[GUBID]

A bit more info Teima.
After I posted to you about the "new" infections.
AVG asked me to deal with the issues, I selected that option, AVG then asked for a restart to complete the process.
When I ran a scan after the restart, I wasn't surprised to find that the infections were still present!
I was surprised though to see that AVG had now found 25 infections!!!
This time I didn't opt to heal them, I decided to get feedback from you.
Another scan was run today and the number of infections is now up to 34!!
I have included the log output for you to look at:
Scheduled Scan
Medium priority;"34";"0";"34"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"17/09/2013, 16:00:02"
Finished:;"17/09/2013, 16:34:54"
Total object scanned:;"3004350"
User who launched the scan:;"SYSTEM"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_EA -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CLEANUP -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_PNP -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_QUOTA -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_INTERNAL_DEVICE_CONTROL -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_PNP -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_DEVICE_CONTROL -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_READ -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_READ -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_VOLUME_INFORMATION -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_WRITE -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_FLUSH_BUFFERS -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CREATE -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SHUTDOWN -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_SYSTEM_CONTROL -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_DEVICE_CONTROL -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spfb.sys +0x11E9C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_SECURITY -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_FLUSH_BUFFERS -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_SHUTDOWN -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_WRITE -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLEANUP -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_QUOTA -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_EA -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_POWER -> spfb.sys +0x12CD8";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_LOCK_CONTROL -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_INFORMATION -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_FILE_SYSTEM_CONTROL -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLOSE -> spfb.sys +0x1204C";"C:\Windows\System32\Drivers\spfb.sys";"Infected"


I've done as you requested, checked the show hidden.
I found the C:\Windows\System32\drivers\i8042prt.sys and have uploaded it.
I could not find the C:\Windows\System32\Drivers\splb.sys, there is no folder called 'Drivers'. I thought that might be a typo on your part so I checked the 'drivers' folder for both the splb.sys file and the spfb.sys file listed above and found neither of them.

[Advertisements]

I just checked AVG scan output for today.
I now have only 3 infections!!
The output file is here:
Scheduled Scan
Medium priority;"3";"0";"3"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"18/09/2013, 16:00:02"
Finished:;"18/09/2013, 16:17:44"
Total object scanned:;"2996814"
User who launched the scan:;"SYSTEM"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CREATE -> spqw.sys +0x12CD8";"C:\Windows\System32\Drivers\spqw.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> spqw.sys +0x1204C";"C:\Windows\System32\Drivers\spqw.sys";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spqw.sys +0x11E9C";"C:\Windows\System32\Drivers\spqw.sys";"Infected"

I thought you would want to check the spqw.sys file so I checked the Drivers folder and couldn't find it.

[GUBID]

I just checked AVG scan output for today.
I now have only 3 infections!!
The output file is here:
Scheduled Scan
Medium priority;"3";"0";"3"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"18/09/2013, 16:00:02"
Finished:;"18/09/2013, 16:17:44"
Total object scanned:;"2996814"
User who launched the scan:;"SYSTEM"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CREATE -> spqw.sys +0x12CD8";"C:\Windows\System32\Drivers\spqw.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> spqw.sys +0x1204C";"C:\Windows\System32\Drivers\spqw.sys";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spqw.sys +0x11E9C";"C:\Windows\System32\Drivers\spqw.sys";"Infected"

I thought you would want to check the spqw.sys file so I checked the Drivers folder and couldn't find it.

[Teima]

Hello GUBID,

Thanks for uploading those files. We can confirm that this is a False Positive from the AVG side of things. I have spoken with my instructor and we think that it will be of a benefit to both yourself and ourselves that you consider switching to another alternative like the example which was included within this former post.

Both Microsoft Security Essentials and Avast anti-virus are from reputable providers and I wouldn't see the same issue to be of an occurrence like this instance. Please let me know what you think.

[GUBID]

I did a search online about the Youtube issue, one thread I came across blamed AVG!
Several posters said they solved this issue by turning off the "web protection" function of AVG.
I don't see the point in doing that, you're paying for that so why turn it off!
Another poster said the issue disappeared when he updated to AVG 2014.
I checked my version and found that for some reason my version was 2013. I thought this odd as I update
everything on a daily basis nearly. On checking I found you had to update manually! Any way I have done that
so we will see if that changes anything. I will probably change my computers protection in the way you have recommended too.
I'd like to thank you and your instructor for your support and help it has been much appreciated.
I'll let you know how I get on.

[GUBID]

Well the AVG 2014 just ran it's first scan and came up with 35 infections!
I've posted the output below:
Scheduled Scan
Medium priority;"35";"1";"34"
Folders selected for scanning:;"Scan whole computer"
Started:;"20/09/2013, 16:00:02"
Finished:;"20/09/2013, 17:12:54"
Total object scanned:;"602607"
User who launched the scan:;"SYSTEM"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_QUERY_VOLUME_INFORMATION -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_POWER -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spfp.sys +0x11E9C";"C:\Windows\System32\Drivers\spfp.sys";"Infected"
Healed;"Medium";"Corrupted executable file";"C:\Users\GUB\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YPXL94D1\Firefox%20Setup%20Stub%2023.0.1[1].exe";"Secured"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_DEVICE_CONTROL -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_DEVICE_CONTROL -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_FLUSH_BUFFERS -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_SHUTDOWN -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_WRITE -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_CLEANUP -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_SYSTEM_CONTROL -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_PNP -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_LOCK_CONTROL -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_CLEANUP -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_PNP -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SET_INFORMATION -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_QUERY_QUOTA -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_READ -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_QUERY_SECURITY -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_CREATE -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SHUTDOWN -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SET_EA -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SET_QUOTA -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_QUERY_INFORMATION -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_READ -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_FLUSH_BUFFERS -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_SET_SECURITY -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_QUERY_EA -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\system32\drivers\volmgr.sys IRP_MJ_CREATE -> 0xFFFFFFFF8598F1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_WRITE -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_CLOSE -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"
Infected;"Medium";"IRP hook, C:\Windows\System32\Drivers\Ntfs.sys IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFFFFF8631C1F8";"<unknown>";"Infected"

I'm away until Monday night. I will consider the options you suggested whilst I'm away.

