Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Repost to Gary R.AVG Free Finds/Secures/And Then Finds Again

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 2nd, 2013, 1:35 pm

Computer is very slow right now...cursor arrow is shaky and sticks on screen for millisecond. ....
======================================================
SystemLook 04.09.10 by jpshortstuff
Log created at 13:33 on 02/07/2013 by Administrator
Administrator - Elevation successful

========== Filefind ==========

Searching for "sp*.sys"
C:\WINDOWS\ServicePackFiles\i386\splitter.sys -----c- 6272 bytes [13:54 18/06/2013] [04:15 14/04/2008] AB8B92451ECB048A4D1DE7C3FFCB4A9F
C:\WINDOWS\system32\drivers\splitter.sys --a---- 6272 bytes [19:51 17/06/2013] [04:15 14/04/2008] AB8B92451ECB048A4D1DE7C3FFCB4A9F
C:\WINDOWS\system32\drivers\sptd.sys --a---- 691696 bytes [15:05 19/06/2013] [15:05 19/06/2013] (Unable to calculate MD5)

-= EOF =-
Last edited by Raptor on July 2nd, 2013, 6:26 pm, edited 1 time in total.
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)
Advertisement
Register to Remove

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 2nd, 2013, 5:25 pm

OK, that didn't get us too far, however it has thrown up something that I believe needs investigating ....

I'd like you to check a file for Viruses.
C:\WINDOWS\system32\drivers\sptd.sys

  • Browse to the file in the quote box above.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 3rd, 2013, 8:44 pm

My Internet service went off again. I don't want you to think I am slacking on this. Here are the results:
I went to Jotti's with my I.E. browser to upload the sptd.sys file and right away I got this:
"File is empty (0 bytes)!" Therefore it would not load.
I went to C:\WINDOWS\system32\drivers\sptd.sys (The file actually doesn't load at Jotti's with a ".sys" extension...just as "sptd")
There I checked the properties of the file and it registered at 675kb.
I returned to Jotti's with my Firefox browser and loaded the file again. After 2 hours the file was still loading (the "upload progress" was still at zero and to the right, the "service load was at about 10% which is where it was when I started. The message was "Uploading, please wait..."
Something isn't right.
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 4th, 2013, 1:04 am

  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished a list of detected items should be displayed.
  • Check to make sure the Cure option is selected in the drop down options. If cure is not available DO NOT select either Delete or Quarantine, just select Skip and let me know.
  • Please click on Continue
  • TDSSKiller will now attempt to clean the infection from your computer.
  • It will now ask for a reboot to complete the process, please click on Reboot now
  • When finished re-booting, a log of the cleanup will be found at C:\TDSSKiller.2.4.0.0_DD.MM.YYYY_HH.MM.SS_log.txt (where DD.MM.YYYY_HH.MM.SS are the date and time the tool was run)
  • Post the contents in your next reply please.

Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Files
C:\WINDOWS\system32\drivers\sptd.sys

