23 replies to this topic

[steve-o]

Below is the latest scan I ran without a trace of malware. However, I continue to get redirected and experience continuous reboots at startup. I get to the point where I can see my desktop and icons but then screen goes black and the reboot process starts all over again. The only way I can intervene is by hitting F8 and entering pc at Safe Mode level which allows me to then to have Internet access and the ability to run MBAM. If helpful I can show log that did find the malware previously. Any assistance is appreciated. Thank you.

Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

6/20/2009 7:19:38 PM
mbam-log-2009-06-20 (19-19-38).txt

Scan type: Quick Scan
Objects scanned: 183613
Time elapsed: 25 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

[yardbird]

Hi and welcome to the forum! Do you have all these files below in the Trusted area of your Firewall & AV software?

C:\WINDOWS\system32\drivers\mbam.sys
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (Windows 2000/XP)
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (Windows Vista)

please take a look and reply back, thank you...

EDIT: It would help if I know what you are using for AV & a Firewall please

[steve-o]

Yardbird,

Thank you very much for responding so quickly. To be very blunt - I don't know. In fact I do not even know where to check or look to confirm your questions. I am a total amateur or newbie when it comes to computer troubleshooting. Can you direct me?

Steve

[yardbird]

I'll do the best I can, Tell me what kind of anti virus software you are running, and what type of Firewall if any?
And I believe you have XP? correct me if I'm wrong?

[steve-o]

AVG 8.5 and I thought Windows Firewall, but that looks like it is disabled. Yes on Win XP with Service Pack 3.

[yardbird]

Your last AVG scan that you did was clean?

[steve-o]

Yes, in fact I ran AVG twice with no detection whatsoever. The malware had the system (scan) slowed to the point it took most of this week to run them. So then I researched some of the issues on my work pc and discovered MBAM. That scan found the malware right away. But as indicated earlier, the pc still has issues.

[yardbird]

The issues are PC Keeps Rebooting at Startup, any other issues, any error messages? anything else you need to tell me. and wes should stay on the topic of the computer that is giving you trouble. (If you have another pc thats ok. Or needs attn. we will deal with that in a new thread. ok?)

[victimized]

I have seen a case like this when the pc keeps rebooting when an anti-virus/ malware/spyware removal tool finds a virus, infected with zango?

[yardbird]

victimized, on Jun 20 2009, 06:28 PM, said:

I have seen a case like this when the pc keeps rebooting when an anti-virus/ malware/spyware removal tool finds a virus, infected with zango?

Look over the thread from the top, please.. remember no. # 3 he's new. After he replies back
let me know what ideas you have please

[steve-o]

There are no other messages or errors or anything like that. The only issues are 1) continuous reboot just as my desktop shows itself, and 2) redirecting links (even in safe mode).

Additional info: after MBAM discovered the infections, I rebooted the pc and it worked just fine for about three or four hours. Then it suddenly rebooted by itself and has not worked correctly since.

I'm in safe mode now and it is the only way for me to communicate with you.

And yes, I totally agree....one pc at a time.

[yardbird]

Your mbam log shows your clean, what as you said above Additional info: after MBAM discovered the infections,? Are they in another log?

[steve-o]

Yes, below is the log that found the infections:



Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3

6/20/2009 6:46:45 AM
mbam-log-2009-06-20 (06-46-45).txt

Scan type: Quick Scan
Objects scanned: 180861
Time elapsed: 24 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AVR09.exe (Adware.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[yardbird]

Steve your only issue is PC Keeps Rebooting at Startup, your log on top, has the current databse, & this log has DB 2310. Can you go into windows?, I know your in safe mode. Can you try it? and reply back with any errors, what works & what does not work? I need to look at AVG. and see how it should be configured & I need to look at 1 item in the old log... which when you scan it with the new database shows clean. I don't use AVG so I'll have to look at it on the net. and I or someone else from support will post back. it may be later. any questions for now? See about going into windows please. I'll wait here until you reply back -- see if you get that far 1st....

[steve-o]

You bet. I will try it and if I am unsuccessful I will be right back to let you know.

[sulliman24]

I had a PC that would keep rebooting every time the user would try to shut down. Everything worked fine for the user until they tried to manually shut down. Once they tried to shut down the computer would just restart instead. I was able to scan the PC in safe mode using MBAM. It turns out the infection was Trojan.Vundo. I am not sure if this helps at all.

[steve-o]

Yardbird,

I made it through! Here is what I did. I closed out of everything and then went through the process of shutting down pc. Instead of restarting, I shut completely down, waited for 30 seconds and then pressed button to start the computer again. I booted up fine with no problems. My desktop showed up and everything looked fine. I clicked on the MS IE button on the bar at bottom of screen and after a few seconds I got a typical error message from MS Windows saying 'The system has recovered from a serious error. A log of this error has been created.' Then it basically goves me the option to tell Microsoft about the problem so I can send an error report to them. The buttons say 'Send Error Report' or 'Don't Send'.

[steve-o]

Thanks for the input Sulli. Any help is much appreciated.

[yardbird]

It helps, I don't recall where the post was on this board? when you run mbam in safe mode you don't get all that it should do. Since like right now I have 3 windows open helping others ..I had no time to research that? The post went on to say you get the all that mbam can give when run in windows... it was posted by an admin... and I haven't had time to think about that. but all process's don't run in safe mode... its hard for me to recall a passing post... when I was busy & it was not directed at me...
another mystery?

EDIT: are you in windows ?

[steve-o]

Lol. Definitely a mystery. So should I run MBAM again in Windows and see if anything else is picked up. And maybe another AVG scan as well?