BSOD 0x0000007f after AVG puts SISPERF.SYS in vault


17 replies to this topic

#1 minksystems
  • Members
  • 5 posts
  • Location:Penguin Tasmania Australia
  • Local time:06:45 PM

Posted 06 July 2010 - 12:04 AM

Have seen four of these today - hope not many more!!

Computer running Windows XP Pro, AVG Free Edition, SIS chipset mainboard (chip is stamped 964 on all I have seen).

AVG with DB 271.1/2982 detects C:\WINDOWS\SYSTEM32\DRIVERS\SISPERF.SYS as Win32/Patched.ER and moves it to the Virus Vault.

Once the machine is restarted, it loops endlessly (Safe and Normal modes) with a BSOD 0x0000007B because SISPERF.SYS is missing

The fix: get a good copy of SISPERF.SYS (Google for it, also attached to this post) and put it in C:\WINDOWS\SYSTEM32 - restart the machine and update AVG definitions

I replaced the file by putting the HDD in another machine as a slave..... another way would be to boot from CD and copy it over from a CD or floppy....

Definitions 271.1/2984 (2 versions later) no longer identify this same file as a virus. Looks like a false positive to me.....

Another fix (much messier) is to do a repair install of XP....

Attached Files


Edited by minksystems, 06 July 2010 - 01:27 AM.



#2 tekky
  • Members
  • 12 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 12:24 AM

Same problem here, 3 diff computers from 3 customers.

About to try your fix.

How the hell did you figure out AVG had put that file in the vault? I had a strong suspicion it was AVG, because all 3 computers use it.

#3 tekky
  • Members
  • 12 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 12:36 AM

Didn't work. One of the computers definitely has a SIS chipset, so that surprised me. I'm just gonna look at AVG logs now.

Edit: Ok how do you read the AVG logs, or figure out what was quarantined?

Edited by tekky, 06 July 2010 - 12:41 AM.


#4 tekky
  • Members
  • 12 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 01:14 AM

You made an error in your post, you put the file in

C:\WINDOWS\SYSTEM32\DRIVERS\SISPERF.SYS

Also, the error code is 0x0000007B

Edited by tekky, 06 July 2010 - 01:19 AM.


#5 minksystems
  • Topic Starter
  • Members
  • 5 posts
  • Location:Penguin Tasmania Australia
  • Local time:06:45 PM

Posted 06 July 2010 - 01:40 AM

Thanks for the comments, Tekky. Apologies for the two typos - I have corrected the original post; cannot work out how to edit the original topic however.

The topic should read "BSOD 0x0000007B after AVG puts SISPERF.SYS in vault"
The file is C:\WINDOWS\SYSTEM32\DRIVERS\SISPERF.SYS
The BSOD message is 0X0000007B

How to see what got put in the vault on the crashed PC - copy the $AVG\$VAULT folder from the crashed system to another computer running AVG Free (replacing the $VAULT on the computer you are copying to). Then you can see the files (and presumably recover them) in the vault using AVG Control Panel - (menu - History/Virus Vault). This method might be a bit dodgy - I think the Vault copying may be a one way trip; I don't think putting the old vault back works - but it was only on one of the test boxes I use for repairs so no biggie for me.... they get formatted on a regular basis...

;-)

#6 tekky
  • Members
  • 12 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 01:43 AM

I eventually figured out the trick you mentioned.

Btw, thank you so much for posting this thread. You saved me hours of frustration. I had already spent the day trying to fix one computer with this problem, and then two more came in!! :}

The first computer I worked on seems to be trashed after all the things I did to it.. one too many disk checks or something. I'm still working on fixing that :thumbsup:

Thanks again

#7 Judicandus
    Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:05:45 AM

Posted 06 July 2010 - 03:58 AM

Hello all,

It's possible to recover sisperf.sys (with the same exact version of the current OS) using AVG's rescue CD (use the Virus Vault option and recover the last file put into the vault).

It's possible to download the Rescue CD (ISO) from here: http://www.avg.com/it-en/download-file-cd-arl-iso
The USB Pendrive version can be downloaded from here: http://www.avg.com/it-en/download-file-cd-arl-rar (install instructions inside).

More information on AVG Rescue CD can be found here: http://www.avg.com/it-en/avg-rescue-cd.tpl-mcr1#tba3

The problem seems to concern only Windows XP SP2.

Edit Note: The file sisperf.sys is an IDE driver for SIS Chipsets. You can download a copy of the file from here: http://www.avg.it/Download/sisperf.zip or download the IDE driver from the SIS website. In case the user deleted the file or emptied the quarantine, it's possible to copy the extracted file to the AVG Rescue CD pendrive and copy it to the folder C:\Windows\system32\drivers\ using Midnight Commander (the file manager present inside the Rescue CD).

Edited by Judicandus, 06 July 2010 - 08:41 AM.
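The offline fix described in the posts above (mount the disk from another OS, put a known-good sisperf.sys back into system32\drivers) is simple enough to script. The following is an added example, not code from the thread or from AVG. It assumes the Windows partition is already mounted somewhere and that the operator supplies the SHA-256 of the known-good driver copy; that digest check is an addition of this example (a "good copy" found by searching the web is only good if it matches a reference you trust), and the `demo()` tree and driver bytes are constructed stand-ins.

```python
r"""Offline restore of a quarantined boot-start driver.

Added example; not code from the thread or from AVG. It models the manual fix
described above: with the Windows disk mounted from another OS (slave drive or
rescue CD), put a known-good copy of the driver back into
<WINDOWS>\system32\drivers. The SHA-256 check is this example's own addition:
the operator supplies the expected digest of the good copy, and a file that
does not match is refused rather than installed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_child_ci(parent: Path, name: str) -> Optional[Path]:
    """Case-insensitive child lookup. NTFS mounted under Linux keeps the
    on-disk spelling (WINDOWS vs Windows), so never assume one case."""
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def restore_driver(windows_root: Path, good_copy: Path, driver_name: str,
                   expected_sha256: str) -> str:
    """Copy good_copy to <windows_root>/system32/drivers/<driver_name>.

    Returns "restored", "already-present" or "hash-mismatch".
    Raises FileNotFoundError if system32/drivers is not under windows_root.
    """
    if sha256_of(good_copy).lower() != expected_sha256.lower():
        return "hash-mismatch"  # do not install an unverified replacement
    system32 = find_child_ci(windows_root, "system32")
    drivers = find_child_ci(system32, "drivers") if system32 else None
    if drivers is None:
        raise FileNotFoundError(f"no system32/drivers under {windows_root}")
    if find_child_ci(drivers, driver_name) is not None:
        return "already-present"  # file is there; the 0x7B has another cause
    shutil.copy2(good_copy, drivers / driver_name)
    return "restored"


def demo() -> str:
    """Build a constructed Windows tree in a temp dir and restore into it."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "WINDOWS"
    (root / "system32" / "drivers").mkdir(parents=True)
    good = tmp / "sisperf.sys"
    good.write_bytes(b"constructed stand-in for the real driver")  # constructed
    return restore_driver(root, good, "sisperf.sys", sha256_of(good))


if __name__ == "__main__":
    print(demo())  # restored
```

On a real rescue boot you would call `restore_driver(Path("/mnt/windows/WINDOWS"), Path("/media/usb/sisperf.sys"), "sisperf.sys", "<digest you trust>")`; an "already-present" result means the driver was not the missing piece and the 0x7B needs a different explanation.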


#8 leozilla
  • Members
  • 1 posts
  • Local time:10:45 AM

Posted 06 July 2010 - 12:48 PM

Same here, 4 PCs so far!!
It started yesterday around 9 am (Italy time).
You can also use tools such as ERD Commander (now MS DaRT) to get back to an older restore point.
ATTENTION: PCs which don't use the SIS chipset are also affected. If a PC is ghosted from an older PC which used the SIS chipset, the sisperf driver is still in the registry and the PC will crash exactly like the old one.

BTW I believe that AVG is definitely out for me. It's the 3rd time in 2 years that it gets this kind of false positive leading to a PC crash.
I'll not use it anymore nor suggest it to anyone.

#9 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:45 AM

Posted 06 July 2010 - 12:59 PM

I would do the following:

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#10 BSteingraber
  • Members
  • 3 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 01:58 PM

I also have 12 machines "infected".
All are running Win XP SP3 with Foxconn motherboards (SIS Chipsets).

Is this a confirmed False Positive??
I haven't seen anything from AVG about this at all...

Edited by BSteingraber, 06 July 2010 - 03:24 PM.


#11 BSteingraber
  • Members
  • 3 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 03:17 PM

Just replaced the "infected" sisperf.sys file with a good copy. Computers work like normal.
I am going to perform an update and scan and see if it still shows up as a virus.

#12 BSteingraber
  • Members
  • 3 posts
  • Local time:03:45 AM

Posted 06 July 2010 - 03:26 PM

UPDATE:
I submitted the file to AVG and they ruled it a False Positive. See message below.

///BEGIN ORIGINAL MESSAGE///
This e-mail is an auto-response message. Please do not reply.

AVG Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

Further information about the verdicts is available at our website:
http://www.avg.com/faq-1184

"c:\WINDOWS\system32\drivers\sisperf.sys" - false alarm


Best regards,

AVG Customer Services
AVG Technologies
website: http://www.avg.com

///END MESSAGE///

#13 minksystems
  • Topic Starter
  • Members
  • 5 posts
  • Location:Penguin Tasmania Australia
  • Local time:06:45 PM

Posted 06 July 2010 - 05:22 PM

Thanks to BSteingraber for submitting it to AVG - I did not have a chance to do it when I posted the thread....... nice to see the confirmation of false positive from AVG.

Thanks also to Judicandus for the AVG rescue CD link - good stuff......

We have been seeing occasional false positives for files in the DRIVERS folder - I saw a few similar issues with an ATAPI.SYS detection a month or two back that had the same 0x0000007b outcome.

The main problem with these (false) detections that relate to disk drivers is that the problem does not show until the computer is restarted, then it falls over during boot with a BSOD. Losing access to safe mode just compounds the problem.

Despite the false positives, I would still recommend AVG as an excellent security product if anyone asks - the product is simple but functional, it works well without loading the machine down too much, the updates are regular and their response in times of trouble is always prompt. Both the free and paid versions are excellent IMHO (no this is not an advertisement!)
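Two points in this thread deserve a check that runs before the reboot: the false detection of a disk driver only bites at the next boot (post above), and a machine ghosted from a SIS-chipset system still carries the sisperf service entry in its registry (leozilla's post). The following is an added example, not code from the thread or from AVG. It enumerates boot-start services (Start=0) under HKLM\SYSTEM\CurrentControlSet\Services and reports any whose image file is missing; the ImagePath forms it resolves are this example's assumptions, the registry reader is Windows-only (`winreg`), and the file-existence check is injectable so the logic can be exercised on a constructed list off the affected box.

```python
r"""Pre-reboot check: is every boot-start driver still on disk?

Added example; not from the thread and not an AVG tool. A quarantined
boot-start disk driver is only noticed by the loader at the next boot, which
ends in STOP 0x7B in both normal and safe mode. This script lists services
with Start=0 (SERVICE_BOOT_START) under HKLM\SYSTEM\CurrentControlSet\Services
and reports any whose image file is missing, which also catches a stale entry
on a machine cloned from a SIS-chipset system. The ImagePath forms handled in
resolve_image_path are this example's assumptions.
"""
import os
import sys
from typing import Callable, Iterable, List, Tuple

BOOT_START = 0                      # SERVICE_BOOT_START
NT_PREFIX = "\\??\\"                # \??\C:\path\x.sys
SYSROOT_PREFIX = "\\systemroot\\"   # \SystemRoot\system32\drivers\x.sys
ENV_SYSROOT = "%systemroot%"        # %SystemRoot%\system32\drivers\x.sys

ServiceEntry = Tuple[str, int, str]  # (key name, Start value, ImagePath)


def resolve_image_path(image_path: str, service_name: str,
                       windows_root: str) -> str:
    r"""Turn an ImagePath value into an absolute Windows path.

    Assumed forms (this example's assumptions, not an exhaustive list):
      ""                                   -> <root>\system32\drivers\<name>.sys
      "system32\drivers\x.sys"             -> <root>\system32\drivers\x.sys
      "\SystemRoot\system32\drivers\x.sys" -> <root>\system32\drivers\x.sys
      "%SystemRoot%\system32\drivers\x.sys"-> <root>\system32\drivers\x.sys
      "\??\C:\full\path\x.sys"             -> C:\full\path\x.sys
      "C:\full\path\x.sys"                 -> unchanged
    """
    root = windows_root.rstrip("\\")
    p = image_path.strip().strip('"')
    if not p:
        p = "system32\\drivers\\" + service_name + ".sys"  # loader default (assumed)
    low = p.lower()
    if low.startswith(NT_PREFIX):
        return p[len(NT_PREFIX):]
    if low.startswith(SYSROOT_PREFIX):
        return root + "\\" + p[len(SYSROOT_PREFIX):]
    if low.startswith(ENV_SYSROOT):
        return root + p[len(ENV_SYSROOT):]
    if len(p) > 1 and p[1] == ":":
        return p  # already drive-qualified
    return root + "\\" + p.lstrip("\\")


def find_missing_boot_drivers(services: Iterable[ServiceEntry],
                              windows_root: str,
                              exists: Callable[[str], bool] = os.path.exists
                              ) -> List[Tuple[str, str]]:
    """Return [(service, resolved path)] for boot-start drivers with no file.
    `exists` is injectable so the logic can be run against a constructed list."""
    missing = []
    for name, start, image_path in services:
        if start != BOOT_START:
            continue
        resolved = resolve_image_path(image_path, name, windows_root)
        if not exists(resolved):
            missing.append((name, resolved))
    return missing


def read_services_from_registry() -> List[ServiceEntry]:
    r"""Windows-only: enumerate HKLM\SYSTEM\CurrentControlSet\Services."""
    import winreg  # stdlib, present only on Windows
    entries: List[ServiceEntry] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, name) as key:
                    start, _ = winreg.QueryValueEx(key, "Start")
                    try:
                        image_path, _ = winreg.QueryValueEx(key, "ImagePath")
                    except OSError:
                        image_path = ""  # no ImagePath: resolved from key name
            except OSError:
                continue  # no Start value or key unreadable: skip
            entries.append((name, int(start), str(image_path)))
    return entries


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry enumeration needs Windows; run on the affected machine")
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    gone = find_missing_boot_drivers(read_services_from_registry(), root)
    for name, path in gone:
        print(f"MISSING boot-start driver: {name} -> {path}")
    print("ok: all boot-start drivers present" if not gone else f"{len(gone)} missing")
```

A non-empty report after a quarantine is the moment to restore the file (or the vault item) while the machine still boots, rather than after the 0x7B.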

#14 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:45 AM

Posted 06 July 2010 - 05:29 PM

I would do the following:

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.



Please adhere to the following advice. Not many anti-virus makers have the right set of detection or analysis tools required to detect new and advanced root kits.

#15 dr1310
  • Members
  • 7 posts
  • Gender:Male
  • Location:Coastal NC, USA
  • Local time:03:45 AM

Posted 07 July 2010 - 04:09 PM

The false positive on sisperf.sys also affects the paid versions of AVG.

I contacted AVG support last night, Jul 6, and had a response from them requesting the contents of the Virus Vault by 7 Jul, 0730Z. With 2 out of 2-1/2 machines down, getting to the point I could read their reply and check the vault was a long drawn out process. As soon as I saw the name I used the 1/2 computer to search for sisperf.sys and found your post first up! Thanks for the info.

The reason I contacted AVG might be odd, I don't know whether related or not, but when I tried to reboot into safe mode, the computer always kicked out the BSOD when the installation listing got to ADV files. That reminded me that I had a virus message and put something into Virus Vault the previous day.

By the way, why can't the file in the virus vault just be put back where it belongs? Do they modify it in some manner?

Thanks,

Dave



