I have been trying to debug a problem in one of my computers. I wanted to run the Avast rootkit scanner and decided to run it first on a system that was working fairly well.

This is a Dell Inspiron 5040 running Windows 8 64bit. When I run aswMBR.exe it runs and the stops before completing. The last entry in the on-screen list is

Scanning: service winDefend C:\Program Files sys

I can’t tell whether it has crashed on that file or on the start of the scan of the next in line. I do get the dialog box stating avast! Antirootkit has stopped working.

The other computer is a Windows 7 32bit system that has an intermittant (but almost continuous) loss of internet access even with a good signal. I don’t want to start with a new tool that isn’t reliable so if someone can point out my problem on the 64bit system, I would appreciate the help.

Hi suti,

aswMBR drivers can’t work on Windows 8.x kernel.

Do you have any problems? Do you need malware/rootkit check?

I wasn’t aware that the app was not compatible with win8. I didn’t get a response when I ran the compatibility check. My problem with win8 is minor. An app that I have been using for years to monitor my internet access on my satellite ISP, runs but has quit displaying on the monitor screen. It ran perfectly for about 6 months after I updated to win8 then quit. I haven’t had an answer to the problem. One of the few things I haven’t tried is to look for rootkits.

I have a larger problem with my Win7 machine, where I am told I have internet access but I can’t even get a consistent ping return. I hope the rootkit scanner will run on that. If not, I will try your suggestion.

Thanks for your help.

The kernel isn’t the problem or else it wouldn’t be able to launch at all, not even in compatibility mode.
The main problems are compatibility issues with the new windows defender which are - just like the compatibility issues with Visual Studio and possibly other things - apparently not a very high priority for the avast developers to fix.

There are better alternatives like GMER and/or scanning with different rescue CDs outside of Windows.

Hi Randissimo,

The kernel isn't the problem or else it wouldn't be able to launch at all, not even in compatibility mode. The main problems are compatibility issues with the new windows defender which are - just like the compatibility issues with Visual Studio and possibly other things - apparently not a very high priority for the avast developers to fix.

Allow me rephrase the sentence…
The kernel is the problem as aswMBR’s drivers can’t be loaded at kernel version on Windows 8 or 8.1 systems.

AntiRootKit tools (like aswMBR or GMER …etc) are these diagnostic tools which operate on kernelspace, not on userspace level. The purpose is to verify the Windows “core” segments that userspace tool does not have access (not aware of their existence). Malicious RootKit works on kernel levels, so these tools are referred as ARK tools.

avast! can detect known RootKits as well so …

Then tell me why it stops exactly on the same part, why it even bothers to load+scan files and why there is a software compatibility issue with Visual Studio.

What’s your basis that it cannot be a simple “software” problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?

Are you standing for what you’re talking on about the aswmbr.exe issues on a knowledge basis or is that just an answer you’ve learned and/or are told to write?

I don’t want to sound rude, but rather I’d like to make things clear on this matter.

Also, when you write “avast! can detect known RootKits as well”, are you referring to boot-time scans, to the scans from the created rescue disk or to the normal scan?

Avast runs an anti-rootkit scan 8 minutes after boot.

That’s a nice fact to know, but from where do you have that information?

Many years of using avast and helping in the forums.

You can check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswAr.log (XP) or C:ProgramData\AVAST Software\Avast\log\aswAr.log (win7 and later). At the top of that log it gives the start time, you can then work roughly back to when you booted.

I vaguely remember that those logs are stored in the hidden ProgramData folder, though I didn’t bother to skim through it by myself, so thanks for telling me.
Do you have any information about the incompatibility issues with the mentioned programs?

I’m not sure which you mean as you have mentioned several and I have lost the context.

If you are talking about aswMBR and windows 8/8.1 (which seemed to kick this off) then aswMBR was designed prior to win8’s release, so it was never designed for compatibility with win8. I have no idea if this is going to be updated to work on win8/8.1 systems.

