
Black Screen and Cursor after Logon



Hi,

One account on my machine seems to be infected. From Task Mgr I cannot start regedit in either regular or safe mode. When troubleshooting with the command prompt, I see a modified Winlogon Shell = cmd /k start cmd. Changing it to Explorer.exe does not last; a reboot will reset it.

I can't run malwarebytes under that user, and under another user no threat was found.

 

I did run the Farbar scan, result is attached.

 

Thanks in advance for any help!

Gerald

FRST.txt 


Hello Gerald and welcome to Malwarebytes,

Are you able to run FRST with your system in Normal mode? If so, post both logs from FRST.

Also run the following command from an elevated command prompt:

DISM /Online /Cleanup-Image /CheckHealth

Let me know those findings...

Thank you,

Kevin...


Hi Kevin,

My version of FRST64 does not offer the options shown in your description; there is no Advanced checkbox there. I have attached everything I was able to get.

I can't run anything in normal Mode, except Task Manager. I can't start any tasks though, nothing happens if I try to do regedit or explorer.

When I run a command prompt through trouble shooting, the system starts with an x: drive.

If I try the Dism command, I get an Error 50, Dism does not support Windows-PE.

Sorry to be unable to get you better information so far. Any other idea?

 

Gerald

 


Hello again Gerald,

You mentioned earlier running Malwarebytes from another account. Can you still boot normally from that account? If so, I want you to initiate the hidden admin account from there....

As follows....

Select Windows key and X key together, from the list select "Command Prompt (Admin)"

At the prompt, type or copy and paste net user administrator /active:yes and select Enter.

Close out and reboot. You will see a new account, "Administrator"; select it and follow the prompts through.

When that account is set see if you can run Malwarebytes scan, kill anything found, then run FRST and post both produced logs...

Thank you,

Kevin...

 


I did the net use steps and it succeeded, but upon Restart no Administrator account showed. I have elevated Sophie's account to Administrator, but I could still not start regedit or Explorer there. My (Gerald) account always was admin and still works.


Hiya Gerald,

Never had any dealings with a Mac, if the problem we have is with windows we should still be able to cure that without causing issues to IOS....

Please run the Farbar Recovery Scan Tool. Enter CreateExplorerShellUnelevatedTask.job in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

Thank you,

Kevin.

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next.

Can you rename FRST64.exe to ENGLISHgazork.exe then continue:

Run the renamed FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan and, when done, post the new logs: "FRST.txt" and "Addition.txt".

 
Let me see those logs in your reply...
 
Also can you post a screenshot of the winlogon key from Normal mode..
 
Thank you,
Kevin...

fixlist.txt


What is the current status of your system..?

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

FRST should reboot your system, if not please do so yourself. When restarted there should be two reg keys saved to your desktop. Winlogon and Winlogon1. Please zip those up and attach to your next reply.

Fixlist.txt
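
The Winlogon Shell value reported in the first post, and the exported Winlogon keys requested above, can be reviewed offline. As an added example (not part of the thread and not FRST's own code), this Python script parses a .reg export and lists every Winlogon Shell value that is not explorer.exe. It assumes the saved keys are standard regedit text exports; the sample export, its SID and the function names are constructed for illustration.

```python
import re

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"

# Constructed sample export (not from the thread); the SID is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_USERS\S-1-5-21-CONSTRUCTED-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="cmd /k start cmd"
'''

def decode_data(raw):
    """Return the text of a string or hex(1)/hex(2) value, else None."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    m = re.match(r"hex\([12]\):(.*)$", raw)
    if m:  # REG_SZ / REG_EXPAND_SZ exported as UTF-16LE bytes
        blob = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return blob.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None

def find_shell_overrides(reg_text):
    """Return (key, data) for each Winlogon Shell value that is not explorer.exe."""
    findings, key = [], None
    # Drop a BOM and join hex values continued with a trailing backslash.
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text.lstrip("\ufeff"))
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m or key is None or m.group("name").lower() != "shell":
            continue
        if not key.lower().endswith(WINLOGON_SUFFIX):
            continue
        data = decode_data(m.group("data"))
        # A full path to explorer.exe is also reported: it is non-default.
        if data is None or data.strip().lower() != "explorer.exe":
            findings.append((key, data))
    return findings

if __name__ == "__main__":
    for key, data in find_shell_overrides(SAMPLE):
        print(f"non-default Shell in {key}: {data!r}")
```

Exports written by regedit are UTF-16 with a byte-order mark, so read a real file with `open(path, encoding="utf-16")` before passing its text to `find_shell_overrides`.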

Right click on D:\FRST64.exe, rename to uninstall.exe. Right click on the renamed value and select "Run as Administrator". Your system should reboot; if not, do that yourself...

Avast does not seem to be active on your system, if that is correct you should really remove it:

https://www.avast.com/uninstall-utility

Next

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.