
Continuous boots because of virus


  • This topic is locked
4 replies to this topic

#1 Someone0001

Someone0001

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 29 June 2011 - 08:10 PM

Hello. I'm sorry if the virus forum part was better, but this seemed better in this case as the most important thing here is not getting rid of the virus, but getting the PC to start again.

I'll start at the beginning: I suddenly got the message that my HD's corrupted. I've had that before, due to Windows Restore. Weird I got it again as I'm always careful with what sites to visit etc (perhaps a left-over from that time? I was on google when it happened this time, it was previously on Wikipedia). I knew what to do this time. Instead of restarting, I immediately let AVG scan, let Windows show hidden folders, checked Hijackthis and deleted an obvious Windows Restore entry (a new entry, being almost exactly as before, only differently named but still just as random), went into the Application Folder and deleted the same-named exe there, and then I wanted to go and download Malware Bytes to find the rest, but it seems Windows Restore forces a reboot when you don't yourself.

This time however, I didn't get back to the desktop. When it's in the Windows XP loading screen, it immediately reboots in an infinite loop. Safe Mode or starting with last known working configuration doesn't work either. I've tried a repair install (not repair at where you'd open the console, but the next repair), but when it wants to reboot to finish setup it's the same problem again.

What would be the best thing to do here? Especially considering that virus might've affected important system files this time or something and even if my PC would work again it might do the same thing again.


 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:49 AM

Posted 29 June 2011 - 10:05 PM

Hi, :welcome:

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
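
A way to sanity-check the mbr.bin produced by the dd step in the post above, before zipping and attaching it. This is an added example, not part of the original thread or the helper's own tooling; it assumes the standard MBR layout, and the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512  # matches bs=512 count=1 in the dd command

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Bytes 440-445 hold the per-disk signature, so only bytes 0-439 are
        # hashed; the digest can then be compared with a known-good copy.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": parts,
    }

def findings(info: dict) -> list:
    """Return human-readable problems worth mentioning alongside the upload."""
    out = []
    if not info["signature_ok"]:
        out.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        out.append(f"{len(active)} active partitions (expected 1)")
    return out

def sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, one active NTFS (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 156_280_257)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    # Replace sample_mbr() with open("mbr.bin", "rb").read() for a real dump.
    info = parse_mbr(sample_mbr())
    print(info, findings(info))
```
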


#3 Someone0001

Someone0001
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 01 July 2011 - 09:38 AM

Sorry for the late reply. Thank you very much for the instructions. Though, ashamed to say, one of my friends suggested this would be a nice time to upgrade to Windows 7 64-bit (I have a 64-bit system after all, but used a 32-bit OS all the time), which sounded good to me, so I got myself a new HD to set Windows 7 on, and my plans are to connect the other 2 HDs, move the files I want to keep to an external one, then wipe the 2 and re-use them.

That does leave me with 1 question though: will I be at risk from getting infected again even when I make sure to not move infected files ("moving" from my other HD(s) to my HD with Windows 7 on it, or just affecting it)? And if it does, what can I do to protect myself from it (seeing as AVG never picked it up. I now have Avast though as I heard good things about it)?

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:49 AM

Posted 01 July 2011 - 12:55 PM

Thanks for the feedback.

I would recommend AVAST over AVG. The rest is all part of good practices while on the internet. Keep away from unknown downloads and unknown e-mail senders.

You are never 100% safe as there is no defense against new variants. Also the Professional Edition of Malwarebytes is quite effective keeping you from questionable sites.

Best of luck with your new system. :hello:



#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:49 AM

Posted 12 September 2011 - 12:04 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





