White screen virus

Hi !

A few days ago my computer was infected with a virus. Approximately 5 out of 6 times whenever I turn on my computer I get a weird white screen. I've tried pushing F8 to get safe mode but it doesn't work. The same white screen also appears when I try to reawaken the computer after the screen saver has kicked in.

I've run both avast and Malwarebytes plenty of times. The first time I ran Malwarebytes after the infection, it found loads of things but didn't solve the problem. Now whenever I run both avast and Malwarebytes nothing is found. I've also run a boot-time scan with avast, but before the scan is over the white screen has taken over.

Thanks in advance for your help !

Read this topic, and attach the logs
http://forum.avast.com/index.php?topic=53253.0

Here's the OTL log and the latest Malwarebytes log:

Thanks !

I just realized I didn't do it right…

I'll do it over again.

@GuiboMTL
The posted OTL log showed me enough, there is no need to repeat that.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:

  • Right click on the avast! system tray icon (icon image: http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree, ComboFix will continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Ok, here's the aswMBR log and the ComboFix log.

Uh… we need to run a mighty anti-rootkit scan first…

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read its disclaimer and note.

  • Unzip/unrar MBAR into a folder on your Desktop and MBAR will start.
  • Click on Next, then on the Update button to download fresh definitions.
  • When the database has updated, click Next.
  • In the following window ensure the “Targets” scan for Drivers, Sectors and System are ticked. Then select the “Scan” button.
  • If infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
    Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
  • The clean-up procedure will be scheduled for processing.
  • When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the following two logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

Next …

Open notepad and copy/paste the text present inside the code box below:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

ClearJavaCache::

Folder::
c:\program files\WebSearch

Firefox::
FF - ProfilePath - c:\documents and settings\Guillaume\Application Data\Mozilla\Firefox\Profiles\zkp965b0.default-1376345753671\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.searchguru.info/?pid=34&r=epp4wWoacZiOvrpnik5GLSs9qjqQQjqL&hid=4143462727663460919&lg=EN&cc=CA&unqvl=43&l=1&q=
FF - prefs.js: browser.search.selectedEngine - WebSearch
FF - prefs.js: browser.startup.homepage - hxxp://websearch.searchguru.info/?pid=34&r=NE5VPIwp577+yLFHwyk6ixZOekp+4aQo&hid=4143462727663460919&lg=EN&cc=CA&unqvl=43
FF - prefs.js: keyword.URL - hxxp://websearch.searchguru.info/?pid=34&r=epp4wWoacZiOvrpnik5GLSs9qjqQQjqL&hid=4143462727663460919&lg=EN&cc=CA&unqvl=43&l=1&q=


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
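As an added example (not from this thread or from any of the tools it mentions), a small Python check that parses a Firefox prefs.js and flags the same search and homepage preferences the CFScript above resets when they point at a host outside an allowlist. The sample prefs.js, the allowlist and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Firefox prefs that search hijackers rewrite; the CFScript in this thread resets
# exactly these four. Constructed list, not from any of the tools mentioned.
HIJACK_PREFS = {"browser.search.defaulturl", "browser.search.selectedEngine",
                "browser.startup.homepage", "keyword.URL"}

# Hosts the user expects in those prefs (assumed allowlist, maintained per machine).
TRUSTED_DOMAINS = {"google.com", "mozilla.org", "startpage.com"}

# user_pref("name", "string value");  the value may contain \" and \\ escapes
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

def parse_prefs(text):
    """Return {name: value} for the string-valued user_pref() lines of a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))  # drop JS escapes
    return prefs

def find_hijacked(prefs, trusted=TRUSTED_DOMAINS):
    """(pref, host) pairs where a sensitive pref holds a URL on an untrusted host."""
    findings = []
    for name in sorted(HIJACK_PREFS & set(prefs)):
        value = prefs[name]
        if "://" not in value:
            continue  # selectedEngine holds an engine name, not a URL
        host = urlsplit(value).hostname or ""
        if host not in trusted and not any(host.endswith("." + t) for t in trusted):
            findings.append((name, host))
    return findings

# Constructed sample modelled on the prefs.js entries the thread's CFScript removes.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://websearch.searchguru.info/?pid=34&l=1&q=");
user_pref("browser.search.selectedEngine", "WebSearch");
user_pref("browser.startup.homepage", "http://websearch.searchguru.info/?pid=34");
user_pref("keyword.URL", "http://websearch.searchguru.info/?pid=34&q=");
user_pref("browser.download.dir", "C:\\\\Users\\\\user\\\\Downloads");
'''

if __name__ == "__main__":
    for pref, host in find_hijacked(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref} -> {host}")
```

Run it against a real profile's prefs.js to confirm the hijack is gone after the fix; a clean profile produces no output.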

Ok here are the logs. I ran both programs twice because I had left the avast shield running the first time around. The logs here are from the second scans.

I ran both programs twice because I had left the avast shield running the first time around.

You were not supposed to do that, you have disrupted the logs. But system-log.txt tells me that MBAR did its job.

Now re-run aswMBR and post me a fresh aswMBR.txt log report.

Here you go

I shall need to run one more ARK scan …

Download TDSSKiller and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

  • Click on Change parameters.
  • Under Additional options check the boxes next to:
    - Verify Driver Digital Signature;
    - Detect TDLFS file system;
    - Use KSN to scan objects.
  • Click OK, and then click the Start Scan button.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and attach the contents of it in your next reply.
    Note: It will also create a log in the C:\ directory.

Alright, so I'm running TDSSKiller and after having found one threat and one potential threat I'm getting this message:

“Can't cure MBR. Write standard boot code? If you have installed custom bootloader (eg Acronis, Grub, Lilo) you will need to reinstall them after the treatment.”

Should I say yes or no?

Press No and stop TDSSKiller.

Re-run ComboFix via CFScript. Thereafter, run aswMBR again and post me a fresh aswMBR.txt report.

Open notepad and copy/paste the text present inside the code box below:

KillAll::

SkipFix::

MBR::

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Ok, got it.

While running the ComboFix scan, Windows shut down and rebooted on its own. Also, the scan started at stage 49 instead of going through all the stages.

By the way, thanks for your help!

Damn… still not good.

Please re-run TDSSKiller as you did before with all its settings mentioned above.

If you get this message:
“Can't cure MBR. Write standard boot code? If you have installed custom bootloader (eg Acronis, Grub, Lilo) you will need to reinstall them after the treatment.”

Allow TDSSKiller to re-write the default MBR. Press Yes, follow the wizard and allow TDSSKiller to complete its fix.

Thereafter, please re-run aswMBR again and post me fresh aswMBR logs.

Here's the aswMBR log.

Can you post all TDSSKiller log reports?

Looks like we shall need to use the Recovery Console to fix the MBR. Before that, let's see what RogueKiller will do…

Follow the instructions for running and posting RogueKiller reports.

http://forum.avast.com/index.php?topic=53253.0

Here are the RogueKiller logs

Here's all the TDSSKiller logs: