General aswMBR questions

Hi all. Occasional lurker turned member here. Thanks for a great site. I believe I’ve got a rootkit on my pc and I was pointed to run aswMBR. It’s been running for a little while but everything I’ve read says it should be a very fast scan. I know that’s all relative so if someone could tell me how long a typical scan should take, I’d be very grateful. 5 minutes, 25 minutes, 3 hours? And does the window tell me when it’s completed its scan?

Thanks for the assistance!

Weaser

Shouldn’t take more than 5 minutes

Wow, then I may have a bigger issue than I think. Mine has been running for about an hour and a half and it’s still scanning the Applications folder. I had previously run ComboFix and that was running overnight which I know is not typical either.

Thoughts?

No don’t run CF! Very bad idea. Wait

attach OTL diagnostic log http://forum.avast.com/index.php?topic=53253.0

Also, attach the CF Logs located in C:\Combofix.txt

Here is the aswMBR log but I’m not finding the CF log.

Follow Pondus’ advice.

12:12:27.469 Service kl1 C:\WINDOWS\system32\DRIVERS\kl1.sys LOCKED 5
12:12:27.594 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys LOCKED 5
12:12:27.625 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys LOCKED 5
12:12:27.656 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys LOCKED 5
12:12:27.703 Service klpd C:\WINDOWS\system32\DRIVERS\klpd.sys LOCKED 5
12:12:27.734 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys LOCKED 5
12:12:27.827 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys LOCKED 5

^^

Not normal, and probably why aswMBR had issues
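The seven log lines quoted above all share the same shape (timestamp, the word Service, driver name, file path, a status word and a numeric code), which makes them easy to summarise mechanically. The following is an added example for this thread, not a tool from avast, the forum or any of the posters. It parses lines in that shape, counts statuses, and lists LOCKED drivers that are not on an allow-list. The allow-list is built only from the names a later reply in the thread attributes to Kaspersky (KAV/KIS); it is an assumption of the example, not a vendor database.

```python
"""Summarise the 'Service' lines of an aswMBR-style log.

Added example for this thread, not a tool from avast or the forum. It assumes
only the line shape visible in the quoted log: a timestamp, the word Service,
a driver name, a file path, a status word (here LOCKED) and a numeric code.
"""
from collections import Counter

# Constructed sample input: the seven lines quoted in the post above.
SAMPLE_LOG = r"""
12:12:27.469 Service kl1 C:\WINDOWS\system32\DRIVERS\kl1.sys LOCKED 5
12:12:27.594 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys LOCKED 5
12:12:27.625 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys LOCKED 5
12:12:27.656 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys LOCKED 5
12:12:27.703 Service klpd C:\WINDOWS\system32\DRIVERS\klpd.sys LOCKED 5
12:12:27.734 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys LOCKED 5
12:12:27.827 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys LOCKED 5
"""

# Drivers that a later reply in the thread identifies as Kaspersky (KAV/KIS)
# components. This allow-list comes from the thread, not from a vendor
# database; treat it as an assumption for the purpose of the example.
KNOWN_KASPERSKY_DRIVERS = frozenset(
    {"kl1", "klim5", "klkbdflt", "klmouflt", "klpd", "kltdi", "kneps"}
)


def parse_service_lines(text):
    """Return one dict per 'Service' line; lines of any other shape are skipped.

    The path is everything between the driver name and the final two tokens,
    so paths containing spaces still parse correctly.
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[1] != "Service" or not tokens[-1].isdigit():
            continue
        entries.append({
            "time": tokens[0],
            "name": tokens[2],
            "path": " ".join(tokens[3:-2]),
            "status": tokens[-2],
            "code": int(tokens[-1]),
        })
    return entries


def status_counts(entries):
    """Count entries per status word, e.g. Counter({'LOCKED': 7})."""
    return Counter(e["status"] for e in entries)


def unexplained_locked(entries, known=KNOWN_KASPERSKY_DRIVERS):
    """Names of LOCKED drivers that the allow-list does not account for.

    A LOCKED status on its own is not evidence of a rootkit: a security
    product protecting its own drivers produces the same result. Only names
    outside the known set warrant a closer look by whoever reads the log.
    """
    return sorted(
        e["name"] for e in entries
        if e["status"] == "LOCKED" and e["name"] not in known
    )


if __name__ == "__main__":
    parsed = parse_service_lines(SAMPLE_LOG)
    print("status counts:", dict(status_counts(parsed)))
    print("locked drivers not on the allow-list:", unexplained_locked(parsed))
```

Run on the quoted lines, every entry is LOCKED and every name is on the allow-list, so the "not on the allow-list" result is empty; this matches the later reply that the locked files are legitimate Kaspersky drivers and that the real concern was aswMBR failing to load its own driver, which these lines do not show.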

I’m assuming by "Follow Pondus’ advice" you mean follow the steps in his link (i.e. start with Malware Anti-Malware). I’ll download that and start following the steps as written. My day here is almost done so I’ll have to be back at it again tomorrow. Thanks for the help so far, have a great evening and I’m sure we’ll be talking tomorrow!

just do OTL and the malware experts will take it from there…

Will do. Thanks, Pondus.

Hi WeaserP,

Locked drivers (files) are legit. They are Kaspersky related. aswMBR doesn’t have access to KAV/KIS’s drivers and that’s why it reports the file as “locked”.

However, aswMBR couldn’t load its driver. This may be caused by rootkit activity. Use TDSSKiller to check for the presence of rootkit or MBR based malware.
Of course, OTL diagnostic log is necessary.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

- Press Start Scan
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Good morning, all! Back at the controls. OTL never completed (at least not through the last 16 hours) so I killed it and went on to TDSSKiller as instructed. Attached is that log. Looking forward to hearing your thoughts, thanks!

OTL never completed (at least not through the last 16 hours)...
Try running it from safe mode.

If still no success, magna86 has other diagnostic tools…

Will do…

Hi,

TDSSKiller is clean.

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

OTL is now running in safe mode. Should I kill that and move on to Farbar or wait for that to finish? And should I run Farbar in safe mode or regular?

Stopped OTL and running Farbar now…

Farbar logs attached…

Hi WeaserP,

This isn’t a home PC, right? What are you using the “GoToAssist” Remote Support Customer software for?

Plus:

I see you have run ComboFix.