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 4th, 2013, 1:31 am

After TDSSKiller run--"Cure" was unavailable--selected "skip" and continued. (1 detection--LOCKED FILE - Service: sptd - suspicious object. medium risk). TDSSKiller log is posted below. I stopped here as I was not sure to continue with instructions.
===============================================================================
01:17:08.0706 3556 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
01:17:09.0307 3556 ============================================================
01:17:09.0317 3556 Current date / time: 2013/07/04 01:17:09.0307
01:17:09.0317 3556 SystemInfo:
01:17:09.0317 3556
01:17:09.0317 3556 OS Version: 5.1.2600 ServicePack: 3.0
01:17:09.0317 3556 Product type: Workstation
01:17:09.0317 3556 ComputerName: STEPHEN
01:17:09.0317 3556 UserName: Administrator
01:17:09.0317 3556 Windows directory: C:\WINDOWS
01:17:09.0317 3556 System windows directory: C:\WINDOWS
01:17:09.0317 3556 Processor architecture: Intel x86
01:17:09.0317 3556 Number of processors: 1
01:17:09.0317 3556 Page size: 0x1000
01:17:09.0317 3556 Boot type: Normal boot
01:17:09.0317 3556 ============================================================
01:17:12.0241 3556 Drive \Device\Harddisk0\DR0 - Size: 0x6FC7C8000 (27.95 Gb), SectorSize: 0x200, Cylinders: 0xE40, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
01:17:12.0251 3556 ============================================================
01:17:12.0251 3556 \Device\Harddisk0\DR0:
01:17:12.0251 3556 MBR partitions:
01:17:12.0251 3556 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x37DFF40
01:17:12.0251 3556 ============================================================
01:17:12.0381 3556 C: <-> \Device\Harddisk0\DR0\Partition1
01:17:12.0381 3556 ============================================================
01:17:12.0381 3556 Initialize success
01:17:12.0381 3556 ============================================================
01:18:02.0303 3556 ============================================================
01:18:02.0303 3556 Scan started
01:18:02.0303 3556 Mode: Manual;
01:18:02.0303 3556 ============================================================
01:18:03.0064 3556 ================ Scan system memory ========================
01:18:03.0074 3556 System memory - ok
01:18:03.0084 3556 ================ Scan services =============================
01:18:03.0405 3556 Abiosdsk - ok
01:18:03.0425 3556 abp480n5 - ok
01:18:03.0535 3556 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:18:03.0535 3556 ACPI - ok
01:18:03.0595 3556 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
01:18:03.0595 3556 ACPIEC - ok
01:18:03.0775 3556 [ 9915504F602D277EE47FD843A677FD15 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
01:18:03.0785 3556 AdobeFlashPlayerUpdateSvc - ok
01:18:03.0795 3556 adpu160m - ok
01:18:03.0895 3556 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
01:18:03.0895 3556 aec - ok
01:18:03.0986 3556 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
01:18:03.0986 3556 AFD - ok
01:18:03.0996 3556 Aha154x - ok
01:18:04.0016 3556 aic78u2 - ok
01:18:04.0026 3556 aic78xx - ok
01:18:04.0076 3556 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
01:18:04.0076 3556 Alerter - ok
01:18:04.0126 3556 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
01:18:04.0126 3556 ALG - ok
01:18:04.0136 3556 AliIde - ok
01:18:04.0156 3556 amsint - ok
01:18:04.0256 3556 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
01:18:04.0266 3556 AppMgmt - ok
01:18:04.0276 3556 asc - ok
01:18:04.0296 3556 asc3350p - ok
01:18:04.0306 3556 asc3550 - ok
01:18:04.0506 3556 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
01:18:04.0506 3556 aspnet_state - ok
01:18:04.0566 3556 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:18:04.0566 3556 AsyncMac - ok
01:18:04.0637 3556 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
01:18:04.0647 3556 atapi - ok
01:18:04.0657 3556 Atdisk - ok
01:18:04.0717 3556 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:18:04.0717 3556 Atmarpc - ok
01:18:04.0787 3556 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
01:18:04.0787 3556 AudioSrv - ok
01:18:04.0847 3556 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
01:18:04.0847 3556 audstub - ok
01:18:06.0329 3556 [ 50185186719134FA8F307D269106A51C ] AVGIDSAgent C:\Program Files\AVG\AVG2013\avgidsagent.exe
01:18:07.0821 3556 AVGIDSAgent - ok
01:18:08.0102 3556 [ 4750A2A188D39034F5DDDDAE1BF38BF8 ] AVGIDSDriver C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys
01:18:08.0162 3556 AVGIDSDriver - ok
01:18:08.0232 3556 [ B0DEF92F4E1E6B9242E6C8FAB82703F7 ] AVGIDSHX C:\WINDOWS\system32\DRIVERS\avgidshx.sys
01:18:08.0252 3556 AVGIDSHX - ok
01:18:08.0272 3556 [ A426B2DC795531D99E2EE1952AEC051A ] AVGIDSShim C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys
01:18:08.0282 3556 AVGIDSShim - ok
01:18:08.0372 3556 [ 08FA13787D77A75DC413E27FD92B44E8 ] Avgldx86 C:\WINDOWS\system32\DRIVERS\avgldx86.sys
01:18:08.0422 3556 Avgldx86 - ok
01:18:08.0512 3556 [ 3E587EE55C70E6DB78A98D7121D3052E ] Avglogx C:\WINDOWS\system32\DRIVERS\avglogx.sys
01:18:08.0572 3556 Avglogx - ok
01:18:08.0642 3556 [ 5AC56B2CF8EE751796C5A8FC5C631B66 ] Avgmfx86 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
01:18:08.0682 3556 Avgmfx86 - ok
01:18:08.0702 3556 [ C29E6070396E437FDE184D739CCBA2C7 ] Avgrkx86 C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
01:18:08.0722 3556 Avgrkx86 - ok
01:18:08.0823 3556 [ 14370FB29526F593C04FA48B5D69F7F0 ] Avgtdix C:\WINDOWS\system32\DRIVERS\avgtdix.sys
01:18:08.0873 3556 Avgtdix - ok
01:18:08.0923 3556 [ 8DCD8B53E5935D9AF52CB62FD2B965B5 ] avgtp C:\WINDOWS\system32\drivers\avgtpx86.sys
01:18:08.0933 3556 avgtp - ok
01:18:09.0043 3556 [ 3A0977CB68AF13E2579E47EB8984056B ] avgwd C:\Program Files\AVG\AVG2013\avgwdsvc.exe
01:18:09.0123 3556 avgwd - ok
01:18:09.0173 3556 [ 5D7BE7B19E827125E016325334E58FF1 ] BANTExt C:\WINDOWS\System32\Drivers\BANTExt.sys
01:18:09.0173 3556 BANTExt - ok
01:18:09.0413 3556 [ BF84C5CAB6392BB4EF01248287F69388 ] BCM43XX C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
01:18:09.0534 3556 BCM43XX - ok
01:18:09.0614 3556 [ E727776A56A51B7E6B7C87C02EA8B405 ] bcm4sbxp C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 4th, 2013, 1:49 am

