Solved

Windows restart loop .. urgent !

Posted on 2006-11-22
25
518 Views
Last Modified: 2010-04-12
Hi guys ..

Urgent help needed. I downloaded a rar file with an exe inside which I double clicked [it's almost def a virus] and it IMMEDIATELY restarted my machine. Then when windows restarted it just rebooted my machine again and again. I can only get in on safe mode!

PLEASE HELP!
0
Question by:Eternal_Student
25 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995394
Get in safe mode, click Start->Run->MSConfig
Locate the offending program from the startup tab and deselect it (otherwise deselect everything).
Reboot and run an online scan from www.antivirus.com
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995683
I tried that but it didn't solve anything .. still just restarts before windows fully loads.

Any other suggestions or should I try a system restore?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995705
Actually, system restore isn't even an option, I didn't have that enabled.

OoOps. HELP
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995777
Try the msconfig route again, this time, check the Hide MS services and deselect all remaining.

You might also try this script:
http://www.silentrunners.org/Silent%20Runners.vbs

As well as downloading www.hijackthis.de
Download it, save it, then run it - post your log to the same site and have it evaluate it for you.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995903
Will HijackThis be effective in safe mode?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17995926
sure
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17995958
I will try the other things you mentioned first and then try HijackThis but it seems to be something nasty running on start up.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996089
The only possibly nasty HijackThis entry was this one:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208

Does that look like it could be the culprit?

Nothing else seemed to work!
0
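As an added example that is not part of this thread (and not HijackThis code), a small Python audit that parses O17 NameServer lines like the one above and flags any resolver outside an expected set; it assumes, as the expert concludes in the thread, that the two addresses in the log are the ISP's legitimate resolvers, and the second O17 line with its all-zero GUID and 192.0.2.53 address is constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample log: the first O17 line is the one quoted in the thread,
# the O4 line is benign filler, and the last O17 line (all-zero GUID, a
# documentation-range address) is invented to show what a flagged entry looks like.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Assumption for this example: the thread's two addresses are the ISP resolvers
# the machine is supposed to use. In practice this set comes from your DHCP/ISP config.
EXPECTED_RESOLVERS = {"217.169.46.215", "217.169.46.208"}

# An O17 line is "O17 - <registry key>: NameServer = <comma-separated IPs>".
O17_RE = re.compile(r"^O17 - (?P<key>\S+?): NameServer = (?P<servers>\S+)$")


def parse_o17(log_text):
    """Return a list of {'key': ..., 'servers': [...]} for every O17 line."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue  # not an O17 entry; other HijackThis sections are ignored here
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append({"key": m.group("key"), "servers": servers})
    return entries


def audit_nameservers(entries, expected):
    """Return (key, server, reason) for each resolver not in the expected set."""
    allowed = {ip_address(x) for x in expected}
    findings = []
    for entry in entries:
        for server in entry["servers"]:
            try:
                ip = ip_address(server)
            except ValueError:
                findings.append((entry["key"], server, "unparseable address"))
                continue
            if ip not in allowed:
                findings.append((entry["key"], server, "unexpected resolver"))
    return findings


if __name__ == "__main__":
    for key, server, reason in audit_nameservers(parse_o17(SAMPLE_LOG), EXPECTED_RESOLVERS):
        print(f"{reason}: {server} in {key}")
```

A resolver that is neither your ISP's nor your own DHCP-assigned one is worth checking before the machine is trusted again, since a changed NameServer redirects every lookup the box makes.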
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996161
No, that's probably your DNS settings.
Can you post the link to your logfile (not the logfile please)
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996173
The vb script produced a log but the only thing that stands out [in my humble understanding] was this:


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Would that have anything to do with it?

thanks.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996194
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996214
No, that just enables the Shutdown button on your logon screen...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996242
hummm, I'm actually at my work station, so I'm unable to work at the minute!

If worst comes to worst I will have to get our support guy here but I was hoping to save the embarrassment and fix it myself!

Any ideas?

Thanks for your time sirbounty.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996262
Give me a few to look at your log file...
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996273
Good man, MUCH appreciated .. I also have the silent runners log file if you need that ?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996303
You can post it for ha-has if you want to...
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 17996325
Hmm - I'm not sure that Last Known Good would help here either...
Try going back into MSConfig and clear all startup items and all non-MS services (remember to check the box below).
Reboot - can you get in that way?

If that doesn't work, I'd be likely to suspect a rootkit, and that's not a good thing...
Although there are 'rootkit revealers' out there, I believe it might be left to a support person:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://www.sysinternals.com/utilities/RootkitRevealer.html

You can try running it to see, but don't remove anything without being 100% certain.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996339
oh ok, I won't bother, I just thought you may be able to gauge some information from that. What a nightmare!
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996419
Hi Sirbounty,

I tried to log in after going through the MSConfig settings but it just rebooted so I tried Last Known Good and IM IN !!!!

It said windows has recovered from a serious error about 5 times and seemed to be running slow.

What can I do to make sure my machine is clean from this virus?

many thanks.

IM IN THO !!
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996456
Search for the EXE/RAR and DELETE IT!  Other than that, it should not have done any permanent damage...
You can repeat the steps above to be sure.
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996466
I deleted it in safe mode!

Wow, seems like I have been lucky then.

Do you want me to post the HijackThis link again now?

You're the man
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996475
Sure, can't hurt... :^)
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996510
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17996815
The only one I don't recognize is
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE

Could be 'work' related, though...?
0
 
LVL 18

Author Comment

by:Eternal_Student
ID: 17996878
Yea, I think that is a remote access tool used to gain access to my computer from another machine.
0
