
setup.exe has encountered a problem and needs to close ?????????????


37 replies to this topic

#21 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 09 September 2008 - 18:09

Show scanning results please.

---
Best regards,
Borka.

#22 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 09 September 2008 - 18:22

Locate file sphh.sys (probably in c:\windows\system\drivers) and check it here: http://www.virustotal.com/
And this: C:\WINDOWS\System32\Drivers\ezplay.sys

---
Best regards,
Borka.

#23 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 09 September 2008 - 18:42

Hi Borka, which scanning results do you want to see?

#24 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 09 September 2008 - 18:52

I have scanned ezplay and nothing was found and I cannot locate sphh on my computer.

#25 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 09 September 2008 - 21:51

I want to see scanning results of:
C:\WINDOWS\system32\audiodev.dll
C:\WINDOWS\system32\drivers\SjyPkt.sys
C:\WINDOWS\System32\Drivers\ezplay.sys
from here: http://www.virustotal.com/

As for sphh.sys - sure that after reboot this is not changed in the RootkitUnhooker log:
>SSDT State
NtCreateKey
Actual Address 0xBA6A80E0
Hooked by: sphh.sys
NtEnumerateKey
Actual Address 0xBA6C6CA2
Hooked by: sphh.sys
...

If so, do the following:
1. Place the attached file in the Dr.Web folder.
2. Run the scanner:
drweb32w.exe /copy:zzzz /rpc:drweb32.log
3. Look in the DrWeb\infected.!!! folder - is the file sphh.sys there? If so, check it here: http://www.virustotal.com/ and provide the results.
4. Show c:\drweb32.log here, without your licence information.

---
Best regards,
Borka.

#26 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 09 September 2008 - 23:07

Attached are the results for

C:\WINDOWS\system32\audiodev.dll
C:\WINDOWS\system32\drivers\SjyPkt.sys
C:\WINDOWS\System32\Drivers\ezplay.sys

As for the rest of your instructions I cannot do as I have the free version with no licence. I wanted to evaluate Dr. Web before buying but as you know I cannot get it to run only in safe mode.

Thank you for your help

Andrew

#27 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 09 September 2008 - 23:16

I cannot do as I have the free version with no licence

Indeed you CAN do it. Just run scanner in safe mode as I've said. It would be nice to run "Quick scan" and give us results here.


---
Best regards,
Borka.

#28 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 09 September 2008 - 23:49

Hi, I placed the file in the dr web folder and ran dr web in safe mode but cannot locate dr web/infected file. I am not sure if I fully understand all your instructions.

"1. Place the attached file in the Dr.Web folder.
2. Run the scanner:
drweb32w.exe /copy:zzzz /rpc:drweb32.log
3. Look in the DrWeb\infected.!!! folder - is the file sphh.sys there? If so, check it here: http://www.virustotal.com/ and provide the results."

Attached is the log file

#29 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 09 September 2008 - 23:55

sphh.sys has changed to sppf.sys but I still cannot locate this file.

#30 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 10 September 2008 - 00:00

but cannot locate dr web/infected file

1. It's not a file but a folder. The full path is C:\Program Files\DrWeb\infected.!!!
2. drweb32w.log is wrong. The right log for this operation is c:\drweb32.log

---
Best regards,
Borka.

#31 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 10 September 2008 - 00:31

Borka, I very much appreciate your help but am getting a bit tired now and am working away for the next day, so if it is alright with you I will pick this back up on Thursday night.

many thanks

Andrew

#32 Borka

    Banned for flooding

  • Members
  • 19,512 Posts:

Posted 10 September 2008 - 00:34

OK.

---
Best regards,
Borka.

#33 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 10 September 2008 - 01:38

Last thing before I go to bed: ran scan in safe mode as asked, nothing was in the infected file and there was no log. Also attached is the error report I get when I try to start Dr.Web in normal mode.

Speak Thursday.

#34 userr

    Newbie

  • Members
  • 16,310 Posts:

Posted 10 September 2008 - 14:32

As for sphh.sys

rangersmith: sphh.sys has changed to sppf.sys
These are sptd.sys "dirty tricks". Don't care about it.
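
Added example, not part of any post in this thread: a small Python parser for the SSDT-state layout quoted in post #25, which compares two boots and pairs driver names that changed while hooking the same services (the sphh.sys to sppf.sys case above). The function names are hypothetical and the addresses in `BOOT_2` are constructed, since the thread does not show the second log.

```python
import re
from collections import defaultdict

# Constructed sample logs in the layout quoted in post #25. BOOT_1 uses the two
# entries shown in the thread; BOOT_2 (addresses included) is made up.
BOOT_1 = """>SSDT State
NtCreateKey
Actual Address 0xBA6A80E0
Hooked by: sphh.sys
NtEnumerateKey
Actual Address 0xBA6C6CA2
Hooked by: sphh.sys
"""
BOOT_2 = """>SSDT State
NtCreateKey
Actual Address 0xBA5B80E0
Hooked by: sppf.sys
NtEnumerateKey
Actual Address 0xBA5D6CA2
Hooked by: sppf.sys
"""

# One entry = service name, "Actual Address" line, "Hooked by:" line.
ENTRY = re.compile(
    r"^(Nt\w+)\s*\n\s*Actual Address (0x[0-9A-Fa-f]+)\s*\n\s*Hooked by: (\S+)",
    re.MULTILINE,
)

def parse_ssdt(log):
    """Return {driver: {service: address}} for every hooked SSDT entry."""
    hooks = defaultdict(dict)
    for service, address, driver in ENTRY.findall(log):
        hooks[driver.lower()][service] = int(address, 16)
    return dict(hooks)

def renamed_hookers(before, after):
    """Pair drivers whose names differ across boots but hook the same services."""
    old, new = parse_ssdt(before), parse_ssdt(after)
    pairs = []
    for o in sorted(old.keys() - new.keys()):      # names that disappeared
        for n in sorted(new.keys() - old.keys()):  # names that appeared
            if set(old[o]) == set(new[n]):
                pairs.append((o, n, sorted(old[o])))
    return pairs

if __name__ == "__main__":
    for o, n, services in renamed_hookers(BOOT_1, BOOT_2):
        print(f"{o} -> {n}: same hooked services {services}")
```

A match only links the two names to one driver that renames itself between boots; it says nothing about whether that driver is benign, which is what the file scan is for.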

#35 userr

    Newbie

  • Members
  • 16,310 Posts:

Posted 10 September 2008 - 14:48

Last thing before I go to bed, ran scan in safe mode as asked, nothing was in the infected file

From log:
[Scan path] c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
c:\program files\stardock\object desktop\windowblinds\wbsrv.dll - OK

Bad news - drweb is not compatible with WindowBlinds. You have to uninstall the program.
Good news - your comp seems to be virus free. :)

#36 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 10 September 2008 - 15:11

Many thanks for your help, bit of a problem, because I really like windows blinds but also really want to use Dr.Web.

Again Many thanks will have to think, great news clean computer.


Andrew

#37 SergM

    Guru

  • Moderators
  • 9,387 Posts:

Posted 10 September 2008 - 15:19

bit of a problem, because I really like windows blinds but also really want to use Dr.Web.

It is possible to use Windows Blinds together with DrWeb; it is necessary to specify the DrWeb application as an exception in the customisations of Windows Blinds.

#38 rangersmith

    Newbie

  • Members
  • 20 Posts:

Posted 10 September 2008 - 18:28

Excellent all sorted now, many thanks again.

Andrew

