Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


AVG Rootkit detection

  • Please log in to reply
1 reply to this topic

#1 jestay


  • Members
  • 1 posts
  • Local time:03:58 AM

Posted 16 October 2012 - 02:13 AM


AVG has identified 8 rootkit infections on my PC as follows:

"Detection name";"Inline hook ataport.SYS DllUnload -> spwm.sys +0x61E2C"
"Detection name";"Inline hook PCIIDEX.SYS DllUnload -> spwm.sys +0x61E2C"
"Detection name";"atapi.sys, hooked import ataport.SYS AtaPortReadPortUchar -> spwm.sys +0x2EADC"
"Detection name";"atapi.sys, hooked import ataport.SYS AtaPortWritePortUchar -> spwm.sys +0x2F4E0"
"Detection name";"atapi.sys, hooked import ataport.SYS AtaPortWritePortUlong -> spwm.sys +0x2E28C"
"Detection name";"atapi.sys, hooked import ataport.SYS AtaPortWritePortBufferUshort -> spwm.sys +0x2F734"
"Detection name";"pci.sys, hooked import ntoskrnl.exe IoAttachDeviceToDeviceStack -> spwm.sys +0x65C58"
"Detection name";"pci.sys, hooked import ntoskrnl.exe IoDetachDevice -> spwm.sys +0x65BE4"

I tried using the AVG "Remove selected" feature, but the infections are still there when I rescanned. The files, according to AVG, are all called:

"Object name";"C:\Windows\System32\Drivers\spwm.sys"

Some system info:
- I am running Win7 64
- I use AVG for antivirus, but also have Malwarebytes and SbyBot Search & Destroy installed. I also have the MagicDisc virtual CD/DVD program installed.

I have not noticed any problematic behaviour of my PC, other than this AVG report.

Based on additional info requested in a very similar thread lower down this forum, I have already run TDSSKiller and aswMBR (just the scan, did not try and fix anything). Before finding this forum, I also ran ran GMER (default settings, "show all" not selected). The TDSSKiller log was too long to fit on a forum post, but the report from aswMBR and the output from the Rootkit/Malware tab of GMER are below:

aswMBR Log:

aswMBR version Copyright© 2011 AVAST Software
Run date: 2012-10-15 19:46:13
19:46:13.108 OS Version: Windows x64 6.1.7601 Service Pack 1
19:46:13.109 Number of processors: 8 586 0x1A05
19:46:13.109 ComputerName: JONATHAN-PC UserName: Jonathan
19:46:15.252 Initialize success
19:48:29.415 AVAST engine defs: 12101500
19:50:19.240 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:50:19.242 Disk 0 Vendor: SAMSUNG_HD103UJ 1AA01113 Size: 953868MB BusType: 3
19:50:19.264 Disk 0 MBR read successfully
19:50:19.266 Disk 0 MBR scan
19:50:19.270 Disk 0 Windows 7 default MBR code
19:50:19.278 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953867 MB offset 2048
19:50:19.300 Disk 0 scanning C:\Windows\system32\drivers
19:50:30.554 Service scanning
19:50:53.676 Modules scanning
19:50:53.684 Disk 0 trace - called modules:
19:50:53.696 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8005f202c0]<<spwm.sys ataport.SYS pciide.sys
19:50:53.699 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062be790]
19:50:53.702 3 CLASSPNP.SYS[fffff88001a6f43f] -> nt!IofCallDriver -> [0xfffffa8006095520]
19:50:53.706 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006097060]
19:50:53.710 \Driver\atapi[0xfffffa8006039730] -> IRP_MJ_CREATE -> 0xfffffa8005f202c0
19:50:58.913 AVAST engine scan C:\Windows
19:51:07.058 AVAST engine scan C:\Windows\system32
19:55:39.250 AVAST engine scan C:\Windows\system32\drivers
19:56:14.461 AVAST engine scan C:\Users\Jonathan
20:25:21.092 Disk 0 MBR has been saved successfully to "C:\Users\Jonathan\Desktop\MBR.dat"
20:25:21.097 The log file has been saved successfully to "C:\Users\Jonathan\Desktop\aswMBR.txt"


Rootkit/Malware tab of GMER:

GMER - http://www.gmer.net
Rootkit scan 2012-10-15 22:14:19
Windows 6.1.7601 Service Pack 1
Running: 3mcvobty.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9A 0x3A 0x1D 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9A 0x3A 0x1D 0x31 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Jonathan\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)


#2 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:10:58 PM

Posted 16 October 2012 - 02:17 AM

Please uninstall Daemon tools from add or remove programs


ESET online scanner

Install it

Click on START,it should download the virus definitions
When scan gets completed,click on LIST of found threats

Export the list to desktop,copy the contents of the text file in your reply



Install,update and run a full scan

Click on Show results.Right click on the list ,select all and remove them.

Post the generated log here


mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.


Farbar service scanner

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.


adware cleaner

Launch it click on Delete

A log should be generated after scan ,post it here


Junkware removal tool
For vista and windows 7 right click on the tool and select run as administrator

After scan gets completed,post the generated log here.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users