PDA

View Full Version : Avast keeps warning me about SPTD.SYS is it bad?


matson
2011-06-01, 23:36
It never happened before. since yesterday, Avast seems to be upset about SPTD.SYS which happened to be a file associated with Alcohol52% (an emulation driver).
the thing is after running several time malware byte and spybot none of them found anything.
it start by avast saying there is a rootkit on the sys32, and in order to clean it you need to restart. after that avast keeps coming back with the SPTD.SYS thing.
here is the malware byte log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 6748

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-06-01 16:16:54
mbam-log-2011-06-01 (16-16-54).txt

Scan type: Quick scan
Objects scanned: 152422
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS log

.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by NICOU at 16:22:53 on 2011-06-01
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page =
mStart Page =
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{2D910C84-4AE8-4338-B616-08A91C617263} : DhcpNameServer = 192.168.2.1 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicou\application data\mozilla\firefox\profiles\mtc5e0vx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\nicou\application data\mozilla\firefox\profiles\mtc5e0vx.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R? Cubase32;Cubase32
R? epmntdrv;epmntdrv
R? EuGdiDrv;EuGdiDrv
R? RDID1044;Roland SP-606
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? HSFHWATI;HSFHWATI
S? StarWindServiceAE;StarWind AE Service
.
=============== Created Last 30 ================
.
2011-05-22 04:30:28 -------- d-----w- c:\program files\Softube
2011-05-17 18:05:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-13 18:42:16 253952 ------w- c:\windows\Setup1.exe
2011-05-13 18:42:16 -------- d-----w- c:\program files\Previsio
2011-05-13 18:42:14 74752 ----a-w- c:\windows\ST6UNST.EXE
2011-05-13 01:04:46 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-13 01:04:23 40112 ----a-w- c:\windows\avastSS.scr
2011-05-13 01:04:11 -------- d-----w- c:\program files\AVAST Software
2011-05-13 01:04:11 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-05-10 02:33:29 -------- d-----w- c:\program files\SpywareGuard
2011-05-10 02:27:02 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-10 02:27:00 -------- d-----w- c:\program files\SpywareBlaster
2011-05-07 18:29:07 -------- d-----w- c:\windows\system32\XPSViewer
2011-05-07 18:28:30 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-05-07 18:28:12 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-05-07 18:28:12 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-05-07 18:28:12 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-05-07 18:28:12 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-05-07 18:28:12 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-05-07 18:28:12 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-05-07 18:28:12 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-05-07 18:28:12 117760 ------w- c:\windows\system32\prntvpt.dll
2011-05-07 18:28:11 -------- d-----w- C:\ce10f287d9ee23a3100d2f7320fdee
.
==================== Find3M ====================
.
2011-05-29 12:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 12:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 18:15:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-09 18:15:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-28 03:21:56 0 ----a-w- c:\windows\Xgihetiy.bin
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth2.dll
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth1.dll
2011-04-06 22:07:29 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-03-31 14:18:18 23376 ----a-w- c:\windows\system32\dopdfmn7.dll
2011-03-31 14:18:16 20304 ----a-w- c:\windows\system32\dopdfmi7.dll
2011-03-25 23:04:16 18048 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-03-25 23:03:44 2340992 ----a-w- c:\windows\system32\BootMan.exe
2011-03-24 13:57:54 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-03-24 13:57:54 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-03-24 13:57:54 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 16:27:25,93 ===============

I wanted to post the attach.txt in zip but I saved the log on the desktop but they don't show up!!!! I don't where they are, they just don't show up. I am glad I copied and pasted the DDS log otherwise I would have not been able to post anything...

http://forums.spybot.info/showthread.php?p=404484#post404484
http://forums.spybot.info/showthread.php?p=403834#post403834
jeffce
2011-06-02, 02:26
Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Having said that....Let's get going!! :thumbup:

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise, this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible. Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable. (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
matson
2011-06-02, 08:03
No problem Jeff, I'll follow your instructions!!!!

and welcome in your new world :thanks:
jeffce
2011-06-03, 02:35
Hi Matson,

Lets get this going shall we?

Please run DDS once more so I can get a fresh log and post it into your next reply. :)
----------

aswMBR

Lets get a scan of your Master Boot Record shall we:
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the Scan button to start scan
On completion of the scan click Save Log, save it to your Desktop and post in your next reply


