Boot failure, hangs on aswrvrt.sys

[REDACTED]

Hi all,

I'm having a similar problem to this thread:
https://forum.avast.com/index.php?topic=120531.0

Also Win 7 with unknown version of Avast
Visio CT15

These are my options:
Windows Error Recovery
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Start Windows normally

I also get stuck on aswrvrt.sys. I don't get to the starting windows screen, but just a black screen with an active cursor.

Most of my important files were backed up prior to the crash, so it's not the end of the world if I have to start from scratch, but would love to recover if possible.

I'm assuming a similar procedure as the above post is my starting point, but as the thread is 2 years old I thought I'd check before I started doing things.

Any help is greatly appreciated!

[essexboy]

Can you access safe mode ?   or at least the command prompt

[REDACTED]

Not when I try from the Windows Recovery Menu.

If I hit F8 to Advanced Boot Options, I get:

Repair Your Computer
Safe Mode
Safe Mood with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable low-resolution video (640x480)
Last Known Good Configuration
Directory Services restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature enforcement
Start Windows Normally

On Repair Your Computer, I am able to get to system recovery options, where I am able to access the command prompt.

[essexboy]

OK then lets get to work, prior to non booting what was the sequence of events ?

Download . Farbar Recovery Scan Tool x64 
Or           . Farbar Recovery Scan Tool  

Copy this to a USB

Get the computer to the command prompt and then insert the USB

At the command prompt type the following  :
 
notepad and press Enter. 
The notepad opens. Under File menu select Open. 
Select "Computer" and find your flash drive letter and close the notepad. 
In the command window type e:\frst64.exe  or  e:\frst.exe dependant on system
 and press Enter 
Note: Replace letter e with the drive letter of your flash drive. 
The tool will start to run. 
When the tool opens click Yes to disclaimer. 

Press Scan button. 
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

[REDACTED]

I had been browsing with a few tabs open on firefox, but had left the computer idle for some time and when I went to use it again the screen went black.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015
Ran by SYSTEM on MININT-G0BAFAT (01-09-2015 16:40:12)
Running from f:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [fspuip] => C:\Program Files\FSP\fspuip.exe [6319512 2012-07-19] (Sentelic Corporation)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170752 2012-05-09] (SRS Labs, Inc.)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1020064 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [MCTDUtil] => C:\Program Files (x86)\Common Files\DesktopUtil\Util-Desktop.exe [195200 2011-05-03] ()
HKLM\...\Run: [FDispPos] => C:\Program Files (x86)\Common Files\DesktopUtil\Util-Desktop.exe [195200 2011-05-03] ()
HKLM\...\Run: [Onboard] => C:\Program Files\Western Digital\WD SmartWare\WDSmartWare.exe [3165040 2013-08-14] (Western Digital Technologies, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM-x32\...\Run: [OSD Utility] => C:\Program Files (x86)\VIZIO\VIZIO_FN_Key_Utility\VZx.exe [7887872 2012-04-27] (VIZIO Computer Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2678784 2011-10-18] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-01] (AVAST Software)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694080 2013-07-10] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5537136 2013-08-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310064 2014-06-14] (Samsung Electronics Co., Ltd.)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKLM\...26dfa299cadb\InprocServer32: [Authentication UI Logon UI]  <==== ATTENTION
HKU\102314\...\Run: [Spotify] => C:\Users\102314\AppData\Roaming\Spotify\Spotify.exe [6737976 2014-12-14] (Spotify Ltd)
HKU\Sir AndrewII\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3618648 2014-12-21] (Electronic Arts)
HKU\Sir AndrewII\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
Startup: C:\Users\Sir AndrewII\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013-08-19]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Sir AndrewII\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk [2013-08-19]
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\Users\Sir AndrewII\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2014-10-15]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Sir AndrewII\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk [2014-01-11]
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk ->  (No File)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-01] (AVAST Software)
S2 GManager; C:\Windows\system32\GManager.exe [313432 2012-08-28] ()
S2 irstrtsv; C:\Windows\SysWOW64\irstrtsv.exe [193536 2012-03-27] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S2 MCTDesktopSvr; C:\Program Files (x86)\Common Files\DesktopUtil\MCTDesktopSvr.exe [199296 2011-05-03] ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2013-08-14] (Western Digital Technologies, Inc.)
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [270704 2013-07-10] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-08-01] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-08-01] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-08-01] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-11-21] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-08-01] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-08-01] ()
S3 AX88178; C:\Windows\System32\DRIVERS\ax88178.sys [59392 2010-11-24] (ASIX Electronics Corp.)
S3 AX88772B; C:\Windows\System32\DRIVERS\ax88772b.sys [98816 2011-09-02] (ASIX Electronics Corp.)
S3 CirrusLFD; C:\Windows\System32\DRIVERS\CSLFDx64.sys [35840 2012-05-02] (Cirrus Logic)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 fspad_win764; C:\Windows\System32\DRIVERS\fspad_win764.sys [125848 2012-07-19] (Sentelic Corporation)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [26504 2012-03-28] (Intel Corporation)
S3 mctkmd; C:\Windows\system32\drivers\mctkmd64.sys [152344 2013-05-20] (Magic Control Technology Corporation)
S0 mctkmdldr; C:\Windows\System32\drivers\mctkmdldr64.sys [19584 2011-04-08] (Magic Control Technology Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 t2usb64; C:\Windows\System32\drivers\t2usb64.sys [428664 2013-03-29] (Magic Control Technology Corp.)
S1 aswTdi; \??\C:\Windows\system32\drivers\aswTdi.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)


