[Essexboy]

Ok to recap we killed it twice and then tried the hammer of Avenger which failed to find it. Then it reappeared, and now it is showing back in your temp file again

However I have now found some possible trigger files so lets kill them and see what happens. For the duration of this fix you may lose the desktop

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Files/Folders - Created Within 90 days]
NY -> 1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:DFC5A2B2
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> Installer5332 -> %UserProfile%\AppData\Local\Installer5332
NY -> Installer5864 -> %UserProfile%\AppData\Local\Installer5864
[Files/Folders - Modified Within 90 days]
NY -> 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
NY -> 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
NY -> 1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY -> C:\Users\Drew\AppData\Local\Temp\ -> C:\Users\Drew\AppData\Local\Temp
NY -> aupd.exe -> C:\Users\Drew\AppData\Local\Temp\aupd.exe
NY -> 4 C:\Users\Drew\AppData\Local\Temp\*.tmp files -> C:\Users\Drew\AppData\Local\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersProfile%\TEMP:DFC5A2B2
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> Installer5332 -> %UserProfile%\AppData\Local\Installer5332
NY -> Installer5864 -> %UserProfile%\AppData\Local\Installer5864
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[Advertisements]

Ok, done:

Attached Files

•  05082008_220835.txt   12.41KB   568 downloads

[Drew Harris]

Ok, done:

Attached Files

•  05082008_220835.txt   12.41KB   568 downloads

[Essexboy]

Dare I ask if it has gone

[Drew Harris]

No, it's still there.

[Essexboy]

OK going to get re-inforcements and ask the other experts - I hate being sideswiped

[Drew Harris]

It is okay, I appreciate the effort. You are doing a great job, this thing just seems incredibly illusive

[Essexboy]

Aye up one of the boys has a few questions

1. Which version of Stardock IconPackager do you have ?
2. Is a trial version that has expired ?
3. Is it a cracked version ?
4. Can we have a copy of the file ?

[Drew Harris]

It is the newest version. It is a trial version, it did expire. But, I haven't used it for much. When you say you want a copy of the file, you mean you want a copy of the exe file that runs the program on my computer or you mean you want a link to the one that I downloaded.

[Essexboy]

The aupd.exe file, as it might be a part of the online registratiion process for Stardock IconPackager. However, it uses the same location and name as this malware Begin2Search. In which case it is a legitimate file and will disappear if the Iconpackager is removed

[Essexboy]

Please go to UploadMalware to upload a suspicious file for analysis.

• Enter your username from this forum
• Copy and paste the link to this thread ( http://www.geekstogo...d....html&st=30 )
• Browse for this filename: C:\Users\Drew\AppData\Local\Temp\aupd.exe
• In the comments, please mention that I asked you to upload this file
• Click on Send File

[Drew Harris]

Ok, submitted.

[Essexboy]

Thank you I will need to wait for the analysis now - not too long I hope

[Essexboy]

It is a fairly innocuous file - the recommendation is to uninstall the trial icon packager and it should go away..

[Drew Harris]

Ok, thank you

[Essexboy]

Could you let me know if it has gone now, and what is the current state of your computer ?