Solved

Windows restart loop .. urgent !

Posted on 2006-11-22
25
522 Views
Last Modified: 2010-04-12
Hi guys ..

Urgent help needed. I downloaded a rar file with an exe inside which I double-clicked [it's almost def a virus] and it IMMEDIATELY restarted my machine. Then when Windows restarted it just rebooted my machine again and again. I can only get in on safe mode!

PLEASE HELP!
0
Comment
Question by:Eternal_Student
25 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995394
Get in safe mode, click Start->Run->MSConfig
Locate the offending program from the startup tab and deselect it (otherwise deselect everything).
Reboot and run an online scan from www.antivirus.com
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995683
I tried that but it didn't solve anything .. still just restarts before Windows fully loads.

Any other suggestions or should I try a system restore?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995705
Actually, system restore isn't even an option, I didn't have that enabled.

OoOps. HELP
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995777
Try the msconfig route again, this time, check the Hide MS services and deselect all remaining.

You might also try this script:
http://www.silentrunners.org/Silent%20Runners.vbs

As well as downloading www.hijackthis.de
Download it, save it, then run it - post your log to the same site and have it evaluate it for you.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995903
Will HijackThis be effective in safe mode?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995926
sure
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995958
I will try the other things you mentioned first and then try HijackThis, but it seems to be something nasty running on startup.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996089
The only possibly nasty HijackThis entry was this one:

         O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208

Does that look like it could be the culprit?

Nothing else seemed to work!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996161
No, that's probably your DNS settings.
Can you post the link to your logfile (not the logfile please)
0
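A triage aid for the O17 entry discussed above, as an added example that is not part of the original thread: it parses HijackThis O17 lines and reports any NameServer address that is not on a list of resolvers the machine's owner expects. `EXPECTED_RESOLVERS` is an assumption (here the two addresses from the posted line, treated as trusted following the reply above), and every sample line except the one quoted from the thread is constructed.

```python
import ipaddress
import re

# Assumption: resolvers the owner expects (ISP or corporate DHCP values),
# taken from a known-good source rather than from the suspect machine.
EXPECTED_RESOLVERS = {"217.169.46.215", "217.169.46.208"}

# O17 lines look like:  O17 - <registry key>: <value name> = <data>
O17_RE = re.compile(r"^\s*O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")

def parse_o17(line):
    """Return (key, value_name, [items]) for an O17 line, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    items = [p for p in re.split(r"[,\s]+", m["data"].strip()) if p]
    return m["key"], m["name"], items

def unexpected_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """List (key, address) pairs whose NameServer is not in `expected`."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None or parsed[1].lower() != "nameserver":
            continue  # other sections, or DomainName/SearchList values
        key, _, items = parsed
        for item in items:
            try:
                addr = str(ipaddress.ip_address(item))
            except ValueError:
                findings.append((key, item))  # not an IP at all: review it
                continue
            if addr not in expected:
                findings.append((key, addr))
    return findings

# Sample log: the first O17 line is from the thread, the rest is constructed.
SAMPLE = r"""
O4 - HKLM\..\Run: [Example] C:\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 217.169.46.215
"""

if __name__ == "__main__":
    for key, addr in unexpected_nameservers(SAMPLE):
        print(f"unexpected resolver {addr} under {key}")
```
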
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996173
The vb script produced a log but the only thing that stands out [in my humble understanding] was this:


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Would that have anything to do with it?

thanks.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996214
No, that just enables the Shutdown button on your logon screen...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996242
Hummm, I'm actually at my workstation, so I'm unable to work at the minute!

If worse comes to worse I will have to get our support guy here but I was hoping to save the embarrassment and fix it myself!

Any ideas?

Thanks for your time sirbounty.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996262
Give me a few to look at your log file...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996273
Good man, MUCH appreciated .. I also have the silent runners log file if you need that ?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996303
You can post it for ha-has if you want to...
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 17996325
Hmm - I'm not sure that Last Known Good would help here either...
Try going back into MSConfig and clear all startup items and all non-MS services (remember to check the box below).
Reboot - can you get in that way?

If that doesn't work, I'd be likely to suspect a rootkit, and that's not a good thing...
Although there are 'rootkit revealers' out there, I believe it might be left to a support person:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://www.sysinternals.com/utilities/RootkitRevealer.html

You can try running it to see, but don't remove anything without being 100% certain.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996339
Oh ok, I won't bother, I just thought you may be able to gauge some information from that. What a nightmare!
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996419
Hi Sirbounty,

I tried to log in after going through the MSConfig settings but it just rebooted, so I tried Last Known Good and I'M IN !!!!

It said Windows has recovered from a serious error about 5 times and seemed to be running slow.

What can I do to make sure my machine is clean from this virus?

many thanks.

I'M IN THO !!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996456
Search for the EXE/RAR and DELETE IT!  Other than that, it should not have made any permanent damage...
You can repeat the steps above to be sure.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996466
I deleted it in safe mode!

Wow, seems like I have been lucky then.

Do you want me to post the HijackThis link again now?

You're the man
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996475
Sure, can't hurt... :^)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996815
The only one I don't recognize is
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE

Could be 'work' related, though...?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996878
Yea, I think that is a remote access tool used to gain access to my computer from another machine.
0
