atapi.sys and i8042prt.sys detected by AVG and return after reboot


15 replies to this topic

#1 Cannendrum

  • Members
  • 20 posts

Posted 25 August 2013 - 06:43 PM

Hello.

Some days ago, AVG detected three medium severity infections during its scan; they were two atapi.sys and one i8042prt.sys. I removed them and rebooted, only for them to come back after a rescan. I haven't noticed any slow-downs or any pop-ups and my computer seems to be behaving normally, but I don't want the problem to escalate if possible.

If I recall correctly, the problem started appearing after I downloaded and installed some updates for Windows XP.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Acer at 2:18:07 on 2013-08-26
Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.1014.195 [GMT 3:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Acer\Desktop\USB_Disk_Eject.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uProxyServer = 127.0.0.1:9666
uProxyOverride = 127.0.0.1;*.local
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: IplexToALLPlayer: {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} - c:\program files\opensubtitlesplayer\iplex\IplexToALLPlayer.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [AcerOrbicamRibbon] "c:\program files\acer\orbicam10\OrbiCam.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{47BD1830-F211-499A-A0DC-800695E1249E} : DHCPNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\acer\application data\mozilla\firefox\profiles\9ssflnno.default-1377449282921\
FF - plugin: c:\documents and settings\acer\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\acer\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1203133.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\Npindeo.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-08-25 19:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\acer\application data\mozilla\firefox\profiles\9ssflnno.default-1377449282921\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-08-25 20:03; donottrackplus@abine.com; c:\documents and settings\acer\application data\mozilla\firefox\profiles\9ssflnno.default-1377449282921\extensions\donottrackplus@abine.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 246072]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 182072]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-7-4 4939312]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-7-23 283136]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2013-4-25 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-8-24 22856]
R3 NETwLx32;    Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2013-2-17 6609920]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-8-24 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-8-24 701512]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2012-10-20 847392]
S3 Neo_First;VPN Client Device Driver - First;c:\windows\system32\drivers\Neo_0031.sys [2011-12-22 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2013-08-25 14:12:43    --------    d-sha-r-    C:\cmdcons
2013-08-25 14:10:27    98816    ----a-w-    c:\windows\sed.exe
2013-08-25 14:10:27    256000    ----a-w-    c:\windows\PEV.exe
2013-08-25 14:10:27    208896    ----a-w-    c:\windows\MBR.exe
2013-08-24 06:58:09    --------    d-----w-    c:\documents and settings\acer\application data\Malwarebytes
2013-08-24 06:57:37    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-08-24 06:57:33    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-08-24 06:57:32    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-08-22 22:16:19    --------    d-----w-    c:\windows\system32\MRT
2013-08-17 07:37:04    92056    ----a-w-    c:\program files\mozilla firefox\webapprt-stub.exe
2013-08-17 07:37:04    20616088    ----a-w-    c:\program files\mozilla firefox\xul.dll
2013-08-17 07:37:03    869656    ----a-w-    c:\program files\mozilla firefox\uninstall\helper.exe
2013-08-17 07:37:03    272792    ----a-w-    c:\program files\mozilla firefox\updater.exe
2013-08-17 07:37:03    170232    ----a-w-    c:\program files\mozilla firefox\webapp-uninstaller.exe
2013-08-17 07:37:02    152984    ----a-w-    c:\program files\mozilla firefox\softokn3.dll
2013-08-17 07:37:00    26520    ----a-w-    c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-08-17 07:37:00    12800    ----a-w-    c:\program files\mozilla firefox\plugins\npwachk.dll
2013-08-02 22:33:54    --------    d-----w-    c:\documents and settings\acer\local settings\application data\ALLPlayer
2013-08-02 22:33:05    --------    d-----w-    c:\program files\OpenSubtitlesPlayer
.
==================== Find3M  ====================
.
2013-08-21 07:49:30    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 07:49:30    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-26 02:47:17    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47:13    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59    385024    ------w-    c:\windows\system32\html.iec
2013-07-19 22:51:00    246072    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-07-19 22:50:56    60216    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-07-19 22:50:56    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-07-19 22:50:50    171320    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-09 22:32:40    39224    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-07-04 03:03:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-23 23:11:16    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 23:11:12    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-23 23:11:11    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-23 23:11:11    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
2013-05-28 01:59:37    590848    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-05-28 00:41:07    6144    ----a-w-    c:\windows\system32\xpsp4res.dll
.
============= FINISH:  2:18:57.34 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 27 August 2013 - 03:06 PM

Good evening. :)

If possible, could you post the results of the AVG scan - I'd like to see exactly what AVG thinks it is finding.

So long, and thanks for all the fish.

#3 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 27 August 2013 - 03:20 PM

Thank you for replying to my post.

Is this how I can post it? I'm using AVG Free Edition 2013, and I copied/pasted what I could find. If there's another way to post them in more detail, please let me know.

