Black screen malware "runonce.exe"

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
Update: Remember the excluded folders I listed on post #8? If not, take a look. If you do, good, because it's important. Some of those folders were automatically removed from running scans for malware with various programs. Now, there were only 4 folders left which were excluded from being scanned. I have recently scanned with Windows Defender, malwarescan, adwcleaner and Zemana. None of them found anything, even after running full scans over the course of multiple attempts.

But here's the part that is interesting. By manually looking through the folders I found that three of them were gone, and there was only 1 file in 1 folder left. This file I scanned with Zemana and guess what! It was an .exe file, but it was also malware. So now that particular malware is gone. Not sure whether or not I will have more issues, though. At least one less malware to deal with.

Currently the issue is that when I boot the PC, it takes around 5 minutes (on a good rig with SSD), to just load all the pictures of the icons on the desktop. Like something is draining 100 % CPU and disk performance, a malware. But the weird thing is after about 5 minutes, when the PC is fully loaded, the PC seems to run just fine! Haven't had any issues in gaming, not stability wise nor performance wise.

Here's an attached report of the scan in which I made a custom scan and removed a malware.
 

Attachments

  • 2017.03.23-20.57.21-i4-t2-d1.txt
    1.4 KB · Views: 1

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.

  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach report into your next reply.
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
There you go. Sometimes, very rarely though, Windows Defender shuts itself off. Seems to be something overriding it, probably a malware.
 

Attachments

  • FRST.txt
    47.5 KB · Views: 2
  • Addition.txt
    59.9 KB · Views: 2

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Your computer isn't infected.


Check Disk
  • Press the Windows key on your keyboard. Type cmd and right click >> Run as Administrator.
  • Copy/Enter the command below and press Enter:
    Code:
    chkdsk C: /r
  • You should get a message to schedule Check Disk at next system restart. Please type Y and press Enter.
  • All you should do now is to restart your PC and let the Check Disk process finish uninterrupted.
Check Disk report:
  • Press the Windows key + R on your keyboard at the same time. Type eventvwr and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • Now you'll be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.
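
The Check Disk report steps above can also be done from a PowerShell prompt, which additionally lets you pull out the lines that matter for triage. This is an added example, not part of the original post; the function name Get-ChkdskSummary and its output field names are hypothetical, and the sample text is constructed in the format of a CHKDSK boot-time report.

```powershell
# Added example, not from the thread. Get-ChkdskSummary and its output fields are
# hypothetical names; the Get-WinEvent filter mirrors the Event Viewer steps above.
function Get-ChkdskSummary {
    param([string]$ReportText)   # optional: pasted report text instead of a live event

    if (-not $ReportText) {
        # Newest boot-time CHKDSK report: Application log, source Wininit, event 1001.
        $entry = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Wininit'
            Id           = 1001
        } -MaxEvents 1 -ErrorAction Stop
        $ReportText = $entry.Message
    }

    # Pull "<number> KB <label>" figures out of the summary block; $null if absent.
    $kb = {
        param($label)
        $m = [regex]::Match($ReportText, "(\d+) KB $label")
        if ($m.Success) { [long]$m.Groups[1].Value } else { $null }
    }
    $total = & $kb 'total disk space'
    $free  = & $kb 'available on disk'

    [pscustomobject]@{
        BadSectorsKB    = & $kb 'in bad sectors'
        CorrectionsMade = $ReportText -match 'Windows has made corrections to the file system'
        CleanupLines    = [regex]::Matches($ReportText, '(?m)^Cleaning up ').Count
        FreePercent     = if ($total -and $null -ne $free) {
                              [math]::Round(100 * $free / $total, 1)
                          } else { $null }
    }
}

# Constructed sample in the format of a CHKDSK boot-time report.
$sample = @'
Stage 1: Examining basic file system structure ...
Cleaning up instance tags for file 0x6bab.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
243656703 KB total disk space.
0 KB in bad sectors.
30182860 KB available on disk.
'@
Get-ChkdskSummary -ReportText $sample   # parse pasted text
# Get-ChkdskSummary                     # or read the newest event from this machine
```

A nonzero BadSectorsKB means CHKDSK found unreadable clusters on the drive; cleanup lines with zero bad sectors are file-system metadata repairs.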
 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
I ran check disk and it got "stuck" at 27 %, but eventually it finished. So it must have changed or repaired something.

But in reality I have the same issue as before when I start my PC. Takes about 5 minutes to load everything. Anything I click (such as task manager) takes 5 minutes to open. It also takes about 5 minutes for the wireless to connect to my router.

Strangely there were no errors in the wininit. But I did see some other errors in event viewer. 15 critical errors in the last 14 days. 7 of those were Kernel Power Event #41 something about a clean shut down. Maybe that's just Steam or some other apps not closing properly before shutting down. 4 errors were DriverFramework event ID #10110 and the last 4 errors were also something called DriverFramework but event ID #10116.

Here is the checkdisk event:

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 3/25/2017 8:32:58 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Viper
Description:


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
Cleaning up instance tags for file 0x6bab.
Cleaning up instance tags for file 0x1a16c.
Cleaning up instance tags for file 0x2129c.
Cleaning up instance tags for file 0x26430.
Cleaning up instance tags for file 0x6cbd8.
870912 file records processed.

File verification completed.
11771 large file records processed.

0 bad file records processed.


Stage 2: Examining file name linkage ...
998894 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.


Stage 3: Examining security descriptors ...
Cleaning up 2875 unused index entries from index $SII of file 0x9.
Cleaning up 2875 unused index entries from index $SDH of file 0x9.
Cleaning up 2875 unused security descriptors.
Security descriptor verification completed.
63992 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
870896 files processed.

File data verification completed.

Stage 5: Looking for bad, free clusters ...
7545714 free clusters processed.

Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.
No further action is required.

243656703 KB total disk space.
212254332 KB in 575233 files.
269372 KB in 63993 indexes.
0 KB in bad sectors.
950139 KB in use by the system.
65536 KB occupied by the log file.
30182860 KB available on disk.

4096 bytes in each allocation unit.
60914175 total allocation units on disk.
7545715 allocation units available on disk.

Internal Info:
00 4a 0d 00 05 c1 09 00 be 8c 0e 00 00 00 00 00 .J..............
ff 96 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 ..../...........

Windows has finished checking your disk.
Please wait while your computer restarts.

 

Jon Doetest

New Member
Thread author
Verified
Mar 20, 2017
20
I have no idea what is the problem. There is no malware and you can probably check temperatures as the final step.

Temperatures are not the problem. I have no issues after the initial slow start. Can run any PC game without any stability or performance issues.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Let's try one more malware check just in case.

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.

If anything is found, follow these guidelines:
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    If Cure is not available, please choose Skip instead.
  • Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.
 
