
My Pc Reboots At Loggin


17 replies to this topic

#1 el_ley


Posted 15 November 2006 - 05:53 PM

Hi guys, I have been having trouble for like a week now. This is what happened: I was downloading a file and when I tried to open it my anti-virus (AVG Free) detected like 10 trojans and I clicked on delete for every one. I think it rebooted in the process without giving any error message. That same day I tried to download Internet Explorer 7 but in the process my PC rebooted without warning. I went to safe mode, ran AVG and Ad-Aware, but they didn't find anything. After that I rebooted the PC and it turned on fine. I didn't use it any more until this Sunday. It rebooted suddenly again and ever since I can only enter in safe mode; otherwise it reboots on login without any warnings or error messages.

I run Windows XP SP2. Today I uninstalled AVG and installed NOD32, ran it in safe mode and it detected the win32\toolbarmywebsearch trojan in 2 files. I deleted them, ran Ad-Aware, which detected 1 spyware, and I cleaned it, but when I rebooted in normal mode it just restarted at login, and I have tried many times to start in normal mode with the same result.

P.S. I hope someone understood at least something of what u described; if anything is not so clear I'll try to explain it better. I am on my laptop because in safe mode with networking my PC at first connects to the internet but after like 5 minutes it just doesn't anymore. In Internet Explorer I tried to fix it but it said that htp and htpp are blocked or something.


#2 quietman7


Posted 16 November 2006 - 11:20 AM

Hello el_ley

Have you tried using System Restore to return to a previous state before your problems began?

If no success, then try some of the suggestions in "What to Do When XP or 2000 Won't Boot"

Edited by quietman7, 16 November 2006 - 11:39 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 el_ley


Posted 16 November 2006 - 01:29 PM

System Restore didn't work. I had to restore from safe mode, but after I did it, it started in normal mode and a window prompted saying System Restore couldn't restore my PC to the setup point I specified. I'll try the other method. Thanks a lot and I will keep posting any changes. If u have any other advice I will be grateful to try it.

#4 el_ley


Posted 17 November 2006 - 09:36 AM

Recovery Console didn't work either. I ran it and from there did a chkdsk /r and a fixmbr, and when I ran the PC in normal mode it still restarts at the login screen.

#5 quietman7


Posted 17 November 2006 - 10:11 PM

Try running the System File Checker (SFC) in Safe Mode to scan all protected files to verify their versions. If SFC discovers that a protected file has been overwritten, it retrieves the correct version of the file from the cache folder. The main reason for using this utility is when you suspect there may be a problem with a Windows system file. SFC allows you to check for any corrupt system files.

To use System File Checker:
Go to Start > Run and type: sfc /scannow

Make sure that you include a space between the c and /. This command will immediately initiate the Windows File Protection service to scan all protected files, verify their integrity, and replace any problem files. You must be logged on as an administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so have it available.

You said that Internet Explorer was not working properly. Have you tried using another browser like Firefox?

Also check your HOSTS file to see if it's been altered. If so, there are several ways to fix, rename, replace or edit the HOSTS file.
1. Open Windows Explorer and navigate to C:\Windows\system32\Drivers\ETC\
or go to Start > Run and type: C:\Windows\system32\Drivers\ETC\
2. Double-click on the HOSTS file.
3. A message will appear saying Windows can't open the file.
4. Check the circle at the bottom entitled: Select the program from a list
5. Click OK.
6. In the next window, scroll down in programs until you see Notepad.
7. Select it and click OK.

If you see this line below the header info: 127.0.0.1 localhost
...And nothing below it, then you have not been hijacked. An example HOSTS file is shown here.

If you see many double column entries and most are anti-virus and anti-malware sites, then remove (edit) all the entries leaving only the 127.0.0.1 localhost entry.

As an alternative to editing, you can choose to rename and replace the HOSTS file (recommended)
1. Open Windows Explorer and navigate to C:\Windows\system32\Drivers\ETC\
or go to Start > Run and type: C:\Windows\system32\Drivers\ETC\
2. Rename the file HOSTS to HOSTS.OLD.
3. Restart your computer and a new HOSTS file will be created. You can then delete the old one that you renamed.

Another thing you can do is install a HOSTS protection file replacement to make it less vulnerable. Go here: http://mvps.org/winhelp2002/hosts.htm
Download the MVPS Hosts file, unzip it and replace your old HOSTS file with this one.
There are detailed instructions on that page with a good overview of the HOSTS file and how it works.

If the HOSTS file is OK and SFC does not help, you can also try running a few more anti-malware scans. To do this you're going to have to download the following programs from another computer and save them to a USB stick or CD:
Sysclean Package.
Virus Pattern Files (lptXXX.zip).
ATF Cleaner by Atribune.
DrWeb-CureIt.
AVG Anti-Spyware 7.5. Be sure to print out the AVG Anti-Spyware Install-Scan Instructions.

Transfer all these programs to your computer. Install AVG Anti-Spyware following the instructions you printed out but do not perform a scan yet.

For the Sysclean Package do this:
  • Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
  • Place the sysclean.com inside that folder.
  • Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
  • DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first. DO NOT use yet.
Note: When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations, resulting in "Access is denied" log entries.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Scan with AVG Anti-Spyware, following the instructions you printed out for scanning in safe mode.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to run.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Exit when done.
Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • An "Express Scan of your PC" notice will appear. Under "Start the Express Scan Now", Click "OK" to start.
  • Click "Select drives" and then click the "Start/Stop Scanning" button (green arrow on the right) to start.
  • When done a message will be displayed at the bottom advising if any viruses were found.
  • A log file will be created in C:\Documents and Settings\username\DoctorWeb\CureIt.log
  • Any quarantined files will be sent to C:\Documents and Settings\username\DoctorWeb\Quarantine.
  • Exit the program and reboot normally.
Finally, make sure you re-enable your anti-virus program.

If that fails, then you may have to perform a "Repair Install".
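The HOSTS file check described in post #5, as an added example that is not part of the original thread: Python that parses a HOSTS file and separates the hijack pattern (security or update site names remapped) from blocklist-style entries such as the MVPS file and from redirects to other hosts. The keyword list, the function names and the sample files are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Assumption: illustrative security/update vendor keywords, not an exhaustive list.
SECURITY_KEYWORDS = ("symantec", "mcafee", "grisoft", "eset", "trendmicro",
                     "kaspersky", "windowsupdate")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; '#' comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower()

def triage(text):
    """Sort every non-default mapping into hijack / redirect / sinkhole."""
    findings = {"hijack": [], "redirect": [], "sinkhole": []}
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue  # the stock "127.0.0.1 localhost" entry
        entry = (line_no, str(ip), name)
        if any(k in name for k in SECURITY_KEYWORDS):
            findings["hijack"].append(entry)    # AV/update site remapped
        elif ip.is_loopback or ip.is_unspecified:
            findings["sinkhole"].append(entry)  # blocklist style (e.g. MVPS)
        else:
            findings["redirect"].append(entry)  # name forced to another host
    return findings

def verdict(text):
    """'hijacked' if security sites are remapped, 'review' for other redirects."""
    found = triage(text)
    if found["hijack"]:
        return "hijacked"
    return "review" if found["redirect"] else "clean"

# Constructed sample files (not taken from the thread).
CLEAN = "# sample header (constructed)\n#\n127.0.0.1       localhost\n"
HIJACKED = CLEAN + (
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 update.symantec.com liveupdate.symantec.com\n"
    "127.0.0.1 www.grisoft.com\n"
    "203.0.113.7 www.example-bank.test\n")
BLOCKLIST = CLEAN + "127.0.0.1 ads.example.test\n0.0.0.0 tracker.example.test\n"

if __name__ == "__main__":
    # Usage: python hosts_triage.py C:\Windows\system32\Drivers\ETC\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            data = fh.read()
    else:
        data = HIJACKED
    print("verdict:", verdict(data))
    for kind, entries in triage(data).items():
        for line_no, ip, name in entries:
            print(f"{kind:9} line {line_no}: {ip} {name}")
```

Keyword matching is by substring, so a "hijack" result is a prompt to read the listed lines, not proof on its own.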

#6 el_ley


Posted 17 November 2006 - 10:23 PM

I am on the job on what u said to do. By the way, internet works at the beginning and after like 5 minutes it stops working on either Internet Explorer or Firefox.

#7 quietman7


Posted 17 November 2006 - 10:24 PM

Good luck.

#8 el_ley


Posted 17 November 2006 - 10:29 PM

Did the sfc /scannow. It didn't ask me for a CD. It just showed a window like a command prompt for like 1/2 a second and it immediately disappears. So is that OK?

#9 el_ley


Posted 17 November 2006 - 10:36 PM

About the HOSTS file, I have 2: hosts and hosts.msn. I also have lmhosts.sam. What should I do with them?

#10 quietman7


Posted 17 November 2006 - 10:54 PM

From what you describe, sfc did not run. Make sure you follow the instructions here.

The one you want has no extension (it's just "hosts", not "lmhosts.sam" or "hosts.msn").

#11 el_ley


Posted 17 November 2006 - 10:55 PM

After the sfc and checking hosts, which was OK, restarted in normal mode and it logged on. The desktop was empty and when I tried to start Firefox the PC restarted again. Will continue with your instructions.

#12 el_ley


Posted 18 November 2006 - 11:39 AM

Since I couldn't run sfc even after trying what was described on the link u provided, I moved on to the next steps... AVG spyware scan was as follows:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:23:19 p.m. 18/11/2006

+ Scan result:



C:\System Volume Information\_restore{42448179-F96E-40DD-9773-28545D5D7179}\RP205\A0089069.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dsaoms.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\system32\~isdtt.tmp -> Adware.BHO : Cleaned with backup (quarantined).
[1272] C:\WINDOWS\system32\dsaoms.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.40:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.50:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.51:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.52:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.10:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.7:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.8:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.9:C:\Documents and Settings\Fuentes\Application Data\Mozilla\Firefox\Profiles\vqte08ww.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

I know it is dirty... moving on to Sysclean. Will post that too.

P.S. I have HijackThis on the PC, would it help? I don't know how to use it though.

#13 el_ley


Posted 18 November 2006 - 12:56 PM

I think something went wrong with Sysclean. I ran it and a command prompt window opened and started scanning files but it always said at the end of each line error 94. There were no running applications when I did the scan, only the Sysclean folder was open. I am posting the sysclean.log so u can see:


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-11-18, 12:38:08, Auto-clean mode specified.
2006-11-18, 12:38:08, Running scanner "C:\Sysclean\TSC.BIN"...
2006-11-18, 12:40:30, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2006-11-18, 12:40:30, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Sáb Nov 18 2006 12:38:09

Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 806) [success]

Complete time : Sáb Nov 18 2006 12:40:30
Execute pattern count(2971), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-11-18, 12:40:30, An error was detected on "C:\53c3028a8598e2976524343b\update\*.*": Access is denied.
2006-11-18, 12:40:31, An error was detected on "C:\9c74722700dff234eaddd1148d\update\*.*": Access is denied.
2006-11-18, 12:41:02, An error was detected on "C:\Documents and Settings\Reinaldo\Desktop\my pics\hidden\*.*": Access is denied.
2006-11-18, 12:45:00, An error was detected on "C:\Program Files\DAP\History\Fuentes\*.*": Access is denied.
2006-11-18, 12:45:00, An error was detected on "C:\Program Files\DAP\History\Reinaldo\*.*": Access is denied.
2006-11-18, 12:45:00, An error was detected on "C:\Program Files\DAP\History\Yudith's\*.*": Access is denied.
2006-11-18, 12:45:57, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-11-18, 13:42:30, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/18/2006 12:46:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 933 (143098 Patterns) (2006/11/17) (393300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

163866 files have been read.
163866 files have been checked.
153759 files have been scanned.
335600 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/18/2006 13:42:29
---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-18, 13:42:30, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/18/2006 12:46:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 933 (143098 Patterns) (2006/11/17) (393300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

163866 files have been read.
163866 files have been checked.
153759 files have been scanned.
335600 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/18/2006 13:42:29 55 minutes 40 seconds (3339.88 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-18, 13:42:30, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/18/2006 12:46:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 933 (143098 Patterns) (2006/11/17) (393300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

163866 files have been read.
163866 files have been checked.
153759 files have been scanned.
335600 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/18/2006 13:42:29 55 minutes 40 seconds (3339.88 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-18, 13:42:30, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.

#14 quietman7


Posted 18 November 2006 - 02:19 PM

When using Sysclean you need to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations, resulting in "Access is denied" log entries.

#15 el_ley


Posted 18 November 2006 - 02:57 PM

I was and still am in safe mode and in the administrator session and those were the results of Sysclean... is that wrong? I also remember that when I ran NOD32, also in safe mode and administrator account, it said a lot of access denied error code 4.
What did u think about the AVG log? Would it be of help to use HijackThis? I have never used it.



