HI all, experienced a couple of strange crashes, a momentary lag in the system,
a blue screen with text which appeared for about 1/4 second, not enough time to read it,
and upon rebooting a message in Event viewer corresponding to the time of the crash :
"An error was detected on device \Device\Harddisk0\D during a paging operation."
I decided to run awsMBR,
since I'd seen it mentioned many times recently (I just ran the scan I didn't fix anything),
and the log mentions sptd.sys which it says is a rootkit, also nvata was highlighted in
red on the summary screen.
I have Deamon tools lite installed, that is where sptd.sys comes from, also nvata is the Nvidia
sata driver. Is it a false positive or possibly something is going on....
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 11:42:56
-----------------------------
11:42:56.140 OS Version: Windows 5.1.2600 Service Pack 3
11:42:56.140 Number of processors: 2 586 0x2302
11:42:56.140 ComputerName: AMD12ME UserName:
11:42:56.671 Initialize success
11:42:58.890 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:42:58.890 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
11:42:58.890 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000073
11:42:58.890 Disk 1 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
11:42:58.890 Device \Driver\nvata -> MajorFunction 8a5cc1e8
11:43:00.890 Disk 1 MBR read successfully
11:43:00.890 Disk 1 MBR scan
11:43:00.890 Disk 1 unknown MBR code
11:43:02.890 Disk 1 scanning sectors +488392065
11:43:02.906 Disk 1 scanning C:\WINDOWS\system32\drivers
11:43:06.750 File C:\WINDOWS\system32\drivers\sptd.sys TDL3 **ROOTKIT**
11:43:06.750 Disk 1 trace - called modules:
11:43:06.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a5cc1e8]<<
11:43:06.765 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a5baab8]
11:43:06.765 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000074[0x8a4cff18]
11:43:06.765 5 ACPI.sys[b7e57620] -> nt!IofCallDriver -> \Device\00000073[0x8a4f4030]
11:43:06.765 \Driver\nvata[0x8a46ca08] -> IRP_MJ_CREATE -> 0x8a5cc1e8
11:43:06.765 Scan finished successfully
11:45:19.796 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\MBR.dat"
11:45:19.796 The log file has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\aswMBR.txt"
EDIT - I uninstalled SPTD/Daemon tools and the scan looks a bit cleaner now. Is the scanning tool
making a mistake on sptd.sys? I scanned it with MSE and Avast - neither of them report anything.
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 13:33:47
-----------------------------
13:33:47.531 OS Version: Windows 5.1.2600 Service Pack 3
13:33:47.531 Number of processors: 2 586 0x2302
13:33:47.531 ComputerName: AMD12ME UserName:
13:33:47.750 Initialize success
13:33:51.093 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:33:51.093 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
13:33:51.093 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000071
13:33:51.093 Disk 1 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
13:33:53.109 Disk 1 MBR read successfully
13:33:53.109 Disk 1 MBR scan
13:33:53.109 Disk 1 unknown MBR code
13:33:55.109 Disk 1 scanning sectors +488392065
13:33:55.140 Disk 1 scanning C:\WINDOWS\system32\drivers
13:33:58.859 Service scanning
13:34:00.062 Disk 1 trace - called modules:
13:34:00.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:34:00.062 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a500ab8]
13:34:00.062 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000072[0x8a4bdf18]
13:34:00.062 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000071[0x8a4e3030]
13:34:00.062 Scan finished successfully
13:34:10.531 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\MBR.dat"
13:34:10.546 The log file has been saved successfully to "C:\Documents and Settings\Dave New\Desktop\aswMBR.txt"
