Hello there

avast was recommended to me by quite a few techies. However, since I installed it two months ago, my laptop, a Dell Inspiron 1525 which runs on Vista, has been blue screening.

Event manager has given the following error messages:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x005a0053, 0x949dac50, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP.

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x0032003b, 0x00000002, 0x00000001, 0x8d3721b9). A dump was saved in: C:\Windows\MEMORY.DMP.

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x00000015, 0x00000002, 0x00000001, 0x8d7521b9). A dump was saved in: C:\Windows\MEMORY.DMP.

I’ve also noticed messages about:
driver irql not less or equal
fault page in nonpaged area
aswSP.sys

I’ve asked on various techie forums for help and they said aswSP.sys is an avast driver.

I am using the free version and it’s 110528-1.

Please can you give me some advice. Also, I’m not very tech savvy, so please explain as if speaking to a child!!

If you need any more info, please let me know.
Thank you.

The aswSP.sys is the avast self protection driver.

• Upload any minidump or memory.dmp files (only the latest memory.dmp file), zipped to reduce size. Give the zip file you are uploading a unique name (e.g. m0unds-mem-dump.zip, etc), so they can identify it. It might not be a bad idea to create a text file (readme.txt) with any relevant information, avast topic, user name, etc. etc. in the zip file.

Upload the zip file to the ftp server ftp://ftp.avast.com/incoming:

• Using Internet Explorer, Connect to the link and drag the file into the Right pane and drop it, that starts the upload, you don’t have read access to this folder.

Or

• Upload it using the Run command-line in Windows: Windows Key + R (to get the run box), copy and paste this

explorer ftp://ftp.avast.com/incoming

and drag the file into the window, from another explorer window.

Have (or did) you another Anti-Virus installed in this system, if so what was it and how did you get rid of it ?

Thanks for your quick response David. It’s just this minute BSOD again :-[.

The anti-virus I used to use was Anti-Vir and AVG ver8.5. I removed AVG using AVG removal tool, then checked with Appremover to confirm it had been removed. Avira AntiVir I removed with Appremover.

I will attempt to follow your other instructions.

Thank you.

Hello again

How do I create a readme text and zip it with the file please?

Thanks.

You’re welcome.

Check this out for avira removal - Avira AntiVir Uninstall Package & RegistryCleaner (choose appropriate version): http://www.avira.com/en/support/support_downloads.html, Avira RegistryCleaner. http://www.avira.com/en/support-download-avira-registrycleaner

If you have notepad, you use that to use as a text editor and enter the suggested information. When you have done that, just save it and give it the name ReadMe.txt done.

You need to have a zip (archiving program), if you have got one then some will allow you to open the archive and either select add or drag and drop the readme.txt file into the zip archive.

If you haven’t got one, I use 7zip, which is fairly easy to use, www.7-zip.org, it is a free application.

Wow. Thanks for the quick response again DavidR.

I’ve just uploaded the zip file. I called it Elle8 m0unds-mem-dump.zip and I think the readme.txt dragged into it fine.

I’ve done the Anti-Vir registry cleaner and there were some items left. I deleted most of them, but five items failed to delete:
H_KEY_LOCAL\MACHINE\SYSTEM\CONTROLSET001\SERVICES\avast! ANTIVIR
H_KEY_LOCAL\MACHINE\SYSTEM\CONTROLSET002\SERVICES\avast! ANTIVIR
H_KEY_LOCAL\MACHINE\SYSTEM\CONTROLSET003\SERVICES\avast! ANTIVIR
H_KEY_LOCAL\MACHINE\SYSTEM\CONTROLSET004\SERVICES\avast! ANTIVIR
H_KEY_LOCAL\MACHINE\SYSTEM\Services\avast! ANTIVIR

Thanks.

Well since those are avast antivir [us] the US bit being dropped off the end, all very confusing, but they are protected by the avast self-defence module and windows shouldn’t allow them to be deleted since they are in use.

How strange that they are in use. I have not used AntiVir for months.

They aren’t avira but avast! antivirus, reread my last post and below, bold to show they are avast! registry keys and not avira.

H_KEY_LOCAL\MACHINE\SYSTEM\CONTROLSET001\SERVICES[b]avast![/b] ANTIVIR

Ah sorry… should have gone to Specsavers.
That is odd then! I am confused!

Nothing odd, just an unfortunate coincidence that the full registry key has been concatenated dropping the most important part the last two digits US so it looks like ANTIVIR (the alternate name of avira) and not ANTIVIRUS.

Ah I see.

Re my FTP upload, how will I know if I’ve uploaded it correctly and if it’s been read please?

Thanks.

Unless you actually use an ftp program (rather than my suggested options), you won’t know as you don’t have read permission on the avast.com/incoming folder. With an ftp program, they usually report successful completion of the upload.

If they did receive it and you gave the link to the topic, generally they will get back to you in the topic.

Oh dear, I’m not sure I linked to the topic correctly, I’ve resent.

Thanks and sorry about that.

I’ve just done a HiJack this and uploaded it here too in case there’s anything of interest.

Thanks:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:47:47, on 29/05/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5080820
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5080820
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Common Files\Simple Adblock\SimpleAdblock.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [IAAnotif] “C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe”
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [GSISETUP] E:\setup.exe
O4 - HKLM..\Run: [LXCFCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,RunDLLEntry
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [avast] “C:\Program Files\AVAST Software\Avast\avastUI.exe” /nogui
O4 - HKCU..\Run: [RoboForm] “C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe”
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User ‘Default user’)
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google Sidewiki… - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra ‘Tools’ menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra ‘Tools’ menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra ‘Tools’ menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://ssl01.berenberg.de/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: AVGRSSTX.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: lxcf_device - - C:\Windows\system32\lxcfcoms.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

–
End of file - 8649 bytes

No problem,

That’s why I mentioned it in the initial instructions on readme.txt contents, or they are unlikely to know who it is from or how to respond. I will highlight that in future so it is clearer.

Thanks David.

You’re welcome.

I missed your HJT log last time round, but to be honest, it is a bit of a busted flush as it hasn’t been updated in a very long time and malware has progressed into areas that it doesn’t even look. A security application has to be up to date or it is worthless.

Didn’t see anything obvious in it, but you appear to have remnants of AVG:
O20 - AppInit_DLLs: AVGRSSTX.DLL

This could be a contributory factor in a BSOD (conflict, etc.) so you could elect to fix this in HJT. Or run their removal tool.

• Ensure that all remnants of AVG are gone - AVG8.x (or higher) Remover, download tool from here, http://www.avg.com/download-tools there is a 32bit and 64 bit windows version, ensure you use the correct one.

Thanks David. I think it’s removed now, as I did the removal tool thingie you suggested and then ran HiJack again and couldn’t see it on the list.

I’d like to remove this one too, as it was from a former workplace:
https://ssl01.berenberg.de/dana-cached/sc/JuniperSetupClient.cab

I know it’s nothing to do with avast, but can you help me and tell me how to do it please?

Thank you.