Author Topic: BSOD from aswHwid.sys on installation attempt  (Read 11419 times)


REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #15 on: July 25, 2014, 09:54:01 AM »
Please don't make any changes to your machine (the infected one?) in the meantime until the malware specialist assists you. If you are connected to a network, disconnect this machine from the network, and do not sync this machine with any device. And don't use a USB stick with this machine. Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: BSOD from aswHwid.sys on installation attempt
« Reply #16 on: July 25, 2014, 02:02:03 PM »
There are still two Avast services present and one is an emergency update for aswHwid. I will remove those and see if that was the root problem.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-02]
S4 aswSP; No ImagePath
S3 aswEmHWID2; \??\C:\Users\THINKP~1\AppData\Local\Temp\aswEmHWID.sys [X]
2014-07-24 12:58 - 2014-07-24 12:58 - 00043152 _____ () C:\Windows\avastSS.scr
2014-07-24 12:58 - 2014-07-24 12:58 - 00000000 ____D () C:\Program Files\AVAST Software
2014-07-24 12:57 - 2014-07-24 12:58 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-07-02 18:08 - 2014-07-02 18:08 - 01039096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1405094970209
2014-07-02 18:08 - 2014-07-02 18:08 - 00423240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.1405094970209
2014-07-02 18:08 - 2014-06-03 13:40 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
C:\Users\THINKP~1\AppData\Local\Temp\aswEmHWID.sys
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {FDED6212-DEC4-4FB4-85E2-D274135F22B8} URL =
BHO: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} ->  No File
Toolbar: HKCU - No Name - {41564952-412D-5637-4300-7A786E7484D7} -  No File
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: No Name - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-07-24]
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #17 on: July 25, 2014, 02:20:22 PM »
Hi EssexBoy, just been reading some of your work in other posts!

So, I did exactly that, BSOD caused by aswHwid.sys

No logs.

What's next?

[EDIT] Should my system currently be clean of Avast (aswclear, rejzor tool, ccleaner)?
« Last Edit: July 25, 2014, 02:23:00 PM by jfgoodhew1 »

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #18 on: July 25, 2014, 02:28:24 PM »
Could you run a fresh FRST scan please so that I can ensure it is all gone :)

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #19 on: July 25, 2014, 02:30:22 PM »
Sorry, ensure what is all gone?

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #20 on: July 25, 2014, 02:33:56 PM »
Attached logs from fresh FRST scan.

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #21 on: July 25, 2014, 02:38:59 PM »
Once this fix has run, could you post the fix log that will pop up, as I want to see why the aswHwid is not moving.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-02] ()
S4 aswSP; No ImagePath
S3 aswEmHWID2; \??\C:\Users\THINKP~1\AppData\Local\Temp\aswEmHWID.sys [X]
2014-07-25 12:27 - 2014-07-25 12:27 - 00043152 _____ () C:\Windows\avastSS.scr
2014-07-25 12:23 - 2014-07-25 12:27 - 00307344 _____ () C:\Windows\system32\aswBoot.exe
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #22 on: July 25, 2014, 02:42:54 PM »
Same BSOD, no log.
See edit above, should I have already run aswclear?

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #23 on: July 25, 2014, 02:53:44 PM »
Could you run that fix from safe mode please and see if it generates a log then.

Yes, try aswclear.

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #24 on: July 25, 2014, 03:02:22 PM »
OK, aswclear ran, success.
FRST in normal mode gave same BSOD.
FRST log attached from fix (2nd one, shorter) run in safe mode (success).

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #25 on: July 25, 2014, 03:54:03 PM »
That has now deleted the aswHwid services.

So the thought now is: do you wish to try one further install?

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #26 on: July 25, 2014, 03:59:28 PM »
Sure. SUCCESS.
This has taken 5 days to solve overall...
THANK YOU.

So aswHwid.sys - could I have just done net delete aswHwid.sys, or whatever the service name is?

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #27 on: July 25, 2014, 04:55:58 PM »
It looks as though there was an emergency update to the aswHwid file but for some reason it was not being applied (or was corrupt).
Just deleting the file would have done no good as the service registry key needed to be removed as well. However, as an added embuggerance, Avast was protecting that service from deletion in normal mode :)

Still, all is well that ends well.

REDACTED

  • Guest
Re: BSOD from aswHwid.sys on installation attempt
« Reply #28 on: July 25, 2014, 07:27:30 PM »
Yeh, joy of all joys but you knew what you were looking at and I didn't. So I'm very *very* grateful.

Sorry to come back to the question about deleting the service, I don't think I was clear (and since looking it up I definitely wasn't). I meant in cmd, run the commands:

[net stop "SERVICENAME"]
followed by
[sc delete <service_name>]

Doesn't that delete the registry key as well? If it had failed I'd have tried safe mode too... If I'd known it was a service to delete/uninstall, and I'd found out its name, I could actually have solved it in about an hour (it was the online installer taking the time on a 100k connection. Reboots etc. are no problem with SSD)...

BTW I did try renaming the file, and replacing with one from a working Avast installation, but that didn't work. Should probably have guessed service as a next step, but oh well live and learn!

Offline essexboy

Re: BSOD from aswHwid.sys on installation attempt
« Reply #29 on: July 25, 2014, 07:35:13 PM »
Yes, that would do it, but to save messing around with the command prompt a batch works just as well :)
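
Added example (not part of the original thread, and not FRST's or Avast's code): a small Python parser for the three driver lines from the fixlists above, showing why removing the .sys file alone leaves the service registered. The reading of the R/S/U prefix, the start-type digit and [X] as "file not found" are assumptions about FRST's log format; ServiceEntry, parse_services and leftover_keys are hypothetical names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Driver lines copied from the fixlists quoted in the thread above.
SAMPLE = r"""
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-02] ()
S4 aswSP; No ImagePath
S3 aswEmHWID2; \??\C:\Users\THINKP~1\AppData\Local\Temp\aswEmHWID.sys [X]
"""

# Assumed reading of the FRST prefix: letter = running state, digit = start type.
STATE = {"R": "running", "S": "stopped", "U": "undetermined"}
START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
LINE = re.compile(r"^([RSU])(\d) ([^;]+); (.*)$")
TRAILER = re.compile(r"\s*\[[^\]]*\](\s*\([^)]*\))?\s*$")  # "[size date] (vendor)" or "[X]"

@dataclass
class ServiceEntry:
    name: str
    state: str
    start: str
    image: Optional[str]
    notes: List[str] = field(default_factory=list)

def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a service/driver line (e.g. SearchScopes, CMD:)
        state, start, name, rest = m.groups()
        missing = rest.rstrip().endswith("[X]")  # assumed: FRST could not find the file
        path = TRAILER.sub("", rest).strip()
        if path.startswith("\\??\\"):
            path = path[4:]  # strip the NT object-manager prefix
        image = None if path == "No ImagePath" else path
        e = ServiceEntry(name.strip(), STATE[state], START.get(int(start), "unknown"), image)
        if image is None:
            e.notes.append("service key exists but has no ImagePath")
        elif missing:
            e.notes.append("service key exists but the driver file is gone")
        if image and "\\temp\\" in image.lower():
            e.notes.append("driver image lives under a Temp directory")
        entries.append(e)
    return entries

def leftover_keys(entries: List[ServiceEntry]) -> List[str]:
    return [e.name for e in entries if e.notes]
```

On the sample, leftover_keys(parse_services(SAMPLE)) returns aswSP and aswEmHWID2: both are still registered as services even though no usable driver file sits behind them.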