W7 Ultimate x64 Black Screen after Windows Logo

I recently encountered some computer troubles... and my current situation is similar to other threads of this nature, EXCEPT: All the other threads mention having control of the mouse cursor or keyboard control at their black screens... and I have neither.

The background story:

One Thursday night I was highly intoxicated (alcohol + computing = bad idea...) and somehow managed to give myself a virus. It was the Win 2012 Anti-Virus (syntax might be a little different), which marks all your files and folders as hidden... well, I removed that, but then I was unable to boot up due to the black screen issue... so I tried system repair and system restore, neither of which worked. I rebuilt my MBR just in case it was that, but since I can see the Windows logo screen, I don't think it's the boot record.

I kept digging, and eventually got to a point where I was looking at the partitions in the Windows partition manager, and I saw a new, unlabeled partition that was only a few MB in size on the problematic HDD. I thought "that must be the source of the problem, or where the virus embedded itself at some point", so I deleted it and then tried to boot up again, but unfortunately I'm still stuck.

A friend mentioned that this issue might mean that my User Account is corrupted and that there's no way to fix it... but I'm hopeful that it's a registry error or something that is repairable.

- Tyler

P.S. I have scanned the entire drive (in succession, not all running at the same time) with various programs... Spybot S&D, MBAM, Super Anti-Spyware, NOD32, and Windows Defender to the point where there are no issues detected.

 

I'm not sure how much the virus is effecting things.

Since you are getting the Windows logo your MBR should be fine.

So you used F8 and Repair your Computer option and got to the screen with the 5 repair tools. I would do that again and try startup repair one more time and see if any change.

If no change go back note the drive letter of the Win7 partition on this screen

and then at the options list choose command prompt and try running chkdsk. Substitute the drive letter you saw on the above screen if it is different.

chkdsk c: /r

***
Just want to make sure: you ran a Windows System Restore and it completed but made no change to the black screen problem?

 

The problem you describe is a result of being infected with a TDL4 modification. It creates the small partition at the end of the physical drive and marks this as the active partition. As you have deleted this partition, you now have no active/boot partition.

Hopefully you have access to another computer. If so follow the instuctions from thisisu in regards to using GParted to fix the problem - post #7 in this thread.

Once you can boot back into Windows, it would be worth following the READ & RUN ME FIRST and posting in the Malware Removal forum to make sure there's no other malware remaining.

 

I'll follow both of these suggestions respectively, but _nullptr, when I deleted the small partition, the main(and now only) partition on the affected drive is labeled System, Active, Primary Partition) when I look at it in Disk Management. Did Windows attempt and fail at making it the active/boot partition but mistakenly think that it succeeded?

 

If you are seeing the Windows logo when trying to boot the partition then it is indeed Active. If you had no Active partition then you would see "Insert System Disc" or "No OS Found" message from BIOS when trying to boot from the HD.

It appears to me that it is starting to boot Win7 and failing. You see the Windows logo and then do you have a cursor? Is it arrow shaped or just a line?

***
It sounds like you have the drive attached to another computer, you can run chkdsk on it from there. Computer>right-click the drive and select Properties then Tools tab and error checking. Keep the first box checked and Start/OK.

 

sach2: I see the Windows logo and then I do *not* have a cursor, either arrow-shaped or a line.

 

Have you run chkdsk? I would do that. Then maybe run the Startup Repair again from the list of 5 Recovery options. (I'm assuming this is where you tried Startup Repair and System Restore previously and can get there.)

You can't go to the malware forum until you can at least run in Safe Mode.

Just curious if you hit the left shift key repeatedly at the black screen does a sticky key box come up?

 

Just to be sure you have tried F8 and Last Known Good Configuration--or does that go to the black screen?

 

I had sticky keys turned off because I often press shift multiple times while playing games, so I don't think trying that would work (I can try anyway, though). I ran chkdsk /r (Edit: I just realized I left out the drive letter here... time to go back and make sure I do that part correctly) and then Startup Repair a few times. I have also tried to run it in the Last Known Good Configuration with no success.

I am curious about a few things:

1. When running Startup Repair, it lists at the top C:\... but the disk I am trying to repair is labeled D:\ in actuality. Does that mean it's trying to repair the C:\ drive (the one I'm currently on now, typing this message) and failing because there's nothing wrong with this one?

