
Bad infection, computer very slow, blue screen when I try to do more than one thing


23 replies to this topic

#1 AMarie006267

AMarie006267

  • Members
  • 15 posts

Posted 11 August 2009 - 06:29 AM

Hi guys. First of all, thanks for reading.

My computer is in pretty bad shape, I think. I thought I could get rid of the problem on my own using Malwarebytes & Combofix, but I've since learned that I cannot. My computer is dragging and is very slow.. I have a Seagate external drive I'm trying desperately to back up all my important files on.. but when I try to transfer them, my computer screen flashes blue and restarts.
When this first started happening, I ran Malwarebytes numerous times; the results were all the same, two infections named "Trojan.TDSS". It was set to remove upon reboot but that never happened. After that, I tried Combofix, because it had worked in the past. I read the rules and you guys seem to be against instructing people to use it, so I hope you guys will still help me. When I ran Combofix, it deleted these files:

C:\Windows\system32\sdra64.exe
C:\Windows\system32\drivers\SKYNETwalysvou.sys
C:\Windows\system32\SKYNETrfiqaljf.dll
C:\Windows\system32\SKYNEThhavknob.dat
C:\Windows\system32\SKYNETwhnyshla.dll
C:\Windows\system32\SKYNETocjaoyag.dat Rootkit

What should I do now? I think my computer is still severely infected, and I'd like to fix it without reformatting it. Please help!

Also, I'm running Windows XP. Also, if me mentioning Combofix or what it did isn't allowed here, someone tell me and I will remove it ASAP.

Edited by AMarie006267, 11 August 2009 - 06:44 AM.



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 August 2009 - 08:54 AM

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer. That's the decision by the creator and we will abide by that decision.

With that said, now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

I'd like to fix it without reformatting it.

I'm still obligated to let you know what you are dealing with.

IMPORTANT NOTE: One or more of the identified infections (SKYNET[random characters].***) is related to a nasty rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 11 August 2009 - 05:19 PM

Here's the log from Malwarebytes' full scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2600
Windows 5.1.2600 Service Pack 3

8/11/2009 3:18:31 PM
mbam-log-2009-08-11 (15-18-31).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|I:\|K:\|L:\|)
Objects scanned: 258962
Time elapsed: 1 hour(s), 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruismlgidup.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETwalysvou.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP145\A0022593.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP151\A0022987.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP153\A0024569.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP153\A0024598.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP153\A0024602.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP153\A0024603.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OJYH0X8D\exe[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.


The computer rebooted fine and normally. I read the links you gave me, thanks for providing me with so much info. I didn't know Combofix could screw your computer up so badly (I'm thankful it didn't do that to mine) and will not use it again unless instructed to do so by its creator. Thanks.

Edited by AMarie006267, 11 August 2009 - 05:34 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 August 2009 - 05:36 PM

Not a problem. Let's do another scan to see if we find anything MBAM may have missed.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.

#5 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 11 August 2009 - 05:56 PM

I ran TFC and it finished quickly, but I got the following error:
"The file or directory C:\WINDOWS\Temp\Perflib_Perfdata_204.dat is corrupt and unreadable. Please run Chkdsk utility" When I clicked "ok" the error kept popping up, but then the program prompted me to reboot so I did just that.. aside from the error I listed, it rebooted fine and started smoothly. I will be away for the afternoon so I will perform the Dr.Web CureIt scans tonight and post the logs ASAP.

Edited by AMarie006267, 11 August 2009 - 06:12 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 August 2009 - 08:15 PM

Don't worry about the error message for now. Just continue with the Dr.Web scan.

#7 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 12 August 2009 - 12:03 AM

Hi, I ran the scans you asked me to, this was the only result:

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;

Also I'd like to note that I could not boot my computer into Safe Mode, so I had to run it all in normal mode. I want to report that I now have random beeps & clicks coming through the speakers, also getting some random pop ups too.

Edited by AMarie006267, 12 August 2009 - 03:48 AM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 August 2009 - 07:42 AM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks What do you want to include in the scan?, check all the boxes.
  • Click OK.
  • In the Select Drives dialog, Please select drives to scan: select your primary system drive (usually C:), then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

#9 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 12 August 2009 - 02:36 PM

Hey, I left the scan going for about 3 hours, but it would not budge from this file:

"C:\Program Files\InstallShield Installation Information"

I would run it in safe mode, but as I noted, that isn't an option. It didn't scan everything it was supposed to, but here's the log it did manage to bring up:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/12 08:01
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4054000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB8616000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3A64000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Hewlett-Packard\uTorrent
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xb812887e

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x8aaeb4a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xb8128bfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: sr, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: FltMgr, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Lbd, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: RAW, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

==EOF==
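
Added example, not part of the original posts: a Python sketch that reads the SSDT and Stealth Objects sections of a RootRepeal report like the one above and groups the findings for triage (which SSDT hooks have no owning module, and which hidden code regions serve several drivers' dispatch routines). The function names and regular expressions are assumptions of this example and cover only the layout shown in this report; the sample text is abridged from the log above.

```python
import re
from collections import defaultdict

# Abridged from the RootRepeal 1.3.3.0 report posted above (same values).
SAMPLE_REPORT = '''\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xb812887e

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x8aaeb4a0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: sr, IRP_MJ_CREATE]
Process: System Address: 0x8aae6ad0 Size: 1332

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8aae9740 Size: 1715

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8aae9740 Size: 1715
'''

SSDT_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\S+)\s+'
    r'Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(
    r'Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]\s+'
    r'Process: (\S+)\s+Address: (0x[0-9a-fA-F]+)\s+Size: (\d+)')


def parse_ssdt_hooks(report):
    """Return one dict per hooked SSDT entry in the report."""
    return [{"index": int(i), "function": fn, "module": mod,
             "address": int(addr, 16)}
            for i, fn, mod, addr in SSDT_RE.findall(report)]


def parse_hidden_code(report):
    """Group 'Hidden Code' entries by the memory region they point into."""
    regions = {}
    for driver, irp, _proc, addr, size in STEALTH_RE.findall(report):
        region = regions.setdefault(
            int(addr, 16), {"size": int(size), "handlers": defaultdict(list)})
        region["handlers"][driver].append(irp)
    return regions


def triage(report):
    """Summarise the findings a helper would look at first."""
    hooks = parse_ssdt_hooks(report)
    regions = parse_hidden_code(report)
    handlers = defaultdict(int)
    for region in regions.values():
        for driver, irps in region["handlers"].items():
            handlers[driver] += len(irps)
    return {
        # Hooks that no loaded, named module accounts for.
        "unattributed_hooks": [h["function"] for h in hooks
                               if h["module"] in ("", "<unknown>")],
        # One hidden region answering for several drivers' dispatch routines.
        "shared_regions": {f"{addr:#010x}": sorted(r["handlers"])
                           for addr, r in regions.items()
                           if len(r["handlers"]) > 1},
        # How many IRP handlers of each driver are redirected.
        "handlers_per_driver": dict(handlers),
        # SSDT hooks whose target lies inside a hidden region tie both findings together.
        "hooks_inside_hidden_code": [
            h["function"] for h in hooks
            if any(a <= h["address"] < a + r["size"] for a, r in regions.items())],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```
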

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 August 2009 - 06:20 AM

Are you still getting the blue screen? If so what error message is it giving? Does it mention any specific file involved?

#11 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 13 August 2009 - 08:23 AM

Yep, still getting a blue screen.. it flashes way too fast to see what it says and then it just reboots my computer. This happens when I try to connect my external hard drive to my computer, watch something on youtube, or download anything.

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 August 2009 - 08:29 AM

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems could be symptomatic of a variety of things to include hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and even malware. If the computer is overheating, it usually begins to shutdown/restart on a more regular basis.

When Windows XP detects a problem from which it cannot recover, it displays Stop Error Messages which contain specific information that can help diagnose and resolve the problem detected by the Windows kernel. An error message can be related to a broad number of problems such as driver conflicts, hardware issues, read/write errors, and software malfunctions and malware. In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast.

An easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD). To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is unchecked.
  • Click "OK" and reboot for the changes to take effect.
Vista users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows Vista.

Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information to include file(s) that may be involved which will allow you to better trace your problem. Write down the full error code and the names of any files/drivers listed, then provide that information in your next reply so we can assist you with investigating the cause.

#13 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 13 August 2009 - 01:23 PM

Thanks, I have a question.. it might be a little silly. Turning off the automatic reboot won't make it so I can't reboot it after I get the blue screen, will it?

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 August 2009 - 04:20 PM

Just write down the info and then reboot the machine manually like you do when first turning it on.

From now on, when a problem causes a BSOD or another major error that halts the system, the PC will not automatically reboot. Rebooting manually will be necessary.

Disable the Automatic Restart on System Failure

#15 AMarie006267

AMarie006267
  • Topic Starter

  • Members
  • 15 posts

Posted 13 August 2009 - 05:20 PM

I've done what you told me to.. but it's not blue screening now. All it does is freeze when it used to blue screen. Thanks for being patient with me. Is my only option to reformat here? :/

Edited by AMarie006267, 13 August 2009 - 05:33 PM.




