Black screen + cursor (caused by malware)


  • This topic is locked
11 replies to this topic

#1 shadowghost0 (Members, 12 posts)

Posted 01 October 2014 - 12:51 PM

Hello! This is my very first topic on BleepingComputer, and, beforehand, I would like to thank this community for being out there aiding all users in a very helpful way.

That said, let's get down to business. A client gave me a notebook (Samsung ATIV Book 4 NP470R4E-KD1BR). She said that her mom was using it and probably clicked on something, and then it was not booting any more.

With the notebook in hand, I saw that it did boot, but after the splash screen the computer stays forever on a black screen with only a movable cursor. I left it on this black screen for two hours and nothing happened. Task Manager does not appear (Ctrl+Alt+Del or Ctrl+Shift+Esc), ditto GUI elements. All advanced boot options are useless; the output is the same. As for the Windows Repair Environment, Startup Repair can't identify a problem, System Restore "did not find any restore point", there's no image for a complete restore, Memory Diagnostic is not the thing here at all (since I highly doubt it's a RAM problem), and from the command prompt I already tried chkdsk /f /r, /fixboot and /fixmbr, checked that the shell is okay, and, on some crazy internet advice, tried to change permissions (which I could not complete due to "No mapping between account names and security IDs was done").

I had to use Hiren's Boot CD (so to speak, since this notebook doesn't have a CD/DVD drive lol) to access a few important files for my client (only .docx and PDFs). I know I should not do it, but I ran RogueKiller from this environment (scan only) and it notified me there was a rootkit and needed to restart. Which is pointless, since the environment would be gone, as it is a live CD.

I tried pretty much everything I know for this scenario... still, the only thing that changed was that the black screen no longer stays forever; instead, the notebook reboots, goes to the black screen again, stays there approx. two minutes, then reboots again in an endless loop.

Since I'm out of ideas, and I don't want to format the whole thing, I am asking for your help. Go soft on me, please hahaha. I'm not familiar with the log tools used here, so any guidance is not an exaggeration. Keep in mind too that the only bootable device (except the HDD) is a flash drive.

Thanks, one more time, and cheers!




#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 06 October 2014 - 06:28 AM

Hi shadowghost0 and welcome to BleepingComputer! :)

Let's see if we can get a scan done from a PE environment to find out a bit more about the state of the computer.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

    If you are using Vista or Windows 7, enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language setting, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using a Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language setting, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 shadowghost0 (Topic Starter, Members, 12 posts)

Posted 06 October 2014 - 11:41 AM

First, thanks for your assistance and reply.

I did what you instructed. I accessed Farbar through the repair environment (F8 boot option) and here's the log file:

[Spoiler: FRST.txt log]



#4 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 06 October 2014 - 12:47 PM

Can you please rerun FRST and type services.exe in the search box? Click Search and post me the resulting log.

It looks like services.exe is patched or corrupt, which also explains the problems you are experiencing. Replacing the file should fix the problem.


regards, Elise




#5 shadowghost0 (Topic Starter, Members, 12 posts)

Posted 06 October 2014 - 01:12 PM

Thanks again. Here's the log for services.exe:

 

Farbar Recovery Scan Tool (x64) Version: 06-10-2014
Ran by SISTEMA at 2014-10-06 15:06:51
Running from F:\
Boot Mode: Recovery

================== Search Files: "services.exe" =============

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 5D500C33F254545C1EE6D19EB817F10F

C:\Windows\System32\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 5D500C33F254545C1EE6D19EB817F10F

X:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

X:\Windows\System32\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======



#6 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 06 October 2014 - 02:00 PM

Please press Windows key + R, type notepad and press Enter.

Copy/paste the following text into Notepad and save it as fixlist.txt in the same location as frst64.exe (very important!) on your USB drive.

replace: X:\Windows\System32\services.exe C:\Windows\System32\services.exe

Restart the computer in the recovery environment and run FRST64.exe. Click the Fix button. When done, restart the computer and let me know if it boots successfully now.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 shadowghost0 (Topic Starter, Members, 12 posts)

Posted 06 October 2014 - 02:52 PM

It worked!

It booted normally (although it took a long time to boot after the fix) and keeps booting properly after I restart it. Many thanks, Ms./Mrs.!

However, I would like to know, if possible, what made you believe that services.exe was corrupted or patched? Was it the line "S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [528896 2014-08-18] (Fuyu LIMITED)"?



#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 06 October 2014 - 03:37 PM

What pointed me to the problem was the MD5 hash of the services.exe file in the first FRST log. If you google that, you get zero hits. That is very suspicious, because services.exe is a well-known Microsoft file, so the MD5 hash should easily have a few thousand hits.

As for wprotectmanager.exe, this is a questionable file/program, but not outright malicious. If you'd like to investigate further (possible) problems, please rerun FRST in normal mode, check the box for Addition.txt and run a new scan.


regards, Elise


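The check Elise describes in #8, run over the search output posted in #5 and producing the kind of replace directive used in #6, as an added example that is not part of the original thread and not FRST's own code. The script parses an FRST "Search Files" block, treats the copies on X:\ (the WinRE boot image the recovery environment runs from) as the trusted reference, and flags any copy on another drive whose MD5 differs from the reference even though its size and timestamps match. Treating X:\ as trustworthy, the regular expressions for FRST's line format, and the function names are assumptions of this example; the sample log is the thread's own, embedded as a string. It goes one step beyond the thread by also emitting a replace line for the WinSxS copy on C:\, which carries the same foreign hash.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: the "Search Files" block posted in #5, in FRST's
# own line format. X:\ is the WinRE boot image the recovery environment runs
# from; this example ASSUMES its copies are trustworthy reference files.
FRST_SEARCH_LOG = r"""
================== Search Files: "services.exe" =============

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 5D500C33F254545C1EE6D19EB817F10F

C:\Windows\System32\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 5D500C33F254545C1EE6D19EB817F10F

X:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

X:\Windows\System32\services.exe
[2009-07-13 20:19][2009-07-13 22:39] 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""


class FileEntry(NamedTuple):
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str


class Finding(NamedTuple):
    entry: FileEntry
    reference_md5s: Tuple[str, ...]
    metadata_matches_reference: bool


# FRST prints a path line, then one line of
# "[created][modified] size attributes (company) MD5".
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
ATTR_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text: str) -> List[FileEntry]:
    """Turn a 'Search Files' block into FileEntry records (path line + attribute line)."""
    entries: List[FileEntry] = []
    pending = None
    for line in (raw.strip() for raw in text.splitlines()):
        if PATH_RE.match(line):
            pending = line
            continue
        m = ATTR_RE.match(line)
        if pending and m:
            entries.append(FileEntry(pending, m["created"], m["modified"],
                                     int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return entries


def _drive(path: str) -> str:
    return path[:2].upper()


def _relative(path: str) -> str:
    return path[2:].lower()  # drop "X:"; NTFS paths compare case-insensitively


def find_patched(entries: List[FileEntry], reference_drive: str = "X:") -> List[Finding]:
    """Flag every copy outside the reference drive whose MD5 is not one of the
    reference copies' hashes for the same file name."""
    ref_drive = reference_drive.upper()
    by_name: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    findings: List[Finding] = []
    for group in by_name.values():
        refs = [e for e in group if _drive(e.path) == ref_drive]
        if not refs:
            continue  # nothing trusted to compare against; cannot judge
        ref_md5s = tuple(sorted({e.md5 for e in refs}))
        for e in group:
            if _drive(e.path) == ref_drive or e.md5 in ref_md5s:
                continue
            # Identical size and timestamps with different bytes: the content
            # was altered while the metadata was kept (or put back).
            same_meta = any((e.size, e.created, e.modified) ==
                            (r.size, r.created, r.modified) for r in refs)
            findings.append(Finding(e, ref_md5s, same_meta))
    return findings


def fixlist_lines(findings: List[Finding], entries: List[FileEntry],
                  reference_drive: str = "X:") -> List[str]:
    """One FRST 'replace: <clean> <suspect>' directive per flagged file, taking
    the clean copy from the same relative path on the reference drive."""
    ref_drive = reference_drive.upper()
    clean = {_relative(e.path): e.path for e in entries if _drive(e.path) == ref_drive}
    return [f"replace: {clean[_relative(f.entry.path)]} {f.entry.path}"
            for f in findings if _relative(f.entry.path) in clean]


if __name__ == "__main__":
    ents = parse_frst_search(FRST_SEARCH_LOG)
    hits = find_patched(ents)
    for h in hits:
        print(f"SUSPECT {h.entry.path}\n  md5={h.entry.md5} reference={h.reference_md5s} "
              f"same_size_and_timestamps={h.metadata_matches_reference}")
    print("\n".join(fixlist_lines(hits, ents)))
```

Two caveats the thread itself illustrates. The WinSxS copy on C:\ carries the same foreign hash as the System32 copy, so comparing the two local copies with each other shows nothing, and a repair that sources replacements from the local component store has nothing clean to copy from; the reference has to come from outside the infected volume, either the WinRE image as here or a known-good hash lookup as Elise did. And unchanged size and timestamps are not evidence of an unchanged file: the bytes changed while the metadata stayed identical, which is itself worth flagging. MD5 serves here only as a lookup key for a known-good file, not as proof of integrity; on a live system the stronger check is the file's Authenticode signature.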


#9 shadowghost0 (Topic Starter, Members, 12 posts)

Posted 06 October 2014 - 06:36 PM

Geez, I totally overlooked the [absence of] MD5 hash for services.exe. I'm glad you noticed. Hahahaha

As for the questionable program... it was a rogue security "antivirus". I don't know if that was the cause or the effect of the problem. It was easily uninstalled, and after that I ran AdwCleaner too. (It did detect and remove a couple of entries.)

Anyway, I can't thank you enough for this troubleshooting. It has been of great help!


Edited by shadowghost0, 06 October 2014 - 06:37 PM.


#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 07 October 2014 - 02:37 AM

You're welcome. If you don't need any further help, here is some general prevention advice. :)

Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
  • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
    A comprehensive tutorial and a list of possible firewalls can be found here.
  • an AntiVirus Software
    It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
    Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise




#11 shadowghost0 (Topic Starter, Members, 12 posts)

Posted 07 October 2014 - 09:34 AM

Thanks. I took note of the tips and I'll hand them to my client too. (osalt is extremely useful hahahaha.)

Yes, my client's notebook is all good now. One more time, big thanks!



#12 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,257 posts, Romania)

Posted 07 October 2014 - 10:00 AM

It appears that this issue is resolved; therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise






