Hello,
I had an Alureon L on my MBR 0, and I followed what someone said in the forum, which was:
Download aswMBR.exe, run it, save the log, and then download TDSSKiller.exe and run it.
Now here is my problem: I have downloaded pretty much all the tools on the net, and none are working against this file.
I have a file in system32 called sptd.sys, and aswMBR.exe keeps telling me that the file is locked. This is true; I tried to open it without luck.
Then the aswMBR.exe program found 2 other rootkits called
ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffadf38c212c0]<<
and
\Driver\atapi[0xfffffadf3843b620] → IRP_MJ_CREATE → 0xfffffadf38c212c0
Now, when I use the TDSSKiller application, it removes the 2 above without a problem, but unfortunately it cannot repair or open sptd.sys. A few minutes later, the 2 lines above reappear. I just cannot get rid of it.
Here is the aswMBR Log:
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-22 11:00:57
11:00:57.140 OS Version: Windows x64 5.2.3790 Service Pack 2
11:00:57.140 Number of processors: 4 586 0x1706
11:00:57.140 ComputerName: BEN UserName:
11:01:24.781 Initialze error C000010E - driver not loaded
11:01:24.859 AVAST engine defs: 11082101
11:01:27.171 Service scanning
11:01:28.343 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
11:01:29.031 Modules scanning
11:01:29.031 Disk 0 trace - called modules:
11:01:29.031
11:01:29.484 AVAST engine scan C:\WINDOWS
11:01:33.515 AVAST engine scan C:\WINDOWS\system32
11:02:06.656 AVAST engine scan C:\WINDOWS\system32\drivers
11:02:10.203 AVAST engine scan C:\Documents and Settings\Administrator
11:15:19.750 AVAST engine scan C:\Documents and Settings\All Users
11:17:34.890 Scan finished successfully
11:23:43.968 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\aswMBR.txt”
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-22 11:23:51
11:23:51.875 OS Version: Windows x64 5.2.3790 Service Pack 2
11:23:51.875 Number of processors: 4 586 0x1706
11:23:51.875 ComputerName: BEN UserName:
11:23:53.078 Initialize success
11:23:53.140 AVAST engine defs: 11082101
11:24:00.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
11:24:00.203 Disk 0 Vendor: ST3250410AS 3.AAF Size: 238474MB BusType: 3
11:24:00.218 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP1T1L0-1b
11:24:00.218 Disk 1 Vendor: WDC_WD10EALX-009BA0 15.01H15 Size: 953869MB BusType: 3
11:24:00.218 Device \Driver\atapi → MajorFunction fffffadf38c212c0
11:24:02.250 Disk 0 MBR read successfully
11:24:02.250 Disk 0 MBR scan
11:24:02.250 Disk 0 Windows XP default MBR code
11:24:02.250 Service scanning
11:24:02.562 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
11:24:03.093 Modules scanning
11:24:03.093 Disk 0 trace - called modules:
11:24:03.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffadf38c212c0]<<
11:24:03.109 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffadf37ffa1b0]
11:24:03.109 3 CLASSPNP.SYS[fffffadf2929a8c9] → nt!IofCallDriver → \Device\00000077[0xfffffadf37fff260]
11:24:03.109 5 ACPI.sys[fffffadf29452e69] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0xfffffadf38c13930]
11:24:03.109 \Driver\atapi[0xfffffadf3843b620] → IRP_MJ_CREATE → 0xfffffadf38c212c0
11:24:04.296 AVAST engine scan C:
11:27:48.843 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\MBR.dat”
11:27:48.843 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\aswMBR.txt”
Can I upload sptd.sys to the forum, or is it a risk for the others and myself? I have no idea what is inside this file.
My operating system is Windows XP Pro 64-bit, fully updated.
Thank you,
Ben
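As an added triage example (not part of the original post and not code from aswMBR or TDSSKiller): a small parser over a constructed excerpt of the log above that pulls out the locked service, the UNKNOWN address in the disk trace and the dispatch hooks on \Driver\atapi, and checks whether the hooks resolve to that same unattributed address. Function and variable names are my own.

```python
import re

# Constructed excerpt of the aswMBR log quoted in the post (arrows as shown there).
ASWMBR_LOG = r"""
11:24:00.218 Device \Driver\atapi → MajorFunction fffffadf38c212c0
11:24:02.562 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
11:24:03.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffadf38c212c0]<<
11:24:03.109 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffadf37ffa1b0]
11:24:03.109 \Driver\atapi[0xfffffadf3843b620] → IRP_MJ_CREATE → 0xfffffadf38c212c0
""".strip()

LOCKED_RE = re.compile(r"Service (\S+) (\S+) LOCKED")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-f]+)\]<<")
MAJORFN_RE = re.compile(r"Device (\\Driver\\\S+) → MajorFunction ([0-9a-f]+)")
IRP_RE = re.compile(r"(\\Driver\\[^\[\s]+)\[0x[0-9a-f]+\] → (IRP_MJ_\w+) → 0x([0-9a-f]+)")


def triage(log: str) -> dict:
    """Extract rootkit indicators from an aswMBR log.

    Returns the locked services, the UNKNOWN addresses from the disk module
    trace, every hooked dispatch entry, and the subset of hooks whose target
    is one of those UNKNOWN addresses (code in the disk I/O path that belongs
    to no loaded driver, which is what the post's log shows).
    """
    locked, unknown, hooks = [], set(), []
    for line in log.splitlines():
        if m := LOCKED_RE.search(line):
            locked.append((m.group(1), m.group(2)))
        if m := UNKNOWN_RE.search(line):
            unknown.add(int(m.group(1), 16))
        if m := MAJORFN_RE.search(line):
            hooks.append((m.group(1), "MajorFunction", int(m.group(2), 16)))
        if m := IRP_RE.search(line):
            hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
    corroborated = [h for h in hooks if h[2] in unknown]
    return {"locked": locked, "unknown": sorted(unknown),
            "hooks": hooks, "corroborated": corroborated}


if __name__ == "__main__":
    for key, value in triage(ASWMBR_LOG).items():
        print(f"{key}: {value}")
```

Both the atapi MajorFunction table and its IRP_MJ_CREATE entry land on the address the module trace could not attribute, which is why the driver stack entries come back after TDSSKiller clears them while the locked sptd.sys stays in place.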