Well the Visual Studio issues are actually an old problem, see http://forum.avast.com/index.php?topic=96929.msg773679#msg773679 or http://forum.avast.com/index.php?topic=100019.msg798736#msg798736 and they still haven’t fix those, so you can guess that the developers simply don’t care in providing support for non-Avast users in detecting rootkits.

However, there are still better alternatives such as GMER or SARDU to scan for rootkits, because they don’t have software and/or operating system issues.
On a side note, SARDU might create some false positive because of the PUPs which you can skip/deselect in the installer if you’re paying attention and even if there is no virus alert even after creating the rescue stick, you might need to temporarily turn of Avast shields so that the formation can work smoothly => it should rename the USB-stick to something like “SARDU” after formatting it, if not, you might need to create it again without the intervention of AV-software.
If your stick does not boot, you can test different sizes and vendors.

GMER

http://www.gmer.net/

Download

The latest version of GMER 2.1.19357

GMER runs only on Windows NT/W2K/XP/VISTA/7/8
GMER application: or ZIP archive: gmer.zip ( 372kB )
It’s recommended to download randomly named EXE (click button above) because some malware won’t let gmer.exe launch.

GMER.exe SHA256: 812CFD967188DE56C88134E6125724D3F2ECA26A2A1A7ACD8FDDFAA36D712947

Avast! antivirus integrated with GMER
actively protecting over 200 million PCs … http://www.avast.com/

http://en.wikipedia.org/wiki/GMER

Hi Randissimo,

Let’s clear up some things. I am not member of avast tim, nor of his developer department.
I am not associated with aswMBR developer department but I have access to some information that makes me feel competent to say a thing with certificate.
aswMBR is product of joint forces of Gmerek and avast Tim.
I am member of big alliance of Security Forum that does provide valid Malware Removal assistance.
Also know this. I would also like for aswMBR to be compatible with Windows 8.x systems, but it is not. As I need diagnostics for kernel RootKit, not to pay attention to what software displays on the screen, for valid ARK diagnostics I can not rely on aswMBR to Windows 8, which just has a lot of changes compared to Windows 7
Also, I do not care what you’re gonna use it. I just telling you how things are.

Then tell me why it stops exactly on the same part, why it even bothers to load+scan files and why there is a software compatibility issue with Visual Studio. [...] What's your basis that it cannot be a simple "software" problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?

It does not matter where stalls. It's load and preform because it's made so to work. Visual Studio is software working on userspace, does not have any driver loaded in kernel. Simple software as you say works in userspace. Windows Defender on Windows 8 is AntiVirus, therefore it's owns his own loaded drivers in kernel.

Are you standing for what you're talking on about the aswmbr.exe issues on a knowledge basis or is that just an answer you've learned and/or are told to write?

I am standing to tell you that ARK tools are something else, they work differently and can not be measured with generic diagnostic tools that run in userspace level. The same goes for simple software. It’s not always that simple …run and scan.
Moreover, Windows 8 & 8.1 goes with usual GPT partition then MBR partition. For now, there is no way to use the GPT malicious purposes.
Moreover, x64bit Widndows editions ( including Win 8.x) own Kernel Patch Protection + Driver Signing Policy on x64. Un-signed driver can NOT be loaded in kernel.
Moreover, Windows 8.x have something that is called Secure Boot. In short, prevents any malicious kernel-level RootKit to be loaded into the system
Also, beginning with Windows 8 UEFI Secure Boot-enabled platforms have additional signing requirements, including requirements for ARM platforms. The driver code signing policy for 32-bit versions of Windows 8 UEFI Secure Boot-enabled platforms also requires drivers have a digital signature.
aswMBR reads MBR, it read partitions, then it uses his own heuristics to scan drivers (kernel) that it uses avast! engine to scan drivers.
Keep in mind that the aswMBR primarily set up to do diagnostics and Fix for first version MBR-based RootKits like TDL4/3, Sinowal and Whistler, never upgraded (at least not so often) to recognize and later versions of RootKit. aswMBR does that using his heuristics scan.

If you wanna ARK check on Windows 8.x, you may use TDSSKiller or MBAR it searches for malware that is larger rank and therefore scan takes longer.
But if you understand me right, you’re be wondering, does I realy need ARK scan on Windows 8 !?

