So I'm very familiar with the Windows Vista black screen + white cursor issue and have documented many ways of resolving it on my end, but this one I cannot. This post revolves around a Windows Vista w/SP2 x86 system with all the latest updates and patches after a number of trojans were removed like ZeroAccess, Zbot, etc., and lots of toolbars and savings junk removed properly through Programs and Features.
Booted system up and it spawned numerous COM Surrogates in task manager using up all the memory. This led me to run a number of malware removal applications / scans which found a few sneaky trojans which other applications would not find and after removing them, the system worked great.
In fact, the system does work great, I can run Windows updates, the system performs as well as it should... except for one problem.
If I run sfc /scannow it will state that rpcss.dll hash is off and will replace it with a proper version. Once rpcss.dll is fixed, I get the Vista black screen w/white cursor.
- Avira Antivir (antivirus)
- Hijackthis (everything normal now)
- Junkware Removal Tool (JRT) (shows "ERROR: Access is denied" after 'Checking Registry' but does complete)
- Norton Power Eraser
I also checked the MBR and it's clean.
So at this point we're at a fully operational post-cleaning situation where everything seems to be working great with one exception - replacing rpcss.dll with a proper file will break the system.
- Checked to make sure that RpcSs is running as NT AUTHORITY\NetworkService
- SFC /scannow (which causes the issue)
- chkdsk /f
- winlogon registry keys are as they should be
- last known good configuration won't resolve this
Rkill 2.6.1 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
Program started at: 03/03/2014 02:52:59 PM in x86 mode.
Windows Version: Windows Vista Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* DFSR [Missing Service]
Searching for Missing Digital Signatures:
* C:\Windows\System32\rpcss.dll : 551,936 : 04/11/2009 01:28 AM : 18ed8bf2719e33c7c9ca19ab0f833702 [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll : 549,888 : 03/02/2009 11:19 PM : 7b981222a257d076885bffb66f19b7ce [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll : 550,400 : 03/02/2009 11:17 PM : b1bb45e24717a7f790b4411c4446ef5e [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll : 547,328 : 01/20/2008 09:24 PM : 33fb1f0193ee2051067441492d56113c [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll : 551,424 : 03/02/2009 11:39 PM : 301ae00e12408650baddc04dbc832830 [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll : 551,424 : 03/02/2009 11:32 PM : 4dfcbdef3ccaa98f99038ded78945253 [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll : 550,400 : 04/11/2009 01:28 AM : 3b5b4d53fec14f7476ca29a20cc31ac9 [Pos Repl]
Checking HOSTS File:
* HOSTS file entries found:
Program finished at: 03/03/2014 02:54:35 PM
Execution time: 0 hours(s), 1 minute(s), and 36 seconds(s)
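An added example, not part of the original post or of Rkill: a short Python parser for the "Searching for Missing Digital Signatures" entries above, which checks whether the unsigned System32 file matches any WinSxS store copy by MD5 and reports the size difference against a store copy carrying the same timestamp. The field layout is inferred from the log lines on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Entries copied from the Rkill log above (layout inferred from those lines).
SAMPLE_LOG = r"""
 * C:\Windows\System32\rpcss.dll : 551,936 : 04/11/2009 01:28 AM : 18ed8bf2719e33c7c9ca19ab0f833702 [NoSig]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll : 549,888 : 03/02/2009 11:19 PM : 7b981222a257d076885bffb66f19b7ce [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll : 550,400 : 03/02/2009 11:17 PM : b1bb45e24717a7f790b4411c4446ef5e [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll : 547,328 : 01/20/2008 09:24 PM : 33fb1f0193ee2051067441492d56113c [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll : 551,424 : 03/02/2009 11:39 PM : 301ae00e12408650baddc04dbc832830 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll : 551,424 : 03/02/2009 11:32 PM : 4dfcbdef3ccaa98f99038ded78945253 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll : 550,400 : 04/11/2009 01:28 AM : 3b5b4d53fec14f7476ca29a20cc31ac9 [Pos Repl]
"""

# marker, path, size, timestamp, MD5, tag; fields are separated by " : "
ENTRY = re.compile(r"^\s*(\*|\+->)\s+(.+?) : ([\d,]+) : "
                   r"(\d\d/\d\d/\d{4} \d\d:\d\d [AP]M) : ([0-9a-f]{32}) \[(.+?)\]\s*$")

def parse_signature_section(text):
    """Group each '*' (live file) entry with the '+->' candidates under it."""
    groups = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip headers and anything not in the entry layout
        marker, path, size, stamp, md5, tag = m.groups()
        entry = {"path": path, "size": int(size.replace(",", "")),
                 "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
                 "md5": md5, "tag": tag}
        if marker == "*":
            groups.append((entry, []))
        elif groups:
            groups[-1][1].append(entry)
    return groups

def assess(live, candidates):
    """Compare the flagged live file with its WinSxS store copies."""
    return {
        "matches_store_copy": any(c["md5"] == live["md5"] for c in candidates),
        # Same timestamp as the live file but different content: (path, bytes).
        "same_time_size_deltas": [
            (c["path"], live["size"] - c["size"]) for c in candidates
            if c["mtime"] == live["mtime"] and c["md5"] != live["md5"]],
    }

if __name__ == "__main__":
    for live, candidates in parse_signature_section(SAMPLE_LOG):
        print(live["path"], assess(live, candidates))
```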