Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: AVG Anti-virus False Positive???


21 Apr 2013   #1

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
AVG Anti-virus False Positive???

I am currently running a windows 7 machine (desktop). Fully updated via windows update. I have AVG Free Antivirus 2013 build 3272. I also have malewarebytes, both are fully updated as well.

So one day while running the antivirus scan I had two things pop up saying infected. pci.sys hooked import ntoskrnl.exe, both were the same exact thing. I hit remove and it said my computer needed to be restarted so I restarted the computer and ran the scan a second time to make sure the infection was cleared, But the same 2 infections keep coming up over and over.

I ran malewarebytes which didn't find anything. I also ran disk cleanup, disk defrag, and avg pc tuneup.

I contacted AVG and they said they were going to send me an email with a program to run and send them information about the specific infection. It's avg_autoruns_en.exe Which I ran but it keeps crashing and never gets to the point where I can send information. I've posted on the AVG forums and no one is helping me at all.

I've searched the internet and some say it's a false positive and some say it's an actual infection that needs to be removed manually. I'm not sure what to do and don't wanna go another day with this thing on my computer especially if it is a virus.

Thanks for reading. Hope I can get some help. Let me know if you need anymore information or files from me.
Summer

My System SpecsSystem Spec
.

21 Apr 2013   #2

Windows 7 Home Premium
 
 

Summerbear5,

Let's see what this hort scan shows...

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
Select the version for your system: 64-bit
(The dark-blue button with x64)
Save to the Desktop.


Close all windows and browsers.

Right-click and select: Run as Administrator


At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)


Now, press: SCAN


When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

(Please do not remove anything yet.)


Also, is AVG your only AntiVirus?

Is this what you are getting:
Detection name: pci.sys, hooked import ntoskrl.exe IoAttachdeveiceToDeviceStack -> spqw.sys +0xXXXXX

Are you running Daemon Tools (Disk And Execution MONitor)?
My System SpecsSystem Spec
21 Apr 2013   #3

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

AVG and Malewarebytes and that is all...

I don't have Daemon Tools but I have alcohol 120%. Even with that though I never had this in AVG before, but with AVG always updating their definitions maybe that's why it's showing now.

Going to run the scan now I'll be back with the results.
My System SpecsSystem Spec
.


21 Apr 2013   #4

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Christina [Admin rights]
Mode : Scan -- Date : 04/21/2013 13:38:17
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[TASK][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> FOUND
[TASK][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe /DELETE_FROM_SYSTEM=1 [7] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 adobe.activate.com
127.0.0.1 adobeereg.com
127.0.0.1 Registration
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 125.252.224.90
127.0.0.1 125.252.224.91
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EALS-00Z8A0 +++++
--- User ---
[MBR] 1a39d33d5ddfba14cc031a3021ae299a
[BSP] 3a19b8357cc298dbf173cd8b623cfd13 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 943654 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1932603435 | Size: 10213 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04212013_02d1338.txt >>
RKreport[1]_S_04212013_02d1338.txt
My System SpecsSystem Spec
21 Apr 2013   #5

Windows 7 Home Premium
 
 

Alcohol is also software for mounting image files. This might not be a Rootkit, but, let's press on with the doubt...

Can you post a Screenshot of what AVG reports?
Screenshots and Files - Upload and Post in Seven Forums


Also, please run aswMBR:
http://public.avast.com/~gmerek/aswMBR.exe
Save it to the Desktop.

>>Make sure your AntiVirus is temporarily disabled!!<<
For information on how to disable protective programs, refer to this Info:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Right-click aswMBR and select: Run as Administrator

When the program opens, you are promped with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes
The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitiond database, etc.

When the Avast! scan is done, the last line changes to: Avast Engine definitions #####
At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say Scanning while it is in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!
Exit the program.

Please post the aswMBR log in your reply.
My System SpecsSystem Spec
21 Apr 2013   #6

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Here is a screenshot of AVG,

Going to run the other scan next.


Attached Thumbnails
AVG Anti-virus False Positive???-avgscanresults.png  
My System SpecsSystem Spec
21 Apr 2013   #7

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Here is aswMBR log


Attached Files
File Type: txt aswMBR.txt (1.7 KB, 7 views)
My System SpecsSystem Spec
21 Apr 2013   #8

Windows 7 Home Premium
 
 

Duplicate post, please follow post below.
My System SpecsSystem Spec
22 Apr 2013   #9

Windows 7 Home Premium
 
 

AVG reports the rootkit at C:\Windows\System32\Drivers\span.sys
aswMBR is OK.

Alcohol, and other CD Emulation programs use a hidden driver detected as a Rootkit, and it interferes with diagnostic work, as well as removing infections. It falsifies the results of work tools by suggesting an infection when it actually does not exist.

To get around this, please do the following:

Start with the Defogger Download
It is a utility that allows you to temporarily disable CD or DVD emulation programs.

Save the program to your Desktop.
◾Double-click on the DeFogger icon to start the tool.
◾At Deffoger's console, click: Disable
◾When it prompts to continue, please click on: Yes
◾When the program is done, a Finished! message appears.
◾Click: OK (to exit the program)
◾If CD Emulation programs are present and disabled, DeFogger asks for a reboot.
◾Please do so by clicking: OK

Next, please run Malwarebytes Anti-Rootkit Download
Save to the Desktop (easy to find)
Right-click the file and select: Extract here...

In the MBAR folder that appears on the Desktop, open it, and double-click the MBAR application.

At the program console, follow the prompts to update and allow the program to SCAN the computer for threats.

If any threats are reported, DO NOT click on the Cleanup button to remove them!!!

At this point go back to the MBAR folder on the Desktop, and look for two reports:
1. system-log.txt
2. mbar-log-2013-04-22 (20-13-32).txt (corresponds to mbar-log-year-month-day (hour-minute-second).txt)

Please provide the mbar-log and the system-log in your reply.

Exit: MBAR
My System SpecsSystem Spec
22 Apr 2013   #10

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

If I'm not mistaken the driver that Alcohol and Daemon Tools is sptd.sys

Cottonball you could have the user uninstall Alcohol and remove the SPTD.sys driver then rescan with avg

TO REMOVE THE SPTD.sys DRIVER

NAME
OPERATING SYSTEM
DOWNLOAD
SPTDWindows 2000/XP/2003/Vista/Windows 7 (32 bit)download

NAME
OPERATING SYSTEM
DOWNLOAD
SPTDWindows XP/2003/Vista/Windows 7 (64 bit)download
My System SpecsSystem Spec
Reply

 AVG Anti-virus False Positive???




Thread Tools



Similar help and support threads for2: AVG Anti-virus False Positive???
Thread Forum
A nice little False Positive..... System Security
Solved Malwarebytes False Positive System Security
Potential virus, but scans show up nothing. False positive? System Security
Is this a false positive? System Security
False positive System Security
McAfee false positive? System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 01:29 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33