AVG Forums » Other topics » Virus Removal, Tools for Removing » [SOLVED] AVG Can't Remove Rootkit
February 14, 2013 08:05 [SOLVED] AVG Can't Remove Rootkit #224553
dixie31

Novice
Join Date: 14.2.2013
Posts: 2
Hi, i did a scan with AVG and it came up with this:

detection name: i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR - sphn.sys +0x11B90
description C:\windows\system32\drivers\sphn.sys
severity: medium
state: infected
source: anti-rootkit

Then I tried to remove it and it didn't work.

Downloaded aswMBR the log says:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-14 17:38:03
-----------------------------
17:38:03.156 OS Version: Windows 5.1.2600 Service Pack 3
17:38:03.156 Number of processors: 2 586 0x1C02
17:38:03.156 ComputerName: HPMINI110-1111T UserName: Brendon
17:38:05.140 Initialize success
18:00:48.921 AVAST engine defs: 13021304
18:01:01.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
18:01:01.531 Disk 0 Vendor: WDC_WD16 13.0 Size: 152627MB BusType: 3
18:01:01.562 Disk 0 MBR read successfully
18:01:01.562 Disk 0 MBR scan
18:01:01.625 Disk 0 Windows XP default MBR code
18:01:01.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
18:01:01.640 Disk 0 scanning sectors +312560640
18:01:01.734 Disk 0 scanning C:\WINDOWS\system32\drivers
18:01:23.812 Service scanning
18:01:45.703 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
18:01:52.593 Modules scanning
18:01:59.078 Disk 0 trace - called modules:
18:01:59.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spuh.sys hal.dll >>UNKNOWN [0x8a6b5938]<<
18:01:59.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6f4030]
18:01:59.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a6f5030]
18:01:59.828 AVAST engine scan C:\WINDOWS
18:02:05.390 AVAST engine scan C:\WINDOWS\system32
18:07:29.828 AVAST engine scan C:\WINDOWS\system32\drivers
18:08:00.359 AVAST engine scan C:\Documents and Settings\Brendon
18:18:21.718 AVAST engine scan C:\Documents and Settings\All Users
18:20:45.375 Scan finished successfully
18:56:49.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brendon\My Documents\MBR.dat"
18:56:49.593 The log file has been saved successfully to "C:\Documents and Settings\Brendon\My Documents\aswMBR.txt"


Tried to fix the MBR, but on reboot the rootkit is still there, so I need some help to remove it. Thanks heaps!
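The aswMBR log above reports the partition table ("Partition 1 80 (A) 07 HPFS/NTFS ... offset 63"), says the MBR code is the Windows XP default, and saves the sector to MBR.dat. Before or after a FixMBR the one check worth doing on that saved sector is to parse it yourself and confirm it still describes the same disk. The following is an added example, not code from the post, from aswMBR or from AVG: it parses a 512-byte MBR image, prints each entry the way aswMBR does, and hashes the boot-code region so two MBR.dat dumps can be compared. The sample sector is constructed to match the log (one active type 0x07 partition at sector 63, 152617 MB); its boot code and disk signature are filler, not real Windows XP MBR code, and the function names are mine.

```python
"""Parse a 512-byte MBR image (e.g. the MBR.dat aswMBR saves) and compare its
partition table with what aswMBR reported.  Added example; the sample sector
below is constructed, not taken from the forum poster's machine."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446              # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
DISK_SECTORS = 152627 * 1024 * 1024 // SECTOR   # aswMBR: "Size: 152627MB"

PARTITION_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


@dataclass(frozen=True)
class Partition:
    index: int       # 1-based table slot, as aswMBR numbers them
    status: int      # 0x80 = active/bootable, 0x00 = inactive
    type_id: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, "unknown")


def parse_mbr(data: bytes) -> list[Partition]:
    """Return the non-empty partition entries; raise on a malformed sector."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = data[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 and sectors == 0:
            continue                                  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid status byte {status:#04x}")
        parts.append(Partition(i + 1, status, type_id, lba_start, sectors))
    return parts


def describe(parts: list[Partition]) -> list[str]:
    """One line per partition in the shape aswMBR prints."""
    lines = []
    for p in parts:
        status = f"{p.status:02X}" + (" (A)" if p.active else "")
        lines.append(f"Partition {p.index} {status} {p.type_id:02X} "
                     f"{p.type_name} {p.size_mb} MB offset {p.lba_start}")
    return lines


def check_layout(parts: list[Partition], disk_sectors: int = DISK_SECTORS) -> list[str]:
    """Sanity checks to run on a dump before and after FixMBR."""
    problems = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p.lba_start + p.sectors > disk_sectors:
            problems.append(f"partition {p.index} runs past the end of the disk")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                problems.append(f"partitions {a.index} and {b.index} overlap")
    return problems


def disk_signature(data: bytes) -> int:
    """NT disk signature, little-endian DWORD at bytes 440..443."""
    return struct.unpack_from("<I", data, 440)[0]


def boot_code_hash(data: bytes) -> str:
    """SHA-256 of the boot-code region (bytes 0..439); if two MBR.dat dumps
    give the same digest, FixMBR did not change the code."""
    return hashlib.sha256(data[:440]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP filler as boot code, a made-up disk signature,
    and the single partition shown in the aswMBR log (152617 MB = 152617*2048 sectors)."""
    code = b"\x90" * 440 + b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 152617 * 2048)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()        # real use: open("MBR.dat", "rb").read()
    parts = parse_mbr(mbr)
    print("\n".join(describe(parts)))
    print(f"disk signature: {disk_signature(mbr):08X}")
    print("boot code sha256:", boot_code_hash(mbr))
    print("problems:", check_layout(parts) or "none")
```

Run it on the MBR.dat that aswMBR wrote and the describe() line should match the "Disk 0 Partition 1 ..." line in the log; a changed boot-code hash with an unchanged partition table is what a successful FixMBR looks like, while any entry in check_layout() means the table itself was damaged.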
February 14, 2013 08:37 Re: AVG Can't Remove Rootkit #224560
Whirl-Wire

Novice
Join Date: 14.2.2013
Posts: 2
Same problem..

Hi, today my AVG found the following:

"";"C:\Windows\System32\Drivers\spne.sys";"Inline-Hook ataport.SYS DllUnload -> spne.sys +0x5E360";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortReadPortBufferUshort -> spne.sys +0x2D35C";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortReadPortUchar -> spne.sys +0x2D224";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortWritePortUchar -> spne.sys +0x2DA24";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortWritePortBufferUshort -> spne.sys +0x2DBA0";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"pci.sys, Import-Hook ntoskrnl.exe IoAttachDeviceToDeviceStack -> spne.sys +0x62650";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"pci.sys, Import-Hook ntoskrnl.exe IoDetachDevice -> spne.sys +0x625DC";"Verstecktes Objekt"

(verstecktes Objekt means hidden object)

It seems to be similar to this thread: http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=208665

I hope this is a false positive too and AVG will update its signatures soon.
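Both posts above show the same shape of finding: every hook AVG lists (import-table hooks in atapi.sys and pci.sys, one inline hook in ataport.SYS, and in the first post a HAL.dll port-I/O import in i8042prt.sys) resolves to an offset inside a single sp??.sys driver under System32\Drivers. The aswMBR log in the first post also shows a locked sptd service and spuh.sys in the disk driver chain; sptd.sys is the SCSI Pass Through Direct driver installed by disc-emulation tools such as Daemon Tools and Alcohol 120%, which hooks the ATA port routines in exactly this way, so the first check on a flagged sp??.sys is its publisher signature, not a removal attempt. The following is an added example, not code from the thread or from AVG: it parses both detection formats quoted above (the free-text "detection name:" line and the semicolon-separated export whose last column is AVG's German status "Verstecktes Objekt", hidden object) into records and groups them by the driver that owns the hook, so the "one driver, many hooks" pattern is visible at a glance. The regex, field names and the summary layout are my own assumptions.

```python
"""Parse AVG anti-rootkit hook detections into records and group them by the
driver the hooks jump into.  Added example; handles the two line shapes
quoted in this thread.  Regex and field names are assumptions, not AVG's."""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Detection text quoted from the two posts above.
FREE_TEXT = "i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR - sphn.sys +0x11B90"

CSV_EXPORT = r'''
"";"C:\Windows\System32\Drivers\spne.sys";"Inline-Hook ataport.SYS DllUnload -> spne.sys +0x5E360";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortReadPortBufferUshort -> spne.sys +0x2D35C";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortReadPortUchar -> spne.sys +0x2D224";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortWritePortUchar -> spne.sys +0x2DA24";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"atapi.sys, Import-Hook ataport.SYS AtaPortWritePortBufferUshort -> spne.sys +0x2DBA0";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"pci.sys, Import-Hook ntoskrnl.exe IoAttachDeviceToDeviceStack -> spne.sys +0x62650";"Verstecktes Objekt"
"";"C:\Windows\System32\Drivers\spne.sys";"pci.sys, Import-Hook ntoskrnl.exe IoDetachDevice -> spne.sys +0x625DC";"Verstecktes Objekt"
'''

HOOK_RE = re.compile(
    r"^(?:(?P<host>\S+),\s+)?"                  # module whose import table was patched (absent for inline hooks)
    r"(?P<kind>hooked import|Import-Hook|Inline-Hook)\s+"
    r"(?P<module>\S+)\s+(?P<function>\S+)\s+"   # exporting module and the hooked export
    r"(?:->|-)\s+(?P<target>\S+)\s+"            # driver the hook jumps into
    r"\+(?P<offset>0x[0-9A-Fa-f]+)$"            # offset of the hook handler in that driver
)


@dataclass(frozen=True)
class Hook:
    host: Optional[str]
    kind: str
    module: str
    function: str
    target: str
    offset: int
    path: Optional[str] = None      # only the CSV export carries the file path
    status: Optional[str] = None    # AVG status text, e.g. "Verstecktes Objekt"


def parse_hook(text: str, path: Optional[str] = None, status: Optional[str] = None) -> Hook:
    m = HOOK_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised detection text: {text!r}")
    return Hook(host=m["host"], kind=m["kind"], module=m["module"],
                function=m["function"], target=m["target"],
                offset=int(m["offset"], 16), path=path, status=status)


def parse_csv_export(text: str) -> list[Hook]:
    """Rows are: "";"<file path>";"<detection text>";"<status>"."""
    hooks = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(row) != 4:
            raise ValueError(f"expected 4 fields, got {len(row)}: {row}")
        _, path, description, status = row
        hooks.append(parse_hook(description, path=path, status=status))
    return hooks


def group_by_target(hooks: list[Hook]) -> dict[str, dict]:
    """Summarise hooks per owning driver: how many, from which host modules,
    which exports, and how many are inline (code) rather than import-table hooks."""
    grouped: dict[str, list[Hook]] = defaultdict(list)
    for h in hooks:
        grouped[h.target.lower()].append(h)
    return {
        target: {
            "hooks": len(hs),
            "hosts": sorted({h.host for h in hs if h.host}),
            "paths": sorted({h.path for h in hs if h.path}),
            "apis": sorted(f"{h.module}!{h.function}" for h in hs),
            "inline": sum(1 for h in hs if h.kind == "Inline-Hook"),
        }
        for target, hs in grouped.items()
    }


if __name__ == "__main__":
    hooks = [parse_hook(FREE_TEXT)] + parse_csv_export(CSV_EXPORT)
    for target, info in group_by_target(hooks).items():
        print(f"{target}: {info['hooks']} hooks ({info['inline']} inline) "
              f"from {info['hosts'] or ['<none>']} into {info['apis']}")
        for path in info["paths"]:
            print(f"  file to verify (publisher signature, hash): {path}")
```

The summary for the CSV export comes out as one target, spne.sys, with seven hooks from atapi.sys and pci.sys into ataport.SYS and ntoskrnl.exe; the first post's line gives a second target, sphn.sys, with a HAL.dll port-I/O hook. A storage-stack hook set owned by one driver is consistent with both a bootkit and a disc-emulation filter driver, which is why the file's signature and publisher decide the case, and why a signature update (as happened here) can flip the verdict without anything on disk changing.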
February 14, 2013 11:44 Re: AVG Can't Remove Rootkit #224584
_malchys_

TechBuddy Ambassador

Join Date: 2.5.2012
Posts: 1633
Hi all,

Please follow this guide to provide us with all necessary information regarding the false positive detection.

Thanks.

February 15, 2013 07:33 Re: AVG Can't Remove Rootkit #224638
Whirl-Wire

Novice
Join Date: 14.2.2013
Posts: 2
solved..

The latest signatures fix the problem, the file is no longer marked as a rootkit.
February 15, 2013 21:31 Re: AVG Can't Remove Rootkit #224701
dixie31

Novice
Join Date: 14.2.2013
Posts: 2
cool..

I was hoping it was a false positive. Thanks for the help!
February 19, 2013 09:09 Re: AVG Can't Remove Rootkit #224821
Pokornyz

TechBuddy Ambassador

Join Date: 29.11.2010
Posts: 5994
Hello Whirl-Wire,

We are happy to see that your issue is resolved.

Thank you for posting back.
