Windows 7 start-up White Screen in regular & safe mode - help needed



My friend has a Windows 7 Starter-based netbook. He has asked me to help but I can't seem to find where the problem is.

Each time I try to boot the PC, the log in screen appears, I provide the credentials, and then the white screen appears and nothing can be seen. Only ctrl+alt+del works, bringing up a blocking screen.

 

If I try to boot up in safe mode, the PC, after asking for credentials, reboots within 10-15 seconds.

 

Can't seem to figure out what to do.

 

Please, could you help me?


Welcome to the forum, here's how we deal with that malware:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt

    Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Here is the log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-08-2013
Ran by SYSTEM on 10-08-2013 12:37:27
Running from G:\
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [iAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2010-06-09] (IDT, Inc.)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [HP Quick Launch] - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602680 2010-07-02] (Hewlett-Packard Company)
HKLM\...\Run: [ZumoDrive] - C:\Program Files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk [2038 2010-08-15] ()
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [babylonToolbar] - C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe [286720 2010-11-07] (Babylon Ltd.)
HKLM\...\Run: [YouCam Mirage] - C:\Program Files\CyberLink\YouCam\YCMMirage.exe [136488 2010-08-20] (CyberLink)
HKLM\...\Run: [YouCam Tray] - C:\Program Files\CyberLink\YouCam\YouCamTray.exe [162912 2010-08-20] (CyberLink Corp.)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1557160 2012-04-09] (Ask)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [facemoods] - C:\Program Files\facemoods.com\facemoods\1.4.17.9\facemoodssrv.exe [329432 2011-05-23] (facemoods.com)
HKLM\...\Run: [AVG_TRAY] - C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [1226928 2013-05-20] (AVG Secure Search)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Real\RealPlayer\Update\realsched.exe [296056 2012-04-21] (RealNetworks, Inc.)
HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-15] (Apple Inc.)
HKLM\...\Run: [offerbox] - C:\Program Files\OfferBox\OfferBox.exe [8627008 2013-06-20] (Aedge Performance BCN SL)
HKLM\...\Run: [iminent] - C:\Program Files\Iminent\Iminent.exe [1074736 2013-05-21] (Iminent)
HKLM\...\Run: [iminentMessenger] - C:\Program Files\Iminent\Iminent.Messengers.exe [884784 2013-05-21] (Iminent)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKU\Federico\...\Run: [Google Update] - C:\Users\Federico\AppData\Local\Google\Update\GoogleUpdate.exe [ 2011-02-03] (Google Inc.)
HKU\Federico\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-02-03] (Google Inc.)
HKU\Federico\...\Run: [msnmsgr] - C:\Program Files\Windows Live\Messenger\msnmsgr.exe [ 2012-03-08] (Microsoft Corporation)
HKU\Federico\...\Run: [syncables] - C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe [ 2010-05-18] (Hewlett-Packard)
HKU\Federico\...\Run: [bitTorrent] - C:\Program Files\BitTorrent\BitTorrent.exe [ 2011-08-12] (BitTorrent, Inc.)
HKU\Federico\...\Run: [ooVoo.exe] - C:\Program Files\ooVoo\oovoo.exe [ 2012-05-29] (ooVoo LLC)
HKU\Federico\...\Run: [Facebook Update] - C:\Users\Federico\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-07-11] (Facebook Inc.)
HKU\Federico\...\Run: [Akamai NetSession Interface] - C:\Users\Federico\AppData\Local\Akamai\netsession_win.exe [ 2013-01-25] (Akamai Technologies, Inc.)
HKU\Federico\...\Run: [Optimizer Pro] - C:\Program Files\Optimizer Pro\OptProLauncher.exe [ 2012-10-30] (PC Utilities Pro)
HKU\Federico\...\Winlogon: [shell] explorer.exe,C:\Users\Federico\AppData\Roaming\skype.dat [ 2013-06-21] () <==== ATTENTION 
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart
 
========================== Services (Whitelisted) =================
 
S2 Akamai; c:\program files\common files\akamai/netsession_win_ca0e279.dll [4561152 2013-03-22] (Akamai Technologies, Inc.)
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\avgidsagent.exe [5174392 2012-11-01] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
S2 DvmMDES; C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe [338168 2010-07-20] (DeviceVM, Inc.)
S3 GameConsoleService; C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe [246520 2010-04-03] (WildTangent, Inc.)
S2 HP Wireless Assistant Service; C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [103992 2010-06-18] (Hewlett-Packard Company)
S2 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-07-02] ()
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1156400 2013-04-07] ()
S3 McAfee ScanAndRepair Svc; C:\Program Files\McAfeeScanAndRepair\McAfeeScanRepairSvc.exe [695640 2012-01-12] (McAfee, Inc.)
S2 OfferBox update service; C:\Program Files\OfferBox\OfferBoxUpdateService.exe [336704 2013-06-20] (Aedge Performance BCN SL)
S2 SProtection; C:\Program Files\Common Files\Umbrella\umbrella.exe [2839592 2013-05-21] (Iminent)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [237650 2010-06-09] (IDT, Inc.)
S2 vToolbarUpdater15.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-20] (AVG Secure Search)
S2 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [188760 2013-01-29] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 1394hub; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-09] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-18] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [250080 2012-11-07] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-30] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [302368 2013-04-10] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-05-20] (AVG Technologies)
S1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [18136 2009-11-11] (DeviceVM, Inc.)
S3 nmwcdnsu; C:\Windows\System32\drivers\nmwcdnsu.sys [137600 2010-12-02] (Nokia)
S3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [230944 2010-05-07] (Realtek Semiconductor Corp.)
S3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-08-10 02:08 - 2013-08-10 02:08 - 00000000 ____D C:\Users\Federico\AppData\Local\{3C5650D3-F9C6-4F21-9289-200C7555F1A9}
 
==================== One Month Modified Files and Folders =======
 
2013-08-10 12:26 - 2011-12-10 02:37 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2013-08-10 12:26 - 2011-08-12 23:49 - 00000000 ____D C:\Users\Federico\AppData\Roaming\BitTorrent
2013-08-10 12:26 - 2011-02-03 09:06 - 00000000 ____D C:\Users\Federico\AppData\Roaming\ZumoDrive
2013-08-10 12:26 - 2011-02-03 08:45 - 00000000 ____D C:\users\Federico
2013-08-10 12:26 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Offline Web Pages
2013-08-10 12:26 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-08-10 12:26 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT
2013-08-10 12:26 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-08-10 12:26 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-08-10 12:26 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-08-10 12:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-08-10 12:24 - 2012-04-21 12:26 - 00000000 ____D C:\ProgramData\Real
2013-08-10 12:19 - 2012-11-16 19:52 - 00000000 ____D C:\ProgramData\Recovery
2013-08-10 02:17 - 2011-02-04 10:19 - 00000000 ____D C:\Users\Federico\Tracing
2013-08-10 02:08 - 2013-08-10 02:08 - 00000000 ____D C:\Users\Federico\AppData\Local\{3C5650D3-F9C6-4F21-9289-200C7555F1A9}
 
Files to move or delete:
====================
C:\Users\Federico\AppData\Roaming\skype.dat
C:\Users\Federico\AppData\Roaming\skype.ini
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-06-24 10:47:21
 
==================== Memory info =========================== 
 
Percentage of memory in use: 49%
Total physical RAM: 1011.9 MB
Available physical RAM: 505.98 MB
Total Pagefile: 1011.9 MB
Available Pagefile: 516.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.51 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:132.06 GB) (Free:16.53 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:16.69 GB) (Free:2.41 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive g: (PENDRIVE) (Removable) (Total:0.97 GB) (Free:0.97 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 149 GB) (Disk ID: CC483E40)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=132 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=17 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)
 
========================================================
Disk: 1 (Size: 996 MB) (Disk ID: 0083F119)
Partition 1: (Active) - (Size=996 MB) - (Type=0B)
 
 
LastRegBack: 2013-06-24 11:59
 
==================== End Of Log ============================
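The line FRST marked ATTENTION in the log above is a per-user Winlogon shell value with a second program appended after explorer.exe. The following is an added example, not part of the original thread or of FRST itself, showing how that check can be automated over FRST registry-section lines; the stock-shell list, the extension list and the control line in the sample are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in the FRST registry-section format shown in the log above.
# The first three lines are copied from that log; the last is a made-up control.
SAMPLE_LOG = r"""
HKLM\...\Run: [AVG_TRAY] - C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKU\Federico\...\Run: [Optimizer Pro] - C:\Program Files\Optimizer Pro\OptProLauncher.exe [ 2012-10-30] (PC Utilities Pro)
HKU\Federico\...\Winlogon: [shell] explorer.exe,C:\Users\Federico\AppData\Roaming\skype.dat [ 2013-06-21] () <==== ATTENTION
HKLM\...\Winlogon: [Shell] explorer.exe [2616320 2011-02-25] (Microsoft Corporation)
"""

# Captures: hive prefix, value name, value data (text before the "[size date] (" suffix).
WINLOGON_RE = re.compile(
    r"^(HK.*?)\\\.\.\.\\Winlogon: \[(\w+)\] (.+?) \[[^\]]*\] \(", re.MULTILINE)

# Assumption: only these forms count as the stock shell on this system.
STOCK_SHELLS = {"explorer.exe", r"c:\windows\explorer.exe"}
# Assumption: extensions treated as ordinary executable types.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr"}
# Assumption: path fragments treated as user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def find_shell_hijacks(log_text):
    """Return one finding per non-stock program listed in a Winlogon shell value."""
    findings = []
    for hive, name, data in WINLOGON_RE.findall(log_text):
        if name.lower() != "shell":
            continue
        # Entries are comma-separated; anything besides the stock shell is reported.
        for entry in (e.strip().strip('"') for e in data.split(",")):
            if not entry or entry.lower() in STOCK_SHELLS:
                continue
            reasons = ["extra program in Winlogon shell"]
            if any(part in entry.lower() for part in USER_WRITABLE):
                reasons.append("user-writable location")
            if ntpath.splitext(entry)[1].lower() not in EXECUTABLE_EXTS:
                reasons.append("extension is not a normal executable type")
            findings.append({"hive": hive, "path": entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_shell_hijacks(SAMPLE_LOG):
        print(f"{f['hive']}: {f['path']} -> {'; '.join(f['reasons'])}")
```
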

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced. They will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Good, I noticed a lot of adware on the system.....I think we should take a look:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes:

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  • Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  • Now click on the Search tab.
  • Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Note:

Please look over what was found, especially any folders. We're going to permanently delete it all in the next step. If there's something you may want to keep, please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using AdwCleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetection before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
