Safe mode hangs on 'aswrvt.sys' [Solved]



#1
tdubs

tdubs

    New Member

  • Member
  • Pip
  • 7 posts

Hello,

 

Recently I've been booting my computer into Safe Mode to check on some things and I noticed upon boot, that it hangs on "aswrvt.sys." I know this isn't normal and I've been looking up solutions to fix this but most of them are done by FRST. Attached is a log of my FRST scan.

 

Thanks! :)



  • 0



#2
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Anyone?


  • 0

#3
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Hi. My name is Brian, and I would be happy to look into your issue.
 


- General Instructions -

  • Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.
  • I would advise printing any instructions for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
  • Any fixes provided by myself are for this log file only and should not be used on any other systems.
  • Do not run any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
  • It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
  • You have 4 days to reply to each post or the topic will be closed. You will be able to request that the topic be re-opened by sending me a PM (Personal Message) or PM a moderator.
  • Please feel free to ask any questions, especially if you are having problems with my instructions.


- Save ALL Tools to your Desktop-

 

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.
 
Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

- Finally Before We Start-

 
Removing malware is a complicated multiple step process. Please stay with me until I have declared your system clean. I strongly recommend you backup your personal files and folders. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

 

 

 

 

Hi tdubs -

 

It's not uncommon for you to see a delay on aswrvt.sys when booting into Safe Mode (as long as it gets past this and boots). This is your Avast antivirus and I don't believe it is an issue. You can always uninstall your Avast antivirus and install another one such as Microsoft Security Essentials which in my opinion is just as good. I don't believe you are infected with any kind of malware.

 

I will point out a few things I see in your logs though and would like to take a closer look at one item with the fix below.

 

Step#1 - Warnings

CCleaner

I see that you have CCleaner installed. This is indeed a good product but I wanted to caution you on running the registry cleaning functionality of the tool. Please avoid this as it can do more harm than good.

 

IObit

The vendor is untrustworthy and deemed a rogue within the Anti-Malware community as a whole. I would recommend that you uninstall any programs from this vendor. I've personally seen the Smart Defrag cause blue screen/crashes on machines. Following are the ones I would recommend uninstalling.

 

Driver Booster 2.1
IObit Uninstaller
Smart Defrag 3
Smart Defrag 4

 

Step#2 - CKScanner
1. Download CKScanner by askey127 from here & save it to your Desktop.
2. Right-click on CKScanner.exe then click Run as Administrator to open. Allow if prompted.
3. Click Search For Files
4. When the cursor hourglass disappears, click Save List To File
5. A message box will verify the file saved
6. Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

 

Step#3 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download attached file and save it to the Desktop. Attached file: fixlist.txt (196 bytes)
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

 

 

Items for your next post

1. CKScanner log

2. FRST Fix log.

 

 

 

 


  • 0

#4
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe photoshop cc (64 bit)\presets\brushes\cracksandwalls.abr
c:\program files\gimp 2\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\adobe\adobe dreamweaver cc\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe photoshop cc\presets\brushes\cracksandwalls.abr
scanner sequence 3.BB.11.XTAPDZ
 ----- EOF ----- 
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2015 03
Ran by Tyler at 2015-03-08 16:11:54 Run:1
Running from C:\Users\Tyler\Desktop
Loaded Profiles: Tyler (Available profiles: Tyler & DefaultAppPool)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CreateRestorePoint:
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
file: C:\Windows\explorer.exe
EmptyTemp:
*****************
 
Restore point was successfully created.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
 
========================= file: C:\Windows\explorer.exe ========================
 
MD5: 3198AAC9511A10CA5DEE2654D1C73B44
Creation and modification date: 2014-05-13 21:08 - 2011-04-27 18:29
Size: 2871808
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: explorer
Original Name: EXPLORER.EXE.MUI
Product Name: Microsoft® Windows® Operating System
Description: Windows Explorer
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: © Microsoft Corporation. All rights reserved.
 
====== End Of File: ======
 
EmptyTemp: => Removed 51 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 16:12:59 ====

  • 0

#5
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

It appears your explorer.exe is patched. Please do the following.

 

Step#1 - File Identification
1. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
2. Copy explorer.exe and paste it into the Search box of the FRST window.
3. Click the Search Files button.
4. When the search is done it will open a notepad window with the results. Can you copy/paste the contents of this window into your next post?

 

Step#2 - Rootkit Scan
1. Download aswMBR to your desktop.
2. Right-click on aswMBR.exe and select Run as administrator to run it.
3. If you get a question about Virtualization Technology, answer Yes.
4. If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
5. Click the "Scan" button to start scan.
6. On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

 

 

 

Items for your next post

1. FRST Search results

2. Rootkit Scan log

 

 


  • 0

#6
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Farbar Recovery Scan Tool (x64) Version: 08-03-2015 03
Ran by Tyler at 2015-03-08 17:37:05
Running from C:\Users\Tyler\Desktop
Boot Mode: Normal
 
================== Search Files: "explorer.exe" =============
 
C:\Windows\explorer.exe
[2014-05-13 21:08][2011-04-27 18:29] 2871808 ____A (Microsoft Corporation) 3198AAC9511A10CA5DEE2654D1C73B44
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2014-05-13 21:08][2011-02-25 22:19] 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746 [File is signed]
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2014-05-13 21:08][2011-02-24 22:30] 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E [File is signed]
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010-11-20 20:24][2010-11-20 20:24] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493 [File is signed]
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2014-05-13 21:08][2011-02-25 23:14] 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48 [File is signed]
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2014-05-13 21:08][2011-02-24 23:19] 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3 [File is signed]
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-20 20:24][2010-11-20 20:24] 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24 [File is signed]
 
C:\Windows\SysWOW64\explorer.exe
[2014-05-13 21:08][2011-02-24 22:30] 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E [File is signed]
 
====== End Of Search ======
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-03-08 17:52:06
-----------------------------
17:52:06.635    OS Version: Windows x64 6.1.7601 Service Pack 1
17:52:06.635    Number of processors: 6 586 0x200
17:52:06.636    ComputerName: TYLER-PC  UserName: Tyler
17:52:08.351    Initialize success
17:52:08.480    VM: initialized successfully
17:52:08.495    VM: Amd CPU supported virtualized 
17:52:11.346    AVAST engine defs: 15030801
17:52:12.458    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:52:12.462    Disk 0 Vendor: ST31000528AS HP40 Size: 953869MB BusType: 3
17:52:12.684    Disk 0 MBR read successfully
17:52:12.686    Disk 0 MBR scan
17:52:12.689    Disk 0 Windows 7 default MBR code
17:52:12.701    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       953767 MB offset 206848
17:52:12.715    Disk 0 default boot code
17:52:12.866    Disk 0 scanning C:\Windows\system32\drivers
17:52:32.685    Service scanning
17:52:46.244    Modules scanning
17:52:46.259    Disk 0 trace - called modules:
17:52:46.627    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS amdide64.sys PCIIDEX.SYS hal.dll atapi.sys 
17:52:46.636    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800dbee060]
17:52:46.645    3 CLASSPNP.SYS[fffff8800192b43f] -> nt!IofCallDriver -> [0xfffffa800d595520]
17:52:46.653    5 ACPI.sys[fffff88000ee97a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d593680]
17:52:47.888    AVAST engine scan C:\Windows
17:53:23.873    AVAST engine scan C:\Windows\system32
17:56:29.134    AVAST engine scan C:\Windows\system32\drivers
17:56:39.124    AVAST engine scan C:\Users\Tyler
18:10:46.866    AVAST engine scan C:\ProgramData
18:13:10.484    Disk 0 statistics 5083018/0/0 @ 2.29 MB/s
18:13:10.504    Scan finished successfully
18:13:17.194    Disk 0 MBR has been saved successfully to "C:\Users\Tyler\Desktop\MBR.dat"
18:13:17.194    The log file has been saved successfully to "C:\Users\Tyler\Desktop\aswMBR.txt"

  • 0
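The comparison behind the search results in the post above, as an added example that is not part of the thread and not FRST's own logic: it parses the "Search Files" output, flags a live C:\Windows\explorer.exe that lacks the "[File is signed]" marker and whose MD5 matches no signed copy, and returns the signed amd64 WinSxS copy a reviewer would look at first. The function names and the ranking rule (same size, then highest component version) are assumptions of this sketch.

```python
import re
from dataclasses import dataclass

# Excerpt of the FRST "Search Files" output posted above (4 of the 8 entries).
SAMPLE = r"""
C:\Windows\explorer.exe
[2014-05-13 21:08][2011-04-27 18:29] 2871808 ____A (Microsoft Corporation) 3198AAC9511A10CA5DEE2654D1C73B44

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2014-05-13 21:08][2011-02-25 22:19] 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2014-05-13 21:08][2011-02-25 23:14] 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-20 20:24][2010-11-20 20:24] 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24 [File is signed]
"""

# Detail line: [created][modified] size attributes (company) MD5 [File is signed]
DETAIL = re.compile(
    r"^\[[^\]]+\]\[[^\]]+\] (?P<size>\d+) \S+ \([^)]*\) "
    r"(?P<md5>[0-9A-Fa-f]{32})(?P<signed> \[File is signed\])?$")
VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")  # component version in WinSxS path

@dataclass
class Entry:
    path: str
    size: int
    md5: str
    signed: bool

def parse_search_log(text):
    """Pair each path line with the detail line that follows it."""
    entries, path = [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):
            path = line
        elif path and (m := DETAIL.match(line)):
            entries.append(Entry(path, int(m["size"]), m["md5"].upper(), bool(m["signed"])))
            path = None
    return entries

def triage(entries, live_path=r"C:\Windows\explorer.exe"):
    """Return (needs_review, replacement_candidate) for the live file."""
    live = next((e for e in entries if e.path.lower() == live_path.lower()), None)
    if live is None:
        raise ValueError(f"{live_path} not present in the log")
    signed_md5s = {e.md5 for e in entries if e.signed}
    # Review when the live copy lacks the signed marker and matches no signed copy.
    needs_review = not live.signed and live.md5 not in signed_md5s
    # On 64-bit Windows the live explorer.exe is the amd64 build; wow64_ copies are 32-bit.
    pool = [e for e in entries if e.signed and "\\winsxs\\amd64_" in e.path.lower()]
    def rank(e):  # assumption of this sketch: same size first, then newest version
        m = VERSION.search(e.path)
        return (e.size == live.size, tuple(map(int, m.group(1).split("."))) if m else ())
    return needs_review, max(pool, key=rank, default=None)

if __name__ == "__main__":
    flagged, candidate = triage(parse_search_log(SAMPLE))
    print("needs review:", flagged)
    print("candidate:", candidate.path if candidate else None)
```

A flag from this check is only a reason to look closer; the signature and hash of the candidate should be confirmed on the machine before any file is replaced.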

#7
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, let's fix you up and check for remnants.

 

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download attached file and save it to the Desktop. Attached file: fixlist.txt (150 bytes)
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

Step#2 - Malwarebytes Scan


  • Open up Malwarebytes.
  • If an update is found you will be prompted to download and install. Go ahead.
  • Click the Settings button and then the Detection and Protection tab. Then check the box to Scan for rootkits.
  • Click the Scan button at the top of the form and then click Scan Now.
  • If anything is detected, there will be an Apply Actions button. Please click this.
  • Once the scan completes click the View detailed log link.
  • Then click the Copy to clipboard button and paste into your next post.

 

 

Items for your next post

1. FRST Fix log

2. Malwarebytes log

 


  • 0

#8
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2015 03
Ran by Tyler at 2015-03-08 18:33:24 Run:2
Running from C:\Users\Tyler\Desktop
Loaded Profiles: Tyler (Available profiles: Tyler & DefaultAppPool)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
replace: C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe c:\windows\explorer.exe
*****************
 
c:\windows\explorer.exe => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe copied successfully to c:\windows\explorer.exe
 
==== End of Fixlog 18:33:25 ====
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/8/2015
Scan Time: 6:34:49 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.03.08.06
Rootkit Database: v2015.02.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tyler
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 448785
Time Elapsed: 10 min, 40 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • 0

#9
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Excellent. Is there anything else I can help you with before I provide you with some closing comments and info on cleaning up our tools?


  • 0

#10
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

> Excellent. Is there anything else I can help you with before I provide you with some closing comments and info on cleaning up our tools?

 

That's all if that's all you've got for me. I appreciate the help! :)


  • 0

#11
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK! Well done, your computer is clean again! :thumbsup: Part of our jobs here at G2G is to help you clean your computer. But beyond that and just as important is to provide you with some information to keep you safe and secure on the net as well as to share knowledge. Following is that information.

 
1. Clean Up!
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
1. Download Delfix from here.
2. Ensure everything is checked.
3. Click Run.
Note: The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
Note: Delete any other .bat, .log, .reg, .txt, and any other files created during this process and left on the desktop, and empty the Recycle Bin.
 
2. Windows Updates
Another essential task is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically. Follow the instructions below to ensure your settings are optimal.
1. Click the Start Orb in the lower left corner of the screen.
2. Type Windows Update in the search box that appears
3. Click on the Windows Update program that appears in the search results.
4. Click on Change Settings.
5. Select "Install updates automatically (recommended)" from the Important updates drop-down.
6. Choose a day and a time when you know the computer will be on and connected to the internet. The default is 3:00AM every day.
7. Ensure that all of the other check boxes are checked.
8. Click OK.
 
3. Keeping Programs Updated
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is Secunia Personal Software Inspector (PSI). You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.
 
4. Antimalware- Preventative

Note: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is an anti-malware software and not an antivirus software so it won't conflict with the Antivirus that you are running. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.
 
5. Crypto Warning!!!! - Complete Data Loss can occur!
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.
 


  • Download CryptoPrevent free for home use here following the instructions below.
  • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
  • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
  • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
  • You will be prompted to click OK to continue and select your protection level. Go ahead and click OK.
  • Click the Apply button to set Default protection.
  • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
  • That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.
 

 
For more information about computer security and how to protect yourself when on the internet, please read this guide: Best Practices for Safe Computing.
 
OK, all the best, and stay safe!
 
Items for your next post
1. Contents of the delfix log


  • 0

#12
tdubs

tdubs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I deleted the DelFix log by accident but it did remove everything we used. Thank you for your help!


  • 0

#13
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





