I used the rootkit scanner to scan one of my desktops and it came up with some issues. The log is below.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-12 19:04:07
19:04:07.260 OS Version: Windows 6.1.7601 Service Pack 1
19:04:07.260 Number of processors: 4 586 0x402
19:04:07.270 ComputerName: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
19:04:13.360 Initialize success
19:04:13.490 AVAST engine defs: 11091200
19:04:19.870 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-4
19:04:19.870 Disk 0 Vendor: ST3640323AS CC1F Size: 610480MB BusType: 11
19:04:21.900 Disk 0 MBR read successfully
19:04:21.910 Disk 0 MBR scan
19:04:21.920 Disk 0 Windows 7 default MBR code
19:04:21.930 Disk 0 scanning sectors +1250260992
19:04:22.000 Disk 0 scanning C:\Windows\system32\drivers
19:04:29.310 Service scanning
19:04:30.350 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
19:04:30.910 Modules scanning
19:04:34.950 Disk 0 trace - called modules:
19:04:34.970 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855441f8]<<
19:04:34.970 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x864a5aa0]
19:04:34.980 3 CLASSPNP.SYS[8c01859e] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-4[0x86291908]
19:04:34.980 \Driver\atapi[0x86284db8] → IRP_MJ_CREATE → 0x855441f8
19:04:39.660 AVAST engine scan C:\Windows
19:04:41.620 AVAST engine scan C:\Windows\system32
19:05:54.632 AVAST engine scan C:\Windows\system32\drivers
19:06:02.182 AVAST engine scan C:\Users\Kennon
19:08:58.755 AVAST engine scan C:\ProgramData
19:15:35.380 Scan finished successfully
The output was shown as above. One locked file and a bunch of normal system files that the scanner doesn’t like. I tried to fix the MBR using the tool and rebooted, and the scan came up the same. Used bootrec /fixmbr from Windows recovery and rebooted, no dice. I checked the locked file and saw that it was related to Daemon Tools Lite, which is software I don’t use, so I uninstalled it. Ran the scan again to see if the locked file had cleared and I got the results below.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-12 21:26:22
21:26:22.210 OS Version: Windows 6.1.7601 Service Pack 1
21:26:22.210 Number of processors: 4 586 0x402
21:26:22.210 ComputerName: KENNON_LR_PC UserName: Kennon
21:26:23.629 Initialize success
21:26:23.707 AVAST engine defs: 11091201
21:26:28.637 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-4
21:26:28.637 Disk 0 Vendor: ST3640323AS CC1F Size: 610480MB BusType: 11
21:26:30.665 Disk 0 MBR read successfully
21:26:30.665 Disk 0 MBR scan
21:26:30.681 Disk 0 Windows 7 default MBR code
21:26:30.696 Disk 0 scanning sectors +1250260992
21:26:30.759 Disk 0 scanning C:\Windows\system32\drivers
21:26:37.903 Service scanning
21:26:39.385 Modules scanning
21:26:45.204 Disk 0 trace - called modules:
21:26:45.251 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
21:26:45.251 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86421030]
21:26:45.251 3 CLASSPNP.SYS[8bd9559e] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-4[0x8624d030]
21:26:49.057 AVAST engine scan C:\Windows
21:26:50.898 AVAST engine scan C:\Windows\system32
21:28:01.395 AVAST engine scan C:\Windows\system32\drivers
21:28:09.008 AVAST engine scan C:\Users\Kennon
21:30:12.887 AVAST engine scan C:\ProgramData
21:35:26.386 Scan finished successfully
So something about Daemon Tools was a little off. Some of this is above my head, so I don’t know whether I was looking at a false positive or a well-used program that has some shadiness going on.
Well the good thing is that the aswMBR.exe was reporting that the MBR was the default one before running bootrec /fixmbr. So it doesn’t appear this is an MBR rootkit.
19:04:21.920 Disk 0 Windows 7 default MBR code
Removing Daemon Tools Lite appears to have not only removed the locked entry, but also the Unknown entries and the other red entry.
Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
19:04:34.970 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855441f8]<<
19:04:34.980 \Driver\atapi[0x86284db8] → IRP_MJ_CREATE → 0x855441f8
So it does look better, though I’m no expert in this; essexboy is the man. Unfortunately it is 3:50am in the UK right now, so it will be tomorrow evening after work when he is likely to be back on the forums.
Though with the limited information scythe944 gave about the problem, in your provider saying there was some malware activity on your IP, I find it strange that this could have anything to do with Daemon Tools Lite, which I would have thought was a local system application. I just wonder how your provider would determine malicious activity and why they didn’t say what that was.
So essexboy would probably want to run some other analysis tools.
It may be worth having boxtop download and run OTL and post the log so essexboy has something to work with when he does come on-line. Still a few hours before he is likely to be on-line, but I have PM’d him about the topic.
I am not having any problems. I only ran scans on my machines because of an email I received from my ISP. Maybe the letter was a canned letter to get me to download and use their security offerings. At any rate they said there might be an issue, so I ran the rootkit detector and got the first results I posted above. After some searching I found that the locked file was related to Daemon Tools Lite, so I decided to uninstall Daemon Tools, and after that the next scan came up completely clean. I was only trying to fix the locked file issue but it ended up fixing everything. I am starting to think that this was all a coincidence (canned email from ISP to peddle their security suite) combined with a false positive caused by software that was legitimately installed for a while. Incidentally I had that same version of Daemon Tools installed on two other machines in my house and neither of them came up with errors. I have since removed Daemon Tools from all my machines.
I guess I just wanted some more skilled eyes to have a look. I am wondering if I should go through the process of changing the several hundred internet passwords that I have or if that would be overkill. I really am not convinced that I ever had malicious software present to begin with.
Thanks for having a look and please feel free to comment with any additional insights you may have.