[Essexboy]

OK this is starting to annoy me now as it is not showing in any of the usual places. I would like to do two more searches :
One with a rootkit detector (although I see no sign of a rootkit)
One with a registry search

I will also get otmoveit to do another sweep, each scan should take no more than a few minutes

FIRST THE REGISTRY SEARCH

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
aupd.exe
[Options]
Filter=KVDLUI

2. Download Registry Search to your desktop.

• Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
• Open the new folder, and double click on regsearch.exe
• Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
• Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
• Please reply here with the entire contents of the Notepad file from RegSearch.

THEN THE ROOTKIT

Please Download Avast Rootkit Cleaner to your desktop

Close all running programmes

Run the ASWAR file and select Scan Now



On completion of the scan you will then have this screen up



Now close the programme and on the desktop will be a text file called ASWAR please post that. Do not fix anything yet

The programme will take from 3 to 5 minutes to run.

FINALLY FOR NOW

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\aupd.exe /s
  Purity

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Logs required : Aswar, regsearch and otmoveit

[Advertisements]

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 5/5/2008 2:47:58 PM for strings:
; 'aupd.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Stardock\IconPackager\Recent]
"Filetype0"="C:\\Users\\Drew\\AppData\\Local\\Temp\\aupd.exe,0"

; End Of The Log...


avast! Antirootkit, version 0.9.6
Scan started: Monday, May 05, 2008 3:56:23 PM


Scan finished: Monday, May 05, 2008 3:59:32 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


----------

< C:\aupd.exe /s >
C:\Users\Drew\AppData\Local\Temp\aupd.exe moved successfully.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05052008_162108

[Drew Harris]

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 5/5/2008 2:47:58 PM for strings:
; 'aupd.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Stardock\IconPackager\Recent]
"Filetype0"="C:\\Users\\Drew\\AppData\\Local\\Temp\\aupd.exe,0"

; End Of The Log...


avast! Antirootkit, version 0.9.6
Scan started: Monday, May 05, 2008 3:56:23 PM


Scan finished: Monday, May 05, 2008 3:59:32 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


----------

< C:\aupd.exe /s >
C:\Users\Drew\AppData\Local\Temp\aupd.exe moved successfully.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05052008_162108

[Essexboy]

OK I can see where it is being loaded from - Stardock

I will now remove that entry from the registry and double check that the file has gone

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  HKEY_CURRENT_USER\Software\Stardock\IconPackager\Recent\\Filetype0
  c:\aupd.exe /s
  Purity

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If I could have the OTMoveit and is the file still active ?

[Drew Harris]

< HKEY_CURRENT_USER\Software\Stardock\IconPackager\Recent\\Filetype0 >
Registry value HKEY_CURRENT_USER\Software\Stardock\IconPackager\Recent\\Filetype0 deleted successfully.
< c:\aupd.exe /s >
c:\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe moved successfully.
c:\_OTMoveIt\MovedFiles\05052008_163809\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe moved successfully.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05052008_163809

That is the log

It is too early to say if everything is okay, I will let you know soon. Thank you again for all your help!

[Drew Harris]

Ack, it still appears!! I don't know what could be wrong with this thing.

[Essexboy]

OK it appears to want to run from quarantine so lets kill that idea

Double click OTMoveIt2 once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt2 wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself


Having done that - let me know if it re-appears

[Drew Harris]

A message box pops up after clicking "Clean up!" saying "File Access Denied."

[Essexboy]

Ah the sneaky little blight .. lets go for the big hammer

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\Users\Drew\AppData\Local\Temp\aupd.exe
Folders to delete:
c:\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe
c:\_OTMoveIt\MovedFiles\05052008_163809\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

[Drew Harris]

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Users\Drew\AppData\Local\Temp\aupd.exe" not found!
Deletion of file "C:\Users\Drew\AppData\Local\Temp\aupd.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe" not found!
Deletion of folder "c:\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\_OTMoveIt\MovedFiles\05052008_163809\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe" not found!
Deletion of folder "c:\_OTMoveIt\MovedFiles\05052008_163809\_OTMoveIt\MovedFiles\05052008_162108\Users\Drew\AppData\Local\Temp\aupd.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Attached Files

•  hijackthis.txt   7.87KB   85 downloads

[Essexboy]

OK this is becoming a mystery - is it still trying to access the internet ?

[Drew Harris]

It certainly is a mystery. It is too early to tell, I will tell you if it asks again.

[Essexboy]

I will wait with bated breath and formulate plan z

[Drew Harris]

Yep...it's still asking.

[Essexboy]

OK it is really, really deep looking time. This will be a big report that needs to be attached

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • Reg - Reg - MountPoints2
  • Reg - File - Lop Check
  • Reg - BotCheck
  • Reg - ControlSets
  • Reg - Desktop Components
  • Reg - Disabled MS Config Items
  • File - Additional Folder Scans
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[Drew Harris]

here it is

Attached Files

•  OTScanIt.Txt   399.33KB   86 downloads