
track the process that's calling shutdown.exe


garegin:
Some malware (?) calls shutdown.exe to restart the computer every three minutes, unless I use safe mode. In safe mode I can see the log in event viewer that says that shutdown.exe is doing this. I renamed shutdown.exe and now the whole process "fails". In the sense that shutdown.exe doesn't get run and the computer stays on. The question is how can I track the process that's doing this? Can I program some kind of a trace routing that would catch the culprit?
I tried naming notepad into shutdown.exe to see what happens, but I get nothing.

Boggin:
Autoruns or Process Explorer would highlight any bogeys, although I prefer the latter as Virus Total is auto once enabled.

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

I'm not sure if you still have to do this with Process Explorer, but if you don't auto get a Virus Total column, click on Options, hover over VirusTotal.com and check the box.

The Verify Signature should already be enabled but you can enable that as well in Options if necessary.

Any items in the Virus Total column with a high red value/50ish will be suspect.

You could also run a scan with the free version of MBAM. https://www.malwarebytes.org/

garegin:
I don't have access to the machine until Monday, but do you think I can create a "fake shutdown.exe" to track the process that's trying to call it? Thanks for your help BTW, I'll try what you said when I get to work on Monday.
A year and a half ago another computer did the same thing. It also made the partition hidden on every restart.

Boggin:
I don't know about creating the fake .exe but I think you should definitely give it a scan in Safe Mode with MBAM as it deals with PuMs.

Julian:
Open up Task Scheduler and see if you have a running task.
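
Added example, not part of the original thread and not code from any poster: one way to answer the question with built-in Windows logging rather than a fake shutdown.exe, by reading process-creation events (Security event 4688) for the parent of shutdown.exe and listing scheduled tasks whose action mentions it. The function names, the sample event and its placeholder parent path are constructed for illustration; it assumes "Audit Process Creation" is enabled and Windows 10 / Server 2016 or later.

```powershell
# Added example. Assumes process-creation auditing is on:
#   auditpol /set /subcategory:"Process Creation" /success:enable
# and a Windows version whose 4688 events carry ParentProcessName.

# Turn one 4688 event (as XML) into an object naming child, parent and command line.
function ConvertFrom-ProcessCreationXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $doc.Event.System.TimeCreated.SystemTime
        Child       = $data['NewProcessName']
        Parent      = $data['ParentProcessName']
        ParentPid   = [Convert]::ToInt32($data['ProcessId'], 16)  # creator PID is logged in hex
        CommandLine = $data['CommandLine']  # empty unless command-line auditing is also on
        User        = $data['SubjectUserName']
    }
}

# Live query: every recorded launch of shutdown.exe and what started it.
function Get-ShutdownLauncher {
    param([int]$MaxEvents = 20000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-ProcessCreationXml $_.ToXml() } |
        Where-Object { $_.Child -like '*\shutdown.exe' }
}

# Scheduled tasks whose action runs or mentions shutdown.
function Get-ShutdownTask {
    Get-ScheduledTask | Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'shutdown'
    } | Select-Object TaskPath, TaskName, State
}

# Constructed sample event (not from a real machine) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2015-06-01T09:03:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">EXAMPLE-PC$</Data>
    <Data Name="NewProcessName">C:\Windows\System32\shutdown.exe</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="CommandLine">shutdown.exe /r /t 0</Data>
    <Data Name="ParentProcessName">C:\Users\Public\placeholder-parent.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-ProcessCreationXml $sample
```

Run `Get-ShutdownLauncher` and `Get-ShutdownTask` from an elevated prompt. Event 4688 is written only when a process is actually created, so the real shutdown.exe has to be back in place for a launch to be recorded.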