"";"atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spff.sys +0x2042, C:\WINDOWS\system32\drivers\spff.sys";"Infected"
"";"atapi.sys, hooked import HAL.dll READ_PORT_BUFFER_USHORT -> spff.sys +0x213E, C:\WINDOWS\system32\drivers\spff.sys";"Infected"
"";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spff.sys +0x11B90, C:\WINDOWS\system32\drivers\spff.sys";"Infected"
 



#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 27 August 2013 - 04:17 PM

That's fine for now. Do you have any CD Emulator Software installed?


So long, and thanks for all the fish.

#5 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 27 August 2013 - 04:21 PM

Yes, I have PowerISO + MagicISO.


Edited by Cannendrum, 27 August 2013 - 04:22 PM.


#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 28 August 2013 - 02:10 PM

Good evening. :)

I think that you'll find that the file in question, C:\WINDOWS\system32\drivers\spff.sys, is linked to that. Follow the following and post accordingly:

Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

C:\WINDOWS\system32\drivers\spff.sys

When all the scans have been completed, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Choose File button, navigate to the file and double click it and then click the Send button.

So long, and thanks for all the fish.

#7 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 28 August 2013 - 06:34 PM

The file seems to have disappeared. I searched for it in the system32\drivers folder with the "Show hidden files and folders" option turned on, but didn't find it.

I haven't done anything in regards to fixing this problem, as I was just using my laptop as always and browsing YouTube videos. The programs PowerISO and MagicISO are still installed. Is there any way to tell if the threats have really disappeared by themselves?

EDIT: AVG found the three threats again this morning, but when I searched in the drivers folder I couldn't find the spff.sys file.


Edited by Cannendrum, 29 August 2013 - 04:34 AM.


#8 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 29 August 2013 - 02:36 PM

Good evening. :)

Do you have AVG set to automatically delete what it detects?


So long, and thanks for all the fish.

#9 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 29 August 2013 - 03:03 PM

Yes, but it says that it will always ask for permission to heal/remove infections concerning rootkits.



#10 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 29 August 2013 - 03:51 PM

Will you check the virus vault, or whatever AVG calls its quarantine area, and see what it has in there.

So long, and thanks for all the fish.

#11 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 29 August 2013 - 05:06 PM

This is what was inside the virus vault:

"8/2/2013, 7:30:30 AM";"Corrupted executable file, C:\Documents and Settings\Acer\Local Settings\Temp\proXPN-2.5.3-install001.exe";"Scan";""
"8/2/2013, 7:34:13 AM";"Corrupted executable file, C:\Documents and Settings\Acer\Local Settings\Temporary Internet Files\Content.IE5\FCM43T4M\proXPN-2.5.3-install001[1].exe";"Scan";""
"8/3/2013, 1:34:44 AM";"General behavioral detection, C:\DOCUME~1\Acer\LOCALS~1\Temp\is-UJ7LD.tmp\OpenSubtitlesPlayerIM.tmp";"Identity Protection";""
"8/3/2013, 7:45:14 AM";"Corrupted executable file, C:\Documents and Settings\Acer\Local Settings\Temp\proXPN-2.5.3-install001.exe";"Scan";""
"8/3/2013, 7:46:22 AM";"Corrupted executable file, C:\Documents and Settings\Acer\Local Settings\Temporary Internet Files\Content.IE5\2JMXCJUR\proXPN-2.5.3-install001[1].exe";"Scan";""
"8/20/2013, 7:13:33 AM";"Found Tracking cookie.Yieldmanager, C:\Documents and Settings\Acer\Application Data\Opera\Opera\cookies4.dat";"Scan";""
 



#12 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 30 August 2013 - 01:59 PM

Good evening. :)

What is probably happening is that the file is being created, loaded into memory and then deleted from the hard drive - hence you can't find it. Fortunately we have an option to proceed with: http://www.bleepingcomputer.com/forums/t/293569/why-we-request-you-disable-cd-emulation-when-receiving-malware-removal-advice/

Will you run Defogger as the thread instructs and then have AVG run a scan and see what shows up - don't forget the reboot first.


So long, and thanks for all the fish.

#13 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 31 August 2013 - 03:47 AM

I ran Defogger and rebooted. AVG didn't find any threats, and also no signs of the spff.sys file.



#14 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 31 August 2013 - 02:12 PM

Good evening. :)

I'd say that that was indicative of a false-positive detection by AVG and you are good to go, unless there is anything else bothering you.

So long, and thanks for all the fish.

#15 Cannendrum

  • Topic Starter
  • Members
  • 20 posts

Posted 31 August 2013 - 02:59 PM

If you say it's alright and that there's nothing to worry about, I'll take your word for it. Everything else is fine and working properly.

Thank you for taking the time to help me, I appreciate it :thumbup2: