Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Uspected, Though Unknown, Trojan Infection


  • Please log in to reply
8 replies to this topic

#1 tjackson80

tjackson80

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 14 June 2008 - 07:41 AM

Greetings all,

I am new here but have run out of places to turn, so it is my hope that you'll be kind enough to offer me some aid in my hour of desperation. Basically here's my scenario.

Recently, I noticed extremely decreased usage speed in my Windows XP Pro install. I have had SP3 installed for a bit, and it was working fine prior to the decreased efficiency, so I don't think it is a factor. I have, since noticing the decrease, done the following.

Run a full scan with Norton 360 (after liveupdating)
Installed Ad-Aware, updated, ran a full scan
installed SpyBot, updated, ran a full scan

My symptoms aren't incredibly distinct so as to warrant an effective internet search. Shortly after noticing the speed decrease, I noticed the emergence of firefox popups and unauthorized new tabs. This was new as I had previously had wonderful luck with firefox's popup blocking. I checked in the following places for suspicious items;

Registry ... current user and local machine windows run and runonce folders
startup folder in menu

the registry hunt returned a couple suspicious items, but i suspect their namings are so random that they don't offer much in the way of leads. Basically they were rundll commands for a few gibberish files in system32. I removed them and rebooted and they returned. Here's where it gets annoying.

I also safebooted, went into the system32 folder and removed the gibberish files there. I rebooted, and they too returned. Upon the installation of Spybot, I have been receiving notification (which I have set for automatically deny) that something is trying to recreate another of those rundll commands in the registry. I have a lurking suspicion that my problems are related somehow to activeX, but I haven't found anything substantial to support such a suspicion.

BRIEF EDIT: Upon a post, spybot clean reboot, it appears this pesky notification still remains, though the dll it is trying to setup for run has randomed its name. the consistent naming is given to the entry itself, 'BM6f0e9528'.


There are also two or three extremely quick command windows popping up on reboot. They say something to the effect of failing to find a file. I suspect this is a partial success, in that I probably have removed some suspect dll files from system32 and the lovely 'whatever it is' can no longer find them. I do however, continue to have an unusually high amount of rundll and svchost processes sitting in my task manager now and this is what concerns me most.

My questions are these, what do you think I have? and what could I do to better facilitate aid in diagnosis and treatment?

-tom jackson
tjackson80@gmail.com

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:10 AM

Posted 14 June 2008 - 07:48 AM

Welcome to BC tjackson80

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 tjackson80

tjackson80
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 14 June 2008 - 12:14 PM

log is as follows:

Malwarebytes' Anti-Malware 1.17
Database version: 854

11:47:30 AM 6/14/2008
mbam-log-6-14-2008 (11-47-30).txt

Scan type: Quick Scan
Objects scanned: 42419
Time elapsed: 24 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccbCvUl.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jvxfbryn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mlJYRJDu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d995d05-d942-4004-a64e-37cec0017bfe} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7d995d05-d942-4004-a64e-37cec0017bfe} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e25ee903-37eb-467b-b1f0-f71063f6b8c8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e25ee903-37eb-467b-b1f0-f71063f6b8c8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljyrjdu (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c3da6b4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6f0e9528 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e25ee903-37eb-467b-b1f0-f71063f6b8c8} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccbcvul -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccbcvul -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccbCvUl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lUvCbccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lUvCbccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvxfbryn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nyrbfxvj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUkjHwX.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XwHjkUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XwHjkUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom Jackson\Local Settings\Temporary Internet Files\Content.IE5\6JW3MBC7\CAAVSXYF (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom Jackson\Local Settings\Temporary Internet Files\Content.IE5\6JW3MBC7\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qxkgennh.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mlJYRJDu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


I did the reboot the program requested, and although I'm getting significantly less prompts for registry modification, my internet connection is slower than it should be. I'm not sure if this trojan is known for buggering firefox.

#4 tjackson80

tjackson80
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 14 June 2008 - 01:52 PM

Because of the Malaware diagnosis, I've also been running the recommended options in other threads based on this trojan. I downloaded Vundofix and it found one instance in my PowerISO directory. This is disturbing as I have that also installed on another machine, so i'll check that out soon enough.

I have also downloaded the Symantec Removal tool for Vundo and will be running it in safemode soon.

Because my symptoms were presenting themselves again, I ran Malaware again. This resulted in some items which were removed without any prompt for reboot. I'll be doing a third scan after the Symantec Removal. If problems remain, I'm wondering if I should follow other advices for running SUPERAntispyware and ATF Cleaner?

Upon completion of the Symantec Removal and the third malaware run, I'll paste the logs from VundoFix and MalAware.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:10 AM

Posted 14 June 2008 - 02:57 PM

I doubt the Symantec Removal Tool will do any good.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 tjackson80

tjackson80
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 15 June 2008 - 02:05 AM

It appears that my problem still remains after those steps.
I am no longer getting repeated notifications of registry changes, however I still have two extremely unspecific and altogether suspicious rundll items in my registry. As requested however, here is my log for a 10 hour SuperAntiSpyware scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2008 at 01:22 AM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Complete Scan
Total Scan Time : 09:55:18

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 7374
Registry threats detected : 1
File items scanned : 156910
File threats detected : 1

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP

Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.indextools.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.indextools.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.indextools.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.leeenterprises.112.2o7.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.sixapart.adbureau.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.sixapart.adbureau.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.sixapart.adbureau.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.sixapart.adbureau.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
www.burstbeacon.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Sarah Jackson\Application Data\Mozilla\Firefox\Profiles\iukza01h.default\cookies.txt ]

Trojan.Dropper/Game
C:\PROGRAM FILES\PARSONS\QUICKVERSE\QUICKVERSE\QVINSTAL.DLL


Basically the main symptom that bothers me now, is that firefox does not want to actually load any pages. It connects to the domain fine, says it is loading, but the pages never display. This affects pretty much any and all sites, even after a full cache wipe. My next step is to attempt a full firefox uninstall including directory/registry wipes. Got any ideas on those remaining registry items? I got a notification upon booting that one of them wasn't found, indicating that the dll has been deleted but the registry entry remains. Attempted deletion of that registry item didn't work, it recreated itself. The other remaining suspicious dll doesn't generate a 'hey i can't find that' error, so it's still doing something questionable. If there's any relationality to all this, it is that there seems to be a large amount of svchost processes running.

If it helps at all, I think I might remember the original instantiation of something that looked fauxLegit but was probably some bs malware interface. I got an icon in my systray which looked like a red version of the 'windows update download' icon, the one that pops up when the automatic update thing wants you attention. Upon clicking this red version, I got a prompt to reset my options for automatic updates, firewall, and something else. I dont know if this helps narrow things down or not.

I really appreciate your help in this matter and apologize for my problem taking so darn long.

Edited by tjackson80, 15 June 2008 - 02:12 AM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:10 AM

Posted 15 June 2008 - 07:14 AM

I still have two extremely unspecific and altogether suspicious rundll...I got a notification upon booting that one of them wasn't found, indicating that the dll has been deleted but the registry entry remains.

It's not unusual to receive such an error after using tools to remove malware infection.

RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. A RunDLL "Error loading..."..."specific module could not be found" message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan. However, the associated registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 tjackson80

tjackson80
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 15 June 2008 - 09:12 AM

I shall attempt that later today.
I'm going to try another Malware scan in a while.

I got a BSOD last night when I left the machine on to do a full Malware scan just in case.

it was fltmgr_file_system related ... whatever that means..

sigh... maybe it would be better to do a full rebuild after all

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:10 AM

Posted 16 June 2008 - 07:05 AM

Not much info on that error but I did find this: FLTMGR_FILE_SYSTEM

Was any more info provided on the blue diagnostic screen?

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast. An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users