White screen after Windows has loaded

Exmortis66

New Member
Thread author
Oct 12, 2013
11
This seems to be a persistent problem. Previous computer had the same issue, the laptop has had the same issue with the "AFD" Scamware, but never have I encountered this "White screen" before.

It seems that there are a few programs that may have carried this malware into the system. Some internet games that children have inadvertently "Run.exe'd" without realising it, but I cannot be specific on what files.

Any help would be greatly appreciated at this time.
Kind regards
Exmortis66
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

Exmortis66

New Member
Thread author
Oct 12, 2013
11
I am currently running a FRST scan.

I have tried multiple times to use F8 during self diagnostics of the computer, I am unable to access any of those options.
 

Exmortis66

New Member
Thread author
Oct 12, 2013
11
FRST SCAN RESULTS

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by SYSTEM on REATOGO on 12-10-2013 18:51:07
Running from D:\
Windows 7 Ultimate (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10828392 2011-08-26] (Realtek Semiconductor)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe [5115192 2012-07-23] (Logitech Inc.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] - C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411440 2013-08-14] (AVG Technologies CZ, s.r.o.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKU\Midgley\...\Run: [Facebook Update] - C:\Users\Midgley\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-12-07] (Facebook Inc.)
HKU\Midgley\...\Run: [Steam] - C:\Program Files\Steam\Steam.exe [ 2013-10-08] (Valve Corporation)
HKU\Midgley\...\Run: [Google Update] - [x]
HKU\Midgley\...\Run: [Internet Security] - C:\ProgramData\msprotection.exe
HKU\Midgley\...\Winlogon: [Shell] explorer.exe,C:\Users\Midgley\AppData\Roaming\data.dat [ 2012-04-15] () <==== ATTENTION

========================== Services (Whitelisted) =================

S2 AdobeActiveFileMonitor11.0; C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171600 2012-09-22] (Adobe Systems Incorporated)
S2 avgfws; C:\Program Files\AVG\AVG2013\avgfws.exe [1432080 2013-09-03] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-26] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-26] ()
S2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()
S2 ADExchange; C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]
S3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a7247bf5-ea67-3c3a-b114-53fdaa26f79e}\ \...\???\{a7247bf5-ea67-3c3a-b114-53fdaa26f79e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [50296 2012-09-03] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-19] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-06-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-09-04] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-20] (AVG Technologies CZ, s.r.o.)
S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2009-03-02] (Avanquest Software)
S0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
S3 gdrv; C:\Windows\gdrv.sys [17488 2012-05-21] (Windows (R) 2000 DDK provider)
S3 LGBusEnum; C:\Windows\System32\drivers\LGBusEnum.sys [19720 2009-11-23] (Logitech Inc.)
S3 LGVirHid; C:\Windows\System32\drivers\LGVirHid.sys [14856 2009-11-23] (Logitech Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [657408 2009-07-13] (Ralink Technology Corp.)
S0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [46096 2012-08-09] (Corel Corporation)
S3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [328552 2011-07-06] (Realtek Semiconductor Corp.)
S1 twtrroqn; \??\C:\Windows\system32\drivers\twtrroqn.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-12 18:35 - 2013-10-12 18:35 - 00000000 ____D C:\FRST
2013-10-05 12:20 - 2013-10-12 05:24 - 00000004 _____ C:\Users\Midgley\AppData\Roaming\settings.ini
2013-09-26 02:34 - 2013-09-26 02:34 - 00001496 _____ C:\Windows\PFRO.log
2013-09-23 00:33 - 2013-09-23 00:33 - 00000000 ____D C:\Users\Midgley\AppData\Local\Unity
2013-09-12 21:41 - 2013-09-12 21:41 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-09-12 21:41 - 2013-09-12 21:41 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

==================== One Month Modified Files and Folders =======

2013-10-12 18:35 - 2013-10-12 18:35 - 00000000 ____D C:\FRST
2013-10-12 18:35 - 2012-05-24 06:32 - 00000000 ____D C:\users\Midgley
2013-10-12 05:24 - 2013-10-05 12:20 - 00000004 _____ C:\Users\Midgley\AppData\Roaming\settings.ini
2013-10-12 05:24 - 2013-05-17 01:59 - 00000000 ____D C:\Program Files\Steam
2013-10-12 05:24 - 2012-05-24 06:27 - 00005872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-12 05:24 - 2012-05-24 06:27 - 00005872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-12 05:23 - 2013-08-15 18:32 - 02481624 _____ C:\Windows\setupact.log
2013-10-12 04:21 - 2012-05-24 06:59 - 01867250 _____ C:\Windows\WindowsUpdate.log
2013-10-12 02:43 - 2012-05-20 04:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-04 21:05 - 2006-11-02 06:23 - 00000206 _____ C:\Windows\win.ini
2013-10-02 06:26 - 2013-04-12 09:27 - 00001104 _____ C:\Users\Midgley\Desktop\ROBLOX Studio 2013.lnk
2013-10-02 06:26 - 2013-04-12 08:51 - 00001285 _____ C:\Users\Midgley\Desktop\ROBLOX Player.lnk
2013-10-02 05:31 - 2013-01-09 04:35 - 00000000 ____D C:\Users\Midgley\AppData\Roaming\TS3Client
2013-10-01 02:08 - 2013-08-15 10:05 - 00000000 ____D C:\Windows\System32\appmgmt
2013-09-30 22:38 - 2012-01-16 04:27 - 00000000 ____D C:\Users\Midgley\AppData\Local\Ubisoft Game Launcher
2013-09-30 22:33 - 2013-04-06 00:40 - 00000000 ____D C:\Users\Midgley\AppData\Roaming\.minecraft
2013-09-28 01:57 - 2012-10-10 05:14 - 00001200 _____ C:\Users\Midgley\Desktop\settings.dat
2013-09-26 02:34 - 2013-09-26 02:34 - 00001496 _____ C:\Windows\PFRO.log
2013-09-23 00:33 - 2013-09-23 00:33 - 00000000 ____D C:\Users\Midgley\AppData\Local\Unity
2013-09-13 06:46 - 2013-01-09 04:34 - 00000000 ____D C:\Program Files\TeamSpeak 3 Client
2013-09-13 01:11 - 2011-12-08 02:28 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-12 21:41 - 2013-09-12 21:41 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-09-12 21:41 - 2013-09-12 21:41 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-09-12 21:41 - 2013-08-15 12:54 - 00000935 _____ C:\Users\Public\Desktop\AVG 2013.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3128840225-35159620-4175650948-1000\$a7247bf5ea673c3ab11453fdaa26f79e

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$a7247bf5ea673c3ab11453fdaa26f79e

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
C:\Users\Midgley\AppData\Roaming\data.dat
C:\Users\Midgley\AppData\Roaming\settings.ini
ZeroAccess:
C:\Users\Midgley\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
C:\Users\Midgley\acrobat.exe
C:\Users\Midgley\acrobatreader.exe
C:\Users\Midgley\jagex_cl_runescape_LIVE.dat
C:\Users\Midgley\opera.exe
C:\Users\Midgley\random.dat
C:\Users\Midgley\AppData\Roaming\i.ini


Some content of TEMP:
====================
C:\Users\Midgley\AppData\Local\Temp\cnngjmcejyprpydbuci.bfg


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

2
Restore point made on: 2013-10-01 12:00:04
Restore point made on: 2013-10-09 12:00:11

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 3326.23 MB
Available physical RAM: 2954.27 MB
Total Pagefile: 3149.36 MB
Available Pagefile: 3042.58 MB
Total Virtual: 2047.88 MB
Available Virtual: 1988.18 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:931.51 GB) (Free:715.08 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: () (Removable) (Total:7.45 GB) (Free:7.42 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 556D2232)
Partition 1: (Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2012-12-05 09:21

==================== End Of Log ============================
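
Added example (not part of the thread and not FRST's own code): a small triage pass over an FRST log like the one above, pulling out the lines a helper would look at first. The function name `triage_frst` and its four rules are assumptions for illustration; the sample lines are excerpted from the posted log.

```python
import re

SECTION = re.compile(r"^=+ (?P<name>[^=]+?) =+$")       # "==== Services (Whitelisted) ===="
COMPANY = re.compile(r"\(([^()]+)\)\s*$")               # trailing "(Vendor name)" field
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData)\\", re.I)

def triage_frst(log_text):
    """Return [(section, [reasons], line)] for log lines that deserve a closer look."""
    section, after_label, findings = "header", False, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if line == "ZeroAccess:":            # label line; the path follows on the next line
            after_label = True
            continue
        reasons = ["listed under a ZeroAccess: label"] if after_label else []
        after_label = False
        # FRST's own markers, minus the generic "ATTENTION!:" notice in the log header
        if ("ATTENTION" in line or "ZeroAccess" in line) and not line.startswith("ATTENTION!:"):
            reasons.append("flagged by FRST")
        if "\\Run: [" in line:
            target = line.split("] - ", 1)[-1]
            if USER_WRITABLE.search(target) and not COMPANY.search(target):
                reasons.append("autorun from user-writable path, no company name")
        if "Winlogon: [Shell]" in line:
            value = line.split("[Shell]", 1)[1].split("[", 1)[0].strip()
            if value.lower() != "explorer.exe":
                reasons.append("Winlogon Shell is not plain explorer.exe")
        if line.endswith("[x]"):
            reasons.append("target file missing")
        if reasons:
            findings.append((section, reasons, line))
    return findings

# Lines excerpted from the log posted above (not the full log).
SAMPLE = r"""
==================== Registry (Whitelisted) ==================
HKU\Midgley\...\Run: [Facebook Update] - C:\Users\Midgley\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-12-07] (Facebook Inc.)
HKU\Midgley\...\Run: [Internet Security] - C:\ProgramData\msprotection.exe
HKU\Midgley\...\Winlogon: [Shell] explorer.exe,C:\Users\Midgley\AppData\Roaming\data.dat [ 2012-04-15] () <==== ATTENTION
==================== Drivers (Whitelisted) ====================
S1 twtrroqn; \??\C:\Windows\system32\drivers\twtrroqn.sys [x]
==================== One Month Modified Files and Folders =======
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
"""

if __name__ == "__main__":
    for section, reasons, line in triage_frst(SAMPLE):
        print(f"[{section}] {'; '.join(reasons)}\n    {line}")
```

A "target file missing" hit on its own is common for leftover entries of uninstalled software; it matters most when combined with an unfamiliar service or driver name.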
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please download this file and save it to your Flash Drive.

[attachment=5902]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments

  • fixlist.txt
    1.3 KB · Views: 83

Exmortis66

New Member
Thread author
Oct 12, 2013
11
Running through REATOGO (as it's the only thing I can do without the white screen). It's come up with "Looks like you don't know what to do!" *Sigh*.

Will attempt to run in normal mode.
 

Exmortis66

New Member
Thread author
Oct 12, 2013
11
When I ran the fix using REATOGO it said "Looks like you don't know what you're doing" and closed the program.
 

Exmortis66

New Member
Thread author
Oct 12, 2013
11
For some unknown reason, I was able to get into Start-up Repair, and it's now allowing me to do a System Restore.

If this works, fingers crossed, I will attempt a MW scan and an AV scan.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Let me know the status. If that one is not working...


Let's create a bootable HitmanPro Rescue Disk and run a scan:

STEP 1: Create a HitmanPro.Kickstart USB flash drive
  • While you are using a "clean" (non-infected) computer, download HitmanPro from the below link.
    HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  • Insert your USB flash drive into your computer and then follow the instructions from the below video:
    http://www.youtube.com/embed/aBS902Qr0oc?rel=0

STEP 2: Remove infection with HitmanPro.Kickstart
  • After you have created the HitmanPro.Kickstart USB flash drive, you can insert this USB drive into the infected machine and start your computer.
  • Once the computer starts, repeatedly tap the F11 key (on some machines it's F10 or F2), which should bring up the Boot Menu. From there you can select to boot from your USB.
    Next, you'll need to perform a system scan with HitmanPro as seen in the below video:
    http://www.youtube.com/embed/lUNHidkYsDQ?rel=0
 

Exmortis66

New Member
Thread author
Oct 12, 2013
11
Even after a system restore, I am still getting that damn white screen! I still can't get into safe mode using F8 either. Will boot with REATOGO IMGBURN and attempt another FRST Fix. Is there anything else I can do if the Fix doesn't work again?
 
