually on it.

    Thanks :)
     
  21. 2007/03/21
    Blender

    Hi again,

    Before we go hog-wild on rootkit scanners can you try this please:

    Put FindAWF.exe right in C:\

    Try the scan again please.
    Post log if results.

    I think it is because of the & character in your profile folder that is giving the embedded batch a rough time.

    If it works...no need for Gmer scan.

    Thanks :)
     
