Windows 7 Windows shuts down anytime it connects to the Internet

Nick Daly

New Member
Anytime my laptop connects to the Internet, I get this message: "Windows has encountered a critical error and will shut down automatically in one minute. Please save your work now." I tried using the shutdown -a command, as well as disabling automatic shutdown in advanced boot options, but it still occurs. The computer works just fine as long as it doesn't connect to the Internet. As soon as I let it connect, within 30 seconds it gives me that error.


Like I said, I've tried disabling the automatic shutdown but it doesn't work. I've run antivirus programs (SuperAntiSpyware and MalwareBytes) and they have found nothing. Please help! I'd rather not have to reinstall my whole system if I can help it.



I ran sfc.exe /scannow and it did indicate it found problems and repaired them, and directed me to a rather lengthy log it generated (I can post it here if needed; it's just really long) and asked me to restart. I restarted and let it connect to the Internet, and within a few seconds the same error appeared.


From the event log:

[FONT=&quot]Faulting application name: services.exe, version: 6.1.7600.16385, time stamp: 0x4a5bbf1b[/FONT]
[FONT=&quot]Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000[/FONT]
[FONT=&quot]Exception code: 0xc0000005[/FONT]
[FONT=&quot]Fault offset: 0x00dfff41[/FONT]
[FONT=&quot]Faulting process id: 0x270[/FONT]
[FONT=&quot]Faulting application start time: 0x01cb4526e01d86a4[/FONT]
[FONT=&quot]Faulting application path: C:\windows\system32\services.exe[/FONT]
[FONT=&quot]Faulting module path: unknown[/FONT]
[FONT=&quot]Report Id: 55a31efa-b11a-11df-936a-001e33f35107[/FONT]
 
Hi.

That usually happens because of malware. The malware shuts down a critical Host Process for Windows Services needed for Windows to continue running.

It could be that Malwarebytes and SAS do not have definitions for this strain of malware yet.

Update the definitions and try scanning again.

Let me have a look at your system info to see if there's anything I can point out. To post it, type msinfo32 in the start menu. File | save on the screen that opens. Zip the saved file then attach the zip to a post using the paperclip above where you type, in advanced mode reply.
 
That makes sense; it is weird that it only happens when it connects to the Internet. I've attached my system info here as you specified.

I updated the definitions of MWB and SAS - and downloaded Microsoft Malicious Software Removal Tool - and these still came up empty.

Thank you so much for your help!
 

Attachments

  • systeminfo.zip
    61.6 KB · Views: 308
Ya, definitely something strange going on. There's a weird blank startup entry that should not exist, likely causing issues. I attached a screenshot of what I am talking about.

Open Regedit. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete anything there besides the following:

IgfxTray
HotKeysCmds
Persistence
RtHDVCpl
SynTPEnh

------------

You'll also want to remove the notorious Bonjour service. Here's exactly how to do so:

How To Uninstall or Remove Bonjour mDNSResponder.exe | Raymond.CC Blog

-----------

Let us know how it goes after making these changes. Perhaps we can think of other things to do if the problem still exists.
 

Attachments

  • 1.JPG
    1.JPG
    70.3 KB · Views: 952
Went into regedit and tried to delete the one additional unnamed entry as shown; it told me it can't delete all of the values. I did get rid of Bonjour. Restarted the laptop, still got the error within 10 seconds of letting it connect to the Internet.
 
Run Regedit from an administrator account to delete the entry. If you already are or you still can't delete it, that means the malware has locked itself so you can't delete.

Anyhow, I'd suggest a clean install while formatting. Whenever a machine is compromised, there really is no telling what it has done or what it can do in the future. That's the "professional" advice I can give to you.

Low level formatting the hard drive is recommended approach as well.
 
Yeah, it still won't let me delete it, administrator or no. So the only way to fix this is to format everything? Luckily I can still back-up my files (as long as I don't let it connect to the Internet) but I was hoping to not have to go back and reinstall everything.
 
Does it disconnect even with e-mail programs?

What firewall or anti-virus programs are you using?

Anything in event viewer as far as errors or warnings concerning the internet?

The attachment shows Problem Devices from your system info file. Was the device disabled on purpose when you ran the report?
 

Attachments

  • NIC.GIF
    NIC.GIF
    4.7 KB · Views: 433
Hi!

