Oldie but goodie - need your help: Black screen w/ cursor on boot/aswrvrt.sys

Hi guys,

After installing (what was then) the latest Avast update, the computer took overnight to load the new program and upon reboot never got back to normal.
On boot I only have the black screen with cursor issue that many others have had.

After reading in many posts I used the FRST software and have produced a scan log that tells me that in the registry is the issue:

HKLM.…\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess?
HKLM.…D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?

I could use your help in next steps and in producing a fixlist file to solve this issue.

Thanks in advance!

Post the entire FRST log. It seems 1, Something is corrupt, and 2, you have ZeroAccess

Thanks Michael. Attached is the complete log.

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Well, those should also be signed. Slightly weird.

Remover Notified. It’ll take a while as they are all asleep right now.

edit: Did you make this?

HKLM.…\RunOnce: [*Restore] => C:\windows\system32\rstrui.exe [296960 2010-11-20] (Microsoft Corporation)

That isn’t normal, and would be counterproductive to ZA.

Also, you appear to be running Avast! and Norton. True?

I definitely understand as far as Remover file. (I waited this long… a few more hours won’t hurt.)

No, I did not create/edit:
HKLM.…\RunOnce: [*Restore] => C:\windows\system32\rstrui.exe [296960 2010-11-20] (Microsoft Corporation)
What is it meant to do? Will it revert back even after the cleaning up we’re working on?

And yes, after Norton expired, I purchased Avast. I removed some elements of Norton (directly from the uninstall) but some were left behind. This was to be wiped after Avast install but never got to that point.

Would it be useful to produce a new FRST log right now?

No, don’t bother. Someone should arrive soon

Thanks Michael.

What I will do is remove Norton and disable Avast from starting (so that will need to be re-installed)

Download the attached fixlist.txt to the same location as FRST
Start FRST and press Fix
On completion try a normal boot

Thanks essexboy.
I went ahead and did as you instructed.

Upon reboot, the aswrvrt.sys driver is gone (along with the other avast and norton drivers.)
However, after loading through, I still have only the black screen and cursor showing.
…we’re almost there :)

I await your next instructions/steps.

Is it stopping at mup.sys or proceeding past that point in safe mode ?

The most common cause is the executing PnP (Plug and Play) and ACPI routines issue.
To fix the issue, we need to access the computer from Recovery Console.

If you do have your Windows CD

  1. To start the Recovery Console directly from the Windows XP CD you would do the following:

[*]Insert the Windows XP cd in your computer.
[*]Restart your computer so you are booting off of the CD.
[*]When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
[*]The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
[*]It will then prompt you for the Administrator’s password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
[*]If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

  2. Type map and press enter.
    It will give you the drive letters.
    Note down the letter of your CD-ROM.
    If it is a letter other than E you should replace the letter E with your CD drive letter when applying the expand command later on if the command is needed to be applied.

Type the following commands, pressing Enter after each one.

[*]ren c:\windows\system32\drivers\atapi.sys atapi.old
(It will return to the prompt again without notification)
[*]copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers
(If you get a notification “1 file(s) copied” you don’t need to do the next expand command and can go to the exit command. But if you get a notification that the file doesn’t exist, proceed with the expand command)
[*]expand e:\I386\atapi.sy_ c:\windows\system32\drivers
(You should be notified that the file expanded)
[*]exit

You may remove the CD or let Windows boot normally.

If you don’t have your Windows CD
Please download ARCDC from Artellos.com.

[*]Double click ARCDC.exe
[*]Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
[*]You will be prompted with a Terms of Use by Microsoft, please accept.
[*]You will see a few dos screens flash by, this is normal.
[*]Next you will be able to choose to add extra files. Select the Default Files.
[*]The last window will allow you to burn the disk using BurnCDCC
Then, follow instructions from Step #1 above.

It goes past mup.sys. The last file is the CLASSPNP, as you noted.

I’ll look for the CD but don’t remember if I ever got it with this pc. Just as a point of clarification, that first step references a Windows XP CD, should I disregard that and use the one that applies? In my case Win 7?

Continued thanks…

Yes use the win 7 cd … Ooops