Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Windows 7 boot hangs after aswbidsha.sys (corrupted Avast startup file

Started by stallada , Dec 28 2017 05:12 AM

avast windows boot aswbisha

Please log in to reply

#1
stallada

Posted 28 December 2017 - 05:12 AM

Member

Member
29 posts

Hello! A few weeks ago, upon restarting my computer, I ran into a Windows boot-looping issue. When I would try to start in safe mode, I noticed it would hang after loading aswbidsha.sys before eventually rebooting itself.

I've since built a bootable USB; the Startup Repair completed 'successfully', but I'm still unable to reboot. However, now when I try to boot it up, I get a black screen and cursor and no interactivity, while safemode still hangs after aswbidsha.sys, but eventually loads to the same black screen and cursor (albeit larger and low-resolution, as expected for safe mode). So, as a summary, I'm entirely unable to access any files or functionality past the repair disk.

A quick google shows this is a frustratingly widespread issue, likely related to Avast. I posted on the Avast messageboards, and unfortunately got no response. I've seen similar threads get resolved here, so I've got my fingers crossed I can get just as lucky! I've run a FRST scan via the steps in the parent comment here, except I've used my iso file since I'm using W7-N. Let me know if anything else would be needed for me.

Thanks so much in advance!!

#2
RKinner

Posted 28 December 2017 - 07:51 AM

Malware Expert

Expert
24,731 posts

Post your FRST scan.

