
AxFreePorn dialer - it's going around! Help me too please. Log inside.

Discussion in 'Malware and Virus Removal Archive' started by MBison, 2007/03/15.

  1. 2007/03/15
    MBison (Inactive, Thread Starter)
    I have the Axfreeporn Dialer also, argh. Any help would be appreciated. I know it's new and I imagine a week or so from now there will be an easy (easier) fix.

    Like everyone else, it kicks me off my DSL connection and tries (I don't have a modem) to dial in I guess. An "Instant Access" icon (picture of a breast) appears on my desktop, it's a shortcut to some file in my Local Settings/Temp directory. I can delete these but it comes back. It seems to appear at the same time every day around 9 AM. Like others it makes a Network Connection too.

    I also noticed in my IE history that I have a web address: "88.80.5.21" that seems to be related because if I hover the mouse over it to see what it is, it points to my temp directory and that file (not 100% positive but it looks like it does).

    If it is related, can I just tell IE to ban that IP?

    Anyhow, here's my HijackThis log. I believe it is clean because I just had other malware removed and it was verified as clean. Any help would be appreciated!

    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:58 PM, on 3/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Doug Radcliffe\Desktop\Hotline\Hotline Client 1.8.5.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
    C:\Documents and Settings\Doug Radcliffe\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluesnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe "
    O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5968C159-7F94-4201-BE42-A88A8F5DF472}: NameServer = 205.152.144.23 205.152.37.23
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
     
  2. 2007/03/15
    MBison (Inactive, Thread Starter)
    Okay, a little update.

    I updated AVG Anti-Spyware 7.5, which was a bit out of date, and a Quick Scan found "Downloader.Agent.awf" in the following locations:

    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Windows\System32\DSentry.exe
    C:\Windows\System32\NeroCheck.exe
    C:\Windows\System32\dxdllreg.exe
    C:\Windows\UpdReg.exe

    Now I'm a little nervous to hit "Delete" because will this delete those files? They're in my startup routine, though I believe none of them are vital. Or does AVG just delete the malware out of those files?

    Sorry, a little newbish and nervous. Please help me.

    Anyone who has Axfreeporn should get the latest AVG definition (3/15) and see what happens.

    UPDATE:

    Looking at these files on my hard drive, it looks like they've been altered sometime in January 2007, they're all 38.0K and have no icon. ARGH.

    UPDATE AGAIN:

    Okay, searching for Downloader.Agent.AWF on the 'Net reveals this might be something else and the replaced files are in "bak" directories on my hard drive. So I put them back.

    So this may have nothing to do with axfreeporn.

    Also I HATE MALWARE.
     
    Last edited: 2007/03/15
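The replaced-file pattern described in this post (a same-size stand-in left at the autostart path, the original moved into a "bak" folder beside it) can be checked for the executables that the HijackThis O4 lines name. This is added example code, not code from the thread or from FindAWF; the System32-like directory tree, the file contents and sizes, and the log lines are all constructed, with the stand-in modelled as a 38 KB filler file.

```python
"""Spot the file-swap pattern from the post above for the executables named in
HijackThis O4 entries: a stand-in left at the autostart path, the original in a
"bak" folder beside it. Added example; every path, size and log line is constructed."""
import filecmp
import os
import re
import tempfile

# Target of a Run-key O4 line: optional quotes, then a path ending in .exe (switches after it are ignored).
O4_RE = re.compile(r'^O4 - .*?\[[^\]]*\]\s+"?([^"]*?\.exe)', re.IGNORECASE)

def autostart_targets(hjt_lines):
    """Executable paths named by the O4 Run-key entries of a HijackThis log."""
    targets = []
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if m:
            targets.append(m.group(1).strip())
    return targets

def bak_status(exe_path):
    """None if there is no <dir>/bak/<name> copy; otherwise both sizes and
    whether the contents differ (the autostart entry now runs a stand-in)."""
    folder, name = os.path.split(exe_path)
    original = os.path.join(folder, "bak", name)
    if not (os.path.isfile(exe_path) and os.path.isfile(original)):
        return None
    return {
        "sizes": (os.path.getsize(exe_path), os.path.getsize(original)),
        "replaced": not filecmp.cmp(exe_path, original, shallow=False),
    }

def demo():
    """Constructed System32-like tree: NeroCheck.exe swapped for a 38 KB stand-in
    with the original in bak/, dxdllreg.exe untouched. Returns flagged names."""
    sys32 = os.path.join(tempfile.mkdtemp(), "System32")
    os.makedirs(os.path.join(sys32, "bak"))
    with open(os.path.join(sys32, "NeroCheck.exe"), "wb") as f:
        f.write(b"\x00" * 38 * 1024)      # stand-in, same size as in the thread
    with open(os.path.join(sys32, "bak", "NeroCheck.exe"), "wb") as f:
        f.write(b"MZ original NeroCheck")  # the moved original
    with open(os.path.join(sys32, "dxdllreg.exe"), "wb") as f:
        f.write(b"MZ untouched dxdllreg")
    log = [  # O4 lines in the thread's format; only the file name is reused here
        r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
        r"O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe",
    ]
    flagged = []
    for target in autostart_targets(log):
        local = os.path.join(sys32, target.replace("\\", "/").rsplit("/", 1)[-1])
        status = bak_status(local)
        if status and status["replaced"]:
            flagged.append(os.path.basename(local))
    return flagged
```

On a real system the same check would be run against the actual paths from the log, and a hit is a reason to keep the "bak" copy as the file to restore, as the post above ended up doing.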


  4. 2007/03/16
    MBison (Inactive, Thread Starter)
    Any help for me also?

    Thx :)
     
  5. 2007/03/16
    TeMerc (Inactive, Alumni)
    As you can see, you're not the only one with this problem on these boards. Our volunteers are working diligently to get to all logs.

    Not all volunteers have all day to sit in front of a PC, thusly, some users seeking help may wait longer than others. We do our best and try to get to logs in the order they are posted.

    Your patience is greatly appreciated.
     
  6. 2007/03/16
    MBison (Inactive, Thread Starter)
    No problem!
     
  7. 2007/03/20
    Blender (Inactive)
    Hi MBison & welcome,

    Sorry for delay. I thought you were already being helped because the thread was a few posts long. (I usually only look for 0 reply posts)

    Not sure how it is connected yet but it does seem AWF & axfreeporn are being bundled together.

    If you still want help....

    Please post:

    New hijackthis log

    Log from this program:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Save the above file to desktop, run it, post the log it creates.

    Careful where you are surfing to because your IE security also is compromised and any site can do whatever it wants to your computer as a result.

    It will take a few tools to clean it all up.

    Thanks :)
     
  8. 2007/03/20
    MBison (Inactive, Thread Starter)
    Hey!

    That's okay. And yeah, based on other posts I looked for AWF and I had it and got rid of it and Axfreeporn disappeared with it.

    I would also suggest people put the IP 88.80.5.21 in their restricted sites section of IE. It's the site that the AWF and Axfreeporn dialer used. If you have Axfreeporn going, that site is visited daily by your browser and you don't even know it.

    I'll probably need help again in the future so I thank you in advance for checking out my case :)
     
  9. 2007/03/20
    Blender (Inactive)
    Hi,

    Glad to hear you got it resolved.

    You also used "resetprotocols.reg" and "DelDomains.inf" to reset trusted zones & Protocol settings for IE?
    Any custom added trusted/restricted sites you added before the attack will need to be re-added.
    Also if you have IE-Spyads and/or SpywareBlaster installed, IE-Spyad will need re-installing and SpywareBlaster will need to have its protection re-enabled.

    I notice too you don't have a firewall installed.
    XP does have its own but does not have nearly the outgoing traffic control a 3rd party firewall does.
    Besides, with a firewall you can totally block IP addresses both ways if desired.
    The 88.80.5.21 you are trying to restrict comes to mind ;)

    A few free ones are available.
    Should you decide to install one, make sure only to get one and the XP firewall is disabled:

    Zone Alarm:
    http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

    Comodo:
    http://www.personalfirewall.comodo.com/

    Sunbelt kerio:
    http://www.sunbelt-software.com/Kerio.cfm

    Understanding and using firewalls:

    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    If you don't know what I was talking about regarding IE-Spyad or SpywareBlaster...

    IE-Spyad <--this puts several thousand sites in restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
    Program is free and updated about once a month.

    Tutorial:

    http://www.bleepingcomputer.com/tutorials/tutorial53.html

    Spywareblaster <--this prog blocks known bad active x controls, many tracking cookies and puts more sites in restricted zone.
    Install> update> enable all protection.
    Updates are about once a month and it is free.

    An alternative to IE browser is good too for day to day surfing.
    These 2 are free and have a lot less security issues than IE:

    Opera Browser

    FireFox Browser

    Your Java is also out of date.
    This presents more security issues.

    Download the latest Java from here:

    Latest Sun Java Update for Version 1.5.0 is Update 11
    http://java.sun.com/javase/downloads/index_jdk5.jsp

    5th one down if you are not developing programs.

    Java Runtime Environment (JRE) 5.0 Update 11

    Hit the download button...
    Next page that comes up you need to accept the agreement to download it.
    First in list is the offline installation
    This is the one to download. Save it to your desktop or your normal download folder.

    1. Close any open programs you may have running, especially your web browser
    2. Click Start > Control Panel
    * Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
    3. Open Add or Remove Programs
    * If you have Windows 98 or Windows 2000, open Add/Remove Programs
    4. Click once on any item listing Java Runtime Environment in the name
    * Not every version of Java will begin with "Java" so be sure to read each entry in the list
    5. Click the Remove or Change/Remove button
    6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
    7. Reboot your PC once all Java components have been removed
    8. Proceed with reinstalling Java using the file you just saved.


    Any time you update your java the old version will need to be uninstalled manually since the updater does not uninstall the old.
    With old versions still kicking around; malware can call up the old exploitable versions to run.



    More tips/tricks for staying clean:

    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
    http://boards.cexx.org/index.php?topic=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Take care :)

    Tammy
     
