Black screen malware "runonce.exe"

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
So I got the same problem as this person had previously
SOLVED - Black Screen and 2 instances of RunOnce.exe on Windows 7

This guy got excellent help so I wanted to see if you guys can help me out here.

Problem started when this malware/virus was installing itself through another program. Now it's taken over my PC completely. At first though, I noticed Russian and Chinese programs on my PC which constantly opened and it took over my control. Such as web browsers opening in Chinese etc. But once I restarted the PC, I could never get into Windows. Because as Windows was done booting and it was loading my user, then the entire screen went all black. Literally couldn't see anything but my mouse. Nothing was clickable, alt+tab was not working, nor was Windows+R or any other way to get action.

But CTRL ALT DEL was working and brought up the standard menu. Now I could see normal again. But if I click on Task manager, the screen instantly goes back to black again. So I can't access the taskbar. By reading here on the previous guy's post he mentioned something called runonce.exe basically blocking the view. And just a minute ago I was able to actually do the CTRL ALT DEL taskbar and remove this process. This meant that I could see normal desktop again! However, the malware is still there because I can see all the odd processes. So I went to run a Malwarebytes scan with rootscan enabled. After a minute it found something and prompted me to restart, which I did.

Alas, now I am back to square one of not being able to use CTRL ALT DEL to remove this process. I've also tried to boot in safe mode but for some reason it won't let me through BIOS and/or the boot manager before booting from the hard drive.

Any help is very much appreciated!
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Update: Seems patience did it. While I was typing this I had already clicked CTRL ALT DEL and opened task manager, even if I couldn't see anything. When I returned to the other PC it "magically" showed me task manager. Now I am in the process of running a full Malwarebytes scan. That should do it. If not, I'll post back.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Update 2: I ran Malwarebytes three times with rootscans included. It seems most of the malware is removed, including the one which made the entire screen black.

But! Now I have a new problem. My PC runs extremely slow and even just loading all the desktop icons takes minutes. Loading all the programs in "uninstall programs" takes about 5 minutes. Opening a program takes minutes. I am 99.9% certain it's a malware which "drags" all performance from the computer. Because when I open task manager (when it finally loads!) what I see is 99 % CPU and 100 % disk. There is only one process which seems to drag the PC down. It's called "Malwarebytes Service" and it has no icon next to it, like the other "Malwarebytes (32 bit)" process has. So I am almost certain this is the malware.

But I need help to actually remove this one, because it doesn't show up on scans.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Thread moved for MRA.

Please wait for @TwinHeadedEagle to respond.

Roger that.

Update 3: Meanwhile things have taken a turn for the worse. Literally all my desktop icons have the same black square which partially covers each one of them. Besides, there are new, blank and white desktop icons with no name. And my taskbar icons at the bottom of the screen (next to start button) say "Can't open this item. It might have been moved, renamed, or deleted. Do you want to remove this item?" I click no every time, but I never did any of this.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20

In fact, I can't even open any of my desktop icons! Nor can I search for Microsoft Security Essentials to try to scan with the Windows Defender application. It seems as if Windows Security Essentials AND Malwarebytes were deactivated and I am not sure I can activate either of them. However I did try to activate MSE by going into regedit and deleting the string to deactivate it. But I am not sure it's working since I can't open the program! Neither can I search for it (or anything else), nor can I manually open any program which is not part of the "hidden programs" in the bottom right corner.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Update 4: Was able to get Windows Defender back on running and I discovered something interesting (before scanning). Apparently there was a quarantined file named "Selfdel.b," a trojan. And there was also an allowed item called "Neobar," a web browser modifier. Will delete both of these, then scan again (Win Defender is up to date).
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Additionally, some folders were apparently excluded from scan in the Windows Defender settings. These folders do seem extremely strange to exclude! But I can't remove the exclusion of these folders! I will list them below:

C:\Program Files (x86)\Youtube AdBlock
C:\Program Files (x86)\Youtube AdBlockIE
C:\Program Files (x86)\Youtube AdBlockU
C:\Users\MyUserName\AppData\Local\Google\Chrome\User Data
C:\Users\MyUserName\AppData\LocalLow\Youtube AdBlock
C:\Users\MyUserName\AppData\Roaming\Opera Software\Opera Stablle
C:\Windows\temp
C:\Program files\c9a6c805cc11ae8ef70715d864a0b53b
C:\Windows\0d37513b5aec689b93f186d09d569b2.exe
C:\Windows\System32\drivers\bcb1dbe52721a5e4532675cd92...

Seems EXTREMELY strange that I would have Opera folders and AdBlock Youtube folders when I have NEVER used programs named that. Well, I have used AdBlock but not once a Youtube exclusive (does that even exist? doubt it).

For example when I enter the first folder there's only 1 file - an uninstall.exe - not something I'd like to open at all!
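
Added example, not part of the original thread: a small triage of the Windows Defender exclusion entries listed in the post above, ordering them by how many review-worthy traits each one shows. The heuristics and the names `triage` and `review` are assumptions made for illustration, and the entries are copied from the post as constructed sample input.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: entries copied from the exclusion list in the post above.
# The truncated drivers entry is omitted because its full name is not on the page.
EXCLUSIONS = [
    r"C:\Program Files (x86)\Youtube AdBlock",
    r"C:\Users\MyUserName\AppData\Local\Google\Chrome\User Data",
    r"C:\Windows\temp",
    r"C:\Program files\c9a6c805cc11ae8ef70715d864a0b53b",
    r"C:\Windows\0d37513b5aec689b93f186d09d569b2.exe",
]

HASH_LIKE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}


def triage(entry):
    """Return the reasons (assumed heuristics) an exclusion entry deserves review."""
    path = PureWindowsPath(entry)
    parts = [p.lower() for p in path.parts[1:]]  # drop the drive anchor
    reasons = []
    if HASH_LIKE.match(path.stem):
        reasons.append("hash-like name")
    if path.suffix.lower() in EXECUTABLE_SUFFIXES:
        reasons.append("executable excluded by file name")
    if parts and parts[0] == "windows":
        reasons.append("inside the Windows directory")
    if "temp" in parts:
        reasons.append("shared temp directory")
    if "appdata" in parts and "user data" in parts:
        reasons.append("browser profile data")
    return reasons


def review(entries):
    """Map each flagged entry to its reasons, entries with most reasons first."""
    flagged = {e: triage(e) for e in entries}
    flagged = {e: r for e, r in flagged.items() if r}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for entry, reasons in review(EXCLUSIONS).items():
        print(f"{entry}\n    " + "; ".join(reasons))
```

Entries that match none of these traits, such as the "Youtube AdBlock" folders, are not flagged by name alone and still need checking against software the user knowingly installed.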
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.


  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20


Hello and thanks for helping me.

Here's the files you want. Let me just say quickly two things.

First, I installed other AV and tried to scan, now I am using ad-aware.

Second, something I just noticed! In the default browser in FRST.txt it says: Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1")

This browser is completely not my supposed default, which is Google Chrome. To add to that, I just noticed that I have 2 "Google Chrome" shortcuts in my taskbar open at the same time - of course something which shouldn't happen! This browser is 100 % malware, and it's named UC and then something in Chinese!
 

Attachments

  • Addition.txt
    74.1 KB · Views: 1
  • FRST.txt
    52.3 KB · Views: 1
  • show.jpg
    show.jpg
    14.5 KB · Views: 0

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the [image: 4zu6vb.jpg] icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
An update to you @TwinHeadedEagle

Went back to Windows Defender (for now) and as I wrote in my post #8 on here, there's quite a few folders which are set up for exclusion. And I am almost certain that some of them contain viruses/malwares. Right now the malware just keeps deactivating Windows Defender constantly!
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Latest update as of right now: The multitude of scans with different anti-virus/malware programs have filtered out many, but not all malware. The black screen when I turn on the computer is completely gone, at the very least!

Alas, there is still some malware left. And I can almost certainly tell you where it's located, without being able to remove it myself. As I mentioned in post #8, some folders were excluded without me at any point excluding these folders. I will bold the folders which are still in the Windows Defender exclusions below, since some folders were actually deleted by malware.


C:\Program Files (x86)\Youtube AdBlockU
C:\Users\MyUserName\AppData\Roaming\Opera Software\Opera Stable
C:\Program files\c9a6c805cc11ae8ef70715d864a0b53b
C:\Windows\0d37513b5aec689b93f186d09d569b2.exe
C:\Windows\System32\drivers\bcb1dbe52721a5e4532675cd92...


When I manually go through these folders, I can not find the first one (maybe hidden?). Same goes for the second folder. And the third. However, the fourth 0d3....exe is a file which was last modified 12 hours before I got my big malware attack. And it's a .exe file in a Windows folder. This file seems extremely suspicious because when I google the file name I don't even get a single result. As for the last folder, I can not find it either.

By the way, I've also done a complete clean reinstallation of Google Chrome. But I still have the "UC - Chinese sign" browser, because as I opened a weblink it asked me to choose default web browser, UCBrowser was one of the options.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.

  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach report into your next reply.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    7.4 KB · Views: 6

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
I did everything you said up to the point of running the fix and rebooting. Then after rebooting the PC and logging into my user, I get a totally black screen. This particular issue was actually completely gone before this, as the malwarescans must have fixed that. So now I can't even get into the PC at all. Even the CTRL ALT DEL into taskbar does nothing.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Edit: After about 10 minutes of black screen I got Windows desktop normally. Albeit it seemed to have an insane loading time right out of boot. Will upload the fixlist in a moment.
 
