Author Topic: aswMBR crash in W7  (Read 3424 times)

Offline gordon451

  • Full Member
  • ***
  • Posts: 165
  • It MUST be beer\food'o'clock SOMEwhere!
aswMBR crash in W7
« on: September 30, 2014, 02:08:52 PM »
Hi, I was running aswMBR this afternoon (29 Sept 14) as a checkout, to see what I was looking at.  It was travelling quite well for about 15 or so minutes, then hit a pothole...  I've pasted the available Windows crash reports:

aswMBR run in Admin account.  Avast! v7.0.1466, all shields disabled.
OS etc in sig.  No user apps running.  App was renamed to include version # before I lit it up.
---------------------------------------------------------------------
Version=1
EventType=APPCRASH
EventTime=130564416935998680
ReportType=2
Consent=1
UploadTime=130564416937538768
ReportIdentifier=794ed6e9-4798-11e4-a4e9-50e549cda06d
IntegratorReportIdentifier=794ed6e8-4798-11e4-a4e9-50e549cda06d
WOW64=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=aswMBR1-0-1-2041.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.1.2041
Sig[2].Name=Application Timestamp
Sig[2].Value=539e8df7
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7601.17725
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4ec49b8f
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0002e41b
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=3081
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
UI[2]=D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe
UI[3]=avast! Antirootkit has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\WININET.dll
LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[6]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
LoadedModule[8]=C:\Windows\syswow64\USER32.dll
LoadedModule[9]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[10]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[11]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[12]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[13]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[14]=C:\Windows\syswow64\LPK.dll
LoadedModule[15]=C:\Windows\syswow64\USP10.dll
LoadedModule[16]=C:\Windows\syswow64\Normaliz.dll
LoadedModule[17]=C:\Windows\syswow64\iertutil.dll
LoadedModule[18]=C:\Windows\syswow64\urlmon.dll
LoadedModule[19]=C:\Windows\syswow64\ole32.dll
LoadedModule[20]=C:\Windows\syswow64\OLEAUT32.dll
LoadedModule[21]=C:\Windows\syswow64\SHELL32.dll
LoadedModule[22]=C:\Windows\system32\IMM32.DLL
LoadedModule[23]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[24]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswEngin.dll
LoadedModule[25]=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCP90.dll
LoadedModule[26]=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
LoadedModule[27]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswCmnIS.dll
LoadedModule[28]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswCmnOS.dll
LoadedModule[29]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswCmnBS.dll
LoadedModule[30]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswScan.dll
LoadedModule[31]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswRep.dll
LoadedModule[32]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswFiDb.dll
LoadedModule[33]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswCleanerDLL.dll
LoadedModule[34]=C:\Program Files\AVAST Software\Avast\defs\14092801\algo.dll
LoadedModule[35]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[36]=C:\Windows\syswow64\NSI.dll
LoadedModule[37]=C:\Windows\system32\secur32.dll
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=avast! Antirootkit
AppPath=D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe


App. Log Error 1000 (100) @29-Sep-14 13:21:33
   General
Faulting application name: aswMBR1-0-1-2041.exe, version: 1.0.1.2041, time stamp: 0x539e8df7
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002e41b
Faulting process id: 0xefc
Faulting application start time: 0x01cfdba14c94cf6e
Faulting application path: D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 794ed6e8-4798-11e4-a4e9-50e549cda06d

   Details - XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T05:21:33.000000000Z" />
    <EventRecordID>65793</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Ummmm</Computer>
    <Security />
  </System>
  <EventData>
    <Data>aswMBR1-0-1-2041.exe</Data>
    <Data>1.0.1.2041</Data>
    <Data>539e8df7</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.17725</Data>
    <Data>4ec49b8f</Data>
    <Data>c0000005</Data>
    <Data>0002e41b</Data>
    <Data>efc</Data>
    <Data>01cfdba14c94cf6e</Data>
    <Data>D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe</Data>
    <Data>C:\Windows\SysWOW64\ntdll.dll</Data>
    <Data>794ed6e8-4798-11e4-a4e9-50e549cda06d</Data>
  </EventData>
</Event>

App. Info  1001 @29-Sep-14 13:21:42
   General
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: aswMBR1-0-1-2041.exe
P2: 1.0.1.2041
P3: 539e8df7
P4: ntdll.dll
P5: 6.1.7601.17725
P6: 4ec49b8f
P7: c0000005
P8: 0002e41b
P9:
P10:
Attached files:
C:\Users\Gordon Edwards\AppData\Local\Temp\WERC2E7.tmp.WERInternalMetadata.xml
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_aswMBR1-0-1-2041_2aa079f2149476801a2af518cf6ef6fe6ead56b_021be4e8
Analysis symbol:
Rechecking for solution: 0
Report Id: 794ed6e8-4798-11e4-a4e9-50e549cda06d
Report Status: 1

   Details - XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T05:21:42.000000000Z" />
    <EventRecordID>65794</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Ummmm</Computer>
    <Security />
  </System>
  <EventData>
    <Data />
    <Data>0</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>aswMBR1-0-1-2041.exe</Data>
    <Data>1.0.1.2041</Data>
    <Data>539e8df7</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.17725</Data>
    <Data>4ec49b8f</Data>
    <Data>c0000005</Data>
    <Data>0002e41b</Data>
    <Data />
    <Data />
    <Data>C:\Users\Gordon Edwards\AppData\Local\Temp\WERC2E7.tmp.WERInternalMetadata.xml</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_aswMBR1-0-1-2041_2aa079f2149476801a2af518cf6ef6fe6ead56b_021be4e8</Data>
    <Data />
    <Data>0</Data>
    <Data>794ed6e8-4798-11e4-a4e9-50e549cda06d</Data>
    <Data>1</Data>
  </EventData>
</Event>

Er, what happened?

Gordon.
Gigabyte H61M-USB3-B3 r2.0, I5-2400 3.10GHz, 4GB RAM; W7HPx64 SP1, Lotus SmartSuite 9.8, K-Meleon 76RC, Pale Moon 26.2, Opera 12.17x64, IE11, Clyton email 14.0, Foxit Reader 7.0.6.1126, PaintShop Pro 6.02, Avast! 12.3.2280, SuRun 1.2.1.2, VoodooShield 3.50
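The two records in the post above (the WER Report.wer key=value file and the Application log event 1000) carry the same crash signature in two different layouts, and the first triage step is to confirm they agree and to see which non-Windows modules were loaded when the fault landed in ntdll.dll. Below is an added example in Python that does exactly that; it is not code from the post or from Avast. The WER_REPORT and EVENT_1000_XML strings are constructed excerpts of the report posted above, and SYSTEM_ROOT (the default C:\Windows install path) is an assumption.

```python
# Added example, not code from the post or from Avast: parse the WER APPCRASH
# report (key=value form pasted above) and the Application log event 1000, then
# cross-check them.  Both texts are constructed excerpts of the posted report;
# SYSTEM_ROOT is an assumption (default Windows install).
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

WER_REPORT = r"""
EventType=APPCRASH
ReportIdentifier=794ed6e9-4798-11e4-a4e9-50e549cda06d
IntegratorReportIdentifier=794ed6e8-4798-11e4-a4e9-50e549cda06d
WOW64=1
Sig[0].Name=Application Name
Sig[0].Value=aswMBR1-0-1-2041.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.1.2041
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0002e41b
LoadedModule[0]=D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[24]=C:\Program Files\AVAST Software\Avast\defs\14092801\aswEngin.dll
LoadedModule[37]=C:\Windows\system32\secur32.dll
"""

EVENT_1000_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID></System>
  <EventData>
    <Data>aswMBR1-0-1-2041.exe</Data><Data>1.0.1.2041</Data><Data>539e8df7</Data>
    <Data>ntdll.dll</Data><Data>6.1.7601.17725</Data><Data>4ec49b8f</Data>
    <Data>c0000005</Data><Data>0002e41b</Data><Data>efc</Data><Data>01cfdba14c94cf6e</Data>
    <Data>D:\Basement\InternetTools\Security\AntiVirus\aswMBR1-0-1-2041.exe</Data>
    <Data>C:\Windows\SysWOW64\ntdll.dll</Data>
    <Data>794ed6e8-4798-11e4-a4e9-50e549cda06d</Data>
  </EventData>
</Event>
"""

SIG_RE = re.compile(r"^Sig\[(\d+)\]\.(Name|Value)$")
MOD_RE = re.compile(r"^LoadedModule\[(\d+)\]$")

def parse_wer(text):
    """Return {'fields': {...}, 'signature': {name: value}, 'modules': {index: path}}."""
    fields, parts, modules = {}, defaultdict(dict), {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue                                  # blank or malformed line
        if m := SIG_RE.match(key):
            parts[int(m.group(1))][m.group(2)] = value
        elif m := MOD_RE.match(key):
            modules[int(m.group(1))] = value
        else:
            fields[key] = value
    sig = {p["Name"]: p["Value"] for p in parts.values() if "Name" in p and "Value" in p}
    return {"fields": fields, "signature": sig, "modules": modules}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional meaning of the <Data> elements in an "Application Error" event 1000
EVENT_1000_FIELDS = ("app_name", "app_version", "app_timestamp", "module_name",
                     "module_version", "module_timestamp", "exception_code", "fault_offset",
                     "pid", "start_time", "app_path", "module_path", "report_id")

def parse_event_1000(xml_text):
    root = ET.fromstring(xml_text.strip())
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        raise ValueError("not an Application Error event 1000")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < len(EVENT_1000_FIELDS):
        raise ValueError(f"expected {len(EVENT_1000_FIELDS)} Data elements, got {len(data)}")
    return dict(zip(EVENT_1000_FIELDS, data))

# WER signature field -> event field that must carry the same value
SIG_PAIRS = {"Application Name": "app_name", "Application Version": "app_version",
             "Fault Module Name": "module_name", "Exception Code": "exception_code",
             "Exception Offset": "fault_offset"}

def crosscheck(wer, event):
    """Return the discrepancies between the two records; an empty list means they agree."""
    sig, problems = wer["signature"], []
    for wer_key, evt_key in SIG_PAIRS.items():
        if sig.get(wer_key, "").lower() != event[evt_key].lower():
            problems.append(f"{wer_key}: WER={sig.get(wer_key)!r} event={event[evt_key]!r}")
    # The event's Report Id is the IntegratorReportIdentifier, not the outer ReportIdentifier
    if wer["fields"].get("IntegratorReportIdentifier") != event["report_id"]:
        problems.append("event Report Id does not match IntegratorReportIdentifier")
    # A 32-bit process on x64 (WOW64=1) faults in the SysWOW64 ntdll, not the System32 one
    if wer["fields"].get("WOW64") == "1" and "\\syswow64\\" not in event["module_path"].lower():
        problems.append("WOW64=1 but faulting module is not under SysWOW64")
    return problems

SYSTEM_ROOT = "c:\\windows\\"   # assumption: default install path

def third_party_modules(wer):
    """Loaded modules outside the Windows directory, in load order: the first suspects
    when the fault address lies inside a system DLL such as ntdll.dll."""
    return [p for _, p in sorted(wer["modules"].items()) if not p.lower().startswith(SYSTEM_ROOT)]
```

crosscheck() returning an empty list means the signature fields, the Report Id (the event carries the IntegratorReportIdentifier, not the outer ReportIdentifier) and the WOW64/SysWOW64 pairing all agree, as they do for the posted report. third_party_modules() then lists the executable itself and the Avast defs engine DLL as the only non-Windows code in the process, which is where to look first when the faulting instruction is inside ntdll.dll.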

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 60365
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: aswMBR crash in W7
« Reply #1 on: September 30, 2014, 02:13:19 PM »
The only one who can answer this is the dev of aswMBR. ;)
-> https://forum.avast.com/index.php?action=profile;u=20999
Windows 8.1 [x64] - Avast PremSec 19.7.2388.BC - CC 5.61 - EEK - Firefox ESR 60.8 [NS/AOS/uBO] - TB 60.8 [EM] - ACP/ASB/ASL.BC
German-language area -> Avast Wissenswertes (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline gordon451

Re: aswMBR crash in W7
« Reply #2 on: September 30, 2014, 02:21:56 PM »
Hi Asyn, thanks for the quick reply.

I've had a quick dekko at his profile, and I can make some time tomorrow (Wednesday) to re-run the test and see what happens.  I've had a bit of a think, and there are some things I need to check: maybe the box should be taken off the LAN before running aswMBR?  And perhaps a scan of SysWOW64\ntdll.dll and system32\secur32.dll would be in order!

Gordon.

Offline Asyn

Re: aswMBR crash in W7
« Reply #3 on: September 30, 2014, 02:23:11 PM »
You're welcome.

Offline gordon451

Re: aswMBR crash in W7
« Reply #4 on: October 01, 2014, 01:32:02 AM »
OK, all fixed--I hope!

It would appear that aswMBR either (a) needs to be run from the (Admin) desktop, or (b) needs to run with an unadulterated filename, or both.

I haven't checked with gmer yet, I need to think a bit more.  Even on an infected machine it should be easy enough to pull aswMBR out of its repository onto the Admin desktop.  I can't see any rootkit spending time on my data drives looking for anti-malware!  OTOH, perhaps the ability to run it from a repository may be desirable...

Gordon.