Hi, aswMBR.exe is crashing when it gets to a file called tdpipe.sys. First time it’s happened. What to do? Thanks.
Hello,
Let’s scan with a different tool:
Download Malwarebytes Anti-Rootkit to your desktop.
- Double-click the icon to start the tool.
- It will ask you where to extract it, then it will start.
- Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
- Click in the introduction screen “next” to continue.
- Click in the following screen “Update” to obtain the latest malware definitions.
- Once the update is complete select “Next” and click “Scan”.
- When the scan is finished and no malware has been found select “Exit”.
- If malware was detected, make sure to check all the items and click “Cleanup”. Reboot your computer.
- Open the MBAR folder and paste the content of the following files in your next reply:
  - “mbar-log-{date} (xx-xx-xx).txt”
  - “system-log.txt”
Hi, Eagle
Yes, I have the data!
Thank you for taking the time to help me.
Hello,
Please reopen that file from your computer and resave it. Reference this photo.
Keep the filename.
http://i.imgur.com/IJKehlb.png
Here it is.
Thanks again.
There’s more… I renamed the aswMBR.exe file to Nedklaw.exe, and this time it got past the initialization error that had been happening. Ran a quickscan and the same thing happened, it crashed on scanning tdpipe.sys. So, I tried deleting c:\windows\system32\drivers\tdpipe.sys to see if it would make a difference. Ran aswMBR.exe (renamed as Nedklaw.exe), it initialized, but this time it said “File: c:\windows\system32\drivers\tdpipe.sys HIDDEN” (in red), then it crashed again on reaching tdpipe.sys… yet when I immediately looked in drivers\ for tdpipe.sys straight after it crashed, it was nowhere to be seen (even after folder refresh)… See attachment.
Any ideas? Thanks.
Note: Your screenshot shows you’re using an old version, the latest version is 1.0.1.2290…!!
Hi. Thanks for pointing that out to me.
I got the new version now, but the same thing happened. This time however, the red HIDDEN tdpipe.sys line didn’t show… presumably because I restored the tdpipe.sys files into their original folders (of which there were four; one in system32 and three in winsxs)
Here’s another snapshot.
Anyone else encounter this one?
Did MalwareBytes Anti Rootkit find something?
Yes. But I thought nothing of it. It was just some malware.trace thing attached to a *.lnk file that pointed to an image that loaded on windows startup.
Files Detected: 1
C:\Users\Cogniti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\George Gurdjieff__Ideas.png - Shortcut.lnk (Malware.Trace) → Delete on reboot. [c03eb8d9e0aa5fd707d2ca9eea1b9b65]
Other image files that are set to load via the Startup folder did not have this Malware.Trace issue.
But even now that the lnk file in question has been deleted, and I’ve restarted the computer and updated aswMBR, the same issue is continuing to occur… So what can make it behave like this? Is there a service that aswMBR requires to run?
Don’t worry about aswMBR. It is a rootkit scanner and they are known to fail sometimes. Let’s check your PC one more time:
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
- Right-click on the FRST icon and select Run as Administrator to start the tool. (XP users click run after receipt of Windows Security Warning - Open File).
- Make sure that the Addition option is checked.
- Press the Scan button and wait.
- The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
Here are the attachments FRST.txt and Addition.txt (tried to post the whole log but it said “exceeds maximum length”).
Seeing anything unusual in there?
Thanks again for taking time to look over the logs.
PC seems clean. Do you have any issues?
I found something curious…
I learned that if I delete all two reg traces of a service named “Tdrsvc” (which is stopped and which cannot be started because the file is apparently non-existent), then aswMBR completes the scan successfully without finding anything. However, if I then add the “Tdrsvc” info back to the reg, aswMBR crashes again on Tdpipe.sys. But the other unusual thing is that there is no actual real info on Tdrsvc that I could gauge from google… That said, I don’t appear to be experiencing anything particularly unusual… other than Kaspersky Security Scan won’t load… and the KSS service won’t start, despite showing one or two kss.exe files in the tasklist. Weird, but true.
Thanks for your help