Vista crashes at startup login after running



CityKid
2009-04-20, 04:27
I ran SpyBot on 2 different machines (HP & Toshiba). Both machines were running MS Vista HP edition. After running SpyBot and removing several threats, the machines will only go as far as the startup login screen before they shut down. MS Startup Recovery program reports that it can detect no problems with startup, and restoring to an earlier restore point does not fix the problem. Something was changed, but I can't figure out what it is.

Matt
2009-04-20, 22:10
Hi CityKid,

:welcome: to Safer Networking Forums. :)

Can you start your computer in safe mode (http://www.pchell.com/support/safemode.shtml)?

Which kind of Malware did Spybot find?

CityKid
2009-04-21, 01:30
Here's a bit more detail:

The problem started (on 2 separate machines) from 2 different manufacturers after I ran SpyBot Search and Destroy to remove SpywareBot.SpywareStop from the machines. Startup gets as far as the login screen. I have just enough time to start typing the password and then the machine(s) shut down.

Safe mode runs to the point where I get a mouse cursor on the screen but then the machine(s) turn themselves off.

I have tried running Startup Repair but it reports, "Boot status indicates that the OS booted successfully."

I can get a Command Prompt from the System Recovery Options menu and have run chkdsk /r /f but to no avail.

I have tried restoring the machine to an earlier point but the problem persists, restore fails BTW (I have tried turning off all active protections, but to no avail).

I can log into Vista using the "Last known good configuration" from the Advanced Boot Options menu. Is there any way to transfer the settings from the "Last known good configuration" to whatever set is being used for the standard startup?

UPDATE: I just restored the virus using SpyBot and my machine will now boot. So, it would seem that the problem is related to how SpyBot is removing the virus/Malware.

CityKid
2009-04-21, 08:33
I have been picking my way through the files that SpyBot has identified as parts of SpywareStop and removing them selectively.

Removing the following causes Vista's standard login to fail:

- All registry entries
- All files
- a file named SpywareStop.srv.exe

Login worked after removal of these files:

SpywareStop on the web.lnk
SpywareStop.lnk (in various directories)

CityKid
2009-04-21, 14:01
A quick update. I managed to narrow down the problem (as detected by SpyBot S&D) to three files in the SpywareStop package. They are:

- SpywareStop.srv.exe
- TCL.dll
- ZLIB.dll

If these items are removed, Vista's normal logon process will die and the machine will turn off shortly after the login splash screen appears. My assumptions are based on SpyBot S&D results. There may be more to the picture, such as files Spybot S&D may have missed, for example.

Now I have to figure out how to get rid of these - I suspect some time in the registry will be required.

Matt
2009-04-21, 16:44
Hi CityKid,

thank you for your updates.

Unfortunately, I can't help you. :sad: But I will ask for help. :)

Have you already removed this Malware or can you still log in? Sorry, I'm a little bit confused now... :blink:

CityKid
2009-04-21, 21:01
Hey Matt,

I can log in now, as long as I leave the 3 files I mentioned in place and don't delete them. The machine seems to be operating normally. Initially after a Spybot scan I had deleted those three files that I mentioned along with all the other files SpyBot associated with the SpywareStop trojan/malware. After running SpyBot, the only way I could log into Vista was via the "Last known good configuration" from the Advanced Boot Options menu.

Matt
2009-04-22, 10:27
Hi CityKid,

thank you for this update. :)

If you think that you still have Malware on your computer, I have the following recommendation for you:

Please read the thread "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) from tashi carefully, and especially prepare a HijackThis logfile.

After that, you can open your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where an expert will try to help you. ;)

Please add any information in this post, which looks helpful in your eyes.