Rootkit mbr\\.\physicaldrive1

I’ve been researching this and here is my log:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 17:43:47

17:43:47.831 OS Version: Windows 6.0.6002 Service Pack 2
17:43:47.831 Number of processors: 2 586 0x6B02
17:43:47.833 ComputerName: TONY-PC UserName: Tony
17:43:49.613 Initialize success
17:43:50.475 AVAST engine defs: 11090601
17:43:53.045 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP4T0L0-4
17:43:53.048 Disk 0 Vendor: WDC_WD3200AAJS-00B4A0 01.03A01 Size: 305245MB BusType: 3
17:43:53.052 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP3T0L0-3
17:43:53.055 Disk 1 Vendor: WDC_WD3200AAJS-00B4A0 01.03A01 Size: 305245MB BusType: 3
17:43:53.060 Disk 2 \Device\Harddisk2\DR2 → \Device\Ide\IdeDeviceP5T0L0-7
17:43:53.063 Disk 2 Vendor: Hitachi_HDT725032VLA380 V54OA73A Size: 305245MB BusType: 3
17:43:55.093 Disk 1 MBR read successfully
17:43:55.097 Disk 1 MBR scan
17:43:55.102 Disk 1 MBR:Whistler-C [Rtk]
17:43:55.106 Disk 1 Whistler@MBR code has been found
17:43:55.111 Disk 1 MBR [Whistler] ROOTKIT
17:43:55.165 Disk 1 scanning C:\Windows\system32\drivers
17:44:08.497 Service scanning
17:44:09.670 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
17:44:10.267 Modules scanning
17:44:16.583 Disk 1 trace - called modules:
17:44:16.616 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84a1b1f8]<<
17:44:16.624 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x85392ac8]
17:44:16.631 3 CLASSPNP.SYS[881af8b3] → nt!IofCallDriver → [0x84af5a70]
17:44:16.639 5 acpi.sys[8073c6bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP3T0L0-3[0x84ad5660]
17:44:16.647 \Driver\atapi[0x84ab3828] → IRP_MJ_CREATE → 0x84a1b1f8
17:44:17.204 AVAST engine scan C:\Windows
17:44:20.070 AVAST engine scan C:\Windows\system32
17:46:20.133 AVAST engine scan C:\Windows\system32\drivers
17:46:33.308 AVAST engine scan C:\Users\Tony
17:46:50.672 Disk 1 MBR has been saved successfully to “C:\Users\Tony\Desktop\MBR.dat”
17:46:50.678 The log file has been saved successfully to “C:\Users\Tony\Desktop\aswMBR.txt”
17:55:41.751 Disk 1 MBR has been saved successfully to “C:\Users\Tony\Desktop\MBR.dat”
17:55:41.784 The log file has been saved successfully to “C:\Users\Tony\Desktop\aswMBR.txt”

Seems there’s definitely a rootkit, but there are other red flags that I’m concerned about.
Any suggestions?

I am going to now use fixmbr and see what results…

Thanks

Scan again, click “fix mbr” and reboot.

After reboot, scan again, click “save log” and post it here.

I don’t know about this in a multi-disk/partition system (3 drives/partitions); if they are bootable/dual boot, etc., rewriting the MBR could mess up any dual boot.

So I would say it needs someone like essexboy to confirm this is the way to go.
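Before acting on the "fix mbr" advice, and to answer the dual-boot concern raised just above, a defender would want to look at the 512-byte MBR.dat that aswMBR saved to the desktop. The Python below is an added example written for this thread, not aswMBR's or Avast's code. It parses an MBR dump, validates the 0x55AA boot signature and the four partition entries, reports whether more than one OS-capable partition is present (the case where rewriting the MBR could break a dual boot), and hashes the bootstrap-code region so it can be compared with a known-clean dump of the same disk. The MBR byte strings in it are constructed samples rather than the poster's MBR.dat, and the partition type-id table is an assumed subset of the common ids.

```python
"""Parse a 512-byte MBR dump (e.g. the MBR.dat that aswMBR saves) and report what
a defender should check before deciding to rewrite it. Constructed example."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOTCODE_SIZE = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446    # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511

# Assumed subset of common partition type ids (not exhaustive).
TYPE_NAMES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}
OS_TYPES = {0x07, 0x0B, 0x0C, 0x83}   # types that may hold a bootable OS


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0

    def describe(self) -> str:
        flag = "*" if self.bootable else " "
        name = TYPE_NAMES.get(self.type_id, f"0x{self.type_id:02X}")
        return f"{flag}p{self.index}: {name} start={self.lba_start} sectors={self.sectors}"


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four classic entries: status, CHS start, type, CHS end, LBA start, size."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + i * 16)
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap code; the partition table changes legitimately."""
    return hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> Dict:
    """Structural findings plus the boot-code hash to compare against a clean dump."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected length {len(mbr)} (expected {MBR_SIZE})")
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.bootable and not p.empty]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    used = [p for p in parts if not p.empty]
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                findings.append(f"p{a.index} and p{b.index} overlap")
    os_parts = [p for p in parts if p.type_id in OS_TYPES]
    if len(os_parts) > 1:
        findings.append(f"{len(os_parts)} OS-capable partitions: check for dual boot before rewriting")
    digest = bootcode_sha256(mbr)
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("bootstrap code differs from the known-clean baseline")
    return {"bootcode_sha256": digest, "partitions": parts, "findings": findings}


def load_mbr(path: str) -> bytes:
    """Read a saved dump such as MBR.dat (first 512 bytes)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def entry(bootable: bool, ptype: int, start: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start, count)


def build_mbr(bootcode: bytes, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR for the constructed samples below."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return bootcode.ljust(BOOTCODE_SIZE, b"\x00") + table + SIGNATURE


# Constructed samples: filler bytes stand in for boot code (not real boot code).
CLEAN_BOOTCODE = bytes(range(0x40)) * 4
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [entry(True, 0x07, 2048, 600_000_000)])
BASELINE = bootcode_sha256(CLEAN_MBR)
# Same table, but the first 32 boot-code bytes were replaced (constructed change).
TAMPERED_MBR = build_mbr(b"\x00" * 32 + CLEAN_BOOTCODE[32:],
                         [entry(True, 0x07, 2048, 600_000_000)])
# Two OS-capable partitions: rewriting this MBR could break a dual boot.
DUAL_BOOT_MBR = build_mbr(CLEAN_BOOTCODE, [entry(True, 0x07, 2048, 300_000_000),
                                           entry(False, 0x83, 300_002_048, 300_000_000)])

if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("dual", DUAL_BOOT_MBR)]:
        result = check_mbr(mbr, BASELINE)
        print(name, result["bootcode_sha256"][:16], result["findings"])
        for p in result["partitions"]:
            if not p.empty:
                print("  ", p.describe())
```

Run it against a real dump with `check_mbr(load_mbr("MBR.dat"), baseline)`, where the baseline hash comes from a clean MBR of the same disk type (for example a dump taken right after installation, or from an identical second disk as in this thread, where Disk 0 and Disk 1 are the same model). The boot-code hash is the part that a bootkit changes; the partition listing is what tells you whether a second OS partition exists before you let any tool rewrite the MBR.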

@ RootKitsSuck
Which lines are the red entries?

17:44:16.616 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84a1b1f8]<<
and
17:44:09.670 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32

Yes, no, any more?