BSOD - aswSP.sys - anti-rootkit

Greetings, new member here

Don’t know what the board etiquette here is - when I thought to post on a thread titled the same, I got this message:
Warning: this topic has not been posted in for at least 20 days.
Unless you’re sure you want to reply, please consider starting a new topic.

So, I am posting a new topic.

To the reason for the post - This morning, I accessed a hacked page of anonplus.com and within 5 minutes got a BSOD

(See the story at http://www.reddit.com/r/technology/comments/jdt1k/caution_after_accessing_hacked_anonpluscom_on/ )

While I am running a boot scan, I thought to check here and read previous posts about aswSP.sys - BSODs and saw that the reason for the BSOD was related to the anti-rootkit functionality of Avast.

Do I need to be concerned that a rootkit has been installed or am I just being paranoid?

The machine is running XP SP3 with the current AvastPro.

Thanks for your assistance

We could check to ensure that there was no rootkit placed on the system

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click Save Log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Thanks for your reply essexboy

I should also tell you I uninstalled Avast Free ( I thought that I was running Pro then remembered that I couldn’t reorder Pro due to the purchasing process erroring out when there was no place to put in my state >:( - another issue, another time ) and was able to download aswMBR.exe.

I then reinstalled the Avast Free and it BSODed before I could get this written - so I uninstalled it again, ran aswMBR.exe.

Below is the output of running aswMBR.exe

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-10 08:44:12

08:44:12.625 OS Version: Windows 5.1.2600 Service Pack 3
08:44:12.625 Number of processors: 2 586 0xF0D
08:44:12.625 ComputerName: AUM UserName:
08:44:16.375 Initialize success
08:44:31.406 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
08:44:31.406 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
08:44:31.421 Disk 0 MBR read successfully
08:44:31.421 Disk 0 MBR scan
08:44:31.421 Disk 0 unknown MBR code
08:44:31.421 Disk 0 scanning sectors +976768065
08:44:31.468 Disk 0 scanning C:\WINDOWS\system32\drivers
08:44:33.359 Service scanning
08:44:33.671 Service vsdatant C:\WINDOWS\System32\vsdatant.sys LOCKED 32
08:44:34.171 Modules scanning
08:44:44.890 Disk 0 trace - called modules:
08:44:44.937 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
08:44:44.937 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d4a030]
08:44:44.937 3 CLASSPNP.SYS[f76c6fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x86d47028]
08:44:44.937 Scan finished successfully
08:45:37.734 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\RSAS\My Documents\MBR.dat”
08:45:37.734 The log file has been saved successfully to “C:\Documents and Settings\RSAS\My Documents\110810_aswMBR.txt”

Thanks again for your assistance.

And with the scan

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-10 10:46:18

10:46:18.171 OS Version: Windows 5.1.2600 Service Pack 3
10:46:18.171 Number of processors: 2 586 0xF0D
10:46:18.171 ComputerName: AUM UserName:
10:46:22.015 Initialize success
10:50:04.625 AVAST engine defs: 11081000
10:50:10.890 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
10:50:10.906 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
10:50:10.921 Disk 0 MBR read successfully
10:50:10.921 Disk 0 MBR scan
10:50:10.937 Disk 0 unknown MBR code
10:50:10.937 Disk 0 scanning sectors +976768065
10:50:10.984 Disk 0 scanning C:\WINDOWS\system32\drivers
10:50:14.875 Service scanning
10:50:15.156 Service vsdatant C:\WINDOWS\System32\vsdatant.sys LOCKED 32
10:50:15.671 Modules scanning
10:50:17.640 Disk 0 trace - called modules:
10:50:17.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
10:50:17.656 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d4a030]
10:50:17.656 3 CLASSPNP.SYS[f76c6fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x86d47028]
10:50:18.265 AVAST engine scan C:\WINDOWS
10:50:23.250 AVAST engine scan C:\WINDOWS\system32
10:51:21.359 AVAST engine scan C:\WINDOWS\system32\drivers
10:51:27.859 AVAST engine scan C:\Documents and Settings\user
10:58:04.000 AVAST engine scan C:\Documents and Settings\All Users
10:58:11.375 Scan finished successfully
11:15:49.625 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\user\My Documents\MBR.dat”
11:15:49.625 The log file has been saved successfully to “C:\Documents and Settings\user\My Documents\110810_aswMBR_a.txt”

Hmm, something not quite right there - so let's start with an analysis first, I feel.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs

Thanks for your assistance essexboy

As you probably knew, the files were too large to put in a post so here they are

http://www.mediafire.com/?8vr5zdyr6oofc3z

http://www.mediafire.com/?zk93z2tkyfeo4v3

No traces of malware showing there which is good - just for my peace of mind I would like to do one further check on the MBR

Are you still getting the crashes?

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Thanks for your assistance

I am really appreciative of the depth and breadth of your analysis.

The results of MBRCheck.exe are at http://www.mediafire.com/?ibefci3ajzsz2ba
I did get an ‘N’ as I do have a non-Windows partition.

I am running a dual boot system with Mepis 11. I have had this setup for the past six months and long before getting the BSOD.

I am not getting crashes as I do not currently have Avast installed. As I explained previously, when Avast was installed I was able to boot into a desktop and then ~ 5 minutes later I would get the above referenced BSOD.

I have been only activating the wireless connection to check here and, as you may have seen, have AdBlock Plus and NoScript running. I also have not been using my mail client while I am exposed.

OK the dual boot explains the mystery MBR

Could you now do a clean install of Avast and see if the problem returns
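The triage logic behind the exchange above, as an added example that is not part of the thread: a small parser for aswMBR-style log lines that treats "unknown MBR code" as something to review unless a non-Windows boot loader (dual boot) is known to be present, and simply records locked driver files for follow-up. The sample log is constructed in the shape of the logs quoted earlier; the function names are my own.

```python
import re

# Constructed sample modelled on the aswMBR output format quoted in the thread
SAMPLE_LOG = """\
08:44:31.421 Disk 0 MBR read successfully
08:44:31.421 Disk 0 MBR scan
08:44:31.421 Disk 0 unknown MBR code
08:44:31.468 Disk 0 scanning C:\\WINDOWS\\system32\\drivers
08:44:33.671 Service vsdatant C:\\WINDOWS\\System32\\vsdatant.sys LOCKED 32
08:44:44.937 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
MBR_RE = re.compile(r"Disk (\d+) unknown MBR code")
LOCKED_RE = re.compile(r"Service (\S+) (\S+) LOCKED")


def parse_aswmbr(text):
    """Return (timestamp, message) tuples for every timestamped line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(text, dual_boot=False):
    """Classify log lines as ('ok'|'info'|'review', explanation).

    dual_boot=True means the operator has confirmed a non-Windows boot
    loader on the disk, which legitimately produces unknown MBR code.
    """
    findings = []
    for _ts, msg in parse_aswmbr(text):
        m = MBR_RE.match(msg)
        if m:
            disk = m.group(1)
            if dual_boot:
                findings.append(("info", f"disk {disk}: unknown MBR code, consistent with a non-Windows boot loader"))
            else:
                findings.append(("review", f"disk {disk}: unknown MBR code; compare the saved MBR.dat with a known boot loader"))
            continue
        m = LOCKED_RE.match(msg)
        if m:
            findings.append(("info", f"locked driver {m.group(1)} at {m.group(2)}; confirm which product owns it"))
        elif msg.startswith("Scan finished successfully"):
            findings.append(("ok", "scan completed"))
    return findings
```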

Thanks for your ongoing help and patience as I work through this issue.

Your comment to do a clean install triggered an idea. I did a system search for ‘avast’ and found the remnants of previous installations and deleted them.

Then I downloaded a new copy of avast via cnet ( as the avast download page came up with a 404 ).

While XP was shutting down it installed 8 updates/upgrades. I am assuming these were for avast.

The system ran fine for about half an hour until it BSODed with the screen below

More in a minute as it died again

OK, so it did run fine for approximately one half hour and then got a BSOD shown below

http://i.imgur.com/KoAxM.jpg

I rebooted and then it was back to the same BSOD problem as before

http://i.imgur.com/rRL1W.jpg

Thanks for your ongoing assistance

Sorry for this interruption, but…

Why the need to use registry cleaners for Avast old (un)installations?

Clean your web browser’s cache and download the latest stable Avast setup from Avast’s official website (if it works) or from http://www.filehippo.com (for example).

Try http://www.avast.com/uninstall-utility instructions (maybe better under Windows Safe Mode), and use the new setup just downloaded to reinstall anew. Reboot between EACH step, including after the latest Avast installation finishes.

I appreciate any assistance and do not consider it an interruption.

I apologize if I wasn’t clear - I did not use a registry cleaner, only deleted old installation folder / files

Firefox cleans the cache and BetterPrivacy cleans the flash cookies every time I close the browser.

I will try the uninstall-utility next if the computer will stay up long enough to complete the steps.

Thanks for your ideas

Ah the fact that you are finding old installations means that the uninstall failed

Download a fresh copy of Avast to your desktop
Download aswclear to your desktop http://www.avast.com/uninstall-utility

Remove avast via add/remove
Reboot to safe mode and run aswclear
Reboot to normal mode and reinstall Avast

Let me know if you get a recurrence

I did run aswclear.exe ( version 1.0.0.1 ) in Safe mode
Selected Avast 6
Showed that files removed
Shut down Windows

Rebooted to normal desktop

Ran setup_av_free.exe ( version 6.0.1203.0 )

5 minutes later I got the BSOD shown in http://i.imgur.com/rRL1W.jpg

My only thought was that since I have been using Avast Pro since at least version 4, perhaps there are remnants of previous installations making life difficult for me now, so …

Rebooted back into Safe mode
Selected Avast 6 Free/Pro
Showed that files removed
Shut down Windows

Rebooted back into Safe mode
Selected Avast 4 Free/Pro
Showed that files removed
Shut down Windows

Rebooted back into Safe mode
Selected Avast 5 Free/Pro
Showed that files removed
Shut down Windows

Rebooted back into Safe mode
Selected Avast 32
Showed that files removed
Shut down Windows

Rebooted to normal desktop

Ran setup_av_free.exe ( version 6.0.1203.0 )

So far so good, though while typing this an Avast “Suspicious Files Found” window popped up

Suspicious files have been detected ( using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis. Further information File name C:/Documents and Settings\RSAS\...\sessionstore-103.js

with the Ignore / Delete options in the Actions To Take box available

I am leaving it open until I hear back from you about your advice regarding Ignore/Delete

So the good news is that I have been able to type this post without seeing a BSOD and possibly may have found an issue ( the Suspicious File Found window popped up about the same time that the BSOD usually showed up )

Thanks again for your time and advice.

Thanks for your insights

When I attempted to download

That is a JavaScript file, so place it in quarantine

And then about a minute later it BSODed again - arrgghh !!

Getting better with this board's options though

Attachment is latest BSOD

Don’t know where Reply#15 came from

The only options for the Suspicious File were Ignore or Delete, no Quarantine option was available.

Not that it matters now ( due to the BSOD )

And thanks for your time and advice nonetheless

As you are offline and I feel like I am beating my head against a wall, I am taking a break.

Thanks for all of your help, I truly appreciate your time and effort - hopefully we’ll get this resolved in the future.