Inactive Black Screen After Desktop Loads

[bblanco]

Hi everyone,

I could really use some help. I have spent the past 6 hours dealing with this very annoying problem. A couple of days ago I got a virus/spyware that would redirect some of my Google searches while using Firefox. I ran scans with McAfee, Malwarebytes, Spybot S&D, Ad-Aware, Hitman, CC Cleaner, Windows Defender, and probably a couple more. I found a bunch of problems and had them fixed, but the search hijacking continued. However, it did seem to happen a lot less frequently.

Today, I tried a System Restore in order to try to squash the problem once and for all. After it was completed, my desktop loaded for maybe 30 seconds (while startup programs were still initializing) and then the screen went black. This is the problem I have been dealing with for the past 6 hours. I have already tried undoing the System Restore, and when that failed, I Restored back to an even earlier date--both to no avail.

I can load my computer in Safe Boot without problem (although getting it to Safe Boot sometimes doesn't work). However, whenever I try to load it normally, I log on, my desktop loads, and then the screen goes black over it. I have no cursor or anything. It is important to note though that the screen is a digital black--when I turn the computer off manually, the screen goes black as in it is off. Yet when it "goes black" after loading, it is more of a grayish than the turned-off black.

Any suggestions?

I would really appreciate any advice or help--I have come very close to hurling my laptop (Toshiba with Windows XP, btw) across the room or at the wall.

 

[Broni]

First of all, you need to know, that system restore will never cure any infection.
In extreme infection cases, it may bring back some stability, but that's about it.

If you can start computer with Safe Mode withe networking....

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.[/LIST]

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

=======================================================================

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE. If Combofix asks you to install Recovery Console, please allow it.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator

 

[bblanco]

Broni,

Thank you so much for your time.

I booted my computer in Safe Mode for all of your instructions, because my computer won't start in normal mode. I wasn't sure if I was supposed to be able to get into normal mode at any point.

First I ran Rkill, then exeHelper, then GMER. I ran ComboFix, however it said that McAfee was not disabled. I opened McAfee up and disabled every part of it, but ComboFix still said McAfee was enabled. I ran ComboFix anyway--hopefully it didn't interfere or at least not too badly.

ComboFix also told me that I do not have the Recovery Console installed, though I am unsure what this means.

Finally, I downloaded HijackThis but was unable to run it. My computer said that "The System Administrator has set policies to prevent this installation."

I have attached all of the logs.

What next?

Once again, thank you so much for taking the time to help.

 

[Broni]

See, if you can restart in normal mode now.

 

[bblanco]

No I am not able to log in via normal mode. As soon as I log into my windows user name, it freezes (the logging-in sound freezes and loops) and the screen goes black.

 

[Broni]

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[bblanco]

I tried posting the results as text like you asked for, but the forum said the posting was too long, so I have once again attached the files.

 

[Broni]

I don't really see much there, but give this a try...

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
  SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
  O4 - HKLM..\Run: [NDSTray.exe]  File not found
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab (Reg Error: Key error.)
  O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll -  File not found
  @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECE4A64B
  @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[bblanco]

I ran the fix and the computer automatically rebooted. Since it didn't boot into safe mode, I had the same problem where it froze with the black screen. I restarted and went into safe mode and then I reopened OTL and the first thing that came up was the first text file I have posted.

Then I ran a quick scan and have posted that log as well.

I was thinking that before I sought out your help, I read something on Windows.com that told me if I killed explorer.exe while in safe mode and it restarted automatically, it was okay. I killed it using CTRL+ALT+DEL but it didn't restart automatically. Then the start up problem got worse--it used to start loading the desktop but since it goes black immediately after logging in.

 

[Broni]

Judging from your logs, I don't think, we're dealing with an infection anymore.
I suspect, previous infection and using system restore later might have messed up some system files.
Try repair installation: http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html

 

[bblanco]

Okay I will look into that. Thanks once again for helping me--I'm very grateful for your time. Hopefully this will work.

 

[Broni]

You're very welcome
Keep me posted...

 

[bblanco]

Hmm...well I can't get to Step 4 on the instructions you sent me. I have a Toshiba, so I changed the Boot order in the BIOS menu. It loads "Loading RAMDISK image" and then when it is done and the the blue screen is supposed to pop up for Step 4, my screen turns black, the CD drive stops running and then it just reboots the computer as if I had turned it off. This continues in a seemingly unending loop (I just watched it happen 3 or four times). Any suggestions?

 

[Broni]

Some Toshibas may need little bit different steps. See here: http://www.csd.toshiba.com/cgi-bin/tais/support/jsp/bulletin.jsp?soid=403623

 

[bblanco]

Thanks once again. I was following these instructions but to the same result. I even called Toshiba and after spending some time on the phone with the technician, they recommended I bring it in somewhere.

Anyway, thanks so much for helping--it really is incredible to me that complete strangers are willing to help out with computer problems, I guess there are genuinely nice people in the world!

 

[Broni]

You're very welcome

If I were you, I'd probably back up your data and go for clean install.

I even called Toshiba and after spending some time on the phone with the technician

Is the computer still under warranty?

 

[bblanco]

Yeah I definitely backed up all my data, before even trying to fix Windows XP. Unfortunately, I'm not under warranty anymore, but the computer is almost 4 years old (is that old for a computer?). The computer was one of the cheaper models so if the repair is too expensive I guess I'll just get a new one if it's cheaper.

What is a clean install? Can I do it on my own? At this point I wouldn't mind wiping it clean and starting from scratch, if that's possible.

 

[bblanco]

my computer turned on in normal mode!!! i have no idea why--i didn't do anything i was just messing around with it. i inserted the Toshiba CD and am wiping it--it will go back to the factory default. i hope this works!

 

[bblanco]

well no luck, still stuck in that Loading RAMDISK image loop, oh well.

 

[Broni]

i inserted the Toshiba CD and am wiping it--it will go back to the factory default. i hope this works!

Keep me posted and good luck