Win7 Boot Error - aswrvrt.sys

Hi,
I’ve just read some threads where different people had the same problem that my PC has at this moment.
The boot fails after trying to start Win7 64-bit and then restarts.
I’ve tried in both Normal and Safe Mode but the result is the same; I can see that the system startup crashes when it displays the row with the driver aswrvrt.sys.

In this report http://www.geekstogo.com/forum/topic/329127-aswrvrt-i-cant-boot/
the solution was the unplugging of the secondary Hard Disk.
I remember that I had this same problem many months ago and, without relating the problem to avast or a ZeroAccess infection, I solved it in the same way, by unplugging one of my 5 storage HDs.

Now the problem has occurred again, and after a couple of failed startups I tried to unplug all my storage HDs one by one, but this time the problem still remains.
So I found this forum with many cases of similar problems.

This is what I’ve tried to do:
Start in normal mode: Failed with a restart.
Start in safe mode: Failed with a restart after a stop at the file aswrvrt.sys
Start with System Recovery Options and then:

  • StartUp Repair: After some operations the problem remains after a reboot
  • System Restore: Tried to restore to the point “Restore point made on: 2013-10-29 09:21:09”: After a successful operation the problem remains
  • Restore from a Backup: I don’t have a Backup
  • Memory diagnostic Tool: Passed without error

At this point I ran Farbar Recovery frst64.exe and this is the log it generated.

If someone could help me to restart my system, it would be great!

Thanks
Stefano

Hi,
Tell me, will this fix your problem?

Open notepad.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.


Start
C:\Users\Etos\en_res.dll
C:\Users\Etos\es_res.dll
C:\Users\Etos\fr_res.dll
C:\Users\Etos\grm_res.dll
C:\Users\Etos\it_res.dll
C:\Users\Etos\jp_res.dll
C:\Users\Etos\mfc80u.dll
C:\Users\Etos\msvcr80.dll
C:\Users\Etos\PCPE Setup.exe
C:\Users\Etos\pt_res.dll
C:\Users\Etos\ResourceReader.dll
C:\Users\Etos\ru_res.dll
C:\Users\Etos\zh_res.dll
C:\Users\Etos\AppData\Local\Temp\Execute2App.exe
C:\Users\Etos\AppData\Local\Temp\msvcp90.dll
C:\Users\Etos\AppData\Local\Temp\msvcr90.dll
C:\Users\Etos\AppData\Local\Temp\NEventMessages.dll
C:\Users\Etos\AppData\Local\Temp\NOSEventMessages.dll
C:\Users\Etos\AppData\Local\Temp\ose00000.exe
C:\Users\Etos\AppData\Local\Temp\ose00001.exe
C:\Users\Etos\AppData\Local\Temp\pidgenx.dll
C:\Users\Etos\AppData\Local\Temp\SAV2RemoveAll.exe
LastRegBack: 2013-10-31 00:09
End

  • Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.

Hi, Thanks for your fast reply…!

I’ve just done it, but unfortunately the problem is exactly the same:
Normal Mode: failed with a reboot
Safe Mode: failed at row of aswrvrt.sys

This is the fixlog generated by FRST

Let’s try again. I do have some tricks up my sleeve. Tell me, will this fix your problem?

This script shall fully delete all avast-related files to see whether this fixes the problem. If all fails, then we shall try to restore the system.
First things first…

Open notepad.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.


Start
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [4858968 2013-08-30] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-08-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-08-30] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-08-30] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-08-30] ()
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-08-30] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-08-30] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-08-30] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [204880 2013-08-30] ()
C:\Program Files\AVAST Software
C:\Windows\System32\Drivers\aswFsBlk.sys
C:\Windows\system32\drivers\aswMonFlt.sys
C:\Windows\System32\Drivers\aswrdr2.sys
C:\Windows\System32\Drivers\aswRvrt.sys
C:\Windows\System32\Drivers\aswSnx.sys
C:\Windows\System32\Drivers\aswSP.sys
C:\Windows\System32\Drivers\aswTdi.sys
C:\Windows\System32\Drivers\aswVmm.sys
End

  • Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.

Thanks again … :wink:
Funny to know that the last thing I was doing on the PC before the last shutdown was playing Assassin’s Creed II after a break of maybe 1 yr… :frowning:

Anyway…
this second attempt made some modifications, but essentially the problem still remains the same.

Normal Mode: failed with a reboot
Safe Mode: failed with a reboot but the last file this time is CLASSPNP.SYS

Here is the second fixlog.

Thanks
Stefano

Ok, this fix contains two steps. You shall deploy them one step at a time.
==> After completion of each step, you shall try to boot normally. Only if you fail to boot normally, deploy the second step.
The first fix will perform some pre-system modifications. The second fix shall try to force Windows to the restore point made on 2013-11-01 at 12:52:25.

Step#1

Open notepad.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.


cmd: bootrec /FixMbr
cmd: bootrec /fixBoot

  • Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


Step#2

Open notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.


Restore point made on: 2013-11-01 12:52:25

  • Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


==> If all these fail, then create a fresh FRST.txt log report as you did in your first reply and post it to me here.

Nothing changed after these two steps.

What I’ve tried:

Run Step 1
Restart in Normal Mode: failed
Restart in Safe Mode: reboot at CLASSPNP.SYS

Run Step 2
Restart in Normal Mode: failed
Restart in Safe Mode: reboot at CLASSPNP.SYS

Here are the fixlogs for run3 (step1) and run4 (step2).

Thanks
Stefano

Hm…
Please post a fresh FRST.txt and we shall continue tomorrow.

OK… :wink:
For the moment a big thanks for your constant support!
Tomorrow evening I’ll post a fresh txt from FRST.

'night
Stefano

Hi, again…
Here is the new FRST.txt just generated from my PC…

Thanks in advance… :wink:

Hm… we do not have many options left, I’m afraid. Let’s try these fixes one more time.
We shall re-try to restore the PC to the system restore point made on 2013-11-01 at 12:52:25

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Restore point made on: 2013-11-01 12:52:25

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Unfortunately nothing changes… :-\

Do you have any other ideas??

I’m running out of ideas… :frowning:

FRST tells me you have two drives (two hard disks). For one HDD it says that the MBR code is for Windows 7 and for the other one it says that the MBR is XP related.

Could you remove (unplug) Disk1, the HDD 8GB in size, and see whether this solves your problem?

That was my 8GB USB key I use to save the fixlist and run FRST.
When I tried the reboot it was always disconnected.
I’ve another 6 internal HDs and 1 USB HD plus 1 DVD, and all of them are unplugged at the moment…

Ok… if I have to reinstall a new OS on a blank HD, are there some tricks I could use to prevent the same problem in the future? Something like cleaning the HDs of this virus, to recover all my old data securely?

I can’t tell what the problem is as I do not see it in the FRST logs. :frowning:

Also, you don’t need to install a new system. A Windows Repair using the Windows installation disk should do the trick.
Via the Windows disk you can fully repair the Windows OS without formatting the system partition.

Well I’ve posted a similar reply to another user before but I’ll outline the solution that worked for me again.

The aswrvt.sys driver isn’t digitally signed by Microsoft and Windows 7 doesn’t like it.

What works for me is:

Boot to safe mode advanced options, then scroll down to “disable driver signature enforcement” and select that option.

If boot continues and is successful then you’ll need to either:

Permanently disable driver signature enforcement (although this lowers system security it’s still possible to run other software that warns if an unsigned file attempts to run).

or

Manually sign the Avast driver using a certificate that you created locally.

If the safe boot with “driver signature enforcement” disabled works, post back here and I’ll add more detail. In the meantime, if you get up and running, I’d suggest a safe mode boot followed by a disk check using the command

chkdsk /f /r

from the run dialog box (in safe mode).

Hi Callender, thanks for input.

“The aswrvt.sys driver isn't digitally signed by microsoft and windows 7 doesn't like it.”

Hm… I didn’t think of it. This should have been reported to the avast team. Also, they should have some information about this.
Yes, it is possible and gives a nice explanation of why many users here are complaining about the same or a similar error, but something bothers me in this theory.
Have you tried this in the field? Does it truly solve the problem?

If aswrvt.sys isn’t signed by Microsoft then Driver Signing Policy wouldn’t even allow this driver to be loaded.
How is avast installed then? Upon installation and the machine’s reboot, avast drivers are loaded into the Windows kernel.
Otherwise avast’s GUI should report to the user that something is wrong.

And yet, in the event that all other signed drivers succeeded in loading into the kernel and only aswrvt.sys didn’t, the user should have got an error immediately after the installation of avast. And this is not the case.

Also, FRST has some mighty routines and shows the complete list of services and drivers (FRST has a whitelist) that are loaded into the kernel.
My tools don’t show aswrvt.sys in the driver list.

Second, avast needs to pay Microsoft for the signature. In this case, it’s Microsoft’s fault then. When avast was paying Microsoft for the signature, I doubt they skipped that one driver.

But it’s worth a try

@Etos
We’ll try the Callender advice, this may solve the problem. Are you still with me?

Start FRST in a similar manner to when you ran a scan earlier, in Recovery Environment but this time when it opens …

  1. Search …

  • Type aswrvrt.sys into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run from.
  • Please attach it to your reply.

  2. Also, create and post me a fresh FRST.txt log report.
    The only difference in creating FRST.txt is that this time, before you hit the Scan button, you’ll remove the check mark from the checkbox for the Drivers option in the Whitelist section.
    Now hit the Scan button and post me the fresh FRST.txt log report.

If aswrvrt.sys is out there somewhere, FRST’s search shall tell us so. Then we can kill it. This shall confirm Callender’s theory.
Also, this time FRST shall show the full list of all driver files (avast included), no exceptions.
Also, if you are here, I would like to get a copy of the Minidump folder, which may tell us what the cause of the problem is.

In response all I can say is that I had boot issues with aswrvt.sys and after test signing the driver manually using third party software the issue was resolved and has never resurfaced. It used to happen on a regular basis and I would restore my Windows partition from backup but that meant losing recent work as I only make system image backups every week or so. It might be worth noting that there are other unsigned drivers on my machine including one from Softperfect RAMdisk. I had boot problems so often that in addition to manually signing drivers I resorted to permanently disabling driver signature enforcement and all has been well since I took that step. I use the application whitelisting component of Secure Aplus (no AV) to provide some protection against unsigned files and potentially harmful scripts as obviously security would be lessened otherwise.

In addition aswVmm.sys also appears to be unsigned.

I can’t explain how the driver gets installed or why it sometimes appears to load successfully. Perhaps it’s to do with users who have admin accounts rather than limited user accounts. I’d admit that I don’t know enough to work out why!
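
Added example (not part of any post in this thread, and not FRST's own code): a parser for the service/driver lines of the second fixlist above that lists boot-start entries whose trailing parenthesised field is empty, which are the two drivers named in this discussion. It assumes the line layout `<state><start type> <name>; <path> [<size> <date>] (<vendor>)` with start type 0 meaning boot start; the function names are made up for this example.

```python
import re

# Service/driver lines copied from the second fixlist on this page.
FRST_LINES = r"""
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-08-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-08-30] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-08-30] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-08-30] ()
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-08-30] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-08-30] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-08-30] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [204880 2013-08-30] ()
""".strip().splitlines()

# Assumed layout: <state><start type> <name>; <path> [<size> <date>] (<vendor>)
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>.*)\)\s*$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_entry(line):
    """Return a dict for one service/driver line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = START_TYPES.get(int(entry["start"]), "unknown")
    entry["size"] = int(entry["size"])
    entry["vendor"] = entry["vendor"].strip()
    return entry


def boot_start_without_vendor(lines):
    """Names of boot-start entries whose vendor field is empty.

    An empty field is a reason to verify the file's signature and hash,
    not proof that the file is unsigned or malicious.
    """
    entries = filter(None, map(parse_entry, lines))
    return [e["name"] for e in entries if e["start"] == "boot" and not e["vendor"]]


if __name__ == "__main__":
    for name in boot_start_without_vendor(FRST_LINES):
        print("verify signature of boot-start driver:", name)
```

Plain path lines from a fixlist do not match the pattern and are skipped, so a whole fixlist or log section can be fed in unchanged.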

“...there are other unsigned drivers on my machine...”
There are ways for a non-signed driver to be loaded into kernelspace on an x32bit machine. But on an x64bit machine it is impossible (for now), as Driver Signing Policy and Kernel Patch Guard will not allow it. Use Google for those terms for understanding.

“Perhaps it's to do with users who have admin accounts rather than limited user accounts.”
This can't apply due to the nature of kernelspace. For understanding, search Google for kernelspace, userspace and Ring (CPU).

There is no theoretical possibility for an avast driver to be unsigned. These drivers are the force and power of avast. But it may be that some other kernel driver interferes with avast’s driver. Guessing …

However, we will examine your theory in this case or in the one that follows.