June 17, 2012 10:09 Re: AVG Cannot Remove #209057
Darth_Biagio
Novice
Join Date: 17.6.2012
Posts: 2
Same problem here.

This is what I get after a rootkit scan:

C:\WINDOWS\system32\drivers\spyn.sys ; i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spyn.sys +0x11E9C ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spyn.sys +0x2042 ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll READ_PORT_BUFFER_USHORT -> spyn.sys +0x213E ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll READ_PORT_USHORT -> spyn.sys +0x20C0 ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll WRITE_PORT_BUFFER_USHORT -> spyn.sys +0x2800 ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll WRITE_PORT_UCHAR -> spyn.sys +0x26D6 ; Object is hidden

If I try to correct the infections, restart the pc and do a new rootkit scan, I get the same 6 infections back, but with just a different sp*.sys name.
June 17, 2012 13:50 Re: AVG Cannot Remove #209063
RandomRootkit
Novice
Join Date: 15.6.2012
Posts: 4
This is certainly a false positive.

1. AVG reports that a different (sp**.sys) file is infected every time the computer is rebooted. The file does not exist, and creating the file reduces the error messages.

2. The problems only start after installing the most recent Patch Tuesday updates; this has been confirmed by a friend of mine who scanned before and after installing the updates.

3. GMER, SpyBot S&D, Malwarebytes and MSE all find nothing.

What version of Windows/AVG are you guys using? I'm guessing this might help AVG to identify and fix the problem.

OS: Win 7 Home Premium (SP1) 64-bit
AVG: 2012.0.2178
June 17, 2012 14:45 Re: AVG Cannot Remove #209073
Darth_Biagio
Novice
Join Date: 17.6.2012
Posts: 2
Problem solved...

I downloaded and used Kaspersky TDSSKiller and it actually found the sp*.sys threat and 3 more :surprised: !

Just to be sure, I let it delete anything, and there went my audio controller :undecided: ...

I uninstalled what was left of my Realtek AC'97 driver and did a clean reinstall from CD.

Now, I have the audio back and AVG doesn't seem to find any threats anymore :smile:.
(Kaspersky still finds 1 threat, but I did some quick research on Google and it seems to be a false positive about a Realtek process).

I'm using AVG Free Edition 2012.0.2180 with Windows XP Professional SP3 v5.1.2600.
June 17, 2012 21:15 Re: AVG Cannot Remove #209157
jacfr
Novice
Join Date: 17.6.2012
Posts: 1
Same problem here.

My logs are:

"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll READ_PORT_UCHAR -> spol.sys +0x2042";"Object is hidden"
"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll READ_PORT_BUFFER_USHORT -> spol.sys +0x213E";"Object is hidden"
"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll READ_PORT_USHORT -> spol.sys +0x20C0";"Object is hidden"
"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll WRITE_PORT_BUFFER_USHORT -> spol.sys +0x2800";"Object is hidden"
"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll WRITE_PORT_UCHAR -> spol.sys +0x26D6";"Object is hidden"
"";"C:\WINDOWS\system32\drivers\spol.sys";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spol.sys +0x11B90";"Object is hidden"

After every reboot there is another sp**.sys which causes AVG to raise an alarm. I've found no such files in the drivers directory.
Is it a false positive?


Problem SOLVED.
After trying many GMER-, OTL-, aswMBR-like programs I've found it was caused by the SPTD driver. After uninstalling it (see: http://www.duplexsecure.com/en/faq), none of these programs (nor AVG) found any threat. So it was a false positive, because SPTD is crucial for virtual drives and not a virus/rootkit.
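
The rootkit-scan output posted in this thread, parsed and grouped by the driver that receives the redirected calls. This is an added example, not part of any post and not AVG's code; it handles both log layouts shown above. The function names and the `matches_thread_pattern` heuristic are assumptions built only from what the posters describe (a rotating sp**.sys name hooking HAL.dll port I/O imports), so a match is a cue to check for SPTD, not a verdict.

```python
import csv
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines in the two log layouts posted in this thread.
SAMPLE = r'''
C:\WINDOWS\system32\drivers\spyn.sys ; i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spyn.sys +0x11E9C ; Object is hidden
C:\WINDOWS\system32\drivers\spyn.sys ; atapi.sys, hooked import HAL.dll WRITE_PORT_UCHAR -> spyn.sys +0x26D6 ; Object is hidden
"";"C:\WINDOWS\system32\drivers\spol.sys";"atapi.sys, hooked import HAL.dll READ_PORT_USHORT -> spol.sys +0x20C0";"Object is hidden"
'''

HOOK_RE = re.compile(r"(?P<victim>\S+), hooked import (?P<dll>\S+) (?P<func>\S+) -> (?P<target>\S+) \+0x(?P<offset>[0-9A-Fa-f]+)")
ROTATING_NAME_RE = re.compile(r"sp[a-z]{2}\.sys", re.IGNORECASE)  # "sp**.sys" as the posters describe it
PORT_IO_RE = re.compile(r"(READ|WRITE)_PORT_\w+")

def parse_line(line):
    """Return one hook record as a dict, or None if the line is not a hook entry."""
    line = line.strip()
    if line.startswith('"'):   # quoted, semicolon-delimited export
        fields = next(csv.reader([line], delimiter=";"))
    else:                      # plain ' ; ' separated scan result
        fields = [f.strip() for f in line.split(" ; ")]
    if len(fields) < 3 or not (m := HOOK_RE.fullmatch(fields[-2])):
        return None
    rec = m.groupdict()
    rec.update(path=fields[-3], status=fields[-1], offset=int(rec["offset"], 16))
    return rec

def summarize(text):
    """Group hook records by the driver that the hooked imports now point into."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        groups[rec["target"].lower()].append(rec)
    report = {}
    for target, recs in groups.items():
        report[target] = {
            "hooked_drivers": sorted({r["victim"] for r in recs}),
            "functions": sorted({r["func"] for r in recs}),
            "hidden": all(r["status"] == "Object is hidden" for r in recs),
            # Assumed heuristic: rotating sp??.sys name, only HAL.dll port I/O imports redirected.
            "matches_thread_pattern": bool(
                ROTATING_NAME_RE.fullmatch(ntpath.basename(recs[0]["path"]))
                and all(r["dll"].lower() == "hal.dll" and PORT_IO_RE.fullmatch(r["func"]) for r in recs)),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
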
June 19, 2012 11:15 Re: AVG Cannot Remove #209481
RandomRootkit
Novice
Join Date: 15.6.2012
Posts: 4
This appears to be fixed as of virus database version: 2437/5079.

Thanks, AVG!
June 19, 2012 14:53 Re: AVG Cannot Remove #209551
_malchys_
Administrator
Join Date: 2.5.2012
Posts: 1875
Hello,

We are glad that the issue is resolved now. Do not hesitate to contact us again if we can be of further assistance.

Thank you.

AVG Team