==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-01 16:40 - 2015-01-17 20:54 - 00000000 ____D C:\FRST
2015-09-01 12:26 - 2013-08-21 06:49 - 00002813 _____ C:\Windows\System32\GManager.ini
2015-09-01 12:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-01 07:55 - 2009-07-13 20:45 - 00027744 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-01 07:55 - 2009-07-13 20:45 - 00027744 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-01 07:50 - 2012-07-12 04:40 - 01687191 _____ C:\Windows\WindowsUpdate.log

Some files in TEMP:
====================
C:\Users\Sir AndrewII\AppData\Local\Temp\BackupSetup.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpasv7ji.dll
C:\Users\Sir AndrewII\AppData\Local\Temp\Execute2App.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\LiveUpdater.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\msvcp90.dll
C:\Users\Sir AndrewII\AppData\Local\Temp\msvcr90.dll
C:\Users\Sir AndrewII\AppData\Local\Temp\ose00000.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\SUABnRRemoveAll.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\_is2BE8.exe
C:\Users\Sir AndrewII\AppData\Local\Temp\_is348F.exe


==================== Known DLLs (Whitelisted) =========================

[2014-12-09 20:26] - [2014-11-21 17:00] - 1888256 ____A () C:\Windows\SysWOW64\WININET.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point date: 2014-12-29 11:37:20
Restore point date: 2015-01-01 20:30:23

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3985.91 MB
Available physical RAM: 3344.65 MB
Total Virtual: 3984.11 MB
Available Virtual: 3345.82 MB

==================== Drives ================================

Drive c: (WINDOWS) (Fixed) (Total:104.9 GB) (Free:6.08 GB) NTFS
Drive d: (SYSTEM) (Fixed) (Total:0.59 GB) (Free:0.36 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (Recovery) (Fixed) (Total:11.72 GB) (Free:1.6 GB) NTFS
Drive f: (EMTEC) (Removable) (Total:7.21 GB) (Free:7.21 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or (Size: 119.2 GB) (Disk ID: 02D3ABF0)
Partition 1: (Active) - (Size=600 MB) - (Type=27)
Partition 2: (Not Active) - (Size=104.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.7 GB) - (Type=27)
Partition 4: (Not Active) - (Size=2 GB) - (Type=84)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7.2 GB) (Disk ID: 71D79695)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0C)


LastRegBack: 2014-12-26 10:02

==================== End of FRST.txt ============================

[essexboy]

Initially I will reset the registry

Download the attached fixlist.txt to the same location as FRST
Start FRST as before then press fix

On completion try a normal boot

[REDACTED]

Well, that did the trick. I booted in safe mode and then booted normally. Are there any follow up procedures I should follow, or anything I should know about what caused this in the first place?

Thank you very much for your help!

[essexboy]

Not sure as to the cause as it is a totally random occurrence

Could you run FRST from normal mode please as there are a few bits that need removing

[REDACTED]

After booting normally, opening the command prompt, and running FRST, I get "The application was unable to start correctly (0xc000007b). Click OK to close the application."

[essexboy]

Download a fresh copy

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Select  additions at the bottom
• Press Scan button.
  
  
• It will produce a log called FRST.txt in the same directory the tool is run from. 
  
• Please attach both logs generated.

[REDACTED]

I downloaded both versions and tried them both after booting in normal mode and still get an error. Show I try safe mode with command prompt?

[essexboy]

Yes please

[REDACTED]

I don't know if it matters, but when I run command prompt via windows repair the removable drive is f:/ but is e:/ via normal boot or safe mode with command prompt. Safe mode with command prompt did not work. The tool did work with command prompt via windows repair tool. Addition.txt is not an available option on the version I downloaded. Attached is the log as it was too big to copy.

[essexboy]

Intriguing it is not showing the bad registry entries now

How is the computer behaving ?

[REDACTED]

It seems to be functioning just fine, with the following exceptions.

When I boot normal mode I get "This application was unable to start correctly" on:
msseces.exe
Origin.exe
UA.exe
avastui.exe
WDDMStatus.exe
KiesTrayAgent.exe

I also get, "Windows cannot find 'UpdateTool.exe'. Make sure you typed the name correctly, and then try again.