[Win7] Booting problems with aswRvrt.sys

Hello everyone. Here is yet another problem with aswRvrt.sys and booting my Windows. Two days ago, upon starting my computer, it asked me to check for NTFS errors for my disk’s integrity. As my computer has a double boot with Linux Mint 13, it does it all the time; it usually takes no more than 10 minutes and it boots normally; this time, I wasn’t fast enough to stop the test before it started. This time, it started changing things. It kept changing the security IDs that were said to be wrong with the default ones for a great deal of files. In fact, I actually went to sleep on it because it simply wouldn’t stop, but I was afraid to do anything in case I would corrupt data. When I woke up, I saw my mouse cursor on a black screen. I rebooted my computer, launched Windows and had the same problem. I decided to launch it in safe mode, and after loading a bunch of drivers, it froze on aswRvrt.sys for about 20 seconds and then the screen went black. My cursor was on it, I could move it, but nothing I did was changing anything. I did a bit of research and saw that you guys know how to deal with these problems. Now, thanks to Linux, I can access my system files (though I have no idea where to find the one that’s messing up the system >.>) so it might be a lot easier, though I cannot run exe files such as FRST; also, I don’t have a boot CD (Windows 7 came with the laptop) and the problem that applies to safe mode also applies to DOS mode… Any idea of what I should do now?

Thanks in advance,
-Gankachi

As you cannot post logs, I have notified Essexboy to help you.

I would strongly recommend upgrading your Linux to version 16, because version 13 has many security issues with the kernel.
Also, Mint DOES NOT AUTOMATICALLY UPDATE THE KERNEL; the user needs to activate it in the settings of Mint Update.

Hi Gankachi,

I will be working on your problem.

Tell me, is this Windows 7 32bit or 64bit? Do you have some USB memory device?

I have Windows 7 x64 and a 4 GB SD card. Will this be enough?

We shall run FRST64 in the Recovery Environment. This is how to access RE and run FRST64 using CMD.

Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

Thanks for your advice!
Interestingly enough, I don’t seem to have the Windows RE… I only got the three safe modes, and all three have the same issue (even the DOS one…).

Windows Recovery Environment is not available instantly from Advanced Menu.

To boot your computer into the Recovery Environment, you need to click Repair your computer from the Advanced Menu.

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
[list]
[*]Click File > Open then select Computer.
[*]Note down the drive letter for your USB Drive.
[*]Close Notepad.[/list]
[*]Back in the command window …

[*]Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]FRST will start to run.
[list]
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]When finished scanning it will make a log FRST.txt on the flash drive.[/list]
[*]Next

[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt logs please.

You may watch this video for better understanding for running FRST in RE.

http://www.youtube.com/watch?v=NXndN7xq6YI

There you go, it is done. I couldn’t find it simply because I had to press F8 before starting Windows from my boot menu, but to press it while having the cursor on Windows 7. Joined with this message are the two files required.

Hi Gankachi,

We shall run a few FRST scripts (FixLists). After each executed script, try to load Windows in normal mode. Only if you fail in that, go to the next step and run the next FRST script.
Work in order, FixList by FixList; do NOT create multiple FixLists at the same time.


  • First FixList shall remove malware and suspicious files …

  • Second FixList shall remove all avast files and entries.

  • Last FixList shall attempt to repair & fix; it shall reset some Windows boot processes to defaults, and it shall also reset the master boot record back to Windows defaults.
    …keep in mind that you may have to load a fresh Linux Grub because the Windows 7 MBR cannot recognize the Linux editions (Grub, aka the Linux boot loader).
    Linux Grub is able to recognize the Windows MBR.


Step#1

Create FixList.txt for running FRST via Script;

Open notepad.

[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.


Start
HKU\Kévin\...\Winlogon: [Shell] expstart.exe [925184 2013-11-16] () <==== ATTENTION 
C:\Users\Kévin\AppData\Roaming\CamLayout.ini
C:\Users\Kévin\AppData\Roaming\CamShapes.ini
C:\ProgramData\hash.dat
C:\Users\Kévin\worldpainter_64_1.2.5.exe
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
End

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


=> Try to load Windows in normal mode. If you fail, create the next FixList …


Step#2

Create another FixList.txt for running FRST via Script;

Open notepad.

[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.


Start
HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3567800 2013-10-29] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-10-28] (AVAST Software)
S2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [179088 2013-10-28] (AVAST Software)
S2 aswFsBlk; C:\windows\system32\drivers\aswFsBlk.sys [38984 2013-10-28] (AVAST Software)
S2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [84328 2013-10-28] (AVAST Software)
S1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [92544 2013-10-28] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-10-28] ()
S1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [1032416 2013-10-28] (AVAST Software)
S1 aswSP; C:\windows\system32\drivers\aswSP.sys [409832 2013-11-08] (AVAST Software)
S1 aswTdi; C:\windows\system32\drivers\aswTdi.sys [65264 2013-10-28] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [205320 2013-10-28] ()
S1 aswKbd; \??\C:\windows\system32\drivers\aswKbd.sys [x]
C:\Program Files\AVAST Software
C:\windows\system32\drivers\aswFsBlk.sys
C:\windows\system32\drivers\aswMonFlt.sys
C:\windows\system32\drivers\aswRdr2.sys
C:\Windows\System32\Drivers\aswRvrt.sys
C:\windows\system32\drivers\aswSnx.sys
C:\windows\system32\drivers\aswSP.sys
C:\windows\system32\drivers\aswTdi.sys
C:\Windows\System32\Drivers\aswVmm.sys
C:\windows\system32\drivers\aswKbd.sys
End

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


=> Try to load Windows in normal mode. If you fail, create the next FixList …


Step#3

Create another FixList.txt for running FRST via Script;

Open notepad.
[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.


Start
CMD: bootrec /FixMbr
CMD: bootrec /fixBoot 
LastRegBack: 2014-01-11 12:05
End

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.
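
An added example, not part of the original posts: because the last FixList rewrites the MBR and the poster can still boot Linux, this sketch classifies the boot code in a raw 512-byte MBR sector (for instance one read from `/dev/sda` as root) to confirm whether GRUB or the Windows loader is currently installed. The marker strings, function names and sample sectors are assumptions constructed for illustration, and it applies to MBR-partitioned disks only.

```python
import struct
import sys

SECTOR = 512
# Assumed marker strings: text found in typical GRUB and Windows 7 MBR boot code.
GRUB_MARKER = b"GRUB"
WINDOWS_MARKERS = (b"Invalid partition table", b"Missing operating system")

def classify_mbr(sector: bytes) -> dict:
    """Identify the boot code and list the partitions of a raw MBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    code = sector[:446]  # bootstrap code area
    if GRUB_MARKER in code:
        loader = "grub"
    elif any(m in code for m in WINDOWS_MARKERS):
        loader = "windows"
    else:
        loader = "unknown"
    partitions = []
    for i in range(4):  # four 16-byte entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        if ptype == 0:  # unused slot
            continue
        lba_start, count = struct.unpack_from("<II", entry, 8)
        partitions.append({"slot": i + 1, "active": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"loader": loader, "partitions": partitions}

def sample_mbr(boot_text: bytes) -> bytes:
    """Build a constructed sample sector: active NTFS (0x07) plus Linux (0x83)."""
    code = boot_text.ljust(446, b"\x00")
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    linux = struct.pack("<B3xB3xII", 0x00, 0x83, 206848, 409600)
    return code + (ntfs + linux).ljust(64, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /dev/sda, opened read-only, needs root
        with open(sys.argv[1], "rb") as disk:
            data = disk.read(SECTOR)
    else:
        data = sample_mbr(b"\xeb\x63\x90GRUB \x00Geom\x00")
    print(classify_mbr(data))
```

A result of "windows" after the third FixList means GRUB has been overwritten and has to be reinstalled from a Linux live session before the Mint entry appears again.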

Well, I used the three scripts, but it didn’t work… Now, after the third check, I also launched in Safe Mode and the file that now seems to be problematic is CLASSPNP.SYS; now it doesn’t even get to the black screen in safe mode, it stays blocked on the loaded files list…
Attached to this message are also the three logs (namely Fixlog1, 2 and 3, in the order you gave them to me).

Thanks again for taking your time with my case,
-Gankachi

Hi,

Uh, the last script for FRST was our strongest and best chance to recover your system. Post me a fresh FRST.txt log report to see the current system situation.

Hum… That sounds very strange. I hope something didn’t completely mess up… Anyway, the file you asked for is attached to this message…

Try this FixList.

Start
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
HKLM\...\Run: [] - [x]
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [AvastUI.exe] - "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
HKU\Kévin\...\Run: [Clownfish] - [x]
S0 aswRvrt; No ImagePath
S0 aswVmm; No ImagePath
S2 aswFsBlk; \??\C:\windows\system32\drivers\aswFsBlk.sys [x]
S1 aswKbd; \??\C:\windows\system32\drivers\aswKbd.sys [x]
S2 aswMonFlt; \??\C:\windows\system32\drivers\aswMonFlt.sys [x]
S1 aswRdr; \??\C:\windows\system32\drivers\aswRdr2.sys [x]
S1 aswSnx; \??\C:\windows\system32\drivers\aswSnx.sys [x]
S1 aswSP; \??\C:\windows\system32\drivers\aswSP.sys [x]
S1 aswTdi; \??\C:\windows\system32\drivers\aswTdi.sys [x]
C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs
C:\Program Files\AVAST Software
End

After execution, try to boot Windows in normal mode. If you fail, then Windows System Repair should do the job, as I can’t do anything else, unfortunately.
You’ll need the Windows installation CD for that. See the tutorial (start watching the video from ~4:15 =>)

http://www.youtube.com/watch?v=RC_5eb9wTfk

Well, this didn’t work either. Actually, it didn’t change anything; when I booted in Safe mode later, it still blocked at CLASSPNP.SYS… Now, there’s one thing that’s confusing me… The video you linked me to states that the technique doesn’t work in Boot to a CD… Should I start my CD from Linux then?
P.S: Attached to the message is the log of the fix.

it still blocked at CLASSPNP.SYS...

Just so you know, when Windows attempts to load its drivers, it does not matter which file it gets stuck on. Tomorrow it may be a different file.

I do not see the cause of the boot problem; you have no restore point, therefore Windows Repair is the safest solution.