Solved

Windows restart loop .. urgent !

Posted on 2006-11-22
25
517 Views
Last Modified: 2010-04-12
Hi guys ..

Urgent help needed. I downloaded a rar file with an exe inside which I double clicked [it's almost def a virus] and it IMMEDIATELY restarted my machine. Then when Windows restarted it just rebooted my machine again and again. I can only get in on safe mode!

PLEASE HELP!
Question by:Eternal_Student
25 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995394
Get in safe mode, click Start->Run->MSConfig
Locate the offending program from the startup tab and deselect it (otherwise deselect everything).
Reboot and run an online scan from www.antivirus.com
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995683
I tried that but it didn't solve anything .. still just restarts before Windows fully loads.

Any other suggestions or should I try a system restore?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995705
Actually, system restore isn't even an option; I didn't have that enabled.

OoOps. HELP
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995777
Try the msconfig route again; this time, check "Hide MS services" and deselect all remaining.

You might also try this script:
http://www.silentrunners.org/Silent%20Runners.vbs

As well as downloading www.hijackthis.de
Download it, save it, then run it - post your log to the same site and have it evaluate it for you.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995903
Will HijackThis be effective in safe mode?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995926
sure
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995958
I will try the other things you mentioned first and then try HijackThis, but it seems to be something nasty running on startup.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996089
The only possibly nasty HijackThis entry was this one:

         O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208

Does that look like it could be the culprit?

Nothing else seemed to work!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996161
No, that's probably your DNS settings.
Can you post the link to your logfile (not the logfile, please)?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996173
The vb script produced a log but the only thing that stands out [in my humble understanding] was this:


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Would that have anything to do with it?

thanks.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996194
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996214
No, that just enables the Shutdown button on your logon screen...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996242
Hmmm, I'm actually at my workstation, so I'm unable to work at the minute!

If worst comes to worst I will have to get our support guy here, but I was hoping to save the embarrassment and fix it myself!

Any ideas?

Thanks for your time sirbounty.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996262
Give me a few to look at your log file...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996273
Good man, MUCH appreciated .. I also have the Silent Runners log file if you need that?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996303
You can post it for ha-has if you want to...
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 17996325
Hmm - I'm not sure that Last Known Good would help here either...
Try going back into MSConfig and clear all startup items and all non-MS services (remember to check the box below).
Reboot - can you get in that way?

If that doesn't work, I'd be likely to suspect a rootkit, and that's not a good thing...
Although there are 'rootkit revealers' out there, I believe it might be best left to a support person:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://www.sysinternals.com/utilities/RootkitRevealer.html

You can try running it to see, but don't remove anything without being 100% certain.
0
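As an added example (not code from the thread, nor from MSConfig, HijackThis or Silent Runners), the following PowerShell script performs the review the thread does by hand: the Run-key autostarts behind MSConfig's Startup tab, services whose binaries are not Microsoft-signed (what "Hide all Microsoft services" leaves visible), and the per-interface NameServer value behind the O17 line discussed earlier. It assumes a current Windows with PowerShell 5 or later, run elevated, and it only lists; it changes nothing.

```powershell
# Added example, not code from the thread or from any of the tools it names:
# a read-only triage of the three things the thread checks by hand (the Run
# keys behind MSConfig's Startup tab / HijackThis O4, non-Microsoft services,
# and the per-interface NameServer value behind the O17 line).
# Assumes a current Windows with PowerShell 5 or later, run elevated.

# 1. Run / RunOnce autostarts for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path -Path $_ })) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop provider metadata
        ForEach-Object { "AUTORUN  {0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}

# 2. Services whose binary is not signed by Microsoft, i.e. what MSConfig shows
#    with "Hide all Microsoft services" ticked. The file's signer is checked,
#    not the display name, because a display name is free for malware to pick.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -notmatch '^"?(.+?\.exe)') { continue }   # path may be quoted / carry args
    $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
    if ($signer -notmatch 'O=Microsoft Corporation') {
        "SERVICE  {0} [{1}] {2}  signer: {3}" -f $svc.Name, $svc.StartMode, $exe, $signer
    }
}

# 3. DNS servers per interface: NameServer is the static value HijackThis reports
#    as O17; DhcpNameServer is what the network handed out. A static value that
#    differs from DHCP deserves a second look (in the thread the O17 entry was
#    judged to be the asker's normal DNS settings).
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($if in Get-ChildItem -Path $ifRoot) {
    $p = Get-ItemProperty -Path $if.PSPath
    if (-not $p.NameServer -and -not $p.DhcpNameServer) { continue }
    # Both values are lists; the separator may be a comma or a space, so normalise.
    $static = (("$($p.NameServer)" -split '[ ,]+') | Where-Object { $_ }) -join ' '
    $dhcp   = (("$($p.DhcpNameServer)" -split '[ ,]+') | Where-Object { $_ }) -join ' '
    $flag = if ($static -and $static -ne $dhcp) { 'STATIC, REVIEW' } else { 'dhcp' }
    "DNS      {0}  NameServer='{1}'  DhcpNameServer='{2}'  [{3}]" -f $if.PSChildName, $static, $dhcp, $flag
}
```

Anything the script flags is a candidate for review, not for deletion; as the accepted answer says, remove nothing without being certain what it is.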
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996339
Oh OK, I won't bother; I just thought you might be able to gauge some information from that. What a nightmare!
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996419
Hi Sirbounty,

I tried to log in after going through the MSConfig settings but it just rebooted, so I tried Last Known Good and I'M IN!!!!

It said Windows has recovered from a serious error about 5 times and seemed to be running slow.

What can I do to make sure my machine is clean from this virus?

many thanks.

I'M IN THO!!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996456
Search for the EXE/RAR and DELETE IT!  Other than that, it should not have done any permanent damage...
You can repeat the steps above to be sure.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996466
I deleted it in safe mode!

Wow, seems like I have been lucky then.

Do you want me to post the HijackThis link again now?

You're the man
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996475
Sure, can't hurt... :^)
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996510
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996815
The only one I don't recognize is
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE

Could be 'work' related, though...?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996878
Yeah, I think that is a remote access tool used to gain access to my computer from another machine.
0
