Prevx Blog

Dec 2nd

Windows Black Screen recap

Posted by: Mel Morris


Following our most recent post last night, we believe there may still be confusion about the Windows Black Screen issue. Since the release of our fix, which continues to receive significant downloads, we believe that this problem is still affecting a very large number of users across a very diverse range of Windows environments. There have been more than 50,000 downloads of the free fix tool since we made it available 5 days ago.

Referring back to the original post where the issue was first highlighted, we stated that there ‘appear’ to be many causes of the black screen issue. We also stated that for customers who had experienced the problem in the past two weeks, after the last Windows update (or after running a security programme), our fix would have a high probability of working. We subsequently posted an update stating that, following further tests, the conditions under which the actual black screen is triggered are spasmodic. Moreover, we stated that some test systems always trigger the condition while others are less consistent, and we highlighted two Windows patches that seemed common to the issue.

As you will see, at no time have we categorically stated that these patches are the cause of the Black Screen problem. We shared our initial findings around the two patches with Microsoft, conducted further tests and have confirmed that these specific updates are not the root cause.

The emergence of this issue coincided with the recent set of Windows updates, so our investigations were focused on identifying whether any of these could have been the cause of the problem. We have covered this further in the previous blog post.

Regrettably, it is clear that our original blog post has been taken out of context and may have caused an inconvenience for Microsoft. This was never our intention and we have already apologised to Microsoft. Microsoft is a valued partner and our fix was developed to ensure its customers were able to quickly resolve the Black Screen issue without having to reinstall Windows as some users indicated.


Dec 1st

Windows Black Screen Root Cause

Posted by: Jacques Erasmus


We've been working with Microsoft to get to the bottom of the specific black screen issues described in our earlier blog post. We have made some significant progress in determining specific triggers of the black screen event.

The issue appears to be related to how the Windows Registry stores string data. When parsing the Shell value in the registry, Windows requires a null-terminated REG_SZ string. However, if malware, or indeed any other program, modifies the Shell entry so that it no longer includes the null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder.

SysInternals was one of the first companies to discover this characteristic of the registry, a number of years ago, in their utility RegHide (http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx), which modifies registry entries to prevent them from being accessible within the operating system. This technique is frequently used by malware authors, which is why it is recommended to first query the length of a registry value and then read it into a buffer, forcing null termination of the string whether or not its content was null terminated.

Having narrowed down a specific trigger for this condition, we've done quite a bit of testing and re-testing on the recent Windows patches, including KB976098 and KB915597 as referred to in our previous blog post. Having narrowed down the cause more specifically, we have been able to exonerate these patches from being a contributory factor.

We have not analyzed further whether a change occurred in the OS interpretation of this or other registry values. In any case, we believe there are significant benefits in the OS using the length of the value as recommended by the SysInternals article.
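To make the reading recommendation above concrete, here is an added example in portable C; it is not Prevx's or Microsoft's code. It simulates what a registry API such as RegQueryValueEx hands back, namely a byte buffer plus its length, and shows a check for a missing terminator alongside a read that forces one. The two Shell values are constructed samples, and the Windows API itself is only referred to in comments, so the code builds on any platform. (Microsoft's own documentation for RegQueryValueEx notes that REG_SZ data may not have been stored with a terminating null and that the caller should ensure termination.)

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a registry read hands back: the raw bytes of the value and their
 * count, with no guarantee that the last byte is a NUL even when the type is
 * REG_SZ. A naive consumer that calls strlen() on such a buffer runs past its
 * end. Narrow characters are used for portability; UTF-16 values need two
 * zero bytes instead of one. */
typedef struct {
    const unsigned char *data;
    size_t len;
} reg_value;

/* Constructed sample values for the Winlogon "Shell" entry. */
static const unsigned char SHELL_OK[] = "explorer.exe";      /* 13 bytes, NUL included */
static const unsigned char SHELL_NO_NUL[] = {                  /* 12 bytes, no terminator */
    'e', 'x', 'p', 'l', 'o', 'r', 'e', 'r', '.', 'e', 'x', 'e'
};
const reg_value SHELL_VALUE_OK     = { SHELL_OK,     sizeof SHELL_OK };
const reg_value SHELL_VALUE_NO_NUL = { SHELL_NO_NUL, sizeof SHELL_NO_NUL };

/* Scanner-side check: does the stored REG_SZ carry its own terminator?
 * A value that fails this check is the condition described in the post. */
int reg_sz_is_terminated(const reg_value *v)
{
    return v->len > 0 && v->data[v->len - 1] == '\0';
}

/* Hardened read, as recommended: size the buffer from the reported length,
 * copy exactly that many bytes, then force a NUL regardless of content.
 * The caller owns the returned buffer. */
char *read_reg_sz_safely(const reg_value *v)
{
    char *buf = malloc(v->len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, v->data, v->len);
    buf[v->len] = '\0';   /* the terminator the stored value may have lacked */
    return buf;
}

/* What a consumer such as a shell loader needs: a usable C string compared
 * with the expected shell, regardless of how the value was stored. */
int shell_value_matches(const reg_value *v, const char *expected)
{
    char *s = read_reg_sz_safely(v);
    int same = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return same;
}

int main(void)
{
    const reg_value *samples[] = { &SHELL_VALUE_OK, &SHELL_VALUE_NO_NUL };
    for (size_t i = 0; i < 2; i++) {
        char *s = read_reg_sz_safely(samples[i]);
        printf("stored bytes=%zu terminated=%s -> usable value \"%s\"\n",
               samples[i]->len,
               reg_sz_is_terminated(samples[i]) ? "yes" : "no",
               s ? s : "(allocation failed)");
        free(s);
    }
    return 0;
}
```

Both samples resolve to the same usable string once the terminator is forced; only the check function distinguishes the well-formed value from the one stored without its NUL, which is the property a repair or detection tool would look at.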

We have always strongly recommended keeping Windows and all other software up-to-date to reduce the window for exploitation by new threats. We'll keep you updated with further progress if we find anything new.

We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and task bar.


Nov 27th

Prevx offers a free fix for Windows Black Screen

Firstly, there appear to be many causes of the black screen issue. The symptoms are very distinctive and troublesome. After starting your Windows 7, Vista, XP, NT, W2K, W2K3 or W2K8 PC or server the system appears normal. However, after logging on there is no desktop, task bar, system tray or side bar. Instead you are left with a totally black screen and a single My Computer Explorer window. Even this window might be minimized, making it hard to see.

If you have these symptoms you can safely try our free Black Screen Fix. It will fix the most common cause of this issue that we have seen. Running the fix program is easy under normal circumstances: simply download it with your browser using the link above and run the program. However, if you are trying to do this from the PC which has the black screen it is a bit more tricky. In these circumstances follow the procedure below:

1) Restart your PC

2) Logon and wait for the black screen to appear

3) Make sure your PC is able to connect to the internet (the black screen does not appear to affect this)

4) Press the CTRL, ALT and DEL keys simultaneously

5) When prompted, Click Start Task Manager

6) In Task Manager, click on the Applications tab

7) Next Click New Task

8) Now enter the command:

"C:\Program Files\Internet Explorer\iexplore.exe" "http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX"

Note that this command assumes you are using Internet Explorer as your browser; if not, substitute your browser's path and file details for those of iexplore.exe, or use the Browse option in Task Manager to locate it.

9) Click OK and your browser should start up and begin the download process

10) When prompted for the download, click Run; the black screen fix program will download and run to automatically fix the issue.

11) Now restart your PC and the black screen problem will hopefully be gone.

I must stress that this tool will not fix all black screen issues. There can be many causes. But if your black screen woes began in the last 2 weeks after a Windows update or after running any security program (including Prevx) to remove malware during this time then this fix will have a high probability of working.

If you Google "Black Screen" you will find a whopping 80 million plus results, mostly dominated by people searching for a fix to this problem. Thousands of users have resorted to reloading Windows as a last-ditch effort to fix the problem; avoid that at all costs. We hope we can help a good many of you avoid the need to reload.

By the way - the cause of this recent crop of Black Screens appears to be a change in the Windows operating system's lockdown of registry keys. This change has the effect of invalidating several key registry entries if they are updated without consideration of the new ACL rules being applied. For reference, the rule change does not appear to have been publicised adequately, if at all, with the recent Windows updates.

In researching this issue we have identified at least 10 different scenarios which will trigger the same black screen condition. These appear to have been around for years now. But our advice is to try our tool first. If it works, great. If it doesn't, you are no worse off.

Good luck.

Dave Kennerley

Prevx Support

Update: In response to requests for Patch details:

The conditions under which the actual black screen is triggered are spasmodic. Some test systems always trigger the condition, others are less consistent. The Windows patches which seem common to the issue arising are listed below:

KB915597 and KB976098

When the issue occurs the Winlogon Shell entry for Explorer.exe becomes invalidated. The entry exists perfectly in the registry but is unusable/inaccessible and is therefore ignored by the OS, resulting in the desktop and task bar not being loaded. This entry is frequently the target of malware, so tightening access to it is probably a good thing. However, the black screen condition is the only sign of the problem, leaving non-technical users with a major challenge.

Hope this helps you.

Prevx Support


Nov 20th

Tdss rootkit silently owns the net

Posted by: Marco Giuliani


Rootkit and anti-rootkit development has always been a cat-and-mouse game, and it has become more widespread since rootkits became the natural companion of trojans, backdoors and other nasty infections used to steal user credentials or to gain access to infected PCs.

While writing trojans or backdoors brings no new techniques - all the new samples we analyze are often just using old and known tricks - rootkit development is the real field where malware writers can show their skills, their potential, their imagination.

While in the beginning writing rootkits was more a pure exercise and a way to show how easily the system could be compromised, now they work closely with trojans and backdoors to help them subvert users' systems.

Malware writers are now sending a "catch me if you can" message to antivirus companies, in a hide-and-seek game where rootkit techniques are always a step ahead of security countermeasures. They open the road wide for every other piece of malware, which doesn't mind using even old and known tricks: once invisible to everyone, it is free to do as it pleases. The key word is money.

The Tdss rootkit 3rd variant is the latest member of the Tdss rootkit family, and it is quickly spreading around the world. While a number of rootkits are developed only as proofs of concept, this is not the case here. The Tdss rootkit is well known to antivirus companies because its goal is to take total control of infected PCs and use them as zombies in its botnet.

Over the years it has always shown a team of skilled people behind it, who have applied advanced techniques often able to bypass anti-rootkit software. This latest variant could easily be called the stealthiest rootkit in the wild.

This infection brings together the best of the MBR rootkit, the best of Rustock.C and the experience of older Tdss variants. The result is an infection that is quickly spreading on the net and is undetected by almost every security product and third-party anti-rootkit tool.

The infection arrives via the usual dropper spread by peer-to-peer networks or by crack and keygen websites, and it needs administrator privileges to run its payload. If UAC is disabled or the user voluntarily grants admin permissions, this infection can run even on Windows Vista and Windows 7. This is likely to be the usual scenario: a user looking for a specific crack doesn't mind when UAC warns him, and grants admin privileges to the wanted crack.

When run, the infection uses a technique similar to the MBR rootkit's: all kernel mode and user mode components are stored in the last sectors of the hard drive, outside the file system. Stored that way, they appear to be nothing but raw bytes, bypassing every security check. The Tdss rootkit takes this trick to a more advanced level by encoding its components before they are written to disk; files are encoded and decoded on the fly.

Figure: Tdss user mode components

Then, to be loaded at Windows startup, the Tdss rootkit uses a technique we have seen applied by the Rustock.C rootkit - and by other rootkits such as Neprodoor: infecting Windows system drivers. The Tdss rootkit walks back the chain of drivers that handle hard drive I/O looking for the last miniport driver object. When it finds it, it infects that driver's PE file by overwriting 824 bytes of the resource section. By doing so it evades a simple check that some anti-rootkit tools use to detect hidden rootkits: the file size cross-check. Usually rootkits that infect files hide their presence by showing the original file instead of the infected one. Anti-rootkit tools that use raw disk reading techniques can read below the filter applied by these rootkits and cross-check file sizes looking for discrepancies.

This time it is different, for two evident reasons: currently no anti-rootkit tool is able to bypass the disk filtering technique used by the Tdss rootkit, but even if it were possible, this rootkit could not be detected by a file size cross-check because the original and infected files are exactly the same size.
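As an added illustration of why the size cross-check fails here (my own example, not Prevx's tooling and nothing taken from the rootkit), the portable C below builds a constructed "driver image", copies it, and overwrites an 824-byte window in the copy in place: the sizes agree, but a content hash over the image does not. The image bytes, the offset used as a stand-in for the resource section and the FNV-1a hash are all assumptions made for the demonstration; a real integrity check would compare the on-disk driver against a known-good catalogue or its Authenticode signature rather than a non-cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE   4096   /* constructed stand-in for a driver's on-disk size */
#define RSRC_OFFSET  2048   /* assumed position of the resource section in the image */
#define PATCH_SIZE    824   /* the overwrite size the post reports */

enum verdict { INTACT, SIZE_DIFFERS, CONTENT_DIFFERS };

/* FNV-1a 64-bit: a plain, non-cryptographic content hash. Any content hash,
 * unlike a size comparison, notices an in-place overwrite; a production check
 * would use a cryptographic hash against a trusted reference. */
uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* The weak check described in the post: compares only the sizes. */
enum verdict size_cross_check(size_t original_len, size_t candidate_len)
{
    return original_len == candidate_len ? INTACT : SIZE_DIFFERS;
}

/* The stronger check: sizes first, then the content hash. */
enum verdict content_cross_check(const unsigned char *orig, size_t orig_len,
                                 const unsigned char *cand, size_t cand_len)
{
    if (orig_len != cand_len)
        return SIZE_DIFFERS;
    return fnv1a64(orig, orig_len) == fnv1a64(cand, cand_len) ? INTACT : CONTENT_DIFFERS;
}

/* Deterministic constructed image (not a real PE file). */
void build_image(unsigned char *img, size_t n)
{
    for (size_t i = 0; i < n; i++)
        img[i] = (unsigned char)((i * 31 + 7) & 0xFF);
}

/* Simulate an in-place overwrite of PATCH_SIZE bytes at the resource
 * section: the file length is unchanged, only that window changes. The
 * filler byte is arbitrary; no real loader content is involved. */
void overwrite_in_place(unsigned char *img, size_t n)
{
    if (RSRC_OFFSET + PATCH_SIZE > n)
        return;
    memset(img + RSRC_OFFSET, 0xCC, PATCH_SIZE);
}

/* Returns 1 when the size check passes but the content check fails for the
 * constructed pair, i.e. exactly the gap the post describes. */
int demonstrate_size_check_gap(void)
{
    unsigned char original[IMAGE_SIZE], patched[IMAGE_SIZE];
    build_image(original, IMAGE_SIZE);
    memcpy(patched, original, IMAGE_SIZE);
    overwrite_in_place(patched, IMAGE_SIZE);

    enum verdict by_size = size_cross_check(IMAGE_SIZE, IMAGE_SIZE);
    enum verdict by_hash = content_cross_check(original, IMAGE_SIZE, patched, IMAGE_SIZE);
    return by_size == INTACT && by_hash == CONTENT_DIFFERS;
}

/* Control case: an untouched copy passes both checks. */
int demonstrate_intact_copy(void)
{
    unsigned char original[IMAGE_SIZE], copy[IMAGE_SIZE];
    build_image(original, IMAGE_SIZE);
    memcpy(copy, original, IMAGE_SIZE);
    return content_cross_check(original, IMAGE_SIZE, copy, IMAGE_SIZE) == INTACT;
}

int main(void)
{
    printf("size check misses the in-place patch: %s\n",
           demonstrate_size_check_gap() ? "yes" : "no");
    printf("untouched copy passes the content check: %s\n",
           demonstrate_intact_copy() ? "yes" : "no");
    return 0;
}
```

The point of the pair of functions is the comparison: a scanner that can read the raw sectors beneath a disk filter still learns nothing from file sizes when the patch is an in-place overwrite, so the comparison has to be over content against a trusted reference.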

When the infected driver runs, it executes the 824-byte loader, which then runs the kernel mode component of the infection. It creates a fake driver object and its related device object, and hijacks every disk I/O communication at the level of the driver chain where the infected driver was located (i.e. the infected driver could be atapi.sys or iastor.sys).

Figure: Tdss fake driver object

The rootkit intercepts every communication and filters out IRP_MJ_SCSI packets that have specific SRB flags set. By doing so, it hides the patched driver on disk and all the disk sectors where its components are located. This is a really effective disk-hiding technique.

The Tdss rootkit then sets up a load-image notify routine to intercept every process that loads the kernel32.dll library. When it intercepts one, it injects its user mode components, tdlwsp.dll and tdlcmd.dll, into that process. They are able to turn the infected PC into a botnet zombie. Config.ini, one of the components of the infection, contains the botnet's settings, commands to be executed, the bot ID and the C&C server addresses. Communication with the C&C servers is SSL encrypted, to evade HTTP filters.

Figure: Tdss configuration file

The Tdss rootkit is indeed a really worrying infection: it is in the wild and spreading quickly without being intercepted and detected by almost anyone. Some antivirus products may throw up a warning about the presence of tdlcmd.dll or tdlwsp.dll without being able to do anything about it. Most of the time users won't be warned at all; they just don't know their PC is part of a botnet and under the control of malware writers who can use it as they please.

We heartily recommend not downloading or using cracks or keygens; they are often the vector for very nasty infections.

Despite the complexity of the infection, we are able to detect and clean it, and we will update Prevx with the appropriate detection and cleanup routines. In the meantime, every Prevx customer who has been affected by this infection can contact our technical support, who will remove the infection by remote assistance.


Nov 13th

I had the pleasure last night of seeing Jacques receive one of the most notable accolades in the IT industry when he was awarded the British Computer Society title of Young IT Professional Of The Year. It was the first time I have ever seen Jacques genuinely nervous and anxious as the list of finalists was read out. Having witnessed first hand Jacques' achievements, I know how deserving he is of the award.

Here's the link to the BCS announcement.

