
Boot up error sound, missing file, previous virus

Whiplash

Hey all, I was hoping to get some advice from the knowledgeable people here. I've tried searching around on the net for answers but keep going in circles and end up at many different utilities that I have to buy to take full advantage of.

Short version of the story is I was infected by some nasty trojans a few weeks back. I managed to get rid of it mostly with free utilities. But there was one keylogger thing that kept loading and refreshing itself on bootup. I used Trojan Remover to manually remove the file.

Ever since then, my computer does an error "bonk" sound on the initial loading of the desktop. I assume this is because my system is still trying to load the offending file.

I'm just wondering if there is a good (preferably free) utility out there to go in and scan for problems like this and fix them. I've seen a number of good registry fixing tools, etc.. but again, most of them you have to pay for the full license.. I'm not against that, but I thought I'd seek any recommendations first.

Or perhaps someone can tell me how I can figure out how to fix this on my own. My system is clean and fine otherwise. It's been thoroughly scanned numerous times over the last two weeks with several different virus/malware programs and online free virus scanners. I'm having no other issues. Just this annoying bootup error.

Thanks!
 
I personally go with MalwareBytes. It's a free tool you can use, but there's also a paid version. http://www.malwarebytes.org/ The free version will get rid of infections, too.

They also have forums for helping users get rid of more troublesome infections, too.
 
Ahh, yes, I do have that installed already. I have full scanned with it numerous times, including earlier today. It doesn't find anything wrong. The bad file is gone, it's more a case that my system bootup/registry/something is trying to still load the file when windows starts.

At least, that's what I think is happening. Because of the way it was removed (forcible deletion).

Thanks though!
 
Um, that is a tricky one, so the 'bonk' occurs during the start up, that means many things, is it during the windows boot, when either the screen is dark or the blue windows boot? I have the feeling that you mean after windows has started, so yes, you probably still have the hook somewhere, which is not a good thing.

The more knowledgeable will come along and tell you how to do it, I know where you can do it for the Windows boot, http://support.microsoft.com/kb/308427, and view the event log for startup.

Which may not be that useful, depends on how much you want to do yourself.

Now if you are sort of savvy but do not want to be more savvy you have two options, the most painful but easiest, back up your data files, use the OS disk and do a clean install, maybe even with a full format. Be sure to load your drivers on a flash drive before you start. That way you know you got whatever it is. Especially if you had a rootkit infection.

The second option takes more time and depends on your savvy level, many forums like the HJT (Hijack This), Major Geeks, Bleeping Computer have a place where they will take you through a process of cleaning your machine, you must do exactly as they tell you and not fool around however.

I recommend Major Geeks Read and Run Me First by ChasLang, it is very helpful and then if it does not resolve your issue then you have all the logs they need to help you in their help forum. But you must follow the steps as they give them and do it as they tell you. If you need their help, it takes time but they are very nice. As are HJT and Bleeping Computer.

ETA: What did the forcible delete remove?
 
Thank you David for the extensive response.

First, the "bonk" sound happens just as my desktop appears, and is instantly followed by the windows logon music/sound.

I'm aware I can reinstall. It's my usual response to such a thing. But doing so right now would be a monumental pain to get everything back the way it is, including things for my job. Hours and hours of work for a simple bootup error sound and no other apparent problem. I can live with it for now if that's the case.

On the file in question.. it's a long story and I don't remember for sure the filename. I know it was a variation on wship6.dll. Something like wship6s.dll or wship6y.dll or something. I could turn up no record of its existence as a legitimate file. NOTE: Not wship6.dll itself, I know that is a legit file. It was that filename, with an extra letter on the end.

Now, at the time I was doing this cleanup.. only one program was identifying this file as a keylogger. It was with Prevx, which would not clean the file for free.

I was nervous to just delete it outright, but I searched extensively and found nothing about it that seemed legit. And also, the Prevx information listed showed that keylogger as having a different name variation (this will apply in a minute)..

The first time I deleted it, I backed it up first in case it was legit. And when I rebooted, the file was recreated. I deleted it again, and rebooted, and it was back again, but this time, the file name had changed. Its name was morphed into a combination of its original name, and the alternate name of the virus on the PrevX info page.

So I became pretty sure it was a bad file and used Trojan Remover to delete it, which finally took. It never came back after that.. but I started getting the error beep right at that point.

Anyhow, I guess I will have to consider going to Major Geeks or somewhere to do the drill. I was just figuring there was probably an easy way (or tool) to identify where my os was trying to still load the (now deleted) file.

I haven't tried Rootkit Revealer yet, on a full system scan. I saw that recommended somewhere for someone with a similar issue.

Thanks again for your help. I am looking into the system log and trying to figure things out.
 
Well, you could try a 'repair install' that will restore the systems files but not remove any hooks.

Start OS install, go to the Windows install (not the recovery console) and select Repair.

That should replace the systems files and reset the registry.

The only issue with this is that if you have installed service pack three and IE7 and/or IE8 after the original OS then you want to uninstall them and reinstall them after you repair the system.
 
I had tried to boot my XP CD once to see what options I had in that regard.. and it asked me for an admin password, which I failed at three times and it rebooted.

Odd thing is, I am sure I never set an admin password. So I'm probably missing something obvious, like I just had to hit "enter" instead of trying passwords.

I wasn't patient enough to boot the CD again.

(I just checked in my user profiles, and I am the admin.. and my option there is "create a password" which leads me to believe there isn't one?)
 
Ahh.. now that is exactly what I was looking for. What an awesome utility. That has fixed the problem, and then some.. my computer goes much faster through initial systray loading of items and so forth.

I'm not entirely sure which item I removed it was that was the problem. There were several hidden scheduled tasks which I was able to get rid of. Also there were many drivers that were "file not found" on them, some of which had very odd garbage filenames..

I was cautious in checking things off and rebooting a couple of times. It seems it got best after I turned off the stuff in the drivers section. I also removed some entries to old software that didn't remove itself apparently.

Like I said, no more "bonk" error, and it boots a bit smoother. So .. awesome.

Thanks!
 
Err, take that back.. rebooted once more.. "bonk" returns..

Don't get it, not gonna mess with it more right now for fear of making anything worse. I'll have to consider doing a reinstall soon anyhow.

Thanks those that helped. Anyone else with any ideas, please feel free to submit them.
 
Hi there, msconfig is very useful and if Microsoft trusted their users more, they would give easier access to it. That said, I suspect you have a registry value that keeps adding that deleted virus to the startup.

So when you disable it from msconfig, it goes away, but then as time passes and probably as some dll turns on, it adds again the startup entry and there you have the boink again. Check if it is added a second time in msconfig.

If it is the case, you would have to delete the registry key that keeps changing the startup. Usually those are in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and the same in RunOnce; if you see the value of the dll you mentioned was an infection, you should delete it (by the way, do you know how to make registry backups and are familiar with regedit?)

Just my two cents, I hope it helps
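
A read-only way to look for the kind of leftover startup entry described in the post above, as an added PowerShell example that is not part of the original thread: it lists the values under the Run and RunOnce keys and reports the ones whose target file is no longer on disk. The HKCU keys are an addition here (the post names only the HKLM ones), and the helper function names are made up for this example.

```powershell
# Added example: read-only audit of the Run / RunOnce autostart values.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',      # per-user keys: assumption,
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'   # not named in the thread
)

# Pull out the file an autostart command line actually loads (hypothetical helper).
function Get-CommandTarget([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # rundll32 entries: the interesting file is the DLL argument, not rundll32 itself
    if ($c -match '(?i)rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim() }
    # Quoted executable path followed by arguments
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: stop at the first known extension
    if ($c -match '(?i)^(.+?\.(exe|dll|com|bat|cmd|scr|vbs))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

# True if the target exists as a full path or can be found on the search path.
function Test-TargetExists([string]$Target) {
    if ([IO.Path]::IsPathRooted($Target)) { return (Test-Path -LiteralPath $Target) }
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        foreach ($candidate in @($Target, "$Target.exe")) {
            if (Test-Path -LiteralPath ([IO.Path]::Combine($dir, $candidate))) { return $true }
        }
    }
    return $false
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if (-not $cmd.Trim()) { continue }          # skip empty values
        $target = Get-CommandTarget $cmd
        New-Object PSObject -Property @{
            Key = $key; Name = $name; Command = $cmd
            Target = $target; Exists = (Test-TargetExists $target)
        }
    }
}

# Show only the orphaned entries: a value that points at a file that is gone.
$report | Where-Object { -not $_.Exists } | Format-List Key, Name, Command, Target
```

The script changes nothing, so anything it lists still has to be reviewed by hand and the key exported before a value is deleted. It covers only these four keys, not the drivers or scheduled tasks mentioned earlier in the thread.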
 
Thanks stup_id for your input as well. Yes, I'm very familiar with regedit and msconfig.

Tracking this down is turning out to be a pain that seems pointless.. I am now decided that I will buy Windows 7, as soon as possible. Certainly by the holidays..

So I will just live with it for now until I can do a fresh install.

Thanks everyone for helping!
 