In your next reply please post the new DDS logs and the log created by aswMBR. :)
matson
2011-06-03, 07:01
DDS log
.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by NICOU at 23:52:29 on 2011-06-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1543 [GMT -3:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
F:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page =
mStart Page =
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\nicou\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{2D910C84-4AE8-4338-B616-08A91C617263} : DhcpNameServer = 192.168.2.1 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicou\application data\mozilla\firefox\profiles\mtc5e0vx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\nicou\application data\mozilla\firefox\profiles\mtc5e0vx.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-12 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-12 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-12 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-12 42184]
R2 StarWindServiceAE;StarWind AE Service;f:\programmes\alcohol 52\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [2011-4-11 11808]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-4-5 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-4-5 8456]
S3 RDID1044;Roland SP-606;c:\windows\system32\drivers\rdwm1044.sys [2011-4-11 161422]
.
=============== Created Last 30 ================
.
2011-06-02 19:10:16 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-06-02 15:17:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-02 15:17:31 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-02 15:17:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-22 04:30:28 -------- d-----w- c:\program files\Softube
2011-05-17 18:05:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-13 18:42:16 253952 ------w- c:\windows\Setup1.exe
2011-05-13 18:42:16 -------- d-----w- c:\program files\Previsio
2011-05-13 18:42:14 74752 ----a-w- c:\windows\ST6UNST.EXE
2011-05-13 01:04:46 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-13 01:04:23 40112 ----a-w- c:\windows\avastSS.scr
2011-05-13 01:04:11 -------- d-----w- c:\program files\AVAST Software
2011-05-13 01:04:11 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-05-10 02:33:29 -------- d-----w- c:\program files\SpywareGuard
2011-05-10 02:27:02 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-10 02:27:00 -------- d-----w- c:\program files\SpywareBlaster
2011-05-07 18:29:07 -------- d-----w- c:\windows\system32\XPSViewer
2011-05-07 18:28:30 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-05-07 18:28:12 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-05-07 18:28:12 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-05-07 18:28:12 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-05-07 18:28:12 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-05-07 18:28:12 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-05-07 18:28:12 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-05-07 18:28:12 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-05-07 18:28:12 117760 ------w- c:\windows\system32\prntvpt.dll
2011-05-07 18:28:11 -------- d-----w- C:\ce10f287d9ee23a3100d2f7320fdee
.
==================== Find3M ====================
.
2011-05-29 12:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 12:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 18:15:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-09 18:15:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-28 03:21:56 0 ----a-w- c:\windows\Xgihetiy.bin
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth2.dll
2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth1.dll
2011-04-06 22:07:29 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-03-31 14:18:18 23376 ----a-w- c:\windows\system32\dopdfmn7.dll
2011-03-31 14:18:16 20304 ----a-w- c:\windows\system32\dopdfmi7.dll
2011-03-25 23:04:16 18048 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-03-25 23:03:44 2340992 ----a-w- c:\windows\system32\BootMan.exe
2011-03-24 13:57:54 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-03-24 13:57:54 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-03-24 13:57:54 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 23:55:48,78 ===============


aswMBR log

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-02 23:57:47
-----------------------------
23:57:47.390 OS Version: Windows 5.1.2600 Service Pack 3
23:57:47.390 Number of processors: 1 586 0x2402
23:57:47.390 ComputerName: MOHICAN UserName: NICOU
23:57:47.687 Initialize success
23:57:52.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:57:52.671 Disk 0 Vendor: ST9120824A 3.05 Size: 114473MB BusType: 3
23:57:52.687 Disk 0 MBR read error 0
23:57:52.687 Disk 0 MBR scan
23:57:52.687 Disk 0 unknown MBR code
23:57:52.687 MBR BIOS signature not found 0
23:57:52.687 Disk 0 scanning sectors +234436545
23:57:52.703 Disk 0 scanning C:\WINDOWS\system32\drivers
23:57:57.093 Service scanning
23:57:58.390 Disk 0 trace - called modules:
23:57:58.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
23:57:58.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89de6ab8]
23:57:58.406 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000074[0x89db5920]
23:57:58.421 5 ACPI.sys[f7233620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89df0d98]
23:57:58.812 Scan finished successfully
23:58:19.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\NICOU\Desktop\MBR.dat"
23:58:19.218 The log file has been saved successfully to "C:\Documents and Settings\NICOU\Desktop\aswMBR.txt"
jeffce
2011-06-03, 16:35
Hi Matson,

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM.jpg

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.



The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/


In your next reply please post the logs created by both Malwarebytes and ESET Online scan. :)
matson
2011-06-04, 03:18
so here is the malwarebytes log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6767

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-06-03 17:59:41
mbam-log-2011-06-03 (17-59-41).txt

Scan type: Quick scan
Objects scanned: 152683
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETscan found nothing too
in attachment a picture of the finished scan
jeffce
2011-06-04, 16:15
Hi Matson,

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :) SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :)

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


The file that you were concerned about, SPTD.SYS, is part of your emulation drive and there is nothing to be concerned about. It is a false positive being picked up by Avast.
You can go to the following link and read a little bit about that file here (http://forum.avast.com/index.php?topic=79072.0).

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and Update an Anti-Virus Software - I can not overemphasize the need for you to use and update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).
**Do not install more than one firewall program because they will conflict with each other**

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Filehippo's Update Checker (http://www.filehippo.com/updatechecker/). It is free utilitiy that scan your computer for installed software, checks the versions and then sends this information to see if there are any newer releases. Available software updates are displayed and you can decide which ones to download and install. Among many other types of programs, they includes a number of the Anti-Spyware, Firewall/Security and Anti-Virus programs that have been recommended (though not all of them). Note: Definition files should be updated from within the programs themselves. The Update Checker look for newer versions of the software program, not definition files.

7. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

8. WOT (http://www.mywot.com/), Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

9. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://forum.malwareremoval.com/viewtopic.php?t=13)

10. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)


Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
matson
2011-06-05, 06:32
Thank You Jeff.
I surf with WOT, I try to be safe on the web but I think when you run on XP, there is more and more chances to get something just because somebody whant us, XP users, to move to the new 7...

Can you recommend me a good firewall that is free but not so complicated?
I looked at some firewall but honestly, just to set them up you need to be some sort of computer tech.
jeffce
2011-06-05, 16:13
Hi Matson,
I am happy that we were able to help. I personally like Online Armor as a firewall. It seems to be light on resources and works well in my opinion. If you are interested in checking that out you can find it here (https://www.online-armor.com/downloads.php). There are different versions you may choose from to include the free version which I use myself. Hope that helps. :greeting: