
Boot Disk Virus


21 replies to this topic

#1 gattaca13 (Members, 10 posts)
Posted 02 September 2008 - 11:54 AM

I am in desperate need of help on this issue. I somehow have gotten a Boot Disk Virus.
How did I come to this conclusion? Well, here are my symptoms:

When I first boot, after the windows screen comes up, a black screen just stays up with my mouse able to move around. It will either stay there and not boot, or it will take a few minutes and eventually boot normally.
When I run AVG scan on my computer, the first thing that it points out is that there is a problem in my Boot Sector.
Also, everytime I boot, new Trojan viruses get loaded onto my computer.

I can boot into Safe Mode, but even if I boot into Safe Mode, Trojans are still inserted onto my system.

I'm not the most computer savvy person when it comes to fixing virus problems. I usually go to my mom, but she got evacuated from Louisiana. So help from anyone here would be much appreciated.


I'm currently running Windows XP Service Pack 2. Anything else you need to know about my computer to help fix the problem, let me know.

Thanks a lot!


#2 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 02 September 2008 - 12:22 PM

Hi and welcome to BC. I'm going to move your topic from XP to the Am I Infected forum.

If you cannot connect to the internet to download and install these, you will need access to another computer. Then copy or save these files to a CD, USB jump drive etc. and transfer them to the infected PC.


Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#3 gattaca13 (Topic Starter)

Posted 11 September 2008 - 07:01 PM

Sorry for the delay. Here's what I got in the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2008 at 08:16 PM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:47:27

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 5407
Registry threats detected : 49
File items scanned : 24573
File threats detected : 5

Trojan.Unclassified/QALKFXOR
HKLM\Software\Classes\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\InprocServer32
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\InprocServer32#ThreadingModel
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\ProgID
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\Programmable
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\TypeLib
HKCR\CLSID\{EB5B47E9-140B-4E4B-B9EF-A0D5BF1DA2AD}\VersionIndependentProgID
HKCR\qalkfxor.1
HKCR\qalkfxor
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}\1.0
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}\1.0\0
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}\1.0\0\win32
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}\1.0\FLAGS
HKCR\TypeLib\{3AEEDFDA-C26F-4F18-A897-630E3A5A46A6}\1.0\HELPDIR
C:\WINDOWS\QALKFXOR.DLL
HKCR\Interface\{BBB87B58-22D6-4BB9-9575-3EE05720CCAF}
HKCR\Interface\{BBB87B58-22D6-4BB9-9575-3EE05720CCAF}\ProxyStubClsid
HKCR\Interface\{BBB87B58-22D6-4BB9-9575-3EE05720CCAF}\ProxyStubClsid32
HKCR\Interface\{BBB87B58-22D6-4BB9-9575-3EE05720CCAF}\TypeLib
HKCR\Interface\{BBB87B58-22D6-4BB9-9575-3EE05720CCAF}\TypeLib#Version

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\InprocServer32
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\InprocServer32#ThreadingModel
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\ProgID
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\Programmable
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\TypeLib
HKCR\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\VersionIndependentProgID
HKCR\QXK.Olive
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}\1.0
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}\1.0\0
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}\1.0\0\win32
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}\1.0\FLAGS
HKCR\TypeLib\{20F805A7-D665-4A68-83D1-344F8F10EE34}\1.0\HELPDIR
C:\WINDOWS\RODQGPVLDLR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}
HKCR\Interface\{111AE552-9255-4C78-8385-3FD32EA1E2B9}
HKCR\Interface\{111AE552-9255-4C78-8385-3FD32EA1E2B9}\ProxyStubClsid
HKCR\Interface\{111AE552-9255-4C78-8385-3FD32EA1E2B9}\ProxyStubClsid32
HKCR\Interface\{111AE552-9255-4C78-8385-3FD32EA1E2B9}\TypeLib
HKCR\Interface\{111AE552-9255-4C78-8385-3FD32EA1E2B9}\TypeLib#Version
HKCR\Interface\{D6E6D6E2-CF73-4313-B914-455A7F3A256C}
HKCR\Interface\{D6E6D6E2-CF73-4313-B914-455A7F3A256C}\ProxyStubClsid
HKCR\Interface\{D6E6D6E2-CF73-4313-B914-455A7F3A256C}\ProxyStubClsid32
HKCR\Interface\{D6E6D6E2-CF73-4313-B914-455A7F3A256C}\TypeLib
HKCR\Interface\{D6E6D6E2-CF73-4313-B914-455A7F3A256C}\TypeLib#Version

Trojan.Downloader-SmartLoader
C:\DOCUMENTS AND SETTINGS\ME\MY DOCUMENTS\INSTALLERS\OFFICE\MICROSOFT OFFICE 2003 PROFESSIONAL\KEYGEN\KEYGEN.EXE

Adware.Vundo-Variant/J
C:\WINDOWS\RQBMVPSO.DLL

Trojan.Dropper/Gen
C:\WINDOWS\RVOELBXT.EXE







And yes, my computer is still not working. It's incredibly sluggish, and whenever I boot into Windows normally I get an error that says that it can't find shell.exe. When I do a search for it, it says it's not found.

Any idea on how to get the shell.exe back?

Thanks again!!

#4 gattaca13 (Topic Starter)

Posted 11 September 2008 - 07:29 PM

When I do a scan with Malwarebytes' Anti-Malware software, it always finds the same virus called "Hi-jack Shell."

I'm assuming that this is why my shell.exe is missing.

No idea what to do about this.

Any ideas?

Thanks!

#5 DaChew (Members, 10,317 posts)

Posted 11 September 2008 - 08:33 PM

I'm assuming that this is why my shell.exe is missing.


that's a rogue hijacker not a boot sector virus

#6 buddy215 (Moderator, 13,313 posts, West Tennessee)

Posted 11 September 2008 - 08:55 PM

shell.exe = W32/Mytob-CA worm. http://www.bleepingcomputer.com/startups/shell.exe-9019.html

From what you describe in regards to the error message, the file is probably an orphaned entry related to this malware that was set to run at startup. Windows is trying to load this file but cannot locate it since the file may have been removed during an anti-virus scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message indicating that the file was not found. You need to remove this registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.
http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

* Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (Click this link if you're not sure how to do this.) http://www.bleepingcomputer.com/tutorials/extract-zip-files-in-windows-me-xp-2003/
* Open the folder and double-click on autoruns.exe to launch it.
* Please be patient as it scans and populates the entries.
* When done scanning, it will say Ready at the bottom.
* Scroll through the list and look for a startup entry related to the file you need to remove.
* Right-click on the file and choose delete.
* Reboot your computer and see if the startup error returns.

IF YOU ARE NOT SURE WHICH FILE TO REMOVE FROM STARTUP AFTER RUNNING AUTORUNS---ASK
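Two of the persistence mechanisms in this thread can be checked offline from a registry export: an orphaned startup entry (the Winlogon "Shell" value that buddy215 explains above and that Spybot later reports as "Explorer.exe C:\WINDOWS\shell.exe"), and a Browser Helper Object registered under a CLSID (the Vundo entries in the SUPERAntiSpyware log in post #3). The script below is an added example written for this page; it is not code from BleepingComputer, Autoruns, SUPERAntiSpyware or any other tool named in the thread. It parses a constructed .reg-style export (the key paths, CLSID and file names are copied from the log and alerts above, but the export itself is not from the infected machine), uses an assumed set of still-present files in place of the real disk, reports the findings, and prints a .reg fragment that reverts them.

```python
import re

# Constructed .reg-style export for this added example. It is NOT a dump from the machine
# in the thread; the key names, CLSID and file names are taken from the scan log above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rvoelbxt"="C:\\WINDOWS\\RVOELBXT.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}]

[HKEY_CLASSES_ROOT\CLSID\{F85920DB-0233-4BFA-8780-6E9F2E19E93A}\InprocServer32]
@="C:\\WINDOWS\\RODQGPVLDLR.DLL"
"""

# Assumed set of files (lower-case) still on disk after the scanners quarantined the rest;
# on a live system replace this with os.path.exists() checks.
FILES_ON_DISK = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\rodqgpvldlr.dll",
}

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_reg(text):
    """Parse the .reg subset used here: [key] headers plus "name"="value" / @="value" lines.
    Returns {key: {value_name: data}} with the \\ escapes in data unescaped."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def lookup(reg, path):
    """Case-insensitive key lookup (registry key names are not case-sensitive)."""
    return next((v for k, v in reg.items() if k.lower() == path.lower()), {})


def image_path(command):
    """Lower-cased path of the executable a startup command line launches."""
    m = re.match(r'"?(.*?\.(?:exe|dll|com|scr))', command.strip(), re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def audit(reg_text, files_on_disk):
    """Return (kind, detail) findings for the persistence spots discussed in this thread."""
    reg, findings = parse_reg(reg_text), []

    # 1. Winlogon\Shell must be exactly "Explorer.exe": anything appended runs at every
    #    logon, Safe Mode included, and if the file is gone Windows reports it missing.
    for token in lookup(reg, WINLOGON).get("Shell", "Explorer.exe").split():
        if token.lower() != "explorer.exe":
            state = "present" if token.lower() in files_on_disk else "missing"
            findings.append(("winlogon-shell", f"{token} ({state})"))

    # 2. Run values whose image no longer exists: the scanner removed the file but left
    #    the entry behind, which is exactly what Autoruns is used to clean up.
    for name, command in lookup(reg, RUN_KEY).items():
        if image_path(command) not in files_on_disk:
            findings.append(("orphaned-run", f"{name} -> {command}"))

    # 3. A BHO key only names a CLSID; the DLL Internet Explorer loads is the default
    #    value of HKCR\CLSID\{clsid}\InprocServer32, which is how the Vundo entries chain.
    for key in reg:
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            server = lookup(reg, "\\".join(["HKEY_CLASSES_ROOT", "CLSID", clsid, "InprocServer32"]))
            findings.append(("bho", f"{clsid} -> {server.get('@', '<no InprocServer32>')}"))
    return findings


def remediation_reg(findings):
    """Emit a .reg fragment undoing the findings ("name"=- deletes a value, [-key] deletes
    a key). Review it by hand before importing it with regedit or reg.exe."""
    out = ["Windows Registry Editor Version 5.00", ""]
    if any(kind == "winlogon-shell" for kind, _ in findings):
        out += ["[" + WINLOGON + "]", '"Shell"="Explorer.exe"', ""]
    for kind, detail in findings:
        target = detail.split(" -> ", 1)[0]
        if kind == "orphaned-run":
            out += ["[" + RUN_KEY + "]", '"' + target + '"=-', ""]
        elif kind == "bho":
            out += ["[-" + BHO_KEY + "\\" + target + "]", ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(SAMPLE_REG, FILES_ON_DISK)
    for kind, detail in found:
        print(f"{kind:16} {detail}")
    print(remediation_reg(found))
```

Run as-is it reports the appended, missing shell.exe, the Run value pointing at the quarantined RVOELBXT.EXE, and the BHO CLSID resolved to RODQGPVLDLR.DLL. The first finding is the same change Spybot later asks about in this thread, and the value it proposes ("Explorer.exe" alone) is the correct one. On a real XP machine export the three keys with "reg export" and swap FILES_ON_DISK for os.path.exists(); the DLL named by a BHO is worth submitting to a scanner even when the file is still present, since a still-present DLL is the one that keeps reloading on every boot.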

#7 gattaca13 (Topic Starter)

Posted 14 September 2008 - 04:35 PM

I got the program and did what you said. I got a lot of files that say "shell" which one do I need to remove?

Also, I installed Firefox 3 hoping I could access the web better. And I can't get to BleepingComputer through that browser, and I also can not find my Control Panel to uninstall the program. I went to look for it in the Start menu and looked for it in Windows Explorer.

Hopefully you can help me with this. It's getting crazy.

Thanks again!

#8 gattaca13 (Topic Starter)

Posted 14 September 2008 - 04:49 PM

And yes, I tried going to the Start menu properties and going through the list to enable it. It's not on that list.

#9 DaChew (Members, 10,317 posts)

Posted 14 September 2008 - 05:40 PM

C:\DOCUMENTS AND SETTINGS\ME\MY DOCUMENTS\INSTALLERS\OFFICE\MICROSOFT OFFICE 2003 PROFESSIONAL\KEYGEN\KEYGEN.EXE


these files usually contain a rootkit component and trojan backdoor and can be very hard to remove

print up the directions for SDFix

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#10 buddy215 (Moderator, 13,313 posts, West Tennessee)

Posted 14 September 2008 - 07:54 PM

If after following DaChew's instruction the "shell.exe" is still there, see if this will help you to find the "shell.exe" startup entry.
After opening Autoruns, click on the options button and one option will be to hide the Microsoft entries. Select that and it will make your list much shorter. Then look for shell entries with missing file.

EDIT: Once you have selected "hide Microsoft entries" just click on the refresh button and they will be removed. If you are still unsure you can post the shortened list here by selecting "export" after clicking on "file", open the exported file with notepad or firefox and copy and paste into your post here.

Edited by buddy215, 14 September 2008 - 09:16 PM.


#11 gattaca13 (Topic Starter)

Posted 16 September 2008 - 02:31 PM

So, I got that software that Chewy recommended. I was going through the process, and got it installed, then tried to reboot into Safe Mode.

I can't reboot into Safe Mode. I mean, I "can", sort of. When I reboot I get it going into Safe Mode. And then it just loads up a black screen with my mouse cursor and the Safe Mode words in the corners and stays there. It doesn't go past that point.

I've tried rebooting numerous times to the same results.

Is there a way around this?

Thanks!

#12 DaChew (Members, 10,317 posts)

Posted 16 September 2008 - 03:42 PM

Can you choose safe mode with a command prompt?

#13 gattaca13 (Topic Starter)

Posted 17 September 2008 - 10:36 AM

Booting using the safe mode command prompt gives me the same results. Black screen with safe mode in the corners and my mouse cursor visible. :/

#14 gattaca13 (Topic Starter)

Posted 17 September 2008 - 02:05 PM

WOOT!!!

I had to keep restarting but I eventually got it to kick over into Safe Mode. I ran the SDFIX software with no problems and now my control panel is back! :D It found 16 Trojans which is just excessive. o.O

Before I go any further with any changes on my computer I have a couple of questions.

My Spybot Search & Destroy popped up and is telling me that:
Category: Winlogon
Change: Value Changed
Entry: Shell
Old Data: Explorer.exe C:\WINDOWS\shell.exe
New Data: Explorer.exe

Do I accept or deny this?


Also, Scotty the watchdog popped up and says:

Scotty has detected a change in the following monitored file.
Filename: HOSTS
Location: c:\windows\system32\drivers\etc\hosts

Do I accept or deny this?


I'm really afraid of messing this up again so I wanted to ask before I did anything wrong.

Are there any checks that I should do now that everything SEEMS to be in working order?


Thanks again!!

#15 DaChew (Members, 10,317 posts)

Posted 17 September 2008 - 02:17 PM

No wonder we are so messed up, teatimer and winpatrol are like having 2 girlfriends cook you dinner in the same kitchen at the same time

Basically use programs like this to allow changes when doing something good and disallow changes when something bad is going on