AVAST ASWmbr & BSODs: Software issue or Rootkit? Please Help!

Good afternoon,

Situation: opened a link in an expertly spoofed e-mail (yeah, I know…but I was expecting mail from the purported source and it was well done), realized the error (checked the URL) and decided to run scans

  • AVAST ASWmbr (File Version 1.0.1.2290) and GMER (File Version 2.2.19882.0) both produced BSODs in both regular & Safe Modes: “Driver IRQL Not Less or Equal. What failed ASWMBR.SYS” (for ASWmbr), “PWTOYPOG.SYS” (for GMER).
  • BitDefender 64 found nothing in regular mode but ran so fast I have no confidence in the scan.
  • rkill & Unhide run - no issues; Stinger, Norton, Malwarebytes, Sophos Virus Removal Tool, and SuperAntiSpyware run: nothing.
  • made boot disk for Norton: ran and found Backdoor Tidserv (from heuristic) and allegedly repaired (removed) it.
  • ASWmbr (& GMER) run again: same issue with BSODs.
  • Ran Norton boot disk again: found 2 suspicious .dll files and tried to fix them - indicated that remediation failed. Ran Norton later: same .dll files identified as a problem - scanned the files individually with Norton, Malwarebytes, & SuperAntiSpyware and no sign of malware. But the boot disk still flags these files as High Risk. Interesting, as the files are purportedly Norton Download Manager plugins.
  • ASWmbr (& GMER) run again: same issue with BSODs.

I have no confidence that the machine is clean as both anti-rootkit tools mentioned above won’t run. Also, had one phishing pop-up but nothing since that time. As I can’t find any obvious malware, is the issue between the anti-rootkit software and my computer and not some bad actor? BTW - tried to run ASWmbr and GMER under different compatibility modes (Win 7, 8, & XP SP3) but no success.

Logs from Malwarebytes & FRST attached. Both ASWmbr & GMER crash so I can’t supply logs - could supply partial logs if I can hit Tab before the BSOD, but that is “tricky.”

Please help if you can, this situation has become maddening as I need my main machine but can’t trust it (I’m so concerned that I am unplugging the machine from the internet when not in use).

Thank you!

Win 10 computer (upgraded from Win 7)
Core i7 920 @2.67 GHZ, Dark Knight cooler
6 GB RAM
AMD Radeon HD7800 Series graphics card
SSD boot drive, 2 platter drives, floppy, 2 optical drives
800 W PS

Hi Zoomie!

I got your PM in response to me. I’ll have someone come by to help you ASAP.

Your system is clean. ASWmbr and GMER are not compatible with Windows 10, and running them in compatibility mode will not make them work on Windows 10. If you want an anti-rootkit check, you can use Malwarebytes or Kaspersky TDSSKiller.

However, you still have some of ASWmbr and GMER leftovers which we will take care of.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S3 aswMBR; C:\Users\Bob\AppData\Local\Temp\aswMBR.sys [62728 2018-03-30] () [File not signed] <==== ATTENTION
S3 aswVmm; C:\Users\Bob\AppData\Local\Temp\aswVmm.sys [224896 2018-03-22] () <==== ATTENTION
S3 pwtoypog; \??\C:\Users\Bob\AppData\Local\Temp\pwtoypog.sys [X] <==== ATTENTION
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
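An added example, not code from this thread or from FRST: a small parser for the kind of fixlist lines quoted above, which spells out what FRST's notation says about each entry (R/S = running/stopped, the digit = start type, "[X]" = the driver file is already gone, "[File not signed]", and a driver sitting in a user's Temp folder). Reading the three "S3" lines this way is what shows them to be leftover service keys from the anti-rootkit tools rather than an infection. The sample input is constructed from the lines in the post above; the "Bob" path is the one the post shows.

```python
"""Parse FRST fixlist entries of the kind quoted above (sample is constructed)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the five fixlist lines from the post above.
SAMPLE_FIXLIST = r"""
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S3 aswMBR; C:\Users\Bob\AppData\Local\Temp\aswMBR.sys [62728 2018-03-30] () [File not signed] <==== ATTENTION
S3 aswVmm; C:\Users\Bob\AppData\Local\Temp\aswVmm.sys [224896 2018-03-22] () <==== ATTENTION
S3 pwtoypog; \??\C:\Users\Bob\AppData\Local\Temp\pwtoypog.sys [X] <==== ATTENTION
"""
# FRST service line: R/S = running/stopped, digit = Windows service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "on demand", "4": "disabled"}
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)"                                            # path may contain spaces
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"  # [bytes yyyy-mm-dd]
    r"(?:\s+\((?P<company>[^)]*)\))?"                           # (company), empty if unknown
    r"(?:\s+\[(?P<note>[^\]]+)\])?"                             # [File not signed] or [X]
    r"\s*(?P<attn><==== ATTENTION)?$")
RESTRICTION_RE = re.compile(
    r"^(?:(?P<browser>CHR)\s+)?(?P<key>HKLM\\[^:]+):\s+(?P<value>.+?)\s*(?P<attn><==== ATTENTION)?$")

@dataclass
class Entry:
    kind: str                       # "driver" or "restriction"
    name: str                       # service name or registry key
    path: Optional[str] = None
    flags: list = field(default_factory=list)   # what FRST's notation tells us

def parse_line(line: str) -> Optional[Entry]:
    m = DRIVER_RE.match(line)
    if m:
        e = Entry("driver", m["name"], m["path"])
        e.flags.append(("running/" if m["state"] == "R" else "stopped/") + START_TYPES[m["start"]])
        if m["note"] == "X":
            e.flags.append("file missing")      # service key left behind, driver file already gone
        elif m["note"]:
            e.flags.append(m["note"].lower())   # e.g. "file not signed"
        if "\\temp\\" in m["path"].lower():
            e.flags.append("driver in Temp folder")
        if m["attn"]:
            e.flags.append("ATTENTION")
        return e
    m = RESTRICTION_RE.match(line)
    if m:
        return Entry("restriction", m["key"], flags=[m["value"].lower()] + (["ATTENTION"] if m["attn"] else []))
    return None

def parse_fixlist(text: str) -> list:
    return [e for e in (parse_line(raw.strip()) for raw in text.splitlines()) if e]
```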

As per your directions the Fixlog is attached. I will await further directions.

Thank you for your quick attention to my issue and your assistance!

Well, that would be it. The FRST logs don’t show traces of a malware infection, and the anti-rootkit tools you used are not compatible with Windows 10.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Good afternoon,

I followed your directions and received the following message:
Error Saving File
C:\Windows\ERUNT\DelFix\SCHEMA.DAT!

Continue with the next file?

[RegCreateKeyEx: 87 - The parameter is incorrect]
I continued with the process and the program indicated that the registry copy was made and the restore point established (didn’t attach the box - power out and UPS chirping).

I really appreciate your assistance - thank you.

Manually delete the folder C:\FRST if it exists. You can ignore that error message. :wink:

I’m grateful to you - thanks!