It literally gives me the error and begins the shutdown process as soon as the system connects to the Internet. Whether I open a browser, email program, etc. or not, it doesn't matter.

I used Super Anti-Spyware, MalwareBytes, Windows Malicious Software Removal Tool, and I had Windows Defender and Avast.

It shows my wireless adapter as disabled because that was literally what I had to do to get the system to keep from shutting down. If I disabled the adapter, it wouldn't connect to wireless and therefore the system runs like normal with no issues.

I posted what I got from the event log in my initial post. Here it is again:

[FONT=&quot]Faulting application name: services.exe, version: 6.1.7600.16385, time stamp: 0x4a5bbf1b[/FONT]
[FONT=&quot]Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000[/FONT]
[FONT=&quot]Exception code: 0xc0000005[/FONT]
[FONT=&quot]Fault offset: 0x00dfff41[/FONT]
[FONT=&quot]Faulting process id: 0x270[/FONT]
[FONT=&quot]Faulting application start time: 0x01cb4526e01d86a4[/FONT]
[FONT=&quot]Faulting application path: C:\windows\system32\services.exe[/FONT]
[FONT=&quot]Faulting module path: unknown[/FONT]
[FONT=&quot]Report Id: 55a31efa-b11a-11df-936a-001e33f35107[/FONT]
 
The fact the system shuts down would lead me to believe some driver is causing a conflict. I had a setup once last year that would freeze the computer when I tried to access the net, but that was a combination of ZoneAlarm and Microsoft Security Essentials. Have you updated the Wireless driver? Any chance the wireless adapter is just bad? Can you remove and reinstall the wireless card?

Do you have a Ethernet connection and does the system work with the internet if you use it?

The fault listing you posted does not help me. I would look in the event viewer for any condition that occurs around the time you connect. You may show something beside a services error. But if immediately shuts down, it may not have time to write the error.
 
It's not a driver issue.

"Windows has encountered a critical error and will shut down automatically in one minute. Please save your work now."

That message from Windows means that a critical svchost.exe process was terminated. Only malware or a user using the task manager would do that.

We can effectively rule out the task manager possibility which leaves only one cause.

It definitely has something to do with the startup entry and the fact it can not be deleted. It could even be custom malware and that's why there's no definitions for it.

---

An interesting experiment would be to boot to safe mode + networking to see how it goes. My bet is that it will be fine there.
 
OK, but I did notice the latest driver for the wireless device is 2017 dated 8/24/2010. The current one is 2006, unless I am misreading something.

The blank startup programs always bother me. I have seen that, but I believe I could disable it in msconfig. And I suppose it also does not show the startup command in msconfig? I wonder if the Autoruns utility patcooke recommended would be able to tell what it was?
 
Last edited:
Hrrrm...not too sure I know what you mean.

The Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC driver he currently has installed is from August 10, 2010.
 
lol seems the MS guy doesn't even know for sure why that message is happening (he hasn't mentioned any svchost.exe at all):

Link Removed - Invalid URL

To be even more precise, I can tell ya that it's the rpc service being terminated. That's why you aren't able to manually stop the service in the services.msc page. Further, if you look at what the action taken by the pc is when it fails (in the Recovery tab of the service), it is to restart the computer. Most services, when failed, simply restart the actual service and the pc continues on.
 
Last edited:
When I boot into Safe Mode with Networking, the problem still happens. It takes maybe a minute or two longer, but sure enough, as soon as it connects to the Internet (and I mean connects; doesn't matter if I don't do a thing on the net, if my adapter connects, this happens) it crashes. I guess I must face the inevitable and just format my laptop. I hope this problem isn't going to turn up in my backup somewhere.
 
Malware can run in safe mode.

Yes, re-install Windows. First, use a low level format tool to blank the drive so malware can not return. Killdisk is good for this.
 
Cool, I'll do that. Thanks for all your help. Downloading Killdisk now.

Here's a dumb question that could perhaps help in the future; when I had an Acer laptop, the drive was formatted so if I needed/wanted to reinstall Windows, I wouldn't lose my documents. My Toshiba doesn't have a formatted drive. I know I can Google this - and I have - but can you point me in the direction of an "easy" way to format my current machine in that way?
 
Killdisk may take a long time to work......, depending on the size of your drive..
 
Back
Top