Windows cannot find boot.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jiangzw88, Apr 7, 2007.

  1. jiangzw88

    jiangzw88 Private E-2

    I posted this problem in the software forum and was advised to post in this forum.
    When I double click on the E:\ icon in my computer (which is a partition of my hard disk) and also my portable hard disk's my computer icon (G:\), I get this error message "Windows cannot find 'Boot.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

    I am using an IBM Thinkpad T42, running on Windows XP Pro SP2.

    I have read and followed the READ & RUN ME FIRST. Malware Removal Guide Thread

    Thanks for any help in advance. :)
     

    Attached Files:

  2. jiangzw88

    jiangzw88 Private E-2

    More logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are all clean! (You do need to uninstall all the old Sun Java versions and update as requested in step 6 of the READ ME, but this had nothing to do with your problem.)

    While it is true that boot.exe can be a Trojan (like Troj/Puppet-A), it could also be a valid program, and perhaps you needed this to access your portable hard disk. You may just need to reinstall the software/drivers for your portable hard disk.

    One valid type of boot.exe was used to read and write boot sectors and Master Boot Records directly from the command line.
     
    Last edited: Apr 8, 2007
  4. jiangzw88

    jiangzw88 Private E-2

    Thank you chaslang for your reply. I did not need to install any drivers for both hard disks to work.

    Do you mean that my boot.exe error is not caused by malware?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not from what I see in your logs. But they are only reporting your C drive.

    In addition, I see no signs of the trojan form of boot.exe. Perhaps your antivirus or antispyware programs removed something you need. Did they report anything about boot.exe recently? Do you have anything saved in a quarantine (like AVG's Vault)? Perhaps it deleted the file!

    On your portable hard drive, is there a file named autorun.inf in the root folder? If so, rename it to autorun.old. Does that change anything?

    Do the same check for autorun.inf in the root of your E: drive partition.

    Also look on both your portable drive and your E: drive for a file named bootman.exe and let me know what you find.
     
    Last edited: Apr 8, 2007
  6. jiangzw88

    jiangzw88 Private E-2

    I could not find autorun.inf or bootman.exe.
    I opened AVG virus vault and there are some items in them. I have attached a screenshot of the virus vault. Thanks for your help. :)
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And did you notice there was an e:\boot.exe in there? You should try to get the file out of the Vault and run it through the below online scanning tool to see if it is truly infected with Brontok. Note the Jotti.org site can be very busy, so your request may get queued up for a while:

    http://virusscan.jotti.org/

    You can also try the below site (which also gets busy):

    http://www.virustotal.com/en/virustotalf.html


    I also recommend you do the below.

    • Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Copy & paste the following string boot.exe in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this file to your next reply.
     
  8. jiangzw88

    jiangzw88 Private E-2

    I tried to upload the file to be tested but after turning off AVG and firewall, I keep getting "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".

    I did the scan and I have attached the search results. Thanks:)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • When you had AVG disabled and extracted the file, what was the size of the boot.exe file?
    • And where did you extract it to?
    • Is it still there?
    • If so and if it is 0 bytes in size, shut down AVG again and extract it.
    • Put a copy in the root of drive E and in the root of drive I.
    • Can you get to those drives without a problem now?
    This does not appear to be a malware problem. It is still looking like a file you need for some reason.


    A while back I asked you to look for autorun.inf and you said you could not find it. But you never did step 2 of the READ ME correctly and cannot view all file extensions. Thus it would only show as autorun. You should do step 2 properly and then check again for autorun.inf.
     
  10. jiangzw88

    jiangzw88 Private E-2

    • The size of boot.exe is 22.4KB.
    • I just restored the file from the virus vault.
    • I placed a copy but when I double clicked the icons on my computer, I get another error message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I am using the admin account while doing this.
    • No, I still cannot access the drive via double clicking.

    Did you mean I need to type in autorun.inf to search for that file? If so, I used Start> Search> For Files and Folders, searched for autorun.inf but it was not found.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Where did it restore it to? Did you need to put copies on drive E and G?
    At this point I really suspect this is more of a software or hardware issue than it is malware. I'm not exactly sure what the problem is, but it really does not appear to be malware. It sounds almost like a problem with mapped network drives and access permissions now.

    No, I meant to just use Windows Explorer to go to the drives and look for the files. I thought from your message in the software forum that you could right click the drives to get access.
     
  12. jiangzw88

    jiangzw88 Private E-2

    • I restored it to drive E and G.
    • I still can access my drives by right click> Explore, but if I double click the icons in My Computer, I get the error message. By Exploring, I still cannot find the files.
    Do I have to repost this in the software forum?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never got the boot.exe file scanned by Jotti. Can you do that? Turn off your firewall and AV if necessary while doing it. Also put a copy of boot.exe into a ZIP file and attach the ZIP file here.

    Yes, I may soon be sending you to the Software Forum, but first please run the below.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  14. jiangzw88

    jiangzw88 Private E-2

    When I try to zip the file, I get an error message "file not found or no read permission". I think that could be the reason I cannot upload the file to be scanned.
    Attached is the BlackLight log.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you get a copy of it into a ZIP file after booting in safe mode and also shutting down your AV and firewall?
     
  16. jiangzw88

    jiangzw88 Private E-2

    I restarted in safe mode with networking. I restored the boot.exe from the virus vault and double clicked on E drive and there was no error message. I also managed to get the file scanned on the online scanners. I also managed to zip the boot.exe and have attached it. Thanks for your help :)
    Virus Total Scan Link
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that sounds good since you now can access your drives! But see below.

    Your link does not appear to work but here is what I got

    View attachment VTscan.doc

    This obviously does not look good. You may want to backup important data while you can. However if you have a boot sector virus, as I mention below, the media you write to could become infected. See: http://support.microsoft.com/kb/82923


    Perhaps you need to see if you can do a system restore to a point in time before this occurred to see if it helps (it probably will not).

    Your next step may need to be a repartition and format of the affected drives. I'm not really sure how this is causing your problems. Although the above scans all point to it being a problem, none of those trojans really seem to mention a boot.exe file. It's possible that it is a boot sector virus of some form, and these can be a challenge to remove.

    See: http://www.wikihow.com/Remove-a-Boot-Sector-Virus
     
  18. jiangzw88

    jiangzw88 Private E-2

    Sorry for my late replies, have been rather busy lately.
    When I start Windows, I get this error message:
    [image: error message screenshot]
    Thanks for your help once again:)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the current version of GetRunKey from the link in the READ & RUN ME.

    Then attach new logs from GetRunKey and HJT.
     
  20. jiangzw88

    jiangzw88 Private E-2

    Attached are the logs from GetRunkeys and HJT.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not running HijackThis properly! Please run it as you did in your first message and then attach a new log! Delete the ZIP file you just ran it from so that you do not make the same mistake again.

    Your previous logs did not show "MessengerPlus3". Now I see it in your GetRunKey log. Did someone just install this? I strongly recommend uninstalling this and never using it. It may well have been the cause of your new infection. Yes, the image you posted about the taskmgr.exe in Documents and Settings is new. It was not in your previous logs.

    You should also attach a new log from ShowNew since this new infection may have placed other files on your PC.
     
  22. jiangzw88

    jiangzw88 Private E-2

    Sorry for not running HJT properly. I hope I did it correctly this time.
    I did not install any version of messenger plus recently and I have no idea how it showed up in the log.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    Java 2 Runtime Environment, SE v1.4.2_07
    Java 2 SDK, SE v1.4.2_07

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp



    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now reboot in normal mode

    Now locate the below folder and delete it if found:
    C:\Program Files\MessengerPlus! 3


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  24. jiangzw88

    jiangzw88 Private E-2

    I uninstalled these:
    J2SE Runtime Environment 5.0 Update 11
    Java 2 Runtime Environment, SE v1.4.2_07
    Java 2 SDK, SE v1.4.2_07

    And installed the latest Java. I did not install firefox as I am already using the latest version of Firefox 2.0.0.3.

    I did not find C:\Program Files\MessengerPlus! 3

    Also, I am still getting this
    [image: error message screenshot]
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is still occurring after another reboot? Part of the fixME.reg patch had the below in it:
    This was the cause of the popup and according to your GetRunKey log, it was fixed by the registry patch.
     
  26. jiangzw88

    jiangzw88 Private E-2

    I am still getting that error message despite running fixME.reg
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and get logs from GetRunKey and from HJT. Then reboot into normal mode and attach the two logs here.


    Also please download Silent Runners
    • Save it to the desktop.
    • Run Silent Runners by doubleclicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and attach it to your next message.
    NOTE: If you receive any warning messages from your antivirus or antispyware programs about a script trying to be run , please choose to allow the script to run.
     
  28. jiangzw88

    jiangzw88 Private E-2

    These are logs that you requested
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay please download the current version of GetRunKey from here: Using GetRunKey
    It was just updated and I think it may show what we are looking for.

    Attach a new log!
     
  30. jiangzw88

    jiangzw88 Private E-2

    Done
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    How are things looking now?
     
  32. jiangzw88

    jiangzw88 Private E-2

    It worked and there is no more error message on startup. However the boot.exe error is still not resolved, do I repost in software forum?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message # 16 you said
    I thought this meant you had no more problems after restoring the file even though the scans indicate possible infections in the file.


    Download the attached getmount.zip file and extract the getmount.bat file from it. Double click on the getmount.bat file to run it. This will create two files:

    c:\mount1.txt
    c:\mount2.txt

    Attach these two files to your next message.
     

    Attached Files:

    Last edited: May 1, 2007
  34. jiangzw88

    jiangzw88 Private E-2

    Sorry for not making things clear. Only after restoring the boot.exe file in safe mode and double clicking on the drive icons gave no error message. But in normal mode, there is still the error message.

    Here are the getmount.bat logs
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the boot.exe file still there in normal mode, or did your antivirus remove it again?

    Let's try the below!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Did that change anything for the better?
     
  36. jiangzw88

    jiangzw88 Private E-2

    My anti virus removed boot.exe. I think by restoring boot.exe, it infected other files, causing the error message on startup.

    Unfortunately, nothing changed. My portable hard disk has this error message when double clicking its icon: "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you referring to the message about Taskmgr.exe ?

    I believe the malware you have is described in this link: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_VB.BXS&VSect=T

    Do you see the C:\Windows\Screen Task.scr file? If so, delete it.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Much earlier I asked you about the AUTORUN.INF file existing and you said it did not! Are you 100% sure about that?


    Deleting AUTORUN.INF
    1. Right-click Start then click Search
    2. In the Named input box, type:
      AUTORUN.INF
    3. In the Look In drop-down list, select My Computer
    4. Once located, select the file then open with Notepad. Check if it contains the following strings:
      shellexecute=Boot.exe
    5. If the said strings are found, close Notepad, select the file then press Delete.
    Please download and install ExplorerXP. Try using it instead of Windows Explorer to access the drives. Does it work?

    Note: You may be looking at a reinstall to resolve these problems! This appears to have affected you at a hardware level. However, back in message # 17 I had suggested a possible use of System Restore to a point in time before this problem occurred. Have you thought about trying that?
     
    Last edited: May 3, 2007
  38. jiangzw88

    jiangzw88 Private E-2

    Yes

    From what I read in this link, I think this is the malware. Do I follow the removal instructions in that link?

    Could not find that file

    I found autorun.inf on both my hard drive and my portable hard drive. This is what I got:
    [Autorun]
    shellexecute=Boot.exe e
    shell\Open\command=Boot.exe e
    shell=Open


    I can access the files by exploring them but not double clicking. Anyway I installed ExplorerXP and I can access my drives.

    I cannot use the system restore method, as I have it turned off. I read somewhere that it is safer for system restore to be turned off.

    Thanks for your help once again :)
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, we have sort of been doing some of it already.

    This is why I asked about this much earlier and you said it did not exist. This is important information. Load the autorun.inf file into notepad and delete the two lines with boot.exe on it. Make sure you check ALL drives and do the same on all drives. Save the edited file and then reboot.

    What happens now?


    Okay that would at least be a work around if you had problems accessing them.

    Totally incorrect. As you can see now, if you had a restore point, you could have used it to eliminate your problem.
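    As an added example (not part of the original thread, and not code from MajorGeeks or from either poster): a small Python script that does what messages # 37 to # 39 describe by hand. It parses an autorun.inf found in a drive root, flags the keys that make Explorer launch a program on double-click or AutoPlay (open, shellexecute, and any shell\<verb>\command), reports whether the named program is actually present in that root (absent gives the "Windows cannot find 'Boot.exe'" error seen here; present means the payload is still on the drive), and produces a cleaned copy with only those lines removed, leaving shell=Open and any icon or label lines intact, exactly as message # 39 had the user do in Notepad. The sample autorun.inf is the text posted in message # 38; the function and variable names are my own, and the temporary directory stands in for E:\ or G:\ so the example runs offline.

```python
"""Find and neutralise autorun.inf launch entries (added example, not from the thread)."""
import re
import tempfile
from pathlib import Path

# Keys under [Autorun] whose value is a command line the shell will run.
# "open" and "shellexecute" are direct; "shell\<verb>\command" is the command
# behind a context-menu verb, and "shell=<verb>" makes that verb the default.
_SHELL_VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse INI-style autorun.inf text into (section, key, value) tuples.

    Section names and keys are lower-cased for matching; values keep their
    case so the referenced file (e.g. Boot.exe) is reported as written.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def is_launch_key(key):
    """True for keys that cause a program to be executed."""
    return key in ("open", "shellexecute") or _SHELL_VERB_CMD.match(key) is not None


def launch_entries(text):
    """[(key, command), ...] for every launch entry under [autorun]."""
    return [(key, value) for section, key, value in parse_autorun(text)
            if section == "autorun" and is_launch_key(key)]


def launched_program(command):
    """First token of the command line, i.e. the file the shell would run."""
    parts = command.split()
    return parts[0] if parts else ""


def sanitize(text):
    """Return the file with launch lines dropped and everything else kept.

    Matches the manual fix in message # 39: delete the two Boot.exe lines,
    leave shell=Open (harmless once no command is bound to the verb).
    """
    kept = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            if is_launch_key(line.partition("=")[0].strip().lower()):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def scan_root(root):
    """Inspect <root>\\autorun.inf and report each launch entry together with
    whether its target exists in that root. Requires hidden/system files to be
    readable; on a real drive call scan_root("E:\\\\")."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for key, command in launch_entries(inf.read_text(errors="replace")):
        target = Path(root) / launched_program(command)
        findings.append({"key": key, "command": command,
                         "target": str(target), "present": target.is_file()})
    return findings


# Constructed sample: the autorun.inf contents posted in message # 38.
SAMPLE_AUTORUN = """[Autorun]
shellexecute=Boot.exe e
shell\\Open\\command=Boot.exe e
shell=Open
"""


def demo(sample, plant_payload=False):
    """Build a throw-away fake drive root holding `sample` as autorun.inf
    (optionally with a dummy copy of the named program) and scan it."""
    with tempfile.TemporaryDirectory() as fake_root:
        Path(fake_root, "autorun.inf").write_text(sample)
        if plant_payload:
            for _, command in launch_entries(sample):
                Path(fake_root, launched_program(command)).write_bytes(b"MZ")
        return scan_root(fake_root)


if __name__ == "__main__":
    for f in demo(SAMPLE_AUTORUN):
        print(f"{f['key']} -> {f['command']!r} (target present: {f['present']})")
    print("--- cleaned autorun.inf ---")
    print(sanitize(SAMPLE_AUTORUN), end="")
```

    Note that the "present" flag distinguishes the two states this thread went through: with AVG having removed e:\boot.exe the target is missing and double-clicking the drive produces the "cannot find" error, while after restoring the file from the Vault the target is present and the double-click runs it again.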
     
  40. jiangzw88

    jiangzw88 Private E-2

    I followed your instructions and there are no more error messages. Problem solved. I have also turned on System Restore. Thanks a lot for your help :D
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. After doing the above, you should work through the below link:
     