#3
stallada

Posted 28 December 2017 - 11:34 AM

Member

Topic Starter
Member
29 posts

Ah - I'd selected it, but didn't hit the "Attach" button. Here it is.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by SYSTEM on MININT-E67F81B (28-12-2017 04:38:24)
Running from E:\
Platform: Windows 7 Professional N Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286704 2013-04-30] (Intel Corporation)
HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2352072 2014-05-29] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Esprit 2.1] => C:\Program Files\Bruker\Esprit 2.1\Communication\RTCommunication.exe [2891016 2016-07-19] (Bruker Nano GmbH)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [253344 2017-11-16] (AVAST Software)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-07-16] (Intel Corporation)
HKLM-x32\...\Run: [hpqSRMon] => C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [${_APP_NAME}] => C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe [691200 2016-01-21] (WellWeWeb)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [1223168 2016-12-09] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-07-21] (Oracle Corporation)
HKU\Guest\...\Run: [Spotify Web Helper] => C:\Users\Guest\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1431664 2016-11-19] (Spotify Ltd)
HKU\Guest\...\Run: [Spotify] => C:\Users\Guest\AppData\Roaming\Spotify\Spotify.exe [6987376 2016-11-19] (Spotify Ltd)
HKU\Guest\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\Rebecca\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [3102496 2017-10-30] (Valve Corporation)
HKU\Rebecca\...\Run: [AudioBox VSL] => C:\Program Files\PreSonus\AudioBox\AudioBox.exe [7593984 2014-07-16] ()
HKU\Stalla\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [3102496 2017-10-30] (Valve Corporation)
HKU\Stalla\...\Run: [AudioBox VSL] => C:\Program Files\PreSonus\AudioBox\AudioBox.exe [7593984 2014-07-16] ()
HKU\Stalla\...\Run: [Google Update] => C:\Users\Stalla\AppData\Local\Google\Update\1.3.33.7\GoogleUpdateCore.exe [601680 2017-11-13] (Google Inc.)
HKU\Stalla\...\Run: [Amazon Music] => C:\Users\Stalla\AppData\Local\Amazon Music\Amazon Music Helper.exe [5908968 2016-06-16] ()
HKU\Stalla\...\Run: [Dropbox Update] => C:\Users\Stalla\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-04] (Dropbox, Inc.)
HKU\Stalla\...\Run: [AirDroid 3] => C:\Program Files (x86)\AirDroid\AirDroid.exe /start
HKU\Stalla\...\RunOnce: [Application Restart #1] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1592664 2017-12-05] (Google Inc.)
Startup: C:\Users\Stalla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-12-06]
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Stalla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win7AudioSwitcher_x86_release.exe [2013-08-15] (Nick_AgN)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] ()
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7549928 2017-11-16] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [281416 2017-11-16] (AVAST Software)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3058416 2017-09-05] (Microsoft Corporation)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-04-30] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-12] (Intel Corporation)
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [182248 2013-03-14] ()
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
S2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1631008 2014-05-29] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21055432 2014-05-29] (NVIDIA Corporation)
S2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [66872 2015-12-19] ()
S2 PnkBstrB; C:\Windows\SysWOW64\PnkBstrB.exe [107832 2015-12-19] ()
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803952 2017-11-09] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49048 2012-07-18] (Asmedia Technology)
S1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [183584 2017-11-16] (AVAST Software)
S1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321032 2017-11-16] (AVAST Software s.r.o.)
S0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [198968 2017-11-16] (AVAST Software s.r.o.)
S0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343288 2017-11-16] (AVAST Software s.r.o.)
S0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57728 2017-11-16] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [47008 2017-11-16] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [41832 2017-09-06] (AVAST Software)
S2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [148288 2017-11-16] (AVAST Software)
S1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110376 2017-11-16] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84416 2017-11-16] (AVAST Software)
S1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1026232 2017-11-16] (AVAST Software)
S1 aswSP; C:\Windows\System32\drivers\aswSP.sys [455376 2017-11-16] (AVAST Software)
S2 aswStm; C:\Windows\System32\drivers\aswStm.sys [203976 2017-11-16] (AVAST Software)
S0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [364464 2017-11-16] (AVAST Software)
S3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [496400 2013-07-16] (Intel Corporation)
S3 e1rexpress; C:\Windows\System32\DRIVERS\e1r62x64.sys [488784 2013-07-16] (Intel Corporation)
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-08] (QUALCOMM Incorporated)
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28656 2013-04-30] (Intel Corporation)
S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [21048 2013-03-14] ()
S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [21048 2013-03-14] ()
S3 IOMap; C:\Windows\system32\drivers\IOMap64.sys [23680 2010-02-23] (ASUSTeK Computer Inc.)
S3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-03-14] ()
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-05-29] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
S3 paeusbaudio; C:\Windows\System32\DRIVERS\paeusbaudio_x64.sys [260096 2014-04-16] ()
S3 paeusbaudiodsp; C:\Windows\System32\DRIVERS\paeusbaudiodsp_x64.sys [62464 2014-07-16] ()
S3 paeusbaudioks; C:\Windows\System32\DRIVERS\paeusbaudioks_x64.sys [46080 2014-04-16] ()
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52592 2015-11-26] (Cisco Systems, Inc.)
S3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2017-12-28] ()
S3 cpuz136; \??\C:\Users\Stalla\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-28 04:37 - 2017-12-28 04:38 - 000000000 ____D C:\FRST
2017-12-28 00:55 - 2017-12-28 02:34 - 000094656 _____ (CACE Technologies) C:\Windows\System32\WPRO_41_2001woem.tmp
2017-12-10 12:11 - 2017-12-10 12:11 - 000000000 __SHD C:\found.000
2017-12-10 11:17 - 2017-12-10 11:33 - 000360646 _____ C:\Windows\ntbtlog.txt
2017-12-07 23:15 - 2017-12-07 23:15 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-12-06 16:11 - 2017-12-06 16:11 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2017-12-06 16:11 - 2017-12-06 16:11 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2017-12-03 21:30 - 2017-12-03 21:30 - 000043379 _____ C:\Users\Stalla\42nm
2017-12-02 11:16 - 2017-12-02 11:18 - 089245255 _____ C:\Users\Stalla\Downloads\dtsa2_jupiter.jar