Just run the fix with OTL then, and post me the log.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 4th, 2013, 8:35 am

========== FILES ==========
C:\WINDOWS\system32\drivers\sptd.sys moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 07042013_083451
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 4th, 2013, 10:12 am

OK, the file appears to have been removed successfully, now please do the following ....

Please double click GMER to start it ....

  • Wait for it to finish it's preliminary startup scan, which should only take a few seconds, and when it has ...
  • Click >>> to open the options.
  • Click Files and wait for it to "populate" the main window.
  • Click the + against the Windows folder to expand it.
  • Click the + against the System32 folder to expand it. (this is a large folder, so may take a few seconds to populate)
  • Click the Drivers folder. (this is a large folder, so may take a few seconds to populate)
  • In the right hand side of the GMER window, there should now be a list of files with .sys file extensions.

Scroll through the files (the scroll bar is at the bottom not the side) and look for any with the pattern .... sp**.sys .... (where ** are replaced by any other 2 letters ... eg spbh.sys, spmi.sys, etc etc)

If you find any ...

  • Note down their names
  • Do not attempt to delete them at this point.
  • Post me the names of any that you find.

This might seem like a pointless exercise, since you can scroll through the same folder using Explorer.exe in Windows, but GMER can see files which may be hidden when using Explorer.exe, so since we had problems finding these kind of files earlier, I want to make sure that there aren't any hiding on your computer now.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 4th, 2013, 11:28 am

Out of only 21 items (including 10 folders) showing in the GMER window from the "drivers" folder there were none starting with sp**
I went to folder options (just to be sure) and unchecked "show hidden files and folders" and also unchecked "hide protected system operating files" and then "apply"
I then did a search of the system32 drivers file and it is gone.
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 4th, 2013, 11:59 am

In that case, how is your computer behaving now ?

