Author Topic: AxFreePorn Disconnects me  (Read 65001 times)


mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #60 on: March 19, 2007, 10:10:57 PM »
I also believe C:\WINDOWS\System32\RACLE~1\regedit.exe may be a worm and C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe is PurityScan.  I have some manual fixes I can suggest, but before doing so I would like you to do the following.

EDIT: I have just looked at your previous log and I see you have Purity as well.  So possibly the initial way to go would be to use ComboFix.

Quote
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122

We do all seem to agree on Purity Scan.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #61 on: March 19, 2007, 10:22:25 PM »
Almost.

There's so many malware entries that look the same. This was the Qoologic one:

O4 - HKCU\..\Run: [Fvokfde] C:\Program Files\M?crosoft.NET\w?nlogon.exe

http://forums.spybot.info/showthread.php?t=5670

It wouldn't hurt to look for PurityScan and Qoologic.

If all the cooks stirring the broth haven't frightened Matty off yet.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #62 on: March 19, 2007, 10:25:58 PM »
Quote
If all the cooks stirring the broth haven't frightened Matty off yet.

Amen.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #63 on: March 19, 2007, 10:35:07 PM »
PurityScan is adware that may launch advertisements and may redirect you to unwanted websites.
PurityScan may install third-party applications and other malware without your consent and
automatically launch every time you startup Windows.
If you partially remove PurityScan through a manual removal process,
Purity Scan may automatically reinstall its missing components,
making PurityScan difficult to manually remove.

You would like to have a malware blocking host file.
http://chosenones.dyndns.org/redir/hosts.php


system processes:
purityscan.exe
wapisu.exe
ps_uninstaller[1].exe
wnscpsv.exe
ps_install-grokster.exe
winservn.exe
sear1.exe
winservs.exe
winlogon.exe
test117.exe
svchost.exe
shex.exe

DLL files that should be unregistered:
backup-20060321-124609-355.dll
41c6d56863.dll
zvb.dll
xulpcs.dll
vzluoxiq.dll
qyemk.dll
rcagolbm.dll
jdn.dll
hakixk443.dl

Delete these registry values:
backup-20060321-124609-355.dll
41c6d56863.dll
zvb.dll
xulpcs.dll
vzluoxiq.dll
qyemk.dll
rcagolbm.dll
jdn.dll
hakixk443.dl
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AxFreePorn Disconnects me
« Reply #64 on: March 19, 2007, 11:21:05 PM »
Hi guys yep the awf has backed up the files it replaced and saved them (how nice) into their own backup directories so it is simply a matter of removing the baddies and placing the originals back where they belong.  I can write a batch for that.

And if, after the batch work is done, you run ComboFix, that will kill Purity and Qlogig (I can never spell that right).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AxFreePorn Disconnects me
« Reply #65 on: March 19, 2007, 11:42:44 PM »
Here you go Matty, your own personal batch files.  These will delete and then replace the bad files; the ones I haven't touched are unimportant.

Next you will need to create the batch fix. To do that, copy and paste ALL of the below in the quote box to a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.bat

This will create a batch file, which is a small blue box with a yellow cog in it.
Then run fix.bat by double clicking; you may see a black box appear briefly.


FILE DELETION
Quote
@Echo off
attrib -s -r -h "C:\Program Files\AIM\aim.exe"
del /q "C:\Program Files\AIM\aim.exe"
attrib -s -r -h "C:\Program Files\iTunes\iTunesHelper.exe"
del /q "C:\Program Files\iTunes\iTunesHelper.exe"
attrib -s -r -h "C:\Program Files\Norton AntiVirus\navapw32.exe"
del /q "C:\Program Files\Norton AntiVirus\navapw32.exe"
attrib -s -r -h "C:\Program Files\Yahoo!\Messenger\ypager.exe"
del /q "C:\Program Files\Yahoo!\Messenger\ypager.exe"

Then you will need to create another batch fix. To do that, copy and paste ALL of the below in the quote box to a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix1.bat

This will create a batch file, which is a small blue box with a yellow cog in it.
Then run fix1.bat by double clicking; you may see a black box appear briefly.


Quote
@ECHO OFF
move /y "C:\Program Files\\bakAIM\aim.exe" "C:\Program Files\AIM\aim.exe"
move /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program files\iTunes\iTunesHelper.exe"
move /y "C:\Program Files\Norton AntiVirus\bak\navapw32.exe" "C:\Program Files\Norton AntiVirus\navapw32.exe"
move /y "C:\Program Files\Yahoo!\bak\Messenger\ypager.exe" "C:\Program Files\Yahoo!\Messenger\ypager.exe"


Then
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
[Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.]

Matty

  • Guest
Re: AxFreePorn Disconnects me
« Reply #66 on: March 20, 2007, 02:17:54 AM »
Ok, I did those steps, essexboy, and I attached the logs. AVG found 1 threat, a trojan Downloader.Agent.GVC (A0146867.exe) located at C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP208\A0146867.exe, and says:
Backup copy
Infected
« Last Edit: March 20, 2007, 06:18:06 AM by Matty »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: AxFreePorn Disconnects me
« Reply #67 on: March 20, 2007, 08:00:53 AM »
Hi malware fighters,

Seems that Matty survived this bootcamp thread, learned quite a lot during the experience, and will soon be out here to help us and others fight malware. Welcome here, Matty, follow the instructions Essexboy gives you.

polonus

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #68 on: March 20, 2007, 09:02:32 AM »
essexboy,

Quote
Hi guys yep the awf has backed up the files it replaced and saved them (how nice) into their own backup directories so it is simply a matter of removing the baddies and placing the originals back where they belong.

From what I can see this is not what FindAWF does: it seems to find backups only, and it is up to the user to confirm that agent.AWF has replaced the original file by looking at the date of creation. I fail to see how either agent.AWF or FindAWF could have created a backup in 2005.

Matty,

These two entries remain in your HijackThis! log:

O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122

Can you please run HijackThis! again and put a tick in the box for these entries, then click fix?

Reboot into safe mode, make sure you have 'view hidden files and folders' enabled, and delete the files if you can find them:

C:\WINDOWS\System32\RACLE~1\regedit.exe

C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe
« Last Edit: March 20, 2007, 10:23:27 AM by FreewheelinFrank »
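As an added example (not code from this thread, and not part of HijackThis), here is a small Python checker for the O4 Run-key lines quoted above. It assumes that the '?' characters in the quoted paths stand for look-alike characters the forum could not render, and it flags the three traits the entries in this thread share: an unrenderable or non-ASCII character in the path, an 8.3 short-name directory such as RACLE~1, and a filename that mimics a Windows system binary (winlogon.exe, regedit.exe) while living outside C:\WINDOWS or C:\WINDOWS\System32. The sample log lines are constructed from the entries posted in this thread; the last one is a normal iTunes entry included as a control.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the O4 entries quoted in this thread.
# ASSUMPTION: the '?' characters are look-alike characters the forum could not render.
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122
O4 - HKCU\..\Run: [Fvokfde] C:\Program Files\M?crosoft.NET\w?nlogon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Real Windows binaries whose names the malware in this thread imitates.
SYSTEM_BINARIES = ("winlogon.exe", "regedit.exe", "svchost.exe", "explorer.exe", "lsass.exe")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    args: str
    findings: list = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run value into (executable path, arguments). Quoted paths end at
    the closing quote; unquoted ones are cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def looks_like_system_binary(basename: str) -> bool:
    """Treat each '?' as a one-character wildcard so w?nlogon.exe matches winlogon.exe."""
    pattern = "^" + re.escape(basename.lower()).replace(r"\?", ".") + "$"
    return any(re.match(pattern, known) for known in SYSTEM_BINARIES)


def analyse(line: str):
    """Parse one O4 line; return a RunEntry with its findings, or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m["cmd"])
    entry = RunEntry(m["hive"], m["name"], path, args)
    directory, _, basename = path.rpartition("\\")
    if any(c == "?" or ord(c) > 127 for c in path):
        entry.findings.append("unrenderable or non-ASCII character in path")
    if re.search(r"~\d+", directory):
        entry.findings.append("8.3 short-name directory in path")
    if looks_like_system_binary(basename) and directory.lower() not in SYSTEM_DIRS:
        entry.findings.append(f"{basename} outside a Windows system directory")
    return entry


def suspicious_entries(log_text: str):
    """Return every O4 entry in the log that raised at least one finding."""
    return [e for e in map(analyse, log_text.splitlines()) if e and e.findings]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"[{e.name}] {e.path}")
        for f in e.findings:
            print("    -", f)
```

Run against the constructed log it reports the three entries from this thread and stays quiet on the iTunes line; the short-name and look-alike checks are heuristics, so a hit is a reason to look at the file, not proof by itself.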

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #69 on: March 20, 2007, 11:24:16 AM »
Quote
Hi guys yep the awf has backed up the files it replaced and saved them (how nice) into their own backup directories so it is simply a matter of removing the baddies and placing the originals back where they belong.

essexboy,

How do you come to the conclusion that agent.AWF has backed up these files?

Backed up files may be legitimate. Here's a scan of my computer after I backed up a file:


Quote
  Find AWF report by noahdfear ©2006


  bak folders found
  ~~~~~~~~~~~


 Directory of C:\PROGRA~1\7-ZIP\BAK

15/09/2006  06:07           122,368 7z.exe
               1 File(s)        122,368 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    122368 15 Sep 2006 "C:\Program Files\7-Zip\7z.exe"
    122368 15 Sep 2006 "C:\Program Files\7-Zip\bak\7z.exe"


  end of report

I didn't modify the .exe file, so the date and size remain unchanged.

A report of agent.AWF activity would look like this:

    37388 20 Mar 2007 "C:\Program Files\7-Zip\7z.exe"
    122368 15 Sep 2006 "C:\Program Files\7-Zip\bak\7z.exe"

Note how the file has changed size and the modified date is now recent.

In addition, it seems to be usual to submit the newly created file for analysis to confirm it's agent.AWF.

Of course if I'm missing something here and you have knowledge we don't have access to, I'd be grateful if you could share it...
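The size-and-date rule Frank describes above, and the delete-then-restore steps of essexboy's two batch files in reply #65, as one added Python example; it is not part of the thread and is not FindAWF or noahdfear's code. It builds a throwaway directory tree (constructed for the example) holding one legitimate bak copy, with the sizes from the 7-Zip report above, and one program whose live copy is smaller and newer than its backup; it then reports which pair looks replaced and moves the backup back over only that file. The timestamps are constructed stand-ins for an old install date and a recent modification.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass

# Constructed timestamps (epoch seconds): OLD stands for the original install
# date, NEW for a recent modification like the one in Frank's example.
OLD = 1_158_300_000   # mid-September 2006
NEW = 1_174_300_000   # mid-March 2007


@dataclass
class BakMatch:
    live: str
    backup: str
    live_size: int
    backup_size: int
    live_mtime: float
    backup_mtime: float

    @property
    def replaced(self) -> bool:
        """Frank's rule: a genuine backup has the same size and date as the live
        file; a file agent.AWF has swapped out differs in size and is newer."""
        return self.live_size != self.backup_size or self.live_mtime > self.backup_mtime


def find_bak_matches(root: str):
    """Walk root and, for every 'bak' folder, pair each file with its sibling in
    the parent folder (the pairs FindAWF's 'duplicate files' section lists)."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            live, backup = os.path.join(parent, name), os.path.join(dirpath, name)
            if not os.path.isfile(live):
                continue
            ls, bs = os.stat(live), os.stat(backup)
            matches.append(BakMatch(live, backup, ls.st_size, bs.st_size, ls.st_mtime, bs.st_mtime))
    return matches


def restore_from_backup(match: BakMatch, dry_run: bool = True) -> bool:
    """essexboy's fix.bat and fix1.bat in one step: delete the replaced file and
    move the backup over it. Legitimate backups are left untouched."""
    if not match.replaced:
        return False
    if not dry_run:
        os.remove(match.live)
        shutil.move(match.backup, match.live)
    return True


def _put(path: str, size: int, mtime: int) -> None:
    """Write a zero-filled file of the given size and set its modification time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)
    os.utime(path, (mtime, mtime))


def build_demo_tree() -> str:
    """Constructed fixture: a legitimate backup (7-Zip sizes from the report
    above) and a replaced file whose live copy is smaller and newer."""
    root = tempfile.mkdtemp(prefix="awfdemo_")
    _put(os.path.join(root, "7-Zip", "7z.exe"), 122368, OLD)
    _put(os.path.join(root, "7-Zip", "bak", "7z.exe"), 122368, OLD)
    _put(os.path.join(root, "AIM", "aim.exe"), 37388, NEW)
    _put(os.path.join(root, "AIM", "bak", "aim.exe"), 122368, OLD)
    return root


def demo():
    """Return ({relative live path: replaced?}, {relative live path: size after restore})."""
    root = build_demo_tree()
    try:
        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")
        matches = find_bak_matches(root)
        verdicts = {rel(m.live): m.replaced for m in matches}
        for m in matches:
            restore_from_backup(m, dry_run=False)
        sizes_after = {rel(m.live): os.stat(m.live).st_size for m in matches}
        return verdicts, sizes_after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The restore defaults to a dry run so the report can be read first; only pairs that fail the size-and-date test are ever touched, which is the point Frank makes about the 7-Zip backup being left alone. Sizes and dates alone cannot prove what the newer file is, so submitting it for analysis, as Frank suggests, remains the final check.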

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #70 on: March 20, 2007, 12:21:28 PM »
Quote
AVG found 1 threat, a trojan Downloader.Agent.GVC (A0146867.exe) located at C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP208\A0146867.exe
Don't worry - this will be easily removed.  But wait for essexboy.  He's guiding you through a process and you are already halfway through.

Matty

  • Guest
Re: AxFreePorn Disconnects me
« Reply #71 on: March 20, 2007, 12:59:32 PM »
There's a qoobox folder in C:, then the next folder is purity, then there's either Program Files or Windows folders.  Then Program Files\Common Files\CROSOF~1.NET and Windows\System32\RACLE~1.
« Last Edit: March 20, 2007, 01:40:15 PM by Matty »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #72 on: March 20, 2007, 01:05:43 PM »
Matty,

To remove malware in System Restore, simply create a clean System Restore point, then delete all older, infected points:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#manual

Quote
Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

http://www.bleepingcomputer.com/tutorials/tutorial56.html#delete

General reference:

The misconception that FindAWF.exe actually detects malware seems to be quite widespread:

Quote
Click on http://noahdfear.geekstogo.com/FindAWF.exe to download FindAWF.exe and save it to your desktop.
· Double-click on the FindAWF.exe file to run it.
· It will open a command prompt and ask you to "Press any key to continue".
· Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.

http://forums.techguy.org/security/552401-how-do-i-delete-axfreeporn.html

The same advice is cut and pasted on many support forums, but the program itself only says 'scanning for bak folders', and the example I posted above proves that not all bak folders and files detected are infected.

I've sent a PM to Noahdfear who visits here occasionally asking him to clear up the confusion. Hopefully he'll pay us a visit and settle the matter...

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: AxFreePorn Disconnects me
« Reply #73 on: March 20, 2007, 01:08:37 PM »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: AxFreePorn Disconnects me
« Reply #74 on: March 20, 2007, 01:11:15 PM »
Quote
There's a qoobox folder in C:, then the next folder is purity, then there's either Program Files or Windows folders.  Then Program Files\Common Files\CROSOF~1.NET and Windows\System32\RACLE~1.

Matty - look at your ComboFix log.  The quarantine section at the very top ...