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-28 02:34 - 2017-04-03 04:44 - 000034752 _____ C:\Windows\System32\Drivers\WPRO_41_2001.sys
2017-12-28 02:34 - 2013-07-16 15:33 - 000000000 ____D C:\ProgramData\NVIDIA
2017-12-08 02:21 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-08 02:19 - 2009-07-13 21:12 - 000800854 _____ C:\Windows\System32\PerfStringBackup.INI
2017-12-08 02:19 - 2009-07-13 20:50 - 000020144 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-12-08 02:19 - 2009-07-13 20:50 - 000020144 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-12-08 02:19 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2017-12-08 00:49 - 2013-09-30 18:08 - 000000000 ____D C:\Users\Stalla\AppData\Roaming\NetSpeedMonitor
2017-12-08 00:23 - 2015-06-15 18:54 - 000000922 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1353541947-1487197825-3567861493-1000UA.job
2017-12-08 00:23 - 2015-06-15 18:54 - 000000870 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1353541947-1487197825-3567861493-1000Core.job
2017-12-07 23:47 - 2013-07-16 15:38 - 000000000 ____D C:\Program Files (x86)\Steam
2017-12-07 23:15 - 2013-07-18 11:27 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-12-07 23:14 - 2016-11-22 07:57 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-12-07 23:14 - 2013-07-28 22:39 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-12-07 23:14 - 2013-07-18 11:26 - 000000000 ____D C:\Program Files\Microsoft Office 15
2017-12-06 11:49 - 2013-07-29 07:46 - 000000000 ____D C:\Users\Stalla\AppData\Roaming\Dropbox
2017-12-06 07:21 - 2015-01-20 21:58 - 000000000 ____D C:\Users\Stalla\AppData\Roaming\TeamViewer
2017-12-06 03:17 - 2015-01-20 21:07 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-12-05 01:41 - 2017-06-11 22:09 - 000004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-12-03 21:30 - 2013-07-16 14:49 - 000000000 ____D C:\users\Stalla
2017-12-02 11:19 - 2017-04-18 21:25 - 000000000 ____D C:\Users\Stalla\Documents\NIST DTSA-II Reports
2017-12-02 11:18 - 2017-04-18 21:16 - 000000000 ____D C:\Users\Stalla\AppData\Local\NIST
2017-12-02 00:36 - 2016-11-28 22:06 - 000000000 ____D C:\Users\Stalla\AppData\LocalLow\Mozilla
2017-11-29 23:41 - 2013-08-31 15:14 - 000000000 ____D C:\Users\Stalla\AppData\Local\CrashDumps
2017-11-28 22:52 - 2013-07-30 20:26 - 000000000 ____D C:\Users\Stalla\AppData\Roaming\Azureus

Some files in TEMP:
====================
2014-07-11 13:12 - 2014-07-11 13:12 - 000918952 _____ (Oracle Corporation) C:\Users\Rebecca\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
2017-09-08 08:27 - 2017-11-28 22:52 - 000035224 _____ () C:\Users\Stalla\AppData\Local\Temp\i4jdel0.exe
2017-12-02 18:58 - 2017-12-02 18:58 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi1946859141492095320.dll
2017-12-03 00:38 - 2017-12-03 00:38 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi3801698767538822105.dll
2017-12-02 11:19 - 2017-12-02 11:19 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi3904515420630150603.dll
2017-12-03 00:15 - 2017-12-03 00:15 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi492139364021687271.dll
2017-12-02 19:02 - 2017-12-02 19:02 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi5769846003097770497.dll
2017-12-03 00:57 - 2017-12-03 00:57 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi7558709329576133460.dll
2017-12-03 01:14 - 2017-12-03 01:14 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi7587560577985393067.dll
2017-12-03 13:21 - 2017-12-03 13:21 - 000116997 ____N () C:\Users\Stalla\AppData\Local\Temp\jffi7878322056127341115.dll
2017-07-30 02:18 - 2017-07-30 02:18 - 000740416 _____ (Oracle Corporation) C:\Users\Stalla\AppData\Local\Temp\jre-8u144-windows-au.exe

==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============

==================== Restore Points =========================

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {aaa61851-ee82-11e2-9340-dc17e2ad12e2}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {aaa61851-ee82-11e2-9340-dc17e2ad12e2}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {aaa61853-ee82-11e2-9340-dc17e2ad12e2}
device                  ramdisk=[C:]\Recovery\aaa61853-ee82-11e2-9340-dc17e2ad12e2\Winre.wim,{aaa61854-ee82-11e2-9340-dc17e2ad12e2}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment (recovered)
locale
osdevice                ramdisk=[C:]\Recovery\aaa61853-ee82-11e2-9340-dc17e2ad12e2\Winre.wim,{aaa61854-ee82-11e2-9340-dc17e2ad12e2}
systemroot              \windows
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {aaa61851-ee82-11e2-9340-dc17e2ad12e2}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {aaa61854-ee82-11e2-9340-dc17e2ad12e2}
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\aaa61853-ee82-11e2-9340-dc17e2ad12e2\boot.sdi

==================== Memory info ===========================

Percentage of memory in use: 7%
Total physical RAM: 16314.71 MB
Available physical RAM: 15158.27 MB
Total Virtual: 16312.91 MB
Available Virtual: 15156.38 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:238.37 GB) (Free:16.83 GB) NTFS
Drive e: (GSP1RMCNPRXFRER_EN_DVD) (Removable) (Total:7.51 GB) (Free:4.7 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238.5 GB) (Disk ID: 1B2CCB94)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=238.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 0D5B3DBE)
Partition 1: (Active) - (Size=7.5 GB) - (Type=07 NTFS)

