ROOTKIT: SPTISRV.exe win32:evo-gen [susp]

Hi everybody!!

I need help! Two days ago my Avast (version 2014.9.0.2018) popped up and told me that it had found a rootkit (SPTISRV.exe win32:evo-gen [susp]). My operating system is Windows Vista.

I have done the following analyses: virustotal.com, aswMBR, MBAR, MBAM and OTL. I followed the steps in this link
https://forum.avast.com/index.php?topic=53253.0

I will attach the results of the analysis:

virustotal.com

https://www.virustotal.com/es/file/e8a23c282c135b0213f1ba80e514722da78d9f316b053a2355f8a34b1001102b/analysis/1403082021/

aswMBR

aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-06-17 13:04:50

13:04:50.065 OS Version: Windows 6.0.6002 Service Pack 2
13:04:50.065 Number of processors: 2 586 0xF0D
13:04:50.065 ComputerName: USUARIO1 UserName: Usuario
13:04:50.580 Initialize success
13:04:50.580 VM: initialized successfully
13:04:50.689 VM: outdated driver version !
13:04:54.885 AVAST engine defs: 14061601
13:04:57.163 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
13:04:57.163 Disk 0 Vendor: Size: 238475MB BusType: 0
13:04:57.163 Disk 1 \Device\Harddisk1\DR1 → \Device\0000006a
13:04:57.179 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
13:04:57.179 Disk 2 \Device\Harddisk2\DR2 → \Device\0000006b
13:04:57.179 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
13:04:57.491 Disk 0 MBR read successfully
13:04:57.491 Disk 0 MBR scan
13:04:57.506 Disk 0 Windows VISTA default MBR code
13:04:57.522 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 11374 MB offset 2048
13:04:57.553 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 227099 MB offset 23296000
13:04:57.569 Disk 0 scanning sectors +488395120
13:04:57.896 Disk 0 scanning C:\Windows\system32\drivers
13:05:24.837 Service scanning
13:06:06.488 Service SPTISRV C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe INFECTED Win32:Evo-gen [Susp]
13:06:13.836 Modules scanning
13:06:38.172 Disk 0 trace - called modules:
13:06:38.188 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
13:06:38.203 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89f35620]
13:06:38.203 3 CLASSPNP.SYS[8dda08b3] → nt!IofCallDriver → [0x8927a410]
13:06:38.203 5 acpi.sys[8069b6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x88d0e028]
13:06:39.436 AVAST engine scan C:\Windows
13:06:43.336 AVAST engine scan C:\Windows\system32
13:11:52.641 AVAST engine scan C:\Windows\system32\drivers
13:12:43.450 AVAST engine scan C:\Users\Usuario
13:52:06.893 AVAST engine scan C:\ProgramData
14:07:32.466 Scan finished successfully
14:26:04.317 Disk 0 MBR has been saved successfully to “C:\Users\Usuario\Desktop\MBR.dat”
14:26:04.380 The log file has been saved successfully to “C:\Users\Usuario\Desktop\aswMBR.txt”

MBAR

When I ran this program for the first time it showed me the following text: ‘Registry value “AppInit_Dlls” has been found, which may be caused by rootkit activity’. I said ‘yes’, and when it finished it said that everything was OK.

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.06.17.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Usuario :: USUARIO1 [administrator]

17/06/2014 14:58:11
mbar-log-2014-06-17 (14-58-11).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 277043
Time elapsed: 12 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

MBAM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/06/2014
Scan Time: 16:29:58
Logfile: MBAM_eng.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.18.06
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Usuario

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 277575
Time Elapsed: 13 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

I don’t know if it is a false positive or something bad. The OTL logs are very big, and it doesn’t let me post them in this post.

Thanks in advance for your help!!! I appreciate your help a lot.

That looks to be a false positive, see http://www.bleepingcomputer.com/startups/Sony_SPTI_Service-7637.html

Are you experiencing any problems?

I have no problems at all. Only Avast is popping up every time, warning me about this rootkit.

There should be the option to ignore… Please select that

Could you then add the following file to the Avast virus chest and then upload it to the virus labs:

C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
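Before sending a flagged file to the lab it helps to confirm which file you actually have and who signed it; a validly signed binary from the expected vendor is the usual sign of a false positive. The script below is an added example, not from this thread or from Avast or Sony; it assumes the file path and the SHA-256 from the VirusTotal link quoted above, and computes the hash with .NET directly so it also runs on the PowerShell 2.0 found on Vista-era machines (which lacks Get-FileHash).

```powershell
# Added example: triage a suspected false positive by checking the file's
# SHA-256 against the VirusTotal report and inspecting its Authenticode signature.
$path     = 'C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe'
# SHA-256 taken from the VirusTotal URL in the original post (assumed to be this file)
$expected = 'e8a23c282c135b0213f1ba80e514722da78d9f316b053a2355f8a34b1001102b'

if (-not (Test-Path -LiteralPath $path)) { throw "File not found: $path" }

# 1. Hash the file on disk, so the lab receives the same sample VirusTotal analysed
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($path)
try     { $bytes = $sha256.ComputeHash($stream) }
finally { $stream.Close() }
$actual = ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
"SHA-256                   : $actual"
"Matches VirusTotal report : $($actual -eq $expected)"

# 2. Authenticode signature. 'Valid' with the vendor's certificate supports a
#    false positive; 'NotSigned', 'HashMismatch' or 'NotTrusted' deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $path
"Signature status          : $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer                    : $($sig.SignerCertificate.Subject)"
    "Signer cert expires       : $($sig.SignerCertificate.NotAfter)"
}

# 3. Version resource: who the file claims to be from. Easy to forge, so this is
#    only supporting evidence next to the signature check above.
$vi = (Get-Item -LiteralPath $path).VersionInfo
"Company                   : $($vi.CompanyName)"
"Product                   : $($vi.ProductName) $($vi.ProductVersion)"
```

A hash that does not match the report means you are looking at a different file from the one VirusTotal scanned, so hash and submit the file you have rather than relying on the earlier result.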

Ok, so is this a false positive?

I could add OTL results if you need to read them.

Thanks

Certainly I could check the OTL log if you wish. Just attach it in your next post

The OTL documents are very big and I can’t post them. Do you know how I can show them to you?

You can attach the log

I have attached OTL documents. I hope everything is ok.

Thanks

Could you ensure that OTL is saved in ANSI format, please?

Ok. Now they are in ANSI format.

Looks good, a little bit of adware is all :slight_smile:

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete, click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.

Here is the logfile.

Hmm, a bit more junk than I thought. Is the computer behaving now?

Apparently everything is OK. I’m not using my computer a lot these days, but I have now tried to use different programs at the same time and I have had no problems.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run it for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you very much for your help!!!

My pleasure :slight_smile: