Solved

Windows restart loop .. urgent !

Posted on 2006-11-22
Last Modified: 2010-04-12
Hi guys ..

Urgent help needed. I downloaded a rar file with an exe inside which I double clicked [it's almost def a virus] and it IMMEDIATELY restarted my machine. Then when Windows restarted it just rebooted my machine again and again. I can only get in on safe mode!

PLEASE HELP!
Question by:Eternal_Student
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995394
Get in safe mode, click Start->Run->MSConfig
Locate the offending program from the startup tab and deselect it (otherwise deselect everything).
Reboot and run an online scan from www.antivirus.com
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995683
I tried that but it didn't solve anything .. still just restarts before Windows fully loads.

Any other suggestions or should I try a system restore?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995705
Actually, System Restore isn't even an option, I didn't have that enabled.

OoOps. HELP
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995777
Try the msconfig route again, this time, check the Hide MS services and deselect all remaining.

You might also try this script:
http://www.silentrunners.org/Silent%20Runners.vbs

As well as downloading www.hijackthis.de
Download it, save it, then run it - post your log to the same site and have it evaluate it for you.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995903
Will HijackThis be effective in safe mode?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995926
sure
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995958
I will try the other things you mentioned first and then try HijackThis, but it seems to be something nasty running on startup.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996089
The only possibly nasty HijackThis entry was this one:

         O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208

Does that look like it could be the culprit?

Nothing else seemed to work!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996161
No, that's probably your DNS settings.
Can you post the link to your logfile (not the logfile please)
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996173
The vb script produced a log but the only thing that stands out [in my humble understanding] was this:


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Would that have anything to do with it?

thanks.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996214
No, that just enables the Shutdown button on your logon screen...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996242
Hmmm, I'm actually at my work station, so I'm unable to work at the minute!

If worse comes to worse I will have to get our support guy here but I was hoping to save the embarrassment and fix it myself!

Any ideas?

Thanks for your time sirbounty.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996262
Give me a few to look at your log file...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996273
Good man, MUCH appreciated .. I also have the silent runners log file if you need that ?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996303
You can post it for ha-has if you want to...
0
 
LVL 67

Accepted Solution

by:sirbounty (earned 2000 total points)
ID: 17996325
Hmm - I'm not sure that Last Known Good would help here either...
Try going back into MSConfig and clear all startup items and all non-MS services (remember to check the box below).
Reboot - can you get in that way?

If that doesn't work, I'd be likely to suspect a rootkit, and that's not a good thing...
Although there are 'rootkit revealers' out there, I believe it might be left to a support person:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://www.sysinternals.com/utilities/RootkitRevealer.html

You can try running it to see, but don't remove anything without being 100% certain.
0
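
The MSConfig check suggested in this thread (startup items, plus services with the Microsoft ones hidden) can also be produced as a read-only listing from PowerShell. This is an added example, not part of the original replies; it assumes Windows PowerShell 3.0 or later, which postdates this 2006 thread, and it changes nothing on the system.

```powershell
# Added example: read-only inventory of autostart entries. Nothing is modified.

# 1. Run/RunOnce values: the registry side of MSConfig's Startup tab.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startup = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) }
    }
})

# 2. Files and shortcuts in the per-user and all-users Startup folders.
$startup += @(foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path -LiteralPath $path)) {
        Get-ChildItem -LiteralPath $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
})

# 3. Auto-start Win32 services (Start = 2) whose binary does not name Microsoft
#    as its company. Read from the registry, so it also works in safe mode.
#    CompanyName is self-declared file metadata, not a signature check: use it
#    to shorten the list to review, not to decide what is trustworthy.
$services = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Start -eq 2 -and ($_.Type -band 0x30) -and $_.ImagePath } |
    ForEach-Object {
        $image   = [Environment]::ExpandEnvironmentVariables($_.ImagePath)
        $company = $null
        # Take the path up to the first ".exe", with or without surrounding quotes.
        if ($image -match '^\s*"?(.+?\.exe)' -and (Test-Path -LiteralPath $Matches[1])) {
            $company = (Get-Item -LiteralPath $Matches[1]).VersionInfo.CompanyName
        }
        if ($company -notlike '*Microsoft*') {
            [pscustomobject]@{ Service = $_.PSChildName; Company = $company; ImagePath = $image }
        }
    }

$startup  | Format-Table -AutoSize -Wrap
$services | Format-Table -AutoSize -Wrap
```

A service whose binary is missing from disk is listed with an empty Company column, which is itself worth a look.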
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996339
Oh ok, I won't bother, I just thought you may be able to gauge some information from that. What a nightmare!
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996419
Hi Sirbounty,

I tried to log in after going through the MSConfig settings but it just rebooted so I tried Last Known Good and I'M IN !!!!

It said Windows has recovered from a serious error about 5 times and seemed to be running slow.

What can I do to make sure my machine is clean from this virus?

many thanks.

I'M IN THO !!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996456
Search for the EXE/RAR and DELETE IT!  Other than that, it should not have made any permanent damage...
You can repeat the steps above to be sure.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996466
I deleted it in safe mode!

Wow, seems like I have been lucky then.

Do you want me to post the HijackThis link again now?

You're the man
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996475
Sure, can't hurt... :^)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996815
The only one I don't recognize is
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE

Could be 'work' related, though...?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996878
Yea, I think that is a remote access tool used to gain access to my computer from another machine.
0
