Black screen with mouse cursor

Discussion in 'Prevx Releases' started by Biscuit, May 26, 2011.

Thread Status:
Not open for further replies.
  1. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I have a stream of customers who have had a Prevx malware warning that after reboot has ended them with a black screen with mouse cursor. Any idea what is happening?
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Sorry it could be this issue: https://www.wilderssecurity.com/showthread.php?p=1878379#post1878379

    See if they can Boot into safe mode with networking and go into Prevx and get them to try to restore the files that were removed and reboot into normal mode! PrevxHelp will see this and comment as usual!

    HTH,

    TH
     
  3. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Am I correct to assume from the link that Prevx will fix this itself? Can I have an ETA for this please? I am getting a flood of calls about this now.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It would be worth looking through the quarantine and restoring any files. If you could send a scan log to report@prevxresearch.com, I'll be able to check what precisely was happening on the affected systems.

    Thanks!
     
  5. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Joe, this is end users - currently about 14 of them.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I recommend writing into our support directly so that they can look at your license keys. The FPs are fixed now so you shouldn't see anything coming in.
     
  7. HenrivdB

    HenrivdB Registered Member

    Joined:
    Sep 13, 2007
    Posts:
    4
    Location:
    Beuningen, Netherlands
    Today I have a customer with the same problem. It won't boot in safemode.
    Where can I find the quarantine location on the disk? Maybe I am able to discover what file is deleted.

    Thanks
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Booting into safemode may be the easiest way - the log files from C:\ProgramData\PrevxCSI should show some information as to what was cleaned but the quarantine is held in a database locally. I also recommend writing into our support inbox so that we can help you from our end which should be a bit easier.
     
  9. HenrivdB

    HenrivdB Registered Member

    Joined:
    Sep 13, 2007
    Posts:
    4
    Location:
    Beuningen, Netherlands
    You saved my day. The CSICleanuplog revealed that gdiplus.dll for winsxs was removed. I could get it back with Recuva.

    The system is working properly again.

    Thanks
     
  10. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    That's good. Will the non-booting computers fix themselves or is there an easy generalised fix I can SMS to my end users?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It could be related to gdiplus.dll as referenced by HenrivdB but it's hard to say without seeing further details (our support staff will be able to help you with that, though :))
     
  12. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Some feedback on the support inbox. They are advising my clients to find someone locally to repair the computer. Hmm.
     
  13. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I have advised several customers to boot into safe mode with networking. The feedback I have got from all of them is that Safe mode does not work & they still have the black screen with cursor. Prevx helpdesk won't help, this was caused by Prevx so what can I tell my end users that Prevx is going to do about it? Both Prevx & myself have already lost several customers over this.
     
  14. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    This is the Myprevx reported errors that I have found so far.

    GDIPLUS.DLL
    %windir%\distribution\

    How do we fix this?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I strongly suggest continuing with our tech support via our support inbox - I am standing from the outside looking in at the problem and do not have all of the details. If they can boot into safemode, then they should be able to copy the file over. If they can't even boot into safemode, then I suggest using a recovery CD to access the file.
     
  16. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Recovery CD to access which file, Joe?

    I assumed that you must have been having this support issue thousands of times? So that you have some sort of automated recovery for the damage done by Prevx. It's affected about 10% of my end users now.

    If a computer won't boot even into safe mode & the end user does not have a 2nd computer, then they have no way of contacting support.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I did a search for it and found no other cases so I don't think we're seeing this anywhere else. You should be able to expand gdiplus.dll from the recovery CD but the exact instructions would depend on which OS the user is using.
     
  18. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    You mean no support cases, or no occasions of Prevx deleting essential files?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No cases involving essential files or gdiplus.dll
     
  20. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Which means either that it can't be happening, or that Prevx has trashed people's computers & they have to buy a new one?

    I have a customer's Vista computer on my workbench right now - trashed by Prevx. No safe mode, no system restore points & I'm scratching my head to figure out what to do next.

    I cleaned 3 Prevx crashed computers earlier today by using System restore.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Don't you have the Windows DVDs? Can't you repair Windows using the Recovery Environment (Windows RE)? Try using the sfc /scannow command.

    Check this little guide here - http://www.winhelponline.com/blog/run-sfc-offline-windows-7-vista/

    It may be worth trying this...

    -edit-

    Next time, a good practice, you may want to configure any antimalware app only to alert for an infection, but not automatically clean it. Problems are to be expected. Or, have a backup in place, at least.
     
  22. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I tried sfc /scannow which seemed to do nothing. I ran it from a boot cd, so I will try some other method.

    The computer is a Dell with a "reinstallation" cd.
     
  23. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Thanks for the advice, this is a customer's pc & it's Vista.
     
  24. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    Please inform me when it's fixed, my forum is waiting..

    Many thanks

    Hogndog
     
  25. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Good grief!

    Evidence?

    (ACTIVE) c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll [PX5: E9AB560400405080B0061A456948FB0056281D71] Malware Group: Medium Risk Malware
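
Added example, not part of the thread and not Prevx's own tooling: a Python triage pass over detection lines in the layout of the one quoted in the last post, holding any hit inside a Windows component directory for review instead of automatic cleanup. The line layout, the protected-directory list, the assumption that the OS directory is named `Windows`, and the second sample line are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Layout inferred from the single log line quoted in the thread (assumption).
LINE_RE = re.compile(
    r"^\((?P<status>[A-Z]+)\)\s+(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f]+)\]"
    r"\s+Malware Group:\s*(?P<group>.+)$")

# Subdirectories of the Windows directory needed to boot (assumed list).
PROTECTED = {"winsxs", "system32", "syswow64"}

def parse_detection(line):
    """Return the fields of one detection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def winsxs_component(path):
    """Split a WinSxS folder name: arch_name_keytoken_version_culture_hash."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    if "winsxs" not in lowered:
        return None
    idx = lowered.index("winsxs")
    if idx + 2 >= len(parts):          # need <component folder>\<file>
        return None
    arch, _, rest = parts[idx + 1].partition("_")
    fields = rest.rsplit("_", 4)       # split from the right: name may hold "_"
    if len(fields) != 5:
        return None
    return {"arch": arch, "name": fields[0], "version": fields[2]}

def needs_review(path):
    """True when the file sits in a protected directory under Windows."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 3 and parts[1] == "windows" and parts[2] in PROTECTED

def triage(lines):
    """Detections to alert on and hold rather than clean automatically."""
    held = []
    for det in filter(None, map(parse_detection, lines)):
        if needs_review(det["path"]):
            held.append({**det, "component": winsxs_component(det["path"])})
    return held

SAMPLE = [
    # Line quoted in the thread.
    r"(ACTIVE) c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll [PX5: E9AB560400405080B0061A456948FB0056281D71] Malware Group: Medium Risk Malware",
    # Constructed line with a placeholder hash.
    r"(ACTIVE) c:\users\alice\downloads\setup_bundle.exe [PX5: 0000000000000000000000000000000000000000] Malware Group: Medium Risk Malware",
]
```

`triage(SAMPLE)` holds only the gdiplus.dll detection and reports its side-by-side component name and version, which is the information needed to source a matching replacement file.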
     