LastRegBack: 2017-11-29 01:51

==================== End of FRST.txt ============================

Attached Files

FRST.txt 20.2KB 871 downloads

#4
RKinner

Posted 28 December 2017 - 02:38 PM

Malware Expert

Expert
24,731 posts

No sign of malware. Avast hasn't been updated since 12/05 and aswbidsha.sys since 11/16 so it is unlikely to be at fault. Normally when it crashes during load the last driver you see is not at fault. It's the next one on the list, the one you don't see, that causes the crash. I do see

2017-12-10 12:11 - 2017-12-10 12:11 - 000000000 __SHD C:\found.000

which indicates that on 12/10 it ran check disk and found and sort of recovered some bad sectors so I expect it's a problem with the hard disk which caused the problem.

Sometimes if you look in the folder C:\found.000 you will see a list of files with question marks in their names so you can see what files were damaged but other times it's garbage.

From a command prompt you can type:

dir /a \found.000

and it should show you what files are in the folder.

Can you attach C:\Windows\ntbtlog.txt ? This is the boot log. It was last run 12/10 so it may show us what loads after aswbidsha.sys.

From a Command Prompt type:

copy C:\Windows\ntbtlog.txt e:

This should copy the log onto the same USB drive where FRST lives.

On my Win 7, the next file is amdkmpfd.sys which is the video driver and judging from your black screen it's probably your problem.

If you right click on your black screen do you see a menu? Does Control Alt Delete give you a menu?

#5
stallada

Posted 28 December 2017 - 03:56 PM

Member

Topic Starter
Member
29 posts

Thank you so much for your response! I've tried to do what you asked, but think I may be missing something ( Apologies if it's something obvious, I'm decently clueless when it comes to the OS side of things. As for the cursor, I've got no interactivity - it doesn't recognize any mouse movements or clicks, or any keyboard commands.

If dates help at all, I began experiencing the problems on 12/8 or 12/9, and started troubleshooting on 12/10. I very rarely reboot my PC, generally it's ~months in between, and I don't remember when the last restart prior to these dates.

#6
RKinner

Posted 28 December 2017 - 10:04 PM

Malware Expert

Expert
24,731 posts

OK. We can let FRST do it for us.

Download the attached fixlist.txt to the same location as FRST

Run FRST and press Fix
A fix log will be generated please post that
(It will be saved in the same folder that FRST runs from)

#7
stallada

Posted 28 December 2017 - 10:49 PM

Member

Topic Starter
Member
29 posts

Here's the Fixlog - it looks like your intuition (video driver) was pretty spot on!

Attached Files

Fixlog.txt 176.99KB 1030 downloads

#8
RKinner

Posted 29 December 2017 - 06:44 AM

Malware Expert

Expert
24,731 posts

Can you boot into Safe Mode with Command Prompt?

If so, once in, type:

chkdsk  /r

and hit Enter. It will probably want to reboot. Let it. The disk check should start and may take several hours to complete.

If it still won't boot then go back into Safe Mode with Command Prompt and type:

sfc  /scannow

and hit Enter.

if it still will not boot correctly then, in the safe mode menu click on enable boot logging and rerun the fixlist from the earlier post (you will have to redownload it)

#9
stallada

Posted 29 December 2017 - 11:18 AM

Member

Topic Starter
Member
29 posts

All three safe modes give the same result, unfortunately: black screen with a cursor and no interactivity. My only access is through the bootable USB - is this something I can do through that?

#10
stallada

Posted 29 December 2017 - 06:14 PM

Member

Topic Starter
Member
29 posts

I think I managed to run the checkdisk and filechecker from the recovery stick, I've attached the results. No change in booting behavior after either.

As for enabling boot logging, I don't have that option, only safe mode, with networking, and with command prompt (all of which still fail in the same fashion). In the name of being proactive, I ran the fixlist anyway and have attached the output.

