
Black screen after logging in, cursor and task manager available.

Discussion in 'Virus & Other Malware Removal' started by tolagali, Dec 18, 2011.

  1. tolagali

    tolagali Thread Starter

    Joined:
    Dec 18, 2011
    Messages:
    2
    Hello,

    Background:

    Yesterday I caught a piece of malware, a trojan named Kryptik.XXX (I do not remember the three letters; they seemed to vary with time). My antivirus also detected a rootkit in a file called cdrom.sys.

    What it did: Folders with seemingly randomized names appeared in C:\Windows\TEMP\, and the folders contained a file named "setup.exe". These are the files in which the antivirus detected the "Kryptik" trojan. Meanwhile, "ping.exe" constantly ran itself without my consent; not only that, but it used ~80% of the available CPU.

    I was able to kill the ping.exe process when it appeared, but everything kept repeating itself: New folders with new names popped up in TEMP, and ping.exe kept running itself. I was able to put a stop to it all by doing several scans with Spybot - S&D, Malwarebytes', NOD32 and Hitman Pro.

    Everything seemed to be alright, until I noticed that the Web Access Protection in NOD32 had been made unavailable; it was set to non-functioning, and I couldn't turn it back on. After several attempts to re-install the program, I found that a service called "Basic Filtering Engine" had disappeared. I could successfully re-install NOD32 after getting the service back.

    Current problem:
    Every time I log on to Windows, my cursor and a CPU-power-saver-thingy process (it came with the motherboard; I've no idea what it really does, but it always runs and I doubt that it is related to the problem) appear.

    Pressing ctrl-alt-del allows me to log off, open the task manager, etc. etc. The task manager allows me to navigate through my computer, explorer.exe is running and everything works except the desktop background and the start menu; it's just black. Oh, and most programs that usually run at start up do not start, Catalyst Control Center and OpenOffice for example. It is as if the whole start up process is frozen or stuck. However, the programs that have successfully started are working perfectly, and I am able to open a web browser and surf like usual.

    Temporary solutions:
    It can be remedied by using ctrl-alt-del to log off and then back in again, this makes all processes load as they should. I don't like this though, since there is obviously something fishy going on.

    I've searched the web for solutions, and one that I've come across is the following: Simply open the task manager, run a web browser and download a fix called shellfix.exe, released by Prevx (http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX). After running shellfix.exe which "resets the Windows Shell", reboot and everything is fine on the first login. Unfortunately, it is only temporary, and the next reboot will yield a black screen once again, and I will have to either re-log into Windows, or run the shellfix again.

    I suppose doing a "repair install" of Windows might fix the problem, but I would very much like to know what is causing this to happen.

    edit: I should add that the System File Checker (sfc /verifyonly in cmd) comes up with nothing out of the ordinary.
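    The indicators described in this post can be checked from an elevated PowerShell prompt. The script below is an added triage example, not something posted in the thread: it looks for setup.exe inside randomly named C:\Windows\TEMP subfolders, for running ping.exe processes and their parents, for the Winlogon Shell value (assumed here to be what a "reset the Windows Shell" fix restores), for the Base Filtering Engine service (service name BFE), and records the hash of cdrom.sys for comparison against a known-good copy.

```powershell
# Added triage script (not from the thread). Checks only the indicators the
# poster described; it reports, it does not remove anything.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Randomly named folders under C:\Windows\TEMP that contain setup.exe
$temp = Join-Path $env:SystemRoot 'TEMP'
Get-ChildItem -Path $temp -Directory | ForEach-Object {
    $setup = Join-Path $_.FullName 'setup.exe'
    if (Test-Path $setup) {
        $hash = (Get-FileHash -Path $setup -Algorithm SHA256).Hash
        $findings += "TEMP dropper: $setup sha256=$hash created=$($_.CreationTime)"
    }
}

# 2. ping.exe instances and their parent process (thread saw ~80% CPU use)
Get-CimInstance Win32_Process -Filter "Name = 'ping.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $findings += "ping.exe pid=$($_.ProcessId) parent=$($parent.Name) cmd=$($_.CommandLine)"
}

# 3. Winlogon Shell value (assumption: this is what a shell reset restores).
#    Anything other than explorer.exe, in either hive, is worth a closer look.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell in $hive is '$shell' (expected explorer.exe)"
    }
}

# 4. Base Filtering Engine service, which the poster found missing
$bfe = Get-Service -Name BFE
if (-not $bfe) { $findings += 'Service BFE (Base Filtering Engine) is missing' }
elseif ($bfe.Status -ne 'Running') { $findings += "Service BFE state: $($bfe.Status)" }

# 5. cdrom.sys hash, to compare against a known-good copy of the same Windows build
$cdrom = Join-Path $env:SystemRoot 'System32\drivers\cdrom.sys'
if (Test-Path $cdrom) {
    $findings += "cdrom.sys sha256=$((Get-FileHash -Path $cdrom -Algorithm SHA256).Hash)"
}

if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }
```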
     
  2. Rumblefish

    Rumblefish

    Joined:
    May 7, 2009
    Messages:
    33
    Unauthorized content removed.
     
  3. tolagali

    tolagali Thread Starter

    Joined:
    Dec 18, 2011
    Messages:
    2
    Well I did detect and quarantine the thing, and the most notable symptoms have ceased. As far as I understand, the problem with the Windows Shell or black screen is not being directly caused by the quarantined trojan, but by the damage that the trojan did while it was still active.

    As for my AV software, it's under my Computer Specs, Antivirus: ESET NOD32 Antivirus 5.0, Updated and Enabled. Other than that, I've been using both the demo version of Hitman Pro as you suggested, as well as Spybot - Search & Destroy and Malwarebytes' Anti-Malware.

    Hitman Pro detected the rootkit, NOD32 detected the Kryptik trojan and Malwarebytes' detected a second trojan called "Trojan.Email". They've all been quarantined. I've run several subsequent scans and they've turned up nothing.

    I'll look into MSE and a re-installation of my VGA drivers.

    edit:
    I forgot to mention that the black screen problem does not occur when booting in Safe Mode.

    edit2/update:
    I've re-installed my VGA drivers and the problem still persists. I've also confirmed that booting Windows in Safe Mode solves/hides the problem.

    When I logged on just a few minutes ago, I tried something new: During the black screen, I brought forth the task manager through ctrl-shift-esc and decided to kill the explorer.exe process. After doing this, I attempted to run explorer.exe again, as if restarting it. This sort of worked; I was able to see the start menu and the desktop background. However, the remaining processes that usually start on a normal start up did not start. I had to log off and on again in order for everything to work correctly. (By logging off and on, I am referring to the use of the Log off option rather than the Restart or Shut down ones.)
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,815
    First Name:
    Karen
    Rumblefish,

    I've deleted the content of your post as you are not authorized for malware removal. Please refer to the site rules.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,815
    First Name:
    Karen
    Please download DDS by sUBs to your desktop from one of the following locations:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    Double-click the DDS.scr to run the tool.

    When DDS has finished scanning, it will open two logs named as follows:

    DDS.txt
    Attach.txt

    Save them both to your desktop. Copy and paste the contents of the DDS.txt and Attach.txt files in your reply please.


    If your system is 64-bit then do NOT run GMER and just post the DDS logs:

    Please download GMER from: http://gmer.net/index.php

    Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

    Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

    Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

    If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

    IAT/EAT
    Any drive letter other than the primary system drive (which is generally C).

    Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

    Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.

    Open the ark.txt file and copy and paste the contents of the log here please.
     