I've been struggling to identify a trojan/virus for the last two days, and came to this site a bit late, having sort of fixed the problem, so don't have the appropriate logs.
I'm a very careful sort of guy (well, I thought I was!), with anti virus software and windows defender running; never opening unknown attachments; never clicking on ads, checking out web site quality before I visit them; etc, etc.
So, I'd greatly appreciate some help in understanding what I had, where it might have come from, and what it might have been doing - I cannot find a description of it (or even a name for it) on any of the anti-virus provider web sites. All I found here was the description of the problem and symptoms.....
The problem manifested itself as cmd.exe and regedit.exe not working. When they were run they did nothing, but closed Internet Explorer and Windows Explorer if they were open. (From other posts, it seems it modifies google toolbar settings, but I don't have that.)
I made cmd.exe & regedit.exe functional by copying to a different directory and renaming them (leaving them in the same directory and renaming them xcmd.exe and xregedit.exe did not work).
Running regedit I found a dodgy entry in HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 - "aux2"="D:\WINDOWS\system32\..\eof.fju", so I deleted the entry.
I also found an odd entry in HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run - "stid1690"="c:\windows\stid1690.exe", which I disabled with msconfig.
Rebooted and cmd.exe and regedit.exe worked fine. And no new entries in HKLM\.....\drivers32 or HKLM\.....\run (or since).
However, the odd thing was that I could not find either of these two files to delete (and yes, I have show hidden and show system on the folder, used the cmd.exe and hijackthis as well; and tried in safe mode). I'm not even sure that stid1690.exe is relevant - it may have been old web cam software now defunct.
So, can anyone tell me anything about this trojan? Scans with latest Virgin PCGuard, and Windows Defender showed nothing (and since the changes show nothing).
Does anyone know how this infection would have arrived, whether it created other files, how the aux2= entry works (does it run on startup, or just with a specific app), and what exactly it was doing? And is it waiting to reappear?
Thanks!
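As an added triage example (not code from the original thread, and not the poster's own method): the two keys found above are both places where a value can get code loaded without appearing as an obvious program. Values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 map multimedia device classes (wave, midi, aux, msacm.*, ...) to installable driver DLLs that the multimedia subsystem (winmm.dll) loads on demand inside whatever process enumerates or opens that device class, so an `aux2` entry is not a logon startup item but is pulled in by ordinary applications that touch audio. HKLM\...\CurrentVersion\Run entries, by contrast, are started at every logon. A legitimate Drivers32 value is normally a bare driver filename such as `wdmaud.drv`, which is why a path containing `..` and an unfamiliar extension stands out. The script below parses a `reg export`-style dump (the sample data is constructed here to mirror the entries described in the post) and flags Drivers32 values that are not plain driver files and Run entries whose target cannot be found on disk. The file-existence check is passed in as a callable so the example runs offline; on a live Windows machine pass `os.path.exists`, and on an analysis box point it at a mounted image.

```python
"""Triage a `reg export` style dump for suspicious Drivers32 and Run entries.

Added example; the sample .reg text is constructed to mirror the entries
described in the post and is not a real export from the poster's machine.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Extensions normally seen for installable multimedia drivers in Drivers32.
DRIVER_EXTS = {".dll", ".drv", ".acm", ".ax"}

# Constructed sample of what `reg export` emits for the two keys.  Backslashes
# are doubled because REG_SZ data is escaped in .reg files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"aux"="wdmaud.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"aux2"="D:\\WINDOWS\\system32\\..\\eof.fju"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"stid1690"="c:\\windows\\stid1690.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for REG_SZ values only.

    dword:/hex: values and the @ default value are skipped; the .reg escaping
    of quotes and backslashes in string data is undone.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def _executable_of(command: str) -> str:
    """Strip quoting and arguments from a Run value to get the program path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(\S+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(keys: Dict[str, Dict[str, str]],
           exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for entries that deserve a closer look."""
    # Registry paths are case-insensitive; the dump may use any casing.
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings: List[Tuple[str, str, str]] = []

    for name, data in by_lower.get(DRIVERS32.lower(), {}).items():
        reasons = []
        if ".." in data.split("\\"):
            reasons.append("path traversal in driver path")
        ext = os.path.splitext(data)[1].lower()
        if ext not in DRIVER_EXTS:
            reasons.append(f"unexpected driver extension {ext or '(none)'}")
        if reasons:
            findings.append((DRIVERS32, name, "; ".join(reasons)))

    for name, data in by_lower.get(RUN.lower(), {}).items():
        exe = _executable_of(data)
        if not exists(exe):
            # A dangling Run target is either leftover from removed software or
            # a file hidden from directory listings; either way, look at it.
            findings.append((RUN, name, f"target not found on disk: {exe}"))
    return findings


if __name__ == "__main__":
    # Constructed view of the disk, mirroring the post: the Run target for
    # stid1690 could not be located, while ctfmon.exe is a normal system file.
    present = {r"c:\windows\system32\ctfmon.exe"}
    for key, name, reason in triage(parse_reg_export(SAMPLE_REG),
                                    exists=lambda p: p.lower() in present):
        print(f"{key}\n    {name}: {reason}")
```

The Drivers32 heuristic is deliberately narrow (traversal or a non-driver extension) so it does not drown a real export in noise from vendor codecs; the dangling-target check on Run is what would have surfaced `stid1690` regardless of whether the file was genuinely gone or merely hidden from Explorer and cmd.exe.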