AxFreePorn Disconnects me

[Matty]

After a couple hours I get disconnected by AxFreePorn and it shows up on my network conncections and dials it.  I have located most of it is contained in windows/temp folder but it seems to keep coming back.  Ive tried Avast and adaware scans in the folder and nothing came up with them in.  After I delete them its better for a while but it keeps coming back.  What can I do to completely get rid of it?

[mauserme]

Hi Matty - Welcome to the forum.

There's little information about AxFreePorn.  It appears to have rootkit ability making it hard to remove. 

Open an explorer window and click Tools>Folder Options>View.  Under Hidden Files and Folders make sure Show Hidden Files and Folders is checked.  Also make sure Hide Extensions For Known File Types and Hide Protected Operating System Files are not checked.

Now scan with the free version of A-Squared, putting in quarantine anything found

http://www.emsisoft.com/en/software/download/

If that does not locate the problem scan with F-Secure Blacklight too

http://www.f-secure.com/blacklight/

When you post the results of those scans please also let us know what operating system and what firewall you have.  More detail about the symptoms would also be helpful.  How do you know its AxFreePorn?

[polonus]

Hi Matty,

Her is the specific Spy Axe removal instructions: http://www.spywareremove.com/removeSpy_Axe.html


polonus

[Matty]

I have Windows Xp home and AxFreePorn picture comes up on my desktop, AxFreePorn written as one of my dialup connections and has a number to call, and has pictures come up in Windows/Temp that have a different name like abc123 and this is a file that runs it I think abc123.pid, and I have the protect my internet connection firewall checked.  I have internet options under tools but not folder options. 

[mauserme]

... I have the protect my internet connection firewall checked. 

Is that the Windows Firewall?  If so please install Comodo or Zone Alarm (both are free)

http://www.personalfirewall.comodo.com/

http://www.zonealarm.com/store/content/company/products/znalm/freeDownload.jsp

After installing carefully review anything wanting an internet connection.

Also, clean your temp files with CleanUp

http://www.stevengould.org/software/cleanup/

I have internet options under tools but not folder options. 

Sorry - I should have explained better.

Click Start>My Computer.  Use the Tool button at the top of that window.

[Matty]

I downloaded Comodo and it seems to stop it from loading and disconnecting me.  Ive noticed this Perflib_Perfdata_67c  dat file keeps making new ones with a different number after a while in the windows/temp folder.  I can delete all of them except for 1 every time because it says its being used by another program.  The date on that one is the day Im on the computer.  I downloaded a couple different clean up programs but it gives me a error about the size is different when I try to open it.  I scanned with A-Squared and the scan found these

C:\WINDOWS\system32\rlls.dll    detected: Trace.File.RelevantKnowledge
C:\WINDOWS\system32\rlvknlg.exe    detected: Trace.File.RevelantKnowledge
KEY_LOCAL_MACHINE\SOFTWARE\Policies --> {645FF040-5081-101B-9F08-00AA002F954E}    detected: Trace.Registry.Command Service
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies --> {6BF52A52-394A-11D3-B153-00C04F79FAA6}    detected: Trace.Registry.Command Service
C:\Documents and Settings\Matt\Cookies\matt@2o7[1].txt    detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt    detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt    detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@mediaplex[1].txt    detected: Trace.TrackingCookie
C:\Program Files\America Online 7.0\WanMPSvc.exe    detected: Heuristic.Dialer

[mauserme]

Relavant Knowledge and Command Service both seem like adware, so possibly not the source of your problem.

And C:\Program Files\America Online 7.0\WanMPSvc.exe is a valid part of AOL, so if you use this service you may need to restore this.

Have you scanned with BlackLight yet?  Please do so and post the results.

EDIT:

Upload Perflib_Perfdata_67c  (or any variations you find in the same directory) to Virus Total and Jotti for analysis and post the results

http://www.virustotal.com/en/indexf.html

http://virusscan.jotti.org/


EDIT #2
I'm finding nothing definitive on Perflib_Perfdata_xxx other than the fact that it is very common.  In fact, one of two computers I just checked has a version of this.  Various explanations include orphaned temp files from improper shut downs and files left from Performance Monitor or ATI Video Controllers.

Go ahead and scan the file at the links I posted above, but don't be surprised if nothing is found.

Then for sure run the BlackLight scan.

[polonus]

Hi Matty,

Because of RelevantKnowledge and other tracking cookies stealth methods, tracking cookies, even when installed without malicious reasons, may put your personal and financial information at risk. It is always a good idea to remove RelevantKnowledge and other tracking cookies.
Remove the following processes: relevantknowledge.exe & rk.exe
The removal instructions for command service can be found here:
http://www.spywareremove.com/removeCommand_Service.html

polonus

[uumylove]

del it in safe mode ?

[mauserme]

del it in safe mode ?

Polonus and I think differently about this.  I favor automatic removal methods, when they work,  because I see less chance to cause additional problems.  Have you tried A-Squared or AVG Antispyware?

I don't know the details of your situation but in Matty's case I think there is a downloader we have yet to identify causing this adware to appear on his computer.  I'm trying to focus on confirming the presence or absence of a downloader with a view toward its ultimate removal.  The junk resulting from the downloader can be dealt with along the way with a general cleanup at the end of the process (unless something terribly malicious shows up).

[polonus]

Actually I am not differing in opinion with Mauserme, no way. The information above givenin this thread  is only additional information to check after the automatic removal routines have been performed, so purely for verificational purposes. Automatic removal through an adequate scanner or a specific removal tool for a specific type of malware is almost always to be preferred over manual cleansing practices. But how often the victims of malware ask: "are we secure now, has the malware really been removed?" . For that reason I give the manual cleansing routine also whenever I can find this. Sometimes these manual cleaning routines ask for additional force like killbox, special settings like safe mode, etc. For these reasons and others I share Mauserme's opinion.

polonus

[mauserme]

Gosh, is that snearing Grumpy meant for me?   

Well, yes, it does make sense to verify. 

[Matty]

I scanned with blacklight and found nothing.  At Virusscan.jotti and virus total they found no virus but when I used the recent created Perflib_Perfdata_640 it went to a screen that said: The file you uploaded is 0 bytes, and at the jotti one it also said It is very likely a firewall or a piece of malware is prohibiting you from uploading this file. 

[mauserme]

What is the status of the popups and the file named abc123.pid?  Still a problem or gone now?

Is your internet connection still unstable?

[Matty]

After I delete abc123.pid and go on the computer again for a while it comes back. It doesn't disconnect me anymore since I got the comodo firewall.   My internet connection is slow at times and the fan kicks in and cpu is 100.  Just looking at it now its jumping from in the 20s to 70's cpu usage.