Also, when you write "avast! can detect known RootKits as well", are you referring to boot-time scans, to the scans from the created rescue disk or to the normal scan?

avast! is AntiVirus, therefore it has strongest system privileges (kernel driver as well) and therefore is able to detect known kernel-level RootKit. It has nothing to do with boot time scan, that’s something else…

Edit: Maybe you these semantics help you to understand better

@ Randissimo

Well the GMER guy actually works for avast now and he designed the aswMBR anti-rootkit scanner. A user doesn’t have to have avast installed to use aswMBR, they just don’t have the ability to do the additional scan.

I’m not sure about your assumption about developers not caring about non-avast users (given the above) and when both of your links indicate they are avast users, so you have me confused.

That is me done with this, as an avast user I have no control/input on what avast developers do.

Rootkit scan at startup …

@ magna86: I believe you about the issues with Windows 8.X, but that still doesn’t explain why the program still has the problems on userspace level with certain software during the file scan phase with the (down)loaded Avast signatures.
Also if a developer from GMER actually is working on aswMBR how come it still has those issues with Visual Studio (which original GMER never had) and is still not compatible even with Windows 8?
Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formated drives supposedly prevent every rootkit?

@ DavidR: of course you would ask in an Avast forum about a problem related to an Avast product, regardless of whether the users themselves use Avast as their AV or not. It’s just meant as an evidence that such software related problems do exist in aswMBR.

@ AdrianH: I know that option, but thanks for posting that screen shot.

Randissimo, I see you many things do not understand or do not want to understand so I will stop to explain as you stubbornly pursue your own story even though I clearly explained how the things are but you do not want to hear abaut.
aswMBR does not work on userspace nor is it an essential part for him, it checks only when it start avast engine in small, short range (services). ARK are kernel based tools.

Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formated drives supposedly prevent every rootkit?

Malwarebytes and Kaspersky ( MBAR and TDSSKiller ) works on known level of detection. They shall detect and remove only these rootkits that is known to them.
They have a large range of database and many heuristic detection, but in addition they can always skip of detectio and allow to run some malicious rootkit for which they are not aware that it is malicious.

GMER again works differently, purely diagnostic nature. GMER should report in his ARK logs any suspicious-legitimate and malicious activity. It will not always detect the loading point but for helper who preform diagnosis and who can read GMER logs (a lot of them do not know), this is enough.

Why do other companies like Malwarebytes or Kaspersky or the one behind GMER even bother to make their anti-rootkit tools work on Windows 8.X when Secure Boot and UEFI installation on GPT formated drives supposedly prevent every rootkit?

I wasn’t asking in detail how they operate, though it’s a nice fact to know, thank you.
I was asking why they do work and why aswmbr still doesn’t on Windows 8/8.1

Randissimo, I see you many things do not understand or do not want to understand so I will stop to explain as you stubbornly pursue your own story even though I clearly explained how the things are but you do not want to hear abaut.

Let's see about how "clearly" you explained things:

Question: “What’s your basis that it cannot be a simple “software” problem because of the new Defender when there still exists a known compatibility issue with Visual Studio even on earlier Windows versions?”

Answer: “It does not matter where stalls. It’s load and preform because it’s made so to work. Visual Studio is software working on userspace, does not have any driver loaded in kernel.
Simple software as you say works in userspace. Windows Defender on Windows 8 is AntiVirus, therefore it’s owns his own loaded drivers in kernel.”

I get the part about the Windows Defender driver, but what is the issue with scanning a “software working on userspace” on Windows 7 or earlier which supposedly should work without issues? How come that only having a simple software installed which doesn’t even have drivers loaded can ruin a whole program of it’s main purpose? Is it really that easy to stop an anti-rootkit tool by installing a simple “software working in userspace”?

Well, I guess I’ll take a break again for now and I hope for this thread that some official wordings are made about the ongoing Visual Studio issues and/or if and when aswMBR will be made compatible with Windows 8/8.1.

You don’t need to answer back if you can’t or don’t want to.

Have a nice day.

• Randissimo.