Is AVG still flagging anything ?
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 4th, 2013, 12:09 pm

SystemLook 04.09.10 by jpshortstuff
Log created at 12:07 on 04/07/2013 by Administrator
Administrator - Elevation successful

========== Filefind ==========

Searching for "sp*.sys"
C:\WINDOWS\ServicePackFiles\i386\splitter.sys -----c- 6272 bytes [13:54 18/06/2013] [04:15 14/04/2008] AB8B92451ECB048A4D1DE7C3FFCB4A9F
C:\WINDOWS\system32\drivers\splitter.sys --a---- 6272 bytes [19:51 17/06/2013] [04:15 14/04/2008] AB8B92451ECB048A4D1DE7C3FFCB4A9F
C:\_OTL\MovedFiles\07042013_083451\C_WINDOWS\system32\drivers\sptd.sys --a---- 691696 bytes [15:05 19/06/2013] [15:05 19/06/2013] CDDDEC541BC3C96F91ECB48759673505

-= EOF =-
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 4th, 2013, 3:18 pm

I don't recall asking for a Systemlook scan, any particular reason why you've posted me a scan log ?

I did however ask a couple of questions that I'd like to hear the answers to.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 4th, 2013, 6:08 pm

OOPS...I must have been on page 1 of this thread. Sorry.
Anyway....My computer is faster but (perhaps unrelated) my Firefox browser keeps going back to the previous page on it's own. Weird.
I can try a reinstall.

AVG: No Flags

The "sptd" file is still in a folder on my computer at: C:/_OTL/MovedFiles/07042013_083451/C_WINDOWS/system32/drivers/sptd

The "hosts" file and the "downloads" files we moved earlier are closeby in a "07012013_104730" folder

Should I remove all of these?
I understand the sptd.sys file is used for Daemon Tools and Alcohol 120% and perhaps others
which I am not using at present.
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Gary R » July 5th, 2013, 4:54 am

No worries, it's easy to miss the page markers if you're not looking for them.

Try uninstalling and re-installing Firefox, there's a new version just come out (version 22), so you'd probably need to update anyway. If you're still having problems with it afterwards let me know.

The files you've noticed are the encrypted backups that OTL makes, they're not hazardous, but we'll remove them in a moment anyway when we remove OTL and the other programs we've been using on your machine.

First ....

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller, SystemLook and GMER (apart from the random named .exe file).
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete ... 6wn7uw97.exe

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Repost to Gary R.AVG Free Finds/Secures/And Then Finds A

Unread postby Raptor » July 5th, 2013, 12:29 pm

OK....Gary. Did the cleanup. Went with the text links you provided and learned some new things. I alsodid the cleanup which I already do on a regular basis..I also use CCleaner and sometimes ATF cleaner to remove what Disk Cleanup doesn't. I uninstalled Firefox 22.0 and reinstalled it. I have Firefox Maintenance installed and I think that keeps me updated. I emptied out all of the Sp3 and hotfix folders and removed all but the latest restore point. Dumped more than 3 Gigs overall. I just hit the space bar and the browser jumped back to the previous page....TWICE. Hmmmmm! Also...when I try to post...it goes to the previous page and I have to hit the "forward" arrow to keep from losing my post. This happens over and over until it decides to post. GOOD NEWS.....My computer is faster than a roadrunner now. Thank you so much!!!.................Steve

Also get this a lot of this: "The submitted form was invalid. Try submitting again."
I just keep posting over and over til it takes......
Raptor
Regular Member
 
Posts: 36
Joined: March 12th, 2012, 2:13 am
Location: Pinetops, NC (USA)
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware