AVG Anti-virus False Positive???


  1. Posts : 162
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #1

    AVG Anti-virus False Positive???


    I am currently running a Windows 7 machine (desktop), fully updated via Windows Update. I have AVG Free Antivirus 2013 build 3272. I also have Malwarebytes; both are fully updated as well.

    So one day while running the antivirus scan I had two things pop up saying infected: pci.sys hooked import ntoskrnl.exe, both were the same exact thing. I hit remove and it said my computer needed to be restarted, so I restarted the computer and ran the scan a second time to make sure the infection was cleared, but the same 2 infections keep coming up over and over.

    I ran Malwarebytes, which didn't find anything. I also ran Disk Cleanup, Disk Defrag, and AVG PC TuneUp.

    I contacted AVG and they said they were going to send me an email with a program to run and send them information about the specific infection. It's avg_autoruns_en.exe, which I ran, but it keeps crashing and never gets to the point where I can send information. I've posted on the AVG forums and no one is helping me at all.

    I've searched the internet and some say it's a false positive and some say it's an actual infection that needs to be removed manually. I'm not sure what to do and don't wanna go another day with this thing on my computer especially if it is a virus.

    Thanks for reading. Hope I can get some help. Let me know if you need any more information or files from me.
    Summer


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    Summerbear5,

    Let's see what this short scan shows...

    Please download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:
    Select the version for your system: 64-bit
    (The dark-blue button with x64)
    Save to the Desktop.


    Close all windows and browsers.

    Right-click and select: Run as Administrator


    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)


    Now, press: SCAN


    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.

    (Please do not remove anything yet.)


    Also, is AVG your only AntiVirus?

    Is this what you are getting:
    Detection name: pci.sys, hooked import ntoskrnl.exe IoAttachDeviceToDeviceStack -> spqw.sys +0xXXXXX

    Are you running Daemon Tools (Disk And Execution MONitor)?


  3. Posts : 162
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #3

    AVG and Malwarebytes and that is all...

    I don't have Daemon Tools but I have Alcohol 120%. Even with that, though, I never had this in AVG before, but with AVG always updating their definitions maybe that's why it's showing now.

    Going to run the scan now. I'll be back with the results.


  4. Posts : 162
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #4

    RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Christina [Admin rights]
    Mode : Scan -- Date : 04/21/2013 13:38:17
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> FOUND
    [TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 activate.adobe.com
    127.0.0.1 practivate.adobe.com
    127.0.0.1 ereg.adobe.com
    127.0.0.1 activate.wip3.adobe.com
    127.0.0.1 wip3.adobe.com
    127.0.0.1 3dns-3.adobe.com
    127.0.0.1 3dns-2.adobe.com
    127.0.0.1 adobe-dns.adobe.com
    127.0.0.1 adobe-dns-2.adobe.com
    127.0.0.1 adobe-dns-3.adobe.com
    127.0.0.1 ereg.wip3.adobe.com
    127.0.0.1 activate-sea.adobe.com
    127.0.0.1 wwis-dubc1-vip60.adobe.com
    127.0.0.1 activate-sjc0.adobe.com
    127.0.0.1 adobe.activate.com
    127.0.0.1 adobeereg.com
    127.0.0.1 Registration
    127.0.0.1 wwis-dubc1-vip60.adobe.com
    127.0.0.1 125.252.224.90
    127.0.0.1 125.252.224.91
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD10EALS-00Z8A0 +++++
    --- User ---
    [MBR] 1a39d33d5ddfba14cc031a3021ae299a
    [BSP] 3a19b8357cc298dbf173cd8b623cfd13 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 943654 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1932603435 | Size: 10213 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_04212013_02d1338.txt >>
    RKreport[1]_S_04212013_02d1338.txt


  5. Posts : 2,470
    Windows 7 Home Premium
       #5

    Alcohol is also software for mounting image files. This might not be a rootkit, but let's press on with the doubt...

    Can you post a Screenshot of what AVG reports?
    Screenshots and Files - Upload and Post in Seven Forums


    Also, please run aswMBR:
    http://public.avast.com/~gmerek/aswMBR.exe
    Save it to the Desktop.

    >>Make sure your AntiVirus is temporarily disabled!!<<
    For information on how to disable protective programs, refer to this Info:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

    Right-click aswMBR and select: Run as Administrator

    When the program opens, you are prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
    Select: Yes
    The last line of the run in progress will provide the status of the Avast! scan.
    It will say: Downloading Avast! virus definitions database, etc.

    When the Avast! scan is done, the last line changes to: Avast Engine definitions #####
    At this point, click the Scan button on the lower left of the aswMBR screen.
    The last line will now say Scanning while it is in progress.

    Upon completion of the scan, click >Save log< and save it to the Desktop.
    Note: Please do NOT attempt to fix anything!!
    Exit the program.

    Please post the aswMBR log in your reply.


  6. Posts : 162
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #6

    Here is a screenshot of AVG.

    Going to run the other scan next.
    [Attached thumbnail: avgscanresults.png]


  7. Posts : 162
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #7

    Here is the aswMBR log.
    [Attached file: aswMBR log]


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Duplicate post, please follow post below.
    Last edited by cottonball; 22 Apr 2013 at 06:12.


  9. Posts : 2,470
    Windows 7 Home Premium
       #9

    AVG reports the rootkit at C:\Windows\System32\Drivers\span.sys
    aswMBR is OK.

    Alcohol and other CD emulation programs use a hidden driver that is detected as a rootkit, and it interferes with diagnostic work as well as with removing infections. It falsifies the results of work tools by suggesting an infection when one actually does not exist.

    To get around this, please do the following:

    Start with the Defogger Download
    It is a utility that allows you to temporarily disable CD or DVD emulation programs.

    Save the program to your Desktop.
    ◾Double-click on the DeFogger icon to start the tool.
    ◾At DeFogger's console, click: Disable
    ◾When it prompts to continue, please click on: Yes
    ◾When the program is done, a Finished! message appears.
    ◾Click: OK (to exit the program)
    ◾If CD Emulation programs are present and disabled, DeFogger asks for a reboot.
    ◾Please do so by clicking: OK

    Next, please run Malwarebytes Anti-Rootkit Download
    Save to the Desktop (easy to find)
    Right-click the file and select: Extract here...

    In the MBAR folder that appears on the Desktop, open it, and double-click the MBAR application.

    At the program console, follow the prompts to update and allow the program to SCAN the computer for threats.

    If any threats are reported, DO NOT click on the Cleanup button to remove them!!!

    At this point go back to the MBAR folder on the Desktop, and look for two reports:
    1. system-log.txt
    2. mbar-log-2013-04-22 (20-13-32).txt (corresponds to mbar-log-year-month-day (hour-minute-second).txt)

    Please provide the mbar-log and the system-log in your reply.

    Exit: MBAR


  10. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #10

    If I'm not mistaken, the driver that Alcohol and Daemon Tools use is sptd.sys.

    Cottonball, you could have the user uninstall Alcohol and remove the SPTD.sys driver, then rescan with AVG.

    TO REMOVE THE SPTD.sys DRIVER

    Last edited by VistaKing; 22 Apr 2013 at 03:47.
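The question running through posts #9 and #10 is whether the hook AVG flags is explained by the CD-emulation driver (sptd.sys, shipped by Alcohol 120% and Daemon Tools) rather than by a real rootkit. The following PowerShell triage script is an added example, not posted by anyone in this thread: it reports whether sptd.sys is on disk, registered and running, how it is set to start, who signed it and its SHA256, and which emulation products are installed. The function name and the product name patterns are assumptions; the driver and product names come from the thread.

```powershell
# Added triage script (not from this thread). Run as Administrator on the
# affected machine; read-only, it changes nothing.
function Get-EmulationDriverStatus {
    param(
        [string[]]$DriverNames = @('sptd'),                          # named in post #10
        [string[]]$ProductPatterns = @('Alcohol 120%', 'DAEMON Tools') # named in the thread
    )
    $drivers = foreach ($name in $DriverNames) {
        $path = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
        # Service Control Manager view: is the kernel driver registered / running?
        $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        # Registry view: Start=0 is a boot-start driver, Start=4 is disabled.
        $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        $hash = $null; $signer = $null; $sigStatus = $null
        if (Test-Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
        [pscustomobject]@{
            Driver    = "$name.sys"
            OnDisk    = Test-Path $path
            State     = if ($svc) { $svc.State } else { 'not registered' }
            StartMode = if ($reg) { $reg.Start } else { $null }
            Signature = $sigStatus      # 'Valid' from the vendor is expected for SPTD
            Signer    = $signer         # an unsigned or oddly signed file here is not a false positive
            Sha256    = $hash           # compare against the vendor's published installer contents
        }
    }
    # Installed products that ship the driver; check both 32- and 64-bit uninstall hives.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $n -and ($ProductPatterns | Where-Object { $n -like "*$_*" }) } |
        Select-Object DisplayName, DisplayVersion, UninstallString
    [pscustomobject]@{ Drivers = $drivers; Products = $products }
}

$status = Get-EmulationDriverStatus
$status.Drivers  | Format-List
$status.Products | Format-Table -AutoSize
```

If the driver is present, running and validly signed by its vendor and a matching product is installed, the detection is consistent with the false positive described in post #9; a driver at that path with no valid signature, or one present with no emulation product installed, is the case to keep treating as a real infection.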


 