Reboot virus ?

[Bob]

Is there a virus that causes a win2K machine to reboot immediately
after user/password <enter> entry ?

I have a machine that does not seem to have hardware/memory issues.
However, it reboot immediately when you hit enter after entering the
user/password. It is not user based. I can do other things such as go
to standby, shutdown, even type a bad password - but as soon as I
enter a valid combination it causes an immediate, not even a BSOD,
reboot. I do see a BSOD if I boot in safe-mode and generate the
login crash but it displays for less than 1/4 second so I am working
on reading it piece by piece via multiple reboots.

Thanks for any help,

 

[Dave Patrick]

Check Event Viewer for errors from a safe mode boot.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Is there a virus that causes a win2K machine to reboot immediately
| after user/password <enter> entry ?
|
| I have a machine that does not seem to have hardware/memory issues.
| However, it reboot immediately when you hit enter after entering the
| user/password. It is not user based. I can do other things such as go
| to standby, shutdown, even type a bad password - but as soon as I
| enter a valid combination it causes an immediate, not even a BSOD,
| reboot. I do see a BSOD if I boot in safe-mode and generate the
| login crash but it displays for less than 1/4 second so I am working
| on reading it piece by piece via multiple reboots.
|
| Thanks for any help,
|

 

[Bob]

Check Event Viewer for errors from a safe mode boot.

I can't log in even with a safe boot... the only difference with a
safe boot is that I see a BSOD for 1/4 second before it reboots. Is
there some way to extract the Event log file from a non-HD boot ?

 

[David H. Lipman]

From: "Bob" <[email protected]>

| On Mon, 28 Aug 2006 12:00:04 -0600, "Dave Patrick"
|
| I can't log in even with a safe boot... the only difference with a
| safe boot is that I see a BSOD for 1/4 second before it reboots. Is
| there some way to extract the Event log file from a non-HD boot ?

It is NOT a virus.

 

[Dave Patrick]

From a parallel install, run regedt32.exe, then from the Local Machine Hive,
choose Registry|Load Hive, then navigate to the
%systemroot%\system32\config
directory on the other install, and find the system file, then Open, in the
Key Name box give it some temp name, then under tempname, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\Select
and look in the Reg_Dword value of "Current", this is the current
controlset, then navigate to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\CrashControl
Where x = the value of "Current" (found above) and set the values as follows

"AutoReboot"=dword:00000000
"CrashDumpEnabled"=dword:00000001
"LogEvent"=dword:00000001
"Overwrite"=dword:00000001
Then navigate back up to "tempname" and choose Unload Hive, and boot your
original install, Autoreboot is now turned off so you should be able to read
the stop error.

Bug Check Codes
http://msdn.microsoft.com/library/d..._f55acfed-3296-4e84-8885-c3162fd0ddbf.xml.asp

If nothing else you can at least recover your data from the parallel install
prior to rebuilding the operating system.

This article may also help you.

http://support.microsoft.com/default.aspx?scid=kb;en-us;266465


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I can't log in even with a safe boot... the only difference with a
| safe boot is that I see a BSOD for 1/4 second before it reboots. Is
| there some way to extract the Event log file from a non-HD boot ?

 

[Bob]

Then navigate back up to "tempname" and choose Unload Hive, and boot your
original install, Autoreboot is now turned off so you should be able to read
the stop error.

Dave:

Thanks, I will try that out. I suppose just the parallel install (if
it succeeds) will tell me something. I'll give it a shot. There's no
data stored on the workstations but it does take quite a while to
rebuild from scratch so it would be nice to save it.