Attached Files

chkdsk results.txt 1.54KB 806 downloads
sfc results.txt 122bytes 812 downloads
Fixlog.txt 517.81KB 806 downloads

#11
RKinner

Posted 29 December 2017 - 09:36 PM

Malware Expert

Expert
24,731 posts

Did sfc finish? What did it say? It should say one of these:

Windows did not find any integrity violations (a good thing)
Windows Resource Protection found corrupt files and repaired them (a good thing)
Windows Resource Protection found corrupt files but was unable to fix some (or all) of them (not a good thing)

When you get to the safe mode menu and click on Repair Your Computer do you get the menu shown at 3. on

https://eventlogxp.c...-recovery-mode/

If so you can try the System Restore option and see if there is an older image available. Also Command Prompt is the last option on that menu. Does it work? If it does try:

devmgmt.msc

Does that bring up Device Manager?

#12
stallada

Posted 30 December 2017 - 06:11 AM

Member

Topic Starter
Member
29 posts

Whoops, seems I didn't save it correctly. Don't remember what it said exactly, but definitely not the "unable to fix" one. Ran it again, and it now says "no integrity violations".

Yes, everything I've done has been through the System Recovery panel from my bootable USB. Unfortunately, it seems I don't have any restore points or system images (was very surprised/disappointed in myself for the former). It appears that we're not able to pull up the device manager from this environment, although notepad and at least the registry editor are accessible.

Looking at the Adv. Boot Options in the link you shared made me dig deep and I figured out how to access it. I've subsequently selected Enable Boot Logging, restarted (failed), downloaded the new bootlog, and attached it here. If it helps, I've attached the SetupAPI log as well. If I'm interpreting these correctly, the last entries of each seem to possibly indicate errors with the cdrom and printer (spoolsv) drivers? If this is truly the case, I don't actually have either hardware on this machine nor any future plans for them.

Attached Files

ntbtlog.txt 1.96MB 915 downloads
setupapi.txt 2.14MB 1050 downloads

#13
RKinner

Posted 30 December 2017 - 07:07 AM

Malware Expert

Expert
24,731 posts

The cdrom.sys not loading is normal if you do not have a CD ROM. Actually your last boot log looks almost normal so you are making some progress. There are multiple boots shown so skip down to the last one and you will see that it loaded aswbidsha.sys without a problem, skipped cdrom.sys then continued. The NDProxy stuff is on all Win 7 boots so can be ignored.

However, looking at the log on my Win 7 it normally loads srv after srv2.

In a command prompt type:

sc query srv

on mine it says:

C:\Windows\system32>sc query srv

SERVICE_NAME: srv
        TYPE               : 2 FILE_SYSTEM_DRIVER
        STATE              : 4 RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Does yours say it is RUNNING?

If not type:

sc start srv

What does it say?

You can delete the current ntbtlog.txt file. That will make it easier to read the next time you try it.

#14
stallada

Posted 30 December 2017 - 07:22 AM

Member

Topic Starter
Member
29 posts

Mine actually reads:

D:\Windows\system32>sc query srv

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

I get basically the same message when trying to start

Edited by stallada, 30 December 2017 - 07:24 AM.

#15
stallada

Posted 30 December 2017 - 07:40 AM

Member

Topic Starter
Member
29 posts

Actually, I suppose this might make some sense - I'm still not able to boot into my build of Windows at all (no change in boot behavior - it sticks at aswbidsha.sys, and kicks me to a black screen and cursor with no interactivity), so since I ran that from the recovery console, we probably shouldn't expect anything to be running?

Back to Computer Won't Boot - Malware Related · Next Unread Topic →

Also tagged with one or more of these keywords: avast, windows, boot, aswbisha

#linux Discussion → Off-Topic → Two different OS on two different drivers - recommended? Started by Killian Gharrah , 17 Sep 2023 #linux, #windows, #SSD, #HDD	1 reply 3,308 views	Killian Gharrah 17 Sep 2023
Operating Systems → All Other Operating Systems → Specific boot problem with Windows XP Started by SomeNewUser , 21 May 2023 Windows XP, boot	4 replies 2,651 views	peterm 30 May 2023
Software → Applications → Recommendation on program which can set alerts/reminders Started by Master T , 22 Nov 2022 alert, reminder, windows, android	3 replies 2,306 views	SpywareDr 25 Nov 2022
Security → Virus, Spyware, Malware Removal → Help w/FRST logs...NEWBIE [Closed] Started by stephspomer , 28 Sep 2021 farbar, frst, virus, malware and 2 more...	7 replies 4,419 views	DR M 04 Oct 2021
Operating Systems → Windows 8 and 8.1 → Noob question Started by kelly1 , 02 Aug 2021 windows 8.1	2 replies 3,793 views	Gary R 03 Aug 2021