[Teima]

Hello GBUID,

I did a search online about the Youtube issue, one thread I came across blamed AVG!
Several posters said they solved this issue by turning off the "web protection" function of AVG.
I don't see the point in doing that, you're paying for that so why turn it off!

Indeed. Most of these scenarios appear to be a hit and miss situation. What might work for one user might not work for another. Lets hope that manages to resolve the issue at hand.

Another poster said the issue disappeared when he updated to AVG 2014.
I checked my version and found that for some reason my version was 2013. I thought this odd as I update
everything on a daily basis nearly.

Yes that's a good course of action. As you are a paid AVG user you should be able to receive elevated support from their technical support staff who have more control over their software and should be able to rectify any future False Positives should they arise. With that in mind the AVG support forum can be situated here.

I'd like to thank you and your instructor for your support and help it has been much appreciated.

No worries. You're very much welcome. Your patience was also much appreciated. I'll present below some instructions to clean the tools we used during the process.

-------------

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Removal of OTL

Double-click OTL to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

Step One

Enabling Windows Updates

1. Please proceed with clicking "Start" then choosing the "Control Panel" on the left hand window.

2. Click the first menu selection named "System and Security".

3. Click the next option entitled "Windows Update".

4. Now click "Change Settings" which is situated on the left hand side.

5. Please make sure that the "Important Updates" box is selected to "Install Updates Automatically". Whilst these updates have been selected to install "Every Day".

6. Please also enable the "Recommended Updates" check box if it hasn't already been enabled.

7. Click "Ok" once these steps have been followed.

Step Two

Clearing System Restore Points

1. Please Navigate to the Start Menu

2. Once that's loaded right click on my computer and select the option named "Properties".

3. On the menu which is located on the left hand side please select "System Protection".

4. Under the system properties dialogue which is now loaded navigate to the tab named "System Protection" and proceed with clicking "Configure".

5. Click the option entitled "Delete" and proceed with clicking "Continue". Your system restore points have now been cleared.

Other recommendations

Please note that prevention is better than any cure. I'll post some recommendations below to further enhance your security.

• Please read this great article by miekiemoes entitled How to prevent Malware

[Teima]

Hello GBUID. Are you still with me mate?

[GUBID]

I certainly am!
I have deleted OTL and the other tools.
I already have the updates downloaded automatically, I just install them manually, it's more convenient for me that way.
The AVG support forum is just that a support forum that is checked by AVG staff it certainly isn't a source of elevated support.
I have posted there so hopefully will get some advice on dealing with the problem.
I tried to clear the restore points as you described but couldn't, I navigated to the system properties menu and clicked the tab
system protection. the option to configure was not available the only options available were "Create" and "System restore". So I didn't do anything!

[Teima]

Hello GUBID,

Thanks for the update. It's much appreciated.

At the moment. I'm just double checking something with my instructor to see if there's an alternative as to which we can take. Thanks.

[GUBID]

No worries. I have had a reply on the AVG forum so am going to try that.
I will keep you posted!

[Teima]

Hello GUBID,

I have spoken with my instructor and we feel that this should be able to fix it.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

[GUBID]

I followed you recommendations, did a restart but on running AVG, it found the same "infections".
The AVG forum have just asked me to submit the scan output and msinfo.
We'll see what they recommend.
There appears to be a lot of people asking about rootkits and false positives on there at the moment.
Thanks for trying!

[Teima]

Hello GUBID,

You're welcome. Did my previous set of instructions to clear the system restore points on your machine work without any issues? If so. Do you require any further assistance or should I mark this topic as resolved?

[GUBID]

Your last instructions may have worked, I'm not entirely sure what they were going to achieve.
I continue to get "infections" on each rootkit scan, that are never cured by AVG. Malwarebytes gives the all clear still.
So in one way my problems are unresolved but at least I am 80% confident that they are false positives.
If there's nothing further you can suggest (other) than getting shut of AVG then I guess we should call it a day!
Thanks for your help.
I'll let you know what turns up from AVG, OK.

[Teima]

Hello GUBID,

You're welcome. What clearing the system restore points did was prevent older machine access points to be restored. Also deleting restore points temporarily frees up disk space which isn't being used. More information about this can be situated here. With regards to if it worked as required. Did it return results similar to those situated on this topic?

Back to AVG. The files as to which you submitted online to my instructor were confirmed as clean which means a False Positive from their side of things. It's good to know that they are looking into this matter further and it would be nice to know the results. As my assistance is typically limited to the malware removal that means I'm typically limited with the responses as to which I can provide.

Consulting with the AVG technical support staff is a wise choice. Once they've discovered the issue they will roll out an update from their side to rectify the issue which is faced.