Win7 Home 64-bit safe mode hangs on aswrvrt.sys

Current problem:
I can’t boot into safe mode, safe mode with networking, or safe mode with command prompt. All 3 hang on aswrvrt.sys.

History of troubleshooting (trying to fix a PC for a friend):

  1. I was initially able to boot regularly, but was getting Windows Defender alarms saying I needed to update it online. When I attempted to do so, about 80% of the way through, Windows bluescreened.

  2. I made a bootable USB drive of Windows Defender Offline and ran it, which found and removed one trojan.

  3. Attempting to boot, I got the aswrvrt.sys problem. I found a similar thread here:

https://forum.avast.com/index.php?topic=120531

I have run the FRST64.exe tool from the recovery console, and didn’t want to proceed further without asking for help. Here is the output:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-09-2014
Ran by SYSTEM on MININT-BGTVK54 on 10-09-2014 23:15:36
Running from J:
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM.…\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)
HKLM.…\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32.…\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32.…\RunOnce: [“C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe”] => C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe [559616 2012-07-07] (Dell)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM.…\Policies\Explorer: [NoFolderOptions] 0
HKLM.…\Policies\Explorer: [NoViewOnDrive] 0
HKLM.…\Policies\Explorer: [NoControlPanel] 0
HKLM.…\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM.…\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM.…\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM.…\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM.…\Policies\Explorer: [NoViewContextMenu] 0
HKLM.…\Policies\Explorer: [NoShellSearchButton] 0
HKLM.…\Policies\Explorer: [NoFind] 0
HKLM.…\Policies\Explorer: [NoFile] 0
HKLM.…\Policies\Explorer: [HideClock] 0
HKLM.…\Policies\Explorer: [NoTrayContextMenu] 0
HKLM.…\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM.…\Policies\Explorer: [NoSetFolders] 0
HKLM.…\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM.…\Policies\Explorer: [NoSetTaskbar] 0
HKLM.…\Policies\Explorer: [NoDeletePrinter] 0
HKLM.…\Policies\Explorer: [NoDFSTab] 0
HKLM.…\Policies\Explorer: [NoChangeStartMenu] 0
HKLM.…\Policies\Explorer: [NoLogoff] 0
HKLM.…\Policies\Explorer: [NoWindowsUpdate] 0
HKLM.…\Policies\Explorer: [NoEncryptOnMove] 0
HKLM.…\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM.…\Policies\Explorer: [NoResolveSearch] 0
HKLM.…\Policies\Explorer: [NoSaveSettings] 0
HKLM.…\Policies\Explorer: [NoHardwareTab] 0
HKLM.…\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM.…\Policies\Explorer: [NoDesktop] 0
HKU\Brenda.…\Run: [Google Update] => C:\Users\Brenda\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-18] (Google Inc.)
HKU\Brenda.…\Run: [Wmdics Update] => regsvr32.exe C:\Users\Brenda\AppData\Local\Wmdics\ljkbiv.dll
HKU\Brenda.…\Policies\system: [DisableCMD] 0
HKU\Brenda.…\Policies\system: [NoDispAppearancePage] 0
HKU\Brenda.…\Policies\system: [NoDispBackgroundPage] 0
HKU\Brenda.…\Policies\system: [NoDispSettingsPage] 0
HKU\Brenda.…\Policies\Explorer: [NoFolderOptions] 0
HKU\Brenda.…\Policies\Explorer: [NoViewOnDrive] 0
HKU\Brenda.…\Policies\Explorer: [NoControlPanel] 0
HKU\Brenda.…\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\Brenda.…\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\Brenda.…\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\Brenda.…\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\Brenda.…\Policies\Explorer: [NoViewContextMenu] 0
HKU\Brenda.…\Policies\Explorer: [NoShellSearchButton] 0
HKU\Brenda.…\Policies\Explorer: [NoFind] 0
HKU\Brenda.…\Policies\Explorer: [NoFile] 0
HKU\Brenda.…\Policies\Explorer: [HideClock] 0
HKU\Brenda.…\Policies\Explorer: [NoTrayContextMenu] 0
HKU\Brenda.…\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\Brenda.…\Policies\Explorer: [NoSetFolders] 0
HKU\Brenda.…\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\Brenda.…\Policies\Explorer: [NoSetTaskbar] 0
HKU\Brenda.…\Policies\Explorer: [NoDeletePrinter] 0
HKU\Brenda.…\Policies\Explorer: [NoDFSTab] 0
HKU\Brenda.…\Policies\Explorer: [NoChangeStartMenu] 0
HKU\Brenda.…\Policies\Explorer: [NoLogoff] 0
HKU\Brenda.…\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Brenda.…\Policies\Explorer: [NoEncryptOnMove] 0
HKU\Brenda.…\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\Brenda.…\Policies\Explorer: [NoResolveSearch] 0
HKU\Brenda.…\Policies\Explorer: [NoSaveSettings] 0
HKU\Brenda.…\Policies\Explorer: [NoHardwareTab] 0
HKU\Brenda.…\Policies\Explorer: [NoStartMenuSubFolders] 0
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Startup: C:\Users\Brenda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calendar 2000.lnk
ShortcutTarget: Calendar 2000.lnk → C:\Program Files (x86)\Software by Design\Calendar.exe (Gregory Braun – Software Design)
Startup: C:\Users\Brenda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk → C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk → C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk → C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk → C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk → C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-06-01] (AVAST Software)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwssvc.exe

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-06-01] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-06-01] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-06-01] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-06-01] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1039096 2014-06-01] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423240 2014-06-01] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [85328 2014-06-01] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [208416 2014-06-01] ()
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S1 MpKsl21b74f90; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates{5CCD4367-8FEB-49A9-A95F-B0F4291F32EF}\MpKsl21b74f90.sys [45352 2014-09-10] (Microsoft Corporation)
S1 MpKsl82410a7f; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates{5CCD4367-8FEB-49A9-A95F-B0F4291F32EF}\MpKsl82410a7f.sys [45352 2014-06-25] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S1 pwipf6; system32\DRIVERS\pwipf6.sys

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-10 23:14 - 2014-09-10 23:15 - 00000000 ____D () C:\FRST
2014-09-10 15:40 - 2014-09-10 15:40 - 00000000 ____D () C:\SUPERDelete
2014-09-10 15:39 - 2014-09-10 21:15 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-09-10 15:39 - 2014-09-10 15:39 - 00000000 ____D () C:\Users\Brenda\AppData\Roaming\SUPERAntiSpyware.com
2014-09-10 15:39 - 2014-09-10 15:39 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-09-10 15:28 - 2014-09-10 21:15 - 00000000 ____D () C:\50526aed1d0a509763
2014-09-10 15:16 - 2014-09-11 01:46 - 00000000 ____D () C:\d49d9cd613b5a690949217a938
2014-09-10 15:16 - 2014-09-10 15:14 - 00913408 _____ (Microsoft Corporation) C:\Users\Brenda\Desktop\mssstool64.exe
2014-09-10 15:07 - 2014-09-10 15:07 - 558541667 _____ () C:\Windows\MEMORY.DMP
2014-09-10 15:07 - 2014-09-10 15:07 - 00262144 _____ () C:\Windows\Minidump\091014-27346-01.dmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-11 01:46 - 2014-09-10 15:16 - 00000000 ____D () C:\d49d9cd613b5a690949217a938
2014-09-11 01:46 - 2013-12-17 17:14 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-09-11 01:46 - 2010-11-01 14:49 - 00000000 ____D () C:\users\Brenda
2014-09-11 01:46 - 2010-09-16 11:55 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-09-11 01:46 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2014-09-11 01:45 - 2010-09-16 12:00 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-09-10 23:15 - 2014-09-10 23:14 - 00000000 ____D () C:\FRST
2014-09-10 21:15 - 2014-09-10 15:39 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-09-10 21:15 - 2014-09-10 15:28 - 00000000 ____D () C:\50526aed1d0a509763
2014-09-10 15:40 - 2014-09-10 15:40 - 00000000 ____D () C:\SUPERDelete
2014-09-10 15:39 - 2014-09-10 15:39 - 00000000 ____D () C:\Users\Brenda\AppData\Roaming\SUPERAntiSpyware.com
2014-09-10 15:39 - 2014-09-10 15:39 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-09-10 15:31 - 2010-09-16 12:20 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-09-10 15:31 - 2010-09-16 12:20 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-09-10 15:17 - 2009-07-14 00:13 - 00786598 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-09-10 15:17 - 2009-07-14 00:10 - 01574630 _____ () C:\Windows\WindowsUpdate.log
2014-09-10 15:17 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-10 15:17 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-10 15:15 - 2014-06-25 07:20 - 00000940 _____ () C:\Windows\setupact.log
2014-09-10 15:14 - 2014-09-10 15:16 - 00913408 _____ (Microsoft Corporation) C:\Users\Brenda\Desktop\mssstool64.exe
2014-09-10 15:10 - 2012-10-23 09:05 - 00000000 ____D () C:\Users\Brenda\AppData\Local\Facebook
2014-09-10 15:07 - 2014-09-10 15:07 - 558541667 _____ () C:\Windows\MEMORY.DMP
2014-09-10 15:07 - 2014-09-10 15:07 - 00262144 _____ () C:\Windows\Minidump\091014-27346-01.dmp
2014-09-10 15:07 - 2011-01-08 22:25 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-10 15:07 - 2010-11-04 18:28 - 00000000 ____D () C:\Windows\Minidump
2014-09-10 15:07 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: 2014-06-05 06:00:22
Restore point made on: 2014-06-06 06:22:13
Restore point made on: 2014-06-07 06:33:00
Restore point made on: 2014-06-08 07:10:57
Restore point made on: 2014-06-09 04:23:44
Restore point made on: 2014-06-10 05:51:51
Restore point made on: 2014-06-11 05:16:00
Restore point made on: 2014-06-12 07:44:21
Restore point made on: 2014-06-13 07:45:24
Restore point made on: 2014-06-14 07:33:50
Restore point made on: 2014-06-15 07:53:56
Restore point made on: 2014-06-18 03:33:39
Restore point made on: 2014-06-19 07:02:03
Restore point made on: 2014-06-23 06:48:30
Restore point made on: 2014-06-24 06:26:22
Restore point made on: 2014-06-24 06:31:05
Restore point made on: 2014-06-24 07:23:37
Restore point made on: 2014-09-10 15:17:45

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 5943.12 MB
Available physical RAM: 5052.98 MB
Total Pagefile: 5941.27 MB
Available Pagefile: 5115.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:688.72 GB) (Free:600.03 GB) NTFS
Drive d: (GRMCENXVOL_EN_DVD) (CDROM) (Total:2.91 GB) (Free:0 GB) UDF
Drive i: (RECOVERY) (Fixed) (Total:9.88 GB) (Free:4.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive i: detected.
Drive j: (WDO_MEDIA64) (Removable) (Total:7.45 GB) (Free:7.17 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 86C69001)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=9.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=688.7 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (MBR Code: Windows 7 or 8) (Size: 7.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

LastRegBack: 2014-05-29 08:53

==================== End Of Log ============================

Any help is greatly appreciated!

Do you have multiple hard drives on this system?

I also see remnants of a TDSS infection. Additionally you are running both McAfee and Avast.

Initially I will remove the bad stuff and see if that enables a normal boot

Download the attached fixlist.txt to the same location as FRST
Run FRST as before and press Fix
On completion try a normal boot
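
As an added illustration (not part of the thread, and not code from FRST or its authors): a small Python triage over FRST-style log lines that pulls out what the reply above reads from the log, namely the lines FRST itself marks ATTENTION and more than one antivirus product among the services and drivers. The sample lines are constructed in the shape of the log above; the vendor map, function name and report keys are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines shaped like the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
==================== Services (Whitelisted) =================
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-06-01] (AVAST Software)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwssvc.exe
==================== Drivers (Whitelisted) ====================
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-06-01] ()
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
==================== Drives ================================
ATTENTION: Malware custom entry on BCD on drive i: detected.
"""

# Assumption: signer strings mapped to product names. Only the two products
# named in the thread are listed; extend as needed.
AV_VENDORS = {"AVAST Software": "Avast", "McAfee, Inc.": "McAfee"}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "<state><start type> <name>; <path> [<size> <date>] (<company>)"
ENTRY_RE = re.compile(
    r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?)"
    r"(?P<meta> \[\d+ [\d-]+\])?(?: \((?P<company>[^()]*)\))?$"
)


def triage(log_text):
    """Return FRST-flagged lines, AV products seen, and entries lacking file info."""
    section = None
    report = {"attention": [], "av_products": defaultdict(list), "no_file_info": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).replace(" (Whitelisted)", "")
            continue
        # FRST's own markers; the "ATTENTION!:=====>" usage banner is not one.
        if line.endswith("<===== ATTENTION!") or line.startswith("ATTENTION: "):
            report["attention"].append((section, line))
            continue
        if section in ("Services", "Drivers"):
            entry = ENTRY_RE.match(line)
            if not entry:
                continue
            product = AV_VENDORS.get(entry.group("company"))
            if product:
                report["av_products"][product].append(entry.group("name"))
            # Entry listed without a "[size date]" field, as some are in this log.
            if entry.group("meta") is None:
                report["no_file_info"].append(entry.group("name"))
    report["av_products"] = dict(report["av_products"])
    report["av_conflict"] = len(report["av_products"]) > 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, line in result["attention"]:
        print(f"[{section}] {line}")
    print("AV products:", result["av_products"], "conflict:", result["av_conflict"])
    print("No file info:", result["no_file_info"])
```
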

There aren’t multiple hard drives, but there is a front panel card reader and a DVD drive. Doesn’t look like multiple partitions.

Your fixlist.txt did indeed allow normal boot. Thanks!

Any other tips or advice for getting this system cleaned up?

Yes if you could now run FRST from normal mode

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  - Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  - Select additions at the bottom
  - Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  - It will produce a log called FRST.txt in the same directory the tool is run from.
  - Please attach both logs generated.

Alrighty, attached are the files as requested :slight_smile:

You will need to uninstall either McAfee or Avast, if you let me know which one is to go then I will link the removal tool

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL =
SearchScopes: HKLM - {5d7e2ae3-de3b-4de0-8f15-014e8ecaf4ee} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {D3100F2B-B750-42DD-B051-8F0C5DE2022E} URL =
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKLM-x32 - My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files (x86)\MyWebSearch\bar\2.bin\MWSBAR.DLL No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
FF Plugin-x32: @mywebsearch.com/Plugin -> C:\Program Files (x86)\MyWebSearch\bar\2.bin\NPMyWebS.dll No File
S2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwssvc.exe [X]
2014-09-11 10:59 - 2010-09-16 13:08 - 00000000 ____D () C:\ProgramData\Best Buy pc app
HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION!
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-19\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION!
HKU\S-1-5-19\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-20\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION!
HKU\S-1-5-20\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKU\S-1-5-21-1768878804-106617982-47227316-1000\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION!
HKU\S-1-5-21-1768878804-106617982-47227316-1000\Software\Classes\exefile: "%1" %* <===== ATTENTION!
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

  - Close all open programs and internet browsers.
  - Double click on AdwCleaner.exe to run the tool.
  - Click on Scan.
  - After the scan is complete click on “Clean”
  - Confirm each time with Ok.
  - Your computer will be rebooted automatically. A text file will open after the restart.
  - Please post the content of that logfile with your next answer.
  - You can find the logfile at C:\AdwCleaner[S1].txt as well.

OK. I uninstalled avast with the avastclear.exe tool. Can you post the link to the McAfee removal tool also? I’d rather run avast in the long run.

I also ran the fixlist.txt, and have attached the new log file.

Please let me know when to proceed with AdwCleaner.

McAfee removal tool http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Run AdwCleaner when ready :slight_smile:

I had to attach the log file as the contents wouldn’t fit in the body of this message.

That cleared a nice bit of junk… How is the computer now, any problems ?

Looks to be running fine, thanks! It’s a friend’s computer, so I don’t really know how it was running before. Do you recommend I do anything else before returning it to them?

Yep remove my junk :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices

Keep safe :wave: