Author Topic: Rootkit detected........or was it?  (Read 5782 times)


boxtop

  • Guest
Rootkit detected........or was it?
« on: September 13, 2011, 03:55:32 AM »
I used the root kit scanner to scan one of my desktops and it came up with some issues.  The log is below.

**************************************************************************************
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-12 19:04:07
-----------------------------
19:04:07.260    OS Version: Windows 6.1.7601 Service Pack 1
19:04:07.260    Number of processors: 4 586 0x402
19:04:07.270    ComputerName: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19:04:13.360    Initialize success
19:04:13.490    AVAST engine defs: 11091200
19:04:19.870    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
19:04:19.870    Disk 0 Vendor: ST3640323AS CC1F Size: 610480MB BusType: 11
19:04:21.900    Disk 0 MBR read successfully
19:04:21.910    Disk 0 MBR scan
19:04:21.920    Disk 0 Windows 7 default MBR code
19:04:21.930    Disk 0 scanning sectors +1250260992
19:04:22.000    Disk 0 scanning C:\Windows\system32\drivers
19:04:29.310    Service scanning
19:04:30.350    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:04:30.910    Modules scanning
19:04:34.950    Disk 0 trace - called modules:
19:04:34.970    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855441f8]<<
19:04:34.970    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x864a5aa0]
19:04:34.980    3 CLASSPNP.SYS[8c01859e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x86291908]
19:04:34.980    \Driver\atapi[0x86284db8] -> IRP_MJ_CREATE -> 0x855441f8
19:04:39.660    AVAST engine scan C:\Windows
19:04:41.620    AVAST engine scan C:\Windows\system32
19:05:54.632    AVAST engine scan C:\Windows\system32\drivers
19:06:02.182    AVAST engine scan C:\Users\Kennon
19:08:58.755    AVAST engine scan C:\ProgramData
19:15:35.380    Scan finished successfully
********************************************************************************


The output was shown as above.  One locked file and a bunch of normal system files that the scanner doesn't like.  I tried to fix the MBR using the tool and reboot and the scan came up the same.  Used bootrec /fixmbr from Windows recovery and rebooted, no dice.  I checked the locked file and saw that it was related to Daemon Tools Lite which is software I don't use so I uninstalled it.  Ran the scan again to see if the locked file had cleared and I got the results below.

********************************************************************************
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-12 21:26:22
-----------------------------
21:26:22.210    OS Version: Windows 6.1.7601 Service Pack 1
21:26:22.210    Number of processors: 4 586 0x402
21:26:22.210    ComputerName: KENNON_LR_PC  UserName: Kennon
21:26:23.629    Initialize success
21:26:23.707    AVAST engine defs: 11091201
21:26:28.637    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
21:26:28.637    Disk 0 Vendor: ST3640323AS CC1F Size: 610480MB BusType: 11
21:26:30.665    Disk 0 MBR read successfully
21:26:30.665    Disk 0 MBR scan
21:26:30.681    Disk 0 Windows 7 default MBR code
21:26:30.696    Disk 0 scanning sectors +1250260992
21:26:30.759    Disk 0 scanning C:\Windows\system32\drivers
21:26:37.903    Service scanning
21:26:39.385    Modules scanning
21:26:45.204    Disk 0 trace - called modules:
21:26:45.251    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
21:26:45.251    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86421030]
21:26:45.251    3 CLASSPNP.SYS[8bd9559e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x8624d030]
21:26:49.057    AVAST engine scan C:\Windows
21:26:50.898    AVAST engine scan C:\Windows\system32
21:28:01.395    AVAST engine scan C:\Windows\system32\drivers
21:28:09.008    AVAST engine scan C:\Users\Kennon
21:30:12.887    AVAST engine scan C:\ProgramData
21:35:26.386    Scan finished successfully
***************************************************************************

So something about Daemon Tools was a little off.  Some of this is above my head so I don't know whether I was looking at a false positive or a well used program that has some shadiness going on.

Any insights?

Thanks in advance for your responses.

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Rootkit detected........or was it?
« Reply #1 on: September 13, 2011, 03:57:20 AM »
Hopefully somebody comes by that knows a bit more than I about the Avast Rootkit scanner...
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Rootkit detected........or was it?
« Reply #2 on: September 13, 2011, 04:48:16 AM »
Well the good thing is that the aswMBR.exe was reporting that the MBR was the default one before running bootrec /fixmbr. So it doesn't appear this is an MBR rootkit.

19:04:21.920    Disk 0 Windows 7 default MBR code

Removing the daemon tools lite, appears to have not only removed the locked entry, but also the Unknown entries and also the other Red entry.
Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:04:34.970    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855441f8]<<
19:04:34.980    \Driver\atapi[0x86284db8] -> IRP_MJ_CREATE -> 0x855441f8

So it does look better, though I'm no expert in this, essexboy is the man, unfortunately it is 3:50am in the UK right now; so it will be tomorrow evening after work when he is likely to be back on the forums.

Though with the limited information scythe944 gave about the problem in your Provider saying there was some malware activity on your IP, I find it strange that this could be anything to do with Daemon Tools Lite, which I would have thought was a local system application. I just wonder how your Provider would determine malicious activity and why they didn't say what that was.

So essexboy would probably want to run some other analysis tools.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
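What DavidR does by eye above is a line-by-line triage of the aswMBR log: the MBR line, any **LOCKED** service, any >>UNKNOWN<< module in the disk I/O trace, and any IRP_MJ_* dispatch entry whose handler address falls inside that unknown module. The Python below is an added example, not code from the thread or from aswMBR, that applies those same rules to the two logs boxtop posted (reduced to the relevant lines, copied from above) and reports the before/after difference. The regular expressions and the rule that anything other than "default MBR code" is suspicious are assumptions about aswMBR's output format drawn only from the lines on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the significant lines from the two aswMBR logs posted
# above; the routine "AVAST engine scan" lines are omitted.
LOG_BEFORE = r"""
19:04:21.920    Disk 0 Windows 7 default MBR code
19:04:30.350    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:04:34.970    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855441f8]<<
19:04:34.970    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x864a5aa0]
19:04:34.980    \Driver\atapi[0x86284db8] -> IRP_MJ_CREATE -> 0x855441f8
19:15:35.380    Scan finished successfully
"""

LOG_AFTER = r"""
21:26:30.681    Disk 0 Windows 7 default MBR code
21:26:45.251    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
21:26:45.251    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86421030]
21:35:26.386    Scan finished successfully
"""

# These patterns are assumptions about aswMBR's line format, derived only from the logs above.
MBR_RE = re.compile(r"Disk (\d+) (.*MBR code.*)")
LOCKED_RE = re.compile(r"Service (\S+) (\S+) \*\*LOCKED\*\*")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


@dataclass
class Findings:
    mbr: dict = field(default_factory=dict)      # disk number -> MBR description
    locked: list = field(default_factory=list)   # (service name, driver path)
    unknown: list = field(default_factory=list)  # addresses of modules aswMBR could not attribute
    hooks: list = field(default_factory=list)    # (driver object, IRP major function, handler address)

    def correlated_hooks(self):
        """IRP dispatch entries whose handler lives in an unattributed module.
        A disk-filter rootkit produces exactly this pattern; so does SPTD, the
        Daemon Tools driver, which is why the first scan looked infected."""
        targets = {a.lower() for a in self.unknown}
        return [h for h in self.hooks if h[2].lower() in targets]


def triage(log_text):
    """Extract the security-relevant entries from an aswMBR log."""
    f = Findings()
    for line in log_text.splitlines():
        if m := MBR_RE.search(line):
            f.mbr[int(m.group(1))] = m.group(2).strip()
        elif m := LOCKED_RE.search(line):
            f.locked.append((m.group(1), m.group(2)))
        elif m := UNKNOWN_RE.search(line):
            f.unknown.append(m.group(1))
        elif m := HOOK_RE.search(line):
            f.hooks.append((m.group(1), m.group(2), m.group(3)))
    return f


def verdict(f):
    """Return ("CLEAN", []) or ("INVESTIGATE", reasons). It deliberately never says
    "infected": a locked driver plus an unattributed IRP hook is consistent with both
    a rootkit and a legitimate disk emulator; identifying or removing the module settles it."""
    reasons = []
    for disk, desc in f.mbr.items():
        if "default MBR code" not in desc:
            reasons.append(f"disk {disk}: MBR is not the stock boot code ({desc})")
    for addr in f.unknown:
        reasons.append(f"unattributed module at {addr} in the disk I/O call chain")
    for drv, irp, target in f.correlated_hooks():
        reasons.append(f"{drv} {irp} dispatch -> {target} lands in that unattributed module")
    for svc, path in f.locked:
        reasons.append(f"service {svc} ({path}) is locked against reading")
    return ("INVESTIGATE", reasons) if reasons else ("CLEAN", [])


if __name__ == "__main__":
    for label, log in (("before removing Daemon Tools", LOG_BEFORE), ("after", LOG_AFTER)):
        state, reasons = verdict(triage(log))
        print(f"{label}: {state}")
        for r in reasons:
            print("  -", r)
```

Run as-is, the first log comes back INVESTIGATE with three reasons (the unattributed module, the atapi IRP_MJ_CREATE hook into it, and the locked sptd.sys) while the second comes back CLEAN, which is the same conclusion the thread reaches. The point of keeping the MBR check separate is the one DavidR makes: the MBR was already stock before bootrec /fixmbr, so the hook evidence was never about the boot sector.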

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Rootkit detected........or was it?
« Reply #3 on: September 13, 2011, 03:35:04 PM »
Thanks David!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Rootkit detected........or was it?
« Reply #4 on: September 13, 2011, 03:44:04 PM »
You're welcome.

It may be worth having boxtop download and run OTL and post the log so essexboy has something to work with when he does come on-line. Still a few hours before he is likely to be on-line, but I have PM'd him about the topic.

Quote from: essexboy
Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs
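The /md5start ... /md5stop block in the OTL custom scan above hashes every copy of explorer.exe, winlogon.exe, Userinit.exe and svchost.exe on the system drive, so that a patched or out-of-place copy of a core binary stands out in the log. The Python below is an added example (not OTL's code and not from the thread) of the same check done against a baseline: it builds a constructed miniature system drive in a temporary directory, records known-good hashes, tampers with one binary, plants a stray svchost.exe in a user temp folder, and reports what changed. The directory layout, the file contents and the use of SHA-256 alongside MD5 are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# The names OTL hashes in the custom scan above; matched case-insensitively.
TARGET_NAMES = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


def file_hashes(path):
    """MD5 (what OTL reports) and SHA-256 (what a baseline should really key on)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, names=TARGET_NAMES):
    """Walk root and hash every file whose name is in names.
    Returns {relative path with '/' separators: (md5, sha256)}."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = file_hashes(full)
    return found


def compare(current, baseline):
    """Classify hashed files against a baseline of {relative path: sha256}.
    A copy that merely differs from another copy is not evidence by itself: on 64-bit
    Windows System32 and SysWOW64 legitimately hold different builds of svchost.exe,
    which is why the comparison is per path, not per file name."""
    modified = sorted(p for p in current if p in baseline and current[p][1] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed system drive (hypothetical contents): baseline, then tamper, then compare."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Windows/explorer.exe": b"explorer-64",
            "Windows/System32/svchost.exe": b"svchost-64",
            "Windows/SysWOW64/svchost.exe": b"svchost-32",  # legitimately differs from System32
            "Windows/System32/winlogon.exe": b"winlogon-64",
            "Windows/System32/userinit.exe": b"userinit-64",
        }
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = {p: h[1] for p, h in scan_tree(root).items()}

        # Tamper: patch userinit.exe in place and drop a stray svchost.exe in a temp folder.
        with open(os.path.join(root, "Windows", "System32", "userinit.exe"), "wb") as fh:
            fh.write(b"userinit-64-patched")
        stray_dir = os.path.join(root, "Users", "x", "AppData", "Local", "Temp")
        os.makedirs(stray_dir, exist_ok=True)
        with open(os.path.join(stray_dir, "svchost.exe"), "wb") as fh:
            fh.write(b"not-svchost")

        return compare(scan_tree(root), baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Without a baseline, which is the situation OTL is normally run in, the hashes still help: a copy of svchost.exe under a user profile or a temp directory is out of place regardless of its hash, and a System32 binary whose hash differs from the same file on a patched machine of the same build is worth a closer look.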

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit detected........or was it?
« Reply #5 on: September 13, 2011, 07:31:46 PM »
Ready and waiting...  ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Rootkit detected........or was it?
« Reply #6 on: September 13, 2011, 07:59:29 PM »
Thanks for joining the topic essexboy.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit detected........or was it?
« Reply #7 on: September 13, 2011, 08:17:10 PM »
I like mysteries  ;D

boxtop

  • Guest
Re: Rootkit detected........or was it?
« Reply #8 on: September 16, 2011, 04:14:54 AM »
OK, I am trying to run this scan but I am only getting one log file. OTL.txt is created but Extras.txt is not. I will post as soon as I can.

boxtop

  • Guest
Re: Rootkit detected........or was it?
« Reply #9 on: September 16, 2011, 04:24:21 AM »
I only get one file.  It is attached.

« Last Edit: September 16, 2011, 04:43:54 AM by boxtop »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit detected........or was it?
« Reply #10 on: September 16, 2011, 06:06:52 PM »
What are your current problems? There is very little showing in that log.

boxtop

  • Guest
Re: Rootkit detected........or was it?
« Reply #11 on: September 16, 2011, 08:32:21 PM »
Quote from: essexboy
What are your current problems? There is very little showing in that log.

I am not having any problems.  I only ran scans on my machines because of an email I received from my ISP.  Maybe the letter was a canned letter to get me to download and use their security offerings.  At any rate they said there might be an issue so I ran the root kit detector and got the first results I posted above.  After some searching I found that the locked file was related to Daemon tools lite so I decided to uninstall Daemon tools and after that the next scan came up completely clean.  I was only trying to fix the locked file issue but it ended up fixing everything.  I am starting to think that this was all a coincidence (canned email from ISP to peddle their security suite) combined with a false positive caused by software that was legitimately installed for a while.  Incidentally I had that same version of Daemon tools installed on two other machines in my house and neither of them came up with errors.  I have since removed Daemon tools from all my machines.

I guess I just wanted some more skilled eyes to have a look.  I am wondering if I should go through the process of changing the several hundred internet passwords that I have or if that would be overkill.  I really am not convinced that I ever had malicious software present to begin with.

Thanks for having a look and please feel free to comment with any additional insights you may have.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit detected........or was it?
« Reply #12 on: September 16, 2011, 08:48:00 PM »
Normally there are remnants left behind after an automated tool removal, but here I could see nothing. So your surmise may well be correct.

As for Daemon Tools, I have had one where that was masking a rootkit and removal revealed it, but not in this case.

If you have never had any symptoms then changing passwords would probably be overkill.

boxtop

  • Guest
Re: Rootkit detected........or was it?
« Reply #13 on: September 16, 2011, 09:29:33 PM »
Thank you for your insights.