Windows restart loop .. urgent !

Hi guys ..

Urgent help needed. I downloaded a rar file with an exe inside which I double clicked [it's almost def a virus] and it IMMEDIATELY restarted my machine. Then when windows restarted it just rebooted my machine again and again. I can only get in on safe mode!

PLEASE HELP!
Eternal_Student Asked:
 
sirbounty Commented:
Hmm - I'm not sure that Last Known Good would help here either...
Try going back into MSConfig and clear all startup items and all non-MS services (remember to check the box below).
Reboot - can you get in that way?

If that doesn't work, I'd be likely to suspect a rootkit, and that's not a good thing...
Although there are 'rootkit revealers' out there, I believe it might be left to a support person:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
http://www.sysinternals.com/utilities/RootkitRevealer.html

You can try running it to see, but don't remove anything without being 100% certain.
0
 
sirbounty Commented:
Get in safe mode, click Start->Run->MSConfig
Locate the offending program from the startup tab and deselect it (otherwise deselect everything).
Reboot and run an online scan from www.antivirus.com
0
 
Eternal_Student (Author) Commented:
I tried that but it didn't solve anything .. still just restarts before windows fully loads.

Any other suggestions or should I try a system restore?
0
 
Eternal_Student (Author) Commented:
Actual system restore isn't even an option, I didn't have that enabled.

OoOps. HELP
0
 
sirbounty Commented:
Try the msconfig route again, this time, check the Hide MS services and deselect all remaining.

You might also try this script:
http://www.silentrunners.org/Silent%20Runners.vbs

As well as downloading www.hijackthis.de
Download it, save it, then run it - post your log to the same site and have it evaluate it for you.
0
 
Eternal_Student (Author) Commented:
Will hijack this be effective in safe mode?
0
 
sirbounty Commented:
sure
0
 
Eternal_Student (Author) Commented:
I will try the other things you mentioned first and then try hijack this but it seems to be something nasty running on start up.
0
 
Eternal_Student (Author) Commented:
The only possibly nasty hijack this entry was this one:

         O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208

Does that look like it could be the culprit?

Nothing else seemed to work!
0
 
sirbounty Commented:
No, that's probably your DNS settings.
Can you post the link to your logfile (not the logfile please)
0
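A way to check an O17 entry like the one above against the DNS servers a machine is supposed to use, as an added example that is not part of the original thread. It assumes the HijackThis `O17 - <key>: NameServer = ...` line layout seen in the post; the second O17 line, the O4 line and the "expected" resolver list are constructed for illustration.

```python
import ipaddress
import re

# O17 lines as shown in the post: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(
    r"^\s*O17\s*-\s*(?P<key>.+?):\s*NameServer\s*=\s*(?P<servers>.+?)\s*$",
    re.IGNORECASE,
)

# First O17 line is the one quoted in the thread; the other lines are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FFEA1EE-DDD8-4199-B65C-306E0B3F61D3}: NameServer = 217.169.46.215,217.169.46.208
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.53 217.169.46.215
"""


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue  # other sections, or O17 Domain/SearchList lines
        servers = []
        for token in filter(None, re.split(r"[,\s]+", m.group("servers"))):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                servers.append(token)  # keep malformed values so they are flagged
        entries.append((m.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, expected):
    """List (registry_key, server) pairs whose server is not an expected resolver."""
    expected_set = {ipaddress.ip_address(e) for e in expected}
    return [
        (key, str(server))
        for key, servers in parse_o17(log_text)
        for server in servers
        if server not in expected_set
    ]


if __name__ == "__main__":
    # Assumption: these are the resolvers the ISP or network admin hands out.
    known = ["217.169.46.215", "217.169.46.208"]
    for key, server in unexpected_resolvers(SAMPLE_LOG, known):
        print(f"unexpected DNS server {server} under {key}")
```

The expected list should come from the DHCP lease or the network administrator, not from the infected machine itself.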
 
Eternal_Student (Author) Commented:
The vb script produced a log but the only thing that stands out [in my humble understanding] was this:


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Would that have anything to do with it?

thanks.
0
 
sirbounty Commented:
No, that just enables the Shutdown button on your logon screen...
0
 
Eternal_Student (Author) Commented:
hummm, I'm actually at my work station, so I'm unable to work at the minute!

If worse comes to worse I will have to get our support guy here but I was hoping to save the embarrassment and fix it myself!

Any ideas?

Thanks for your time sirbounty.
0
 
sirbounty Commented:
Give me a few to look at your log file...
0
 
Eternal_Student (Author) Commented:
Good man, MUCH appreciated .. I also have the silent runners log file if you need that ?
0
 
sirbounty Commented:
You can post it for ha-has if you want to...
0
 
Eternal_Student (Author) Commented:
oh ok, I won't bother, I just thought you may be able to gauge some information from that. What a nightmare!
0
 
Eternal_Student (Author) Commented:
Hi Sirbounty,

I tried to log in after going through the MSConfig settings but it just rebooted so I tried last known good and IM IN !!!!

It said windows has recovered from a serious error about 5 times and seemed to be running slow.

What can I do to make sure my machine is clean from this virus?

many thanks.

IM IN THO !!
0
 
sirbounty Commented:
Search for the EXE/RAR and DELETE IT!  Other than that, it should not have made any permanent damage...
You can repeat the steps above to be sure.
0
 
Eternal_Student (Author) Commented:
I deleted it in safe mode!

Wow, seems like I have been lucky then.

Do you want me to post hijack this link again now?

You're the man
0
 
sirbounty Commented:
Sure, can't hurt... :^)
0
 
Eternal_Student (Author) Commented:
0
 
sirbounty Commented:
The only one I don't recognize is
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE

Could be 'work' related, though...?
0
 
Eternal_Student (Author) Commented:
Yea, I think that is a remote access tool used to gain access to my computer from another machine.
0
Question has a verified solution.