2. When booting I have to choose between this OS, Windows 7, or the affected OS, Windows 7 (Recovered). Does the (Recovered) bit mean anything pertinent to my problem?

3. When I get the black screen, it lasts for about a minute and thirty seconds, but right before my computer hard restarts, I see flashes of a Blue Screen, but only for a split second. I recorded it a few times on my phone to see if I could skip to the exact moment the Blue Screen flashed up, and it gives an error of something like:
STOP: C0000135 The program can't start because [...] Try reinstalling the program to fi[...].

At the only point *after* I got the virus that I was able to boot successfully on this HDD's OS install, I downloaded and installed AVG Free, and some googling has shown that about a year ago, Dec 2010, AVG had an issue that deleted some Windows .dll files or something, which required the affected users to run an AVG recover CD of some sort. Could this be the issue I'm experiencing, a year after the issue supposedly surfaced... and wouldn't Startup Repair run from a Windows 7 Install disk fix such an issue?

 

I seem to have misplaced the edit button, so forgive the double post... but in addition to #1 above, I don't see the screen shown in sach2's first reply in this thread (I don't have a screen to choose an OS and then hit next, I just see the screen with the five options)... does this mean Windows Recovery is not detecting the drive at all?

 

I'm not really sure about question 1.
2. The extra entry for recovered isn't important. Startup repair doesn't really fix any Windows files other than boot files which just tell Windows how to start. After it starts a missing dll would still be problematic.
3. Try Disable Restart on Error on the F8 screen to see if that allows you to read the blue screen and see if it mentions a specific file that is causing the fault.

If you have a Win7 installation disc you could try the Repair option from that and see if you get a choice of OS.

I have people over for dinner tonight but I will look for more specific answers when I get a chance later.

 

After you complete sach2's instructions you may want to try the below too for more details:

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst64 and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (How to attach)

 

thisisu: Attached is my FRST.txt log. In it I noticed a heretofore unknown drive labeled "x" and the only information was "boot" next to it... can a partition like that hide from Partition Manager?

sach2: The program it mentioned specifically was %hs and nothing else. The Google searches I did earlier mentioned this was part of the issues people had with the AVG update which made their computers unbootable.

 

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Code:

start
SubSystems: [Windows] ==> ZeroAccess
2011-12-15 11:59 - 2011-12-15 12:22 - 0003910 __ASH C:\Users\Tyler\AppData\Local\5igl884cfpdfywnn5txkx674hb0c4
2011-12-15 11:59 - 2011-12-15 12:22 - 0003910 __ASH C:\ProgramData\5igl884cfpdfywnn5txkx674hb0c4
2011-12-08 09:20 - 2011-12-08 09:20 - 0000000 ____D C:\Windows\system64
cmd: md f:\bsodlogs
cmd: copy /y C:\Windows\Minidump\*.dmp f:\bsodlogs
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

This is the Windows Recovery Environment. Nothing to worry about

 

Attached is my Fixlog.txt

 

There was 1 thing I forgot to include in my initial fix. (The C:\Windows\system64 folder). I edited it before you created the fixlist.txt.

Regardless, can you boot now?

 

I am able to log-on to the affected user account now... I had to plug my keyboard into a different USB slot for some reason, but I am back on!

Many thanks to both thisisu and sach2.

On an unrelated note, do you know how to recover all the shortcuts on my Start Menu > All Programs list after the Win 2012 Anti-Virus virus is removed?

 

You're welcome

Now download unhide.exe by Grinler to your desktop.
Now run unhide.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
Did this restore the missing (hidden) shortcuts?

If you still have trouble with removing Win 2012 Anti-Virus, see this thread: READ & RUN ME FIRST Malware Removal

 

Excellent work guys

Thisisu, is there a link where I might get an idea what exactly you just did? I'm curious what was stopping the login.

 

http://triplescomputers.com/blog/?p=72

Whenever HaploTR mentioned he was getting STOP: C0000135 BSOD and mentioned was infected with Win 2012 Anti-Virus (sometimes comes bundled with Max++/Sirefef/ZeroAccess rootkit), figured that's what was causing the booting issues.

FRST just makes it easy to repair Props to Farbar for creating the tool. I'm sure he will be lurking here pretty soon :-D (/wave)

 

Unfortunately the unhide program didn't work (I think the virus had deleted the shortcuts in the all programs list so I will just have to re-add them all)

Thank you again for all the help!

 

Please help me. My frst.txt in attacht