aswMBR scan results, what does it mean?

Hello,

I know that some expertise is required to understand the results of the aswMBR rootkit scan, which I do not have.

The scan results gave 2 yellow and 2 red files:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-24 15:11:04

15:11:04.963 OS Version: Windows 6.0.6002 Service Pack 2
15:11:04.963 Number of processors: 2 586 0xF0B
15:11:04.965 ComputerName: PC_VAN_BEKKER UserName: Bekker
15:11:42.212 Initialize success
15:13:36.860 AVAST engine defs: 13122301
15:17:04.424 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
15:17:04.427 Disk 0 Vendor: SAMSUNG_HD321KJ CP100-12 Size: 305245MB BusType: 3
15:17:04.685 Disk 0 MBR read successfully
15:17:04.688 Disk 0 MBR scan
15:17:05.457 Disk 0 Windows VISTA default MBR code
15:17:05.880 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
15:17:05.980 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
15:17:06.135 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 294949 MB offset 21084160
15:17:06.221 Disk 0 scanning sectors +625139712
15:17:07.087 Disk 0 scanning C:\Windows\system32\drivers
15:19:41.798 Service scanning
15:20:32.087 Service MpKsld2c805c3 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates{CE8B8991-2365-4C6F-AD87-CCAB54A92655}\MpKsld2c805c3.sys LOCKED 32
15:20:59.971 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
15:21:37.696 Modules scanning
15:22:15.296 Disk 0 trace - called modules:
15:22:15.326 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85d321e8]<<
15:22:15.327 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86ff6ac8]
15:22:15.327 3 CLASSPNP.SYS[8bfaa8b3] → nt!IofCallDriver → [0x866bb620]
15:22:15.327 5 acpi.sys[83db76bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x867008a0]
15:22:15.328 \Driver\atapi[0x866f1560] → IRP_MJ_CREATE → 0x85d321e8
15:22:18.721 AVAST engine scan C:\Windows
15:22:33.039 AVAST engine scan C:\Windows\system32
15:31:20.563 AVAST engine scan C:\Windows\system32\drivers
15:32:48.925 AVAST engine scan C:\Users\Bekker
16:36:39.228 AVAST engine scan C:\ProgramData
16:50:37.751 Scan finished successfully

Is it possible to find out whether these results are “false positive” or real threats?
And is it risky just to click the FixMBR button?

Thanks,

Hi,

To be sure, we need another scan.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Hello,

TDSSKiller gave one Suspicious result:

22:24:23.0177 0x1c5c Scan started
22:24:23.0177 0x1c5c Mode: Manual; SigCheck; TDLFS;
22:24:23.0177 0x1c5c ============================================================
22:24:23.0177 0x1c5c KSN ping started
22:24:36.0584 0x1c5c KSN ping finished: true
22:24:38.0328 0x1c5c ================ Scan system memory ========================
22:24:38.0328 0x1c5c System memory - ok
22:24:38.0328 0x1c5c ================ Scan services =============================
|
|
22:25:38.0109 0x1c5c Suspicious file ( NoAccess ): C:\Windows\System32\Drivers\sptd.sys. md5: 8EA0FD60A5B047E0C734D51AACE531C9, sha256: 5C3925A810AC113EE519E5014DCEE68D30E7515858D28E6B9CACCCCCA1B28E18
22:25:38.0110 0x1c5c sptd - detected LockedFile.Multi.Generic ( 1 )
22:25:48.0218 0x1c5c sptd ( LockedFile.Multi.Generic ) - warning
22:25:48.0218 0x1c5c Force sending object to P2P due to detect: C:\Windows\System32\Drivers\sptd.sys
|
|
22:26:25.0071 0x1c5c Scan finished
22:26:25.0071 0x1c5c ============================================================
22:26:25.0100 0x1c7c Detected object count: 1
22:26:25.0100 0x1c7c Actual detected object count: 1
22:27:52.0748 0x1c7c sptd ( LockedFile.Multi.Generic ) - skipped by user
22:27:52.0748 0x1c7c sptd ( LockedFile.Multi.Generic ) - User select action: Skip
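To read the two logs side by side, here is an added Python triage script (not from the thread, and not part of aswMBR or TDSSKiller) that parses the LOCKED, >>UNKNOWN<< and IRP-hook lines from the aswMBR log in the first post and the suspicious-file and detection lines from this TDSSKiller log, then joins them on driver path. The log excerpts are embedded as constructed samples copied from the posts, and the regexes are my assumptions about the two log formats.

```python
import re

# Constructed excerpts of the two logs quoted in this thread (aswMBR, then TDSSKiller),
# embedded so the triage runs offline; arrows and hashes are as the posts show them.
ASWMBR_LOG = r"""15:20:32.087 Service MpKsld2c805c3 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates{CE8B8991-2365-4C6F-AD87-CCAB54A92655}\MpKsld2c805c3.sys LOCKED 32
15:20:59.971 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
15:22:15.326 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85d321e8]<<
15:22:15.328 \Driver\atapi[0x866f1560] → IRP_MJ_CREATE → 0x85d321e8"""
TDSS_LOG = r"""22:25:38.0109 0x1c5c Suspicious file ( NoAccess ): C:\Windows\System32\Drivers\sptd.sys. md5: 8EA0FD60A5B047E0C734D51AACE531C9, sha256: 5C3925A810AC113EE519E5014DCEE68D30E7515858D28E6B9CACCCCCA1B28E18
22:25:38.0110 0x1c5c sptd - detected LockedFile.Multi.Generic ( 1 )
22:27:52.0748 0x1c7c sptd ( LockedFile.Multi.Generic ) - skipped by user"""

# Assumed line shapes, derived from the excerpts above (not an official format spec).
LOCKED_RE = re.compile(r"^\S+ Service (\S+) (.+) LOCKED \d+$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^\S+ (\\Driver\\\S+)\[0x[0-9a-fA-F]+\] (?:->|→) (IRP_MJ_\w+) (?:->|→) (0x[0-9a-fA-F]+)$")
SUSP_RE = re.compile(r"Suspicious file \( (\w+) \): (.+?)\. md5: ([0-9A-Fa-f]{32}), sha256: ([0-9A-Fa-f]{64})")
DETECT_RE = re.compile(r"^\S+ \S+ (\S+) - detected (\S+)")

def parse_aswmbr(text):
    """Collect what aswMBR highlights: LOCKED services, the >>UNKNOWN<< trace end, IRP hooks."""
    out = {"locked": {}, "unknown": None, "hooks": []}
    for line in text.splitlines():
        if m := LOCKED_RE.match(line):
            out["locked"][m.group(1)] = m.group(2)
        elif m := UNKNOWN_RE.search(line):
            out["unknown"] = m.group(1).lower()
        elif m := HOOK_RE.match(line):
            out["hooks"].append((m.group(1), m.group(2), m.group(3).lower()))
    return out

def parse_tdsskiller(text):
    """Collect TDSSKiller's suspicious-file lines (with hashes) and the detection name per service."""
    suspicious, detections = [], {}
    for line in text.splitlines():
        if m := SUSP_RE.search(line):
            suspicious.append({"reason": m.group(1), "path": m.group(2),
                               "md5": m.group(3).upper(), "sha256": m.group(4).upper()})
        elif m := DETECT_RE.match(line):
            detections[m.group(1).lower()] = m.group(2)
    return suspicious, detections

def correlate(aswmbr, suspicious, detections):
    """Join both tools on driver path. A driver that is only LOCKED / NoAccess in both, with a
    LockedFile.* generic name, was not matched by a signature: its hash is what to look up next."""
    rows = []
    for svc, path in aswmbr["locked"].items():
        hit = next((s for s in suspicious if s["path"].lower() == path.lower()), None)
        name = detections.get(svc.lower())
        rows.append({"service": svc, "tdss_reason": hit["reason"] if hit else None,
                     "detection": name, "sha256": hit["sha256"] if hit else None,
                     "signature_hit": name is not None and not name.startswith("LockedFile")})
    return rows

def hook_target_is_unknown(aswmbr):
    """Report which driver's IRP hook ends at the address aswMBR could not attribute to a module."""
    return [(drv, irp) for drv, irp, addr in aswmbr["hooks"] if addr == aswmbr["unknown"]]
```

On the posted logs this shows sptd.sys flagged by both tools purely as an unreadable (locked) file with a generic name and no signature hit, and the \Driver\atapi IRP_MJ_CREATE hook landing on the same address aswMBR reports as UNKNOWN; the SHA-256 from TDSSKiller is the value to check against a reputation source before deciding anything about FixMBR.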

Hey OCD,

Twin is probably on holidays and will get back to you ASAP

PC seems clean, any remaining problems?

So that file is/ those files are harmless?
No, no remaining problems; the only question is: is it risky just to click the FixMBR button?

Thanks for your help.