• Status: Solved
  • Priority: Medium
  • Security: Public

Reboots when apps specified in registry are used

I have cleaned this system and had it working for days without error, but the customer gets it and two days later it's back and possibly more vicious. It had over 70 pieces of malware, antivirus and firewall disabled, and now this one is left. I tried removing it today, and when booted or rebooted in normal startup (safe mode seems fine) the registry entries come back. I'm positive these are the cause but cannot find the file etc. that causes it to re-install. Many are beginning to have this same problem when I looked online today, but no-one has supplied an answer as yet on any of the forums I happened upon. This must have been a test case, because the user had this start months ago and did nothing about it; then I worked on it a couple of months later, in January or February, and the internet reports look more recent.
The system boots fine and works OK but then restarts if Internet Explorer is started; this was noticed by the customer every time, but it also does this when Word is started, and I noticed there are other programs affected, which you can see in the pics attached. I can delete or clean them from the Registry, but why and how it comes back is what I need help with, so I can understand how to stop it or stop similar occurrences.

Is it just a case of finding the right registry cleaner? None of the Anti-Virus programs seem to find it as a problem; the last scan with McAfee found cookies and maybe one trojan, which did not help.

[Attachments: "2nd opinion or find of restart in registry", "Registry entries cause found"]

Asked by: Freshcafe
6 Solutions
 
Donald Stewart (Network Administrator) commented:
Have you run Malwarebytes?

http://malwarebytes.org/

Or Hitman Pro?


http://www.surfright.nl/en   - [Moderator note: see http:#a35900158 - not recommended to be used]

Freshcafe (Author) commented:
I did run Malwarebytes, but that was a month or so ago when I first had the machine - maybe the latest will find & cure it, and I've not tried Combofix on this machine - I thought Combofix was for some viruses, i.e. the most well-known, worst ones. At the moment it's a Bank Holiday weekend, so I do not know if I will see that particular system now, though I am working right through. Thanks for the answers so far.

Sean Meyer commented:
I always run Combofix at the end of any bad infection. It often finds the leftovers.
 
Donald Stewart (Network Administrator) commented:
Hitman pro is quite useful as well

huacat commented:
Don't trust any Anti-Virus/Anti-Malware software!
This software always alerts after infection.

I recommend you format and re-install your system.
Please install all patches before connecting to the internet.

Please form good habits when using your computer:
1: Download software from the official website.
2: Install all security patches in time.
3: Never run strange programs.
4: When opening mail attachments/zipped files, please check them carefully.
5: Often use [Process Explorer] and [Autoruns] to check your system. (You can download these two tools from the Microsoft website.)

Donald Stewart (Network Administrator) commented:
"I recommend you format and re-install your system."

That's "cop out" advice!!!

I haven't come across any virus/spyware/malware that I couldn't get rid of.

huacat commented:
1: Only 2 days, so we needn't back up & restore a lot of data.
   If we take 2 hours or more to clean 70 malware/spyware/virus infections, why not use only 30 minutes to re-install and get a "pure clean system"?
   Maybe there is some newer spyware/malware/virus that these software tools cannot find.

2: We can "come across" everything, but the customer can't.
   I'm afraid the customer will still have 70+ malware/spyware/virus 3+ days later again.

3: Maybe we should teach the user "How to use the computer safely",
   or recommend security software (e.g. Norton Anti-Virus, ESNOD and so on) to the customer.

Donald Stewart (Network Administrator) commented:
I highly doubt the OP paid for a subscription to this forum just to be told "Reformat".

Reformatting is ALWAYS the very last resort, not the first.

Freshcafe (Author) commented:
I agree - I always use reformat and re-install as a last resort - though it is the first thing larger companies do, like companies with names like Personal Computer Earth, or manufacturers when you send your system in for warranty repair - many or most users don't have a proper backup routine or even one backup and realise too late, and therefore lose everything.

I am finally going back to the address today after the few holidays passed and will try a few of your suggestions.

BillDL commented:
Hi Freshcafe

Could you possibly do us a favour if you are back at the house and you see the entries in the registry as shown in your 2nd screenshot? Could you export them to a *.REG file, rename it as *.TXT, and attach it here, or double-click on each of the "Application Restart" values and copy the paths out into Notepad. Either that, or move the vertical divider across to the left so we can see the full paths shown for the "Application Restart" values and create another screenshot.

I'm really curious to see the paths to the files and determine if they are legitimate "crash recovery" entries or bogus ones pointing to infected files.
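One way to do the triage BillDL describes, as an added example that is not from the thread: it parses an exported .REG file (REG_SZ and hex(2)/REG_EXPAND_SZ values, including continuation lines), pulls the executable out of each "Application Restart" command line, and flags entries whose program lives in a user-writable location instead of Program Files or Windows. The key path and file names in the sample export are assumptions, not values from the screenshots.

```python
import re

# Constructed sample Regedit export (placeholder key paths and file names, not from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Example\RestartManager\Application0000]
"Application Restart"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" /restore"
[HKEY_CURRENT_USER\Software\Example\RestartManager\Application0001]
"Application Restart"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,\
  70,00,64,00,2e,00,65,00,78,00,65,00,00,00
'''

SAFE_PREFIXES = ("c:\\program files", "c:\\windows")
SUSPECT_MARKERS = ("%temp%", "%appdata%", "%userprofile%", "\\temp\\", "\\appdata\\", "\\users\\")

def decode_value(raw):
    """Turn the right-hand side of a .REG value line into a Python string."""
    if raw.startswith('"'):                     # REG_SZ: "..." with \\ and \" escapes
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith("hex(2):"):               # REG_EXPAND_SZ: UTF-16LE byte list
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                  # other types are left untouched

def parse_restart_values(reg_text, value_name="Application Restart"):
    """Return (key, command) for every value_name entry in the export."""
    key, buf, out = None, "", []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                # start of a new key
            key = line.strip("[]")
        elif line.endswith("\\"):               # hex value continued on the next line
            buf += line[:-1]
        else:
            m = re.match(r'"(.*?)"=(.*)', buf + line)
            buf = ""
            if m and m.group(1) == value_name:
                out.append((key, decode_value(m.group(2))))
    return out

def triage(reg_text):
    """Classify each restart entry by where its executable lives."""
    results = []
    for key, command in parse_restart_values(reg_text):
        m = re.match(r'"([^"]+)"|(\S+)', command.strip())   # quoted path or first token
        exe = ((m.group(1) or m.group(2)) if m else "").lower()
        verdict = ("expected location" if exe.startswith(SAFE_PREFIXES)
                   else "user-writable location: review" if any(s in exe for s in SUSPECT_MARKERS)
                   else "unknown location: review")
        results.append({"key": key, "exe": exe, "verdict": verdict})
    return results
```

A flagged entry is only a lead: confirm the file on disk (does it exist, is it signed, does it match the application the key claims to restart) before treating it as the cause.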
 
BillDL commented:
Oh damn, this is an old question.  I thought it said 27th May in that last comment, not April ;-)

Freshcafe (Author) commented:
Thank you for the thought BillDL. I went back, and the good news is there are now 2 or 3 AntiVirus progs that helped on another very annoying job - Ramnit, Alureon etc. were on and all said just give up, but I'll try getting those run first. The bad news is they keep being out or saying they'll call when convenient. The Microsoft (10 day valid) scanner MSERT, Nortons and one other (I wish I remembered) are now effective on these pests that stop us going to the 'Cure' sites or running the appropriate app, or re-infect immediately and on reboot etc.

This'll probably close and I'll keep trying to sort them out - their mother has some kind of adult learning to do on it, so they definitely still want it sorted, they keep telling me. Sorry for the delay / inconvenience.

Sean Meyer commented:
I have been recently using http://www.eset.com/us/online-scanner   I first started using it after a recommendation by RPGGamergirl.  It often finds little things left over.


Sudeep Sharma (Technical Designer) commented:
I would also recommend that you go through the articles from Younghv:

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

I hope that would help.

Sudeep

phototropic commented:
"...Ramnit, Alureon etc was on and all said just give up..."

Ramnit is a file-infector, in the same class as Virut or Sality.  It is extremely difficult to remove or back up data without prolonging the infection.  Good article here:

 http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_1009-Virut-Malware-continues-to-evolve.html?sfQueryTermInfo=1+10+30+evolv+virut

Thus, whilst I agree with dstewartjr that reformat is a nuclear option...in this case it probably is the way forward.

Incidentally, Combofix should only be downloaded from the developer's approved site:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

And Hitman Pro has a VERY bad press at the moment - I was taken to task by rpggamergirl for recommending it a couple of days ago:

http://www.experts-exchange.com/Security/Vulnerabilities/Q_27056402.html?sfQueryTermInfo=1+10+30+bsod+hitman+pro

I'm not suggesting it at all until the problems get resolved.

Freshcafe (Author) commented:
Thank you MODAlot - the Users/Owners kept messing me around with appointments not being kept, but I've had a similar problem on another system, just not as bad - it only had one file restart. Nortons along with the Microsoft (MSERT) sorted it. Wish I had the chance to find out what the problem and/or solution was in the end. Thanks for your answers (I thought I closed this before).


Freshcafe (Author) commented:
Gave Armygroo Best Solution as I also like using online scanners when possible to find the latest malware, though most of the new ones stop access to the sites necessary. All did well in their suggestions; even the previous standard process of format and move on has its uses.

Thank you all

phototropic commented:
As I said above: "...Ramnit is a file-infector, in the same class as Virut or Sality.  It is extremely difficult to remove or back up data without prolonging the infection.  Good article here:

 http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_1009-Virut-Malware-continues-to-evolve.html?sfQueryTermInfo=1+10+30+evolv+virut ..."

Are you saying that the eSet online scanner removed Ramnit from a customer's computer? ("...Gave Armygroo Best Solution as I also like using online scanners when possible to find the latest malware...")

If that is the case, please could you post the scan logs, or talk a little bit more about the procedures you used. I have never seen a Virut/Sality/Ramnit infection that could be adequately cleaned. In my experience, file infectors are always uncleanable except by a format/reinstall. It's the only time I would consider biting the bullet and reinstalling.

Ramnit certainly cannot be removed via Mbam or Hitman Pro, and the last time I ran Combofix on a Ramnit infected pc, it stopped when it detected the presence of a file infector.  So if you found a way to clear out Ramnit without a format, please post the steps you took.  That is an exciting development.

 