Topic: AxFreePorn Disconnects me

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #15 on: March 17, 2007, 05:25:47 AM »
Can you post a HijackThis log?  It can be downloaded here:

http://www.bleepingcomputer.com/files/hijackthis.php

Extract the program to its own folder (e.g. C:\hijackthis), making sure you don't run it from a temporary folder or from the desktop.  After extracting it, rename hijackthis.exe to hijackthat.exe and run it.  Click to scan and save a log, then post the contents of the log, using more than one post if the log is very long.  Don't "fix" anything - just post the log.

Matty

  • Guest
Re: AxFreePorn Disconnects me
« Reply #16 on: March 17, 2007, 04:03:47 PM »

Logfile of HijackThis v1.99.1
Scan saved at 9:55:33 AM, on 3/17/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = means.net
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.yahoo.com/"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\se66gzsi.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\se66gzsi.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
« Last Edit: March 17, 2007, 04:06:37 PM by Matty »

Matty

  • Guest
Re: AxFreePorn Disconnects me
« Reply #17 on: March 17, 2007, 04:05:41 PM »
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PamelaPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PAMELA~1\client.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak04.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{195AB0B4-F0E8-496E-8FDE-99F60E942800}: NameServer = 206.9.64.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\System32\rlls.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: AxFreePorn Disconnects me
« Reply #18 on: March 17, 2007, 04:47:30 PM »
One of the first things I would suggest is getting Windows XP up to date. There are many vulnerabilities in the original XP and SP1; SP2 plus further security updates have patched those vulnerabilities, so many of the exploits won't be able to enter your system.

This also means there will be no more security updates for XP SP1, as SP2 is the minimum supported for future security updates. It also means IE6 is out of date and vulnerable; I would suggest using either Firefox or Opera, which are more secure than IE, especially one that is out of date.

You also have remnants of Norton Antivirus that you should remove; these can impact other security software. A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton programs:
Removing your Norton program using SymNRT
You can also download SymNRT, a Norton uninstall tool that uninstalls all Norton 2004/2005/2006 products.
Also see, Manual uninstallation documents for Symantec Client Security products (including Corporate Editions) http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/a4d3327506ae7c5f88256b81007b7487?OpenDocument&src=bar_sch_nam

An on-line analysis of your log, http://hijackthis.de/logfiles/047baaa42da06934c5eb27de0341905d.html, check any unknown/nasty entries, google the file names, etc.

Nasty fix:
C:\windows\system32\rlvknlg.exe
See this for more information http://www.bleepingcomputer.com/startups/rlvknlg.exe-12985.html


Unknown - suspect
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122
O20 - AppInit_DLLs:
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\System32\rlls.dll (see http://www.castlecops.com/lsp-175.html, malware related to rlvknlg.exe above)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #19 on: March 17, 2007, 06:12:03 PM »
This one is also bad:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

Looks like FunWebProducts.

Have you tried the usual anti-adware scanners?

AVG Anti-spyware:

http://www.ewido.net/en/product/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html
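The entries DavidR and FreewheelinFrank picked out above can be found mechanically. The script below is an added example (not code from the thread, from HijackThis, or from any poster) that applies those checks to lines in HijackThis v1.99 format: a BHO marked "(no file)", an O16 DPF object with no name and no codebase, a non-default Winlogon Notify DLL, and O4 Run targets whose path components imitate system names (the "?" characters HijackThis prints for unrenderable bytes, as in "??crosoft.NET" and "w?nlogon.exe") or that run a system binary from the wrong folder. The sample lines are copied from Matty's log; the SYSTEM_BINARIES table and the list of imitated names are assumptions made for the example.

```python
import re

# Constructed sample: HijackThis v1.99 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\System32\rlls.dll
"""

# Assumed table for this example: Windows binaries that malware likes to impersonate
# and the folder each normally lives in on XP (lowercase, drive included).
SYSTEM_BINARIES = {
    "regedit.exe": "c:\\windows",
    "winlogon.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
# Names a '?'-obfuscated path component may be imitating (binaries plus two folder names).
SYSTEM_NAMES = list(SYSTEM_BINARIES) + ["microsoft.net", "microsoft shared"]

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")


def extract_path(rest):
    """Pull the program path out of an O4 'Run' entry: the token after [name], quoted or not."""
    m = re.search(r'\[[^\]]*\]\s+(?:"([^"]+)"|(\S+))', rest)
    if not m:
        return None
    return m.group(1) or m.group(2)


def masked_names(component):
    """Well-known names that a component containing '?' could be imitating.
    Each '?' is treated as a wildcard: 'w?nlogon.exe' matches 'winlogon.exe'."""
    if "?" not in component:
        return []
    pattern = re.escape(component).replace(r"\?", ".")
    return [n for n in SYSTEM_NAMES if re.fullmatch(pattern, n, re.IGNORECASE)]


def triage_line(line):
    """Return the reasons one HijackThis line deserves a second look (empty list = none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, rest = m.group("code"), m.group("rest")
    reasons = []
    if code == "O2" and rest.endswith("(no file)"):
        reasons.append("BHO CLSID registered but its DLL is gone; orphan or hidden loader")
    elif code == "O4":
        path = extract_path(rest)
        parts = path.split("\\") if path else []
        for comp in parts:
            for real in masked_names(comp):
                reasons.append(f"'{comp}' looks like an imitation of '{real}'")
        if parts:
            name, folder = parts[-1].lower(), "\\".join(parts[:-1]).lower()
            expected = SYSTEM_BINARIES.get(name)
            if expected and folder != expected:
                reasons.append(f"{name} runs from '{folder}', expected '{expected}'")
    elif code == "O16" and rest.endswith("-"):
        reasons.append("ActiveX (DPF) object with no name and no codebase URL")
    elif code == "O20" and rest.startswith("Winlogon Notify"):
        reasons.append("non-default Winlogon Notify DLL loads inside winlogon.exe; verify it")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; lines with nothing noted are left out."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

A hit only means "look closer": the next step for any flagged file is still the hash and publisher check, not deletion.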

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #20 on: March 17, 2007, 07:13:02 PM »
When you ran A-Squared earlier, did you quarantine the detected items, or did that fail?  I'm surprised to see C:\windows\system32\rlvknlg.exe in your log.

Seconding what David said, you do need to update to Service Pack 2 and install all the patches.

Regarding Norton Antivirus, it looks like a running process rather than just remnants.  You will need to choose one resident antivirus and remove the other.

And I concur with FwFrank regarding O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

I also believe C:\WINDOWS\System32\RACLE~1\regedit.exe may be a worm and C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe is PurityScan.  I have some manual fixes I can suggest, but before doing so I would like you to do the following:

>  Upload a sample of C:\WINDOWS\System32\RACLE~1\regedit.exe to Virus Total and Jotti and post the results

>  Check in C:\Windows\ to see if there is a file named regedit.exe located there as well

>  Download, install, and run CleanUp.  Edit:  After reading the thread essexboy linked to below I am changing this step to download but DO NOT YET RUN CleanUp.  If abc123.pid turns out to be Agent.AWF as in that thread I do not want to risk deleting any backups it may have created.

http://www.stevengould.org/software/cleanup/download.html

>  Turn off System Restore and boot into safemode

>  As FwFrank suggested, scan with A-Squared and AVG AntiSpyware (in safemode) being sure to quarantine anything found.  Post the results of these scans.

>  Boot back into normal mode

>  Rename hijackthis.exe to hijackthat.exe, generate and post a new log
« Last Edit: March 17, 2007, 11:28:06 PM by mauserme »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AxFreePorn Disconnects me
« Reply #21 on: March 17, 2007, 09:34:27 PM »
Unfortunately, unless you update to SP1 you will continue to get infected, and to upgrade to SP2 you need to be malware free.

SP1 available here http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

This is becoming rather nasty now; see this thread http://www.windowsbbs.com/showthread.php?t=63047
« Last Edit: March 17, 2007, 09:39:14 PM by essexboy »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #22 on: March 17, 2007, 09:59:45 PM »
As essexboy says, you have landed between a rock and a sharp stone, so first try to stop the process from running with this tool (it does not cure the malware, it just stops it, remember): http://download.comodo.com/cpf/download/setups/release/CFP_Setup_English_2.4.18.184.exe
If you haven't already done this, reconsider this as given here:
Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeeks.com/download506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.

------------------------

When the scan has completed, click "Show Logfile". Copy/paste the complete log file in a thread of your own. Do not quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

------------------------

Spybot Full Scan
Next, please download Spybot-S&D from here:
http://www.majorgeeks.com/download.php?det=2471
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

------------------------
If you are free of the malware, upgrade to SP2....

polonus
« Last Edit: March 17, 2007, 10:07:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #23 on: March 17, 2007, 11:35:16 PM »
Thanks for the link to the windowsbbs thread, essexboy.  It's very informative.

Based on that thread I've amended my post above to NOT run CleanUp at this time.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #24 on: March 17, 2007, 11:57:15 PM »
Hi Natty and Mauserme,

There is more to it: the Spybot S&D protection abilities can restore this malware after it has been cleansed, so please disable Spybot S&D's protection, or it will interfere.
You can enable it again after you're clean, and the system is free from malware.
The same goes for Spyware Blaster; in these cases of infection these programs are two-sided swords, and are turned against us. Re-enable this program only after your OS is completely clean of any malware, and has been given a clean bill of health, and fully updated and patched.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

*****************************

Download/install CleanUp from http://www.stevengould.org/downloads/cleanup/CleanUp451.exe
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

******************************
Download ComboFix© by sUBs from:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

So now we wait and see the results,

polonus aka Damian
« Last Edit: March 18, 2007, 12:26:02 AM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #25 on: March 18, 2007, 12:40:19 AM »
What is so specific about this new series of worms (called Downloader.Agent.awf by some AV vendors) is that it reads the infected computer's HKLM (or HKCU)\Run keys to find previously installed programs. Then the worm copies the original executable to a new location, and replaces the original with a copy of the worm. When the computer executes the Run keys it runs the worm instead, which then launches the original program. Read here:
http://weblog.infoworld.com/securityadviser/archives/2006/10/companion_worms.html

This complicates the detection and removal process, because the worm will appear as a "known and trusted", previously installed executable. While this behavior is not new, it's apparently becoming popular again. So, when looking for malicious code, you cannot simply trust file names and locations. You must verify each file's integrity hash against a known good copy.

There are many free hash programs available for Windows and Linux. The book 'PGP and GPG' turned me onto one for Windows called DigestIT 2004. I like it because it does MD5 and SHA-1 hashes and integrates into Windows as a right-click context menu. So we have to establish which one is the evil-doer and used by the companion worm to get executed to re-install itself.

polonus
« Last Edit: March 18, 2007, 12:44:18 AM by polonus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AxFreePorn Disconnects me
« Reply #26 on: March 18, 2007, 01:15:08 AM »
Find AWF is a good tool to use as it will identify the infected files.  However, the trojan backs up the originals in a backup folder, which is good, but don't clean your backup files yet or you will lose the originals.  Use this analysis programme:
http://noahdfear.geekstogo.com/FindAWF.exe
Send the contents of awf.txt here, please
« Last Edit: March 18, 2007, 01:16:48 AM by essexboy »

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #27 on: March 18, 2007, 01:23:16 AM »
@ Matty

I've asked essexboy to continue contributing to this thread as I think his expertise will be very helpful.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #28 on: March 18, 2007, 01:42:37 AM »
Hi Matty,

I second that. As we have established it as a twinner (companion worm) thanks to mauserme (he identified the b*st*rd actually), we would like to have essexboy have his way with it, and if you follow up his instructions all's well that ends well,

polonus

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #29 on: March 18, 2007, 10:54:58 AM »
Here's the info on Agent.awf replacing legitimate files:

http://www.spywarefix.org/blog/index.php?entryid=9

http://www.infoworld.com/article/06/10/20/43OPsecadvise_1.html

EDIT: Trojan.Zonebac also does the same thing:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=1

Here's a thread with FindAWF.exe in use for future reference:

http://www.lavasoftsupport.com/index.php?showtopic=6128&st=0

The utility finds where the Trojan has hidden the original files so they can be restored after the 'Cuckoo' files have been deleted.

Here's an alternative method from the Symantec write-up:

Quote
5. To restore the backup file

Using the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

find all files referenced in entries that have the folder bak in the path e.g. "1" = "%System%\bak\notepad.exe". For these files, move/copy them up to the same level in the directory tree as the bak folder and then delete the bak folder. For instance, the file %System%\bak\notepad.exe should be moved to: %System%\notepad.exe.
« Last Edit: March 18, 2007, 04:30:49 PM by FreewheelinFrank »
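The two ideas in this thread's later posts, polonus's point that a Run-key target has to be verified by hash rather than by name and location (Reply #25) and the Symantec step quoted above of finding Run entries whose path contains a bak folder and moving the file back up one level, can be turned into one check. The script below is an added example, not code from the thread, from FindAWF or from Symantec: it reads a list of (value name, command) pairs as they would come from HKLM/HKCU ...\Run, resolves each command to a file, looks for a same-named twin in a bak subfolder whose hash differs, compares against an optional known-good hash table, and computes the restore destination for bak paths. It runs against a constructed sandbox directory instead of the live drive; every path, file content and hash value in it is made up for the demonstration.

```python
import hashlib
import ntpath
import os
import re
import tempfile


def sha256_file(path):
    """Hash a file in chunks; this is the integrity hash to compare with a known-good copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def command_to_path(command):
    """Strip quotes and arguments from a Run value: '"C:\\x\\a.exe" /bg' -> 'C:\\x\\a.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|scr|com))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def to_sandbox(win_path, root):
    """Map a Windows path onto the sandbox directory this example uses instead of the
    real drive (drive letter dropped, backslash components joined under root)."""
    parts = ntpath.splitdrive(win_path)[1].strip("\\").split("\\")
    return os.path.join(root, *parts)


def check_run_entry(name, command, root, known_good=None):
    """Apply the thread's two checks to one Run-key value:
    1. the path contains a 'bak' folder -> record where the file should be moved back to;
    2. a same-named twin sits in <dir>\\bak with a different hash -> companion suspected.
    known_good (optional) maps lowercase file names to expected SHA-256 hex digests."""
    target = command_to_path(command)
    parts = target.split("\\")
    finding = {"name": name, "target": target, "status": "missing",
               "companion_suspected": False, "restore_to": None, "hash_mismatch": None}
    if any(p.lower() == "bak" for p in parts):
        finding["restore_to"] = "\\".join(p for p in parts if p.lower() != "bak")
    local = to_sandbox(target, root)
    if not os.path.isfile(local):
        return finding
    finding["status"] = "present"
    finding["sha256"] = sha256_file(local)
    twin = os.path.join(os.path.dirname(local), "bak", os.path.basename(local))
    if os.path.isfile(twin):
        finding["backup_sha256"] = sha256_file(twin)
        finding["companion_suspected"] = finding["backup_sha256"] != finding["sha256"]
    expected = (known_good or {}).get(parts[-1].lower())
    if expected:
        finding["hash_mismatch"] = finding["sha256"] != expected
    return finding


def audit(entries, root, known_good=None):
    """entries: list of (value name, command) pairs as read from HKLM/HKCU ...\\Run."""
    return [check_run_entry(n, c, root, known_good) for n, c in entries]


def build_sandbox():
    """Constructed layout, not a real infection: iTunesHelper.exe swapped for a companion
    stub with the original parked in bak\\, a clean CPF.exe with no twin, and a Run value
    that points straight into a bak folder as in the Symantec write-up."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    files = {
        r"C:\Program Files\iTunes\iTunesHelper.exe": b"COMPANION-STUB",
        r"C:\Program Files\iTunes\bak\iTunesHelper.exe": b"ORIGINAL-iTunesHelper",
        r"C:\Program Files\Comodo\Firewall\CPF.exe": b"ORIGINAL-CPF",
        r"C:\WINDOWS\System32\bak\notepad.exe": b"ORIGINAL-notepad",
    }
    for win, data in files.items():
        local = to_sandbox(win, root)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as f:
            f.write(data)
    entries = [
        ("iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"'),
        ("COMODO Firewall Pro", r'"C:\Program Files\Comodo\Firewall\CPF.exe" /background'),
        ("1", r"C:\WINDOWS\System32\bak\notepad.exe"),
    ]
    return root, entries


if __name__ == "__main__":
    root, entries = build_sandbox()
    for finding in audit(entries, root):
        print(finding)
```

On a real machine the entries would be read with the winreg module and the sandbox root replaced by the drive; the output is a report only, and the moves themselves stay a manual step so the backups essexboy warns about are not lost.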