Svchost.exe?

[Redmo0n]

Quote:

wasn't bad as I thought

I'm still waiting for you to find a really infected log for me

Please message me if you do, i would love to read it

[Osiris]

Find one for you?

[Redmo0n]

Ages ago i asked what was the most infected log you have seen and could you find it for me.

I still expect you to find me one

[Osiris]

Oh, well I will let you know when I come across one

[StriderZ]

Hi,

i tried the delete file on reboot, but it doesn't work..
i downloaded filemon and put in SVCHOST.EXE..

and i enter the D:\ drive and it shows up like D:\WINDOWS\MDM.exe
C:\RavMon.exe D:\RavMon.exe D:\AutoRun.inf C:\AutoRun.inf and D:\WINDOWS\SVCHOST.ini.

and i think i know how i got this..yesterday my friend came over with his usb..and i took something out of the usb, my friend has this also.

[Osiris]

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion
\ Run\SVCHOST: “C:\WINDOWS\MDM.EXE”

Do you have that? If so, delete it, and then reboot.

[StriderZ]

Hi,

sorry for the late reply..anyway, i did that but it still comes up..every time i go to any drives.

i then did some more searching with filemon to see what happens, and theres a file called "RavMon.exe" that is in both of my drives(C: D, everytime i open C: or D:, it will execute RavMon.exe..i used HiJackThis to change the SVCHOST.EXE to NOT read-only so i can delete it with AUTOIT(www.autoitscript.com), but RavMon.exe makes a new SVCHOST.EXE everytime i open up C: or D:, so then i used AVG to delete RavMon.exe in the D: drive, but then i can't open my D: drive? it will say, "What program would you like to open D: with", but when i restore RavMon.exe to the D: drive it can open again..same thing happens with C:...

[Redmo0n]

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run combo fix and post a new log

[StriderZ]

Hi,

thank you! that got rid of it ..thanks all who helped.