Restarting Automatically

Problems like you are describing could be due to malware or they could be due to hardware problems.

1. Does your PC remain running if you just power up and logon and don't do anything?
2. What if you don't run HJT, msconfig, regedit, or WMP? Do all other programs work without causing your PC to restart? Like can you run IE and surf for awhile without problems?
3. Can you access the HJT folder and run msconfig, regedit and WMP without problems in safe mode?
4. Why are you running regedit?

If this is really malware, you will need to help us by running as much of the below as is possible. The more you run, the more likely we will be able to help you and the faster we will be able to do it.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Try running GetRunKey and ShowNew in safe mode if necessary.

I also want you to try running the below.

Please download GMER

1. Save the GMER.zip file to your desktop
2. Now uzip it to your desktop to reveal a GMER.exe file
3. Double click the GMER.exe file
4. Click the Rootkit tab and then click the Scan button.
5. IMPORTANT: Do NOT use the computer while the scan is in progress.
6. Please, do not select the "Show all" checkbox during the scan.
7. When it finishes, click the Copy button. This will copy the results to your clipboard.
8. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
9. Attach your log to your next reply.

If you don't know how to open notepad, click Start, Run, and enter notepad and click OK. To paste the info you copied into notepad, just hit CTRL-V. Then save the log.

 

It looks like you may have a Gromozon Rootkit infection. You appear to have a least one sign of it in your log, so let's go under the assumption that you have it and run a fix for it. This can be quite nasty and difficult to remove. Let's give the below tool a run and hope that it can fix the problems.

Gromozon Rootkit Removal Tool


Attach the log from this! If it does say anything about find and removing the infection, see if you can now run other programs.

 

Then download it on another PC and copy to this PC somehow. Or try downloading in safe mode.

The rootkit is the problem. You will need to get tools onto this PC for us to be able to help you. So figure out a way to get them copied on to the infected PC.

Another tool that could be useful is ADSspy.

• Please download ADS Spy, save to your desktop.
• Once you have downloaded this utility, extract the contents and double click "ADSSpy.exe" to run the utility.
• Once the utility has loaded, make sure the first 2 boxes are checked.
• Now click Scan the system for alternate data streams
• After the scan has finish look for any lines that have the below on them
  • C:\WINDOWS\system32:ciaa.dll
• Select ONLY THOSE LINES and nothing else! And then have ADSspy remove them (there may only be one instance).

Then reboot your PC into safe mode. Make sure you have enabled viewing of hidden & system files per step 2 of the READ ME. Look for C:\WINDOWS\system32\ciaa.dll and if found, delete it.

Attach a new log from GMER