Avast WEBforum

Other => Viruses and worms => Topic started by: davexnet on May 04, 2011, 09:48:56 PM

Title: xp unusual behavior; SPTD.sys, awsMBR results
Post by: davexnet on May 04, 2011, 09:48:56 PM
Hi all, experienced a couple of strange crashes, a momentary lag in the system,
a blue screen with text which appeared for about 1/4 second, not enough time to read it,
and upon rebooting a message in Event Viewer corresponding to the time of the crash:
"An error was detected on device \Device\Harddisk0\D during a paging operation."

I decided to run aswMBR,
since I'd seen it mentioned many times recently (I just ran the scan, I didn't fix anything),
and the log mentions sptd.sys, which it says is a rootkit; also nvata was highlighted in
red on the summary screen.

I have Daemon Tools Lite installed, that is where sptd.sys comes from; also nvata is the Nvidia
SATA driver.  Is it a false positive, or is something possibly going on....

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 11:42:56
-----------------------------
11:42:56.140    OS Version: Windows 5.1.2600 Service Pack 3
11:42:56.140    Number of processors: 2 586 0x2302
11:42:56.140    ComputerName: AMD12ME  UserName:
11:42:56.671    Initialize success
11:42:58.890    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:42:58.890    Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
11:42:58.890    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000073
11:42:58.890    Disk 1 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
11:42:58.890    Device \Driver\nvata -> MajorFunction 8a5cc1e8
11:43:00.890    Disk 1 MBR read successfully
11:43:00.890    Disk 1 MBR scan
11:43:00.890    Disk 1 unknown MBR code
11:43:02.890    Disk 1 scanning sectors +488392065
11:43:02.906    Disk 1 scanning C:\WINDOWS\system32\drivers
11:43:06.750    File C:\WINDOWS\system32\drivers\sptd.sys TDL3 **ROOTKIT**
11:43:06.750    Disk 1 trace - called modules:
11:43:06.765    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a5cc1e8]<<
11:43:06.765    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a5baab8]
11:43:06.765    3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8a4cff18]
11:43:06.765    5 ACPI.sys[b7e57620] -> nt!IofCallDriver -> \Device\00000073[0x8a4f4030]
11:43:06.765    \Driver\nvata[0x8a46ca08] -> IRP_MJ_CREATE -> 0x8a5cc1e8
11:43:06.765    Scan finished successfully
11:45:19.796    Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\MBR.dat"
11:45:19.796    The log file has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\aswMBR.txt"

EDIT - I uninstalled SPTD/Daemon Tools and the scan looks a bit cleaner now.  Is the scanning tool
making a mistake on sptd.sys?  I scanned it with MSE and Avast - neither of them report anything.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 13:33:47
-----------------------------
13:33:47.531    OS Version: Windows 5.1.2600 Service Pack 3
13:33:47.531    Number of processors: 2 586 0x2302
13:33:47.531    ComputerName: AMD12ME  UserName:
13:33:47.750    Initialize success
13:33:51.093    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:33:51.093    Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
13:33:51.093    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000071
13:33:51.093    Disk 1 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
13:33:53.109    Disk 1 MBR read successfully
13:33:53.109    Disk 1 MBR scan
13:33:53.109    Disk 1 unknown MBR code
13:33:55.109    Disk 1 scanning sectors +488392065
13:33:55.140    Disk 1 scanning C:\WINDOWS\system32\drivers
13:33:58.859    Service scanning
13:34:00.062    Disk 1 trace - called modules:
13:34:00.062    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:34:00.062    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a500ab8]
13:34:00.062    3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000072[0x8a4bdf18]
13:34:00.062    5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000071[0x8a4e3030]
13:34:00.062    Scan finished successfully
13:34:10.531    Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\MBR.dat"
13:34:10.546    The log file has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\aswMBR.txt"

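As an added example (not part of the thread above and not aswMBR's own code), a small Python triage script that parses the hook-related lines of the two logs posted above and correlates the `>>UNKNOWN [0x...]<<` entry in the call trace with the `IRP_MJ_CREATE` redirection recorded for `\Driver\nvata`; the log excerpts are constructed from the lines quoted in the post, and the field layout is assumed from them.

```python
import re

# Constructed excerpts modelled on the two aswMBR logs posted above: the first run
# with SPTD installed, the second after Daemon Tools/SPTD had been uninstalled.
SCAN_BEFORE = r"""
11:42:58.890    Device \Driver\nvata -> MajorFunction 8a5cc1e8
11:43:06.750    File C:\WINDOWS\system32\drivers\sptd.sys TDL3 **ROOTKIT**
11:43:06.765    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a5cc1e8]<<
11:43:06.765    \Driver\nvata[0x8a46ca08] -> IRP_MJ_CREATE -> 0x8a5cc1e8
"""
SCAN_AFTER = r"""
13:33:58.859    Service scanning
13:34:00.062    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
"""

TS = r"^\d\d:\d\d:\d\d\.\d+\s+"  # leading timestamp on every log line
RE_ROOTKIT = re.compile(TS + r"File (\S+) (\S+) \*\*ROOTKIT\*\*")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
RE_MAJORFN = re.compile(TS + r"Device \\Driver\\(\w+) -> MajorFunction ([0-9a-fA-F]+)")
RE_DISPATCH = re.compile(TS + r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9a-fA-F]+)")
RE_MODULE = re.compile(r"^[\w.]+\.(?:exe|sys|dll)$", re.IGNORECASE)

def parse_findings(log_text):
    """Collect the hook-related facts from one aswMBR log into a single dict."""
    f = {"rootkit_files": [], "unknown_hooks": [], "major_function": {},
         "dispatch_hooks": [], "trace_modules": []}
    for line in log_text.splitlines():
        if m := RE_ROOTKIT.match(line):          # flagged file and family tag (e.g. TDL3)
            f["rootkit_files"].append((m.group(1), m.group(2)))
        if m := RE_MAJORFN.match(line):          # where a driver's dispatch table points
            f["major_function"][m.group(1)] = m.group(2).lower()
        if m := RE_DISPATCH.match(line):         # driver, IRP major code, target address
            f["dispatch_hooks"].append((m.group(1), m.group(2), m.group(3).lower()))
        f["unknown_hooks"] += [a.lower() for a in RE_UNKNOWN.findall(line)]
        tokens = re.sub(TS, "", line).split()
        if tokens and RE_MODULE.match(tokens[0]):  # the "called modules" trace line
            f["trace_modules"] += [t for t in tokens if RE_MODULE.match(t)]
    return f

def correlate_hooks(findings):
    """Dispatch redirections whose target aswMBR could not attribute to any
    loaded module, i.e. the disk stack is being serviced by unattributed code."""
    unknown = set(findings["unknown_hooks"])
    return [h for h in findings["dispatch_hooks"] if h[2] in unknown]

if __name__ == "__main__":
    for label, text in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, correlate_hooks(parse_findings(text)))
```

The detection in the first log hangs on the redirected dispatch (nvata's IRP_MJ_CREATE going to 0x8a5cc1e8, which no loaded module accounts for) rather than on the file's contents, which is consistent with MSE and Avast reporting nothing when scanning sptd.sys itself; in the second log the same chain ends in nvata.sys and nothing correlates.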

Title: Re: xp unusual behavior; SPTD.sys, awsMBR results
Post by: Pondus on May 05, 2011, 01:06:35 AM
Quote
I scanned it with MSE and Avast - neither of them report anything.
Does that mean you have MSE and avast installed?
Running multiple AV programs can create all kinds of mysterious Windows errors and false-positive detections.

Never install two antivirus programs (see reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

Title: Re: xp unusual behavior; SPTD.sys, awsMBR results
Post by: davexnet on May 05, 2011, 02:09:18 AM
Hi Pondus, I've got two installs of XP on the same box.  Avast 6 on one, and MSE on the other.
Separate partitions, but they can access each other's files (good for troubleshooting).
This issue occurred on the system with MSE and Daemon Tools installed.  Scanning with MSE revealed
nothing; likewise, booting up the other XP and using Avast to scan the former partition also
showed nothing.

Title: Re: xp unusual behavior; SPTD.sys, awsMBR results
Post by: essexboy on May 05, 2011, 08:26:50 PM
The sptd is not a false alarm - trust me, I am working on one now on another forum.