Tweaking.com Support Forums
Main Forum => General Computer Support => Topic started by: garegin on June 27, 2015, 03:30:23 pm
-
Some malware(?) calls shutdown.exe to restart the computer every three minutes, unless I use safe mode. In safe mode I can see the log in Event Viewer that says that shutdown.exe is doing this. I renamed shutdown.exe and now the whole process "fails", in the sense that shutdown.exe doesn't get run and the computer stays on. The question is how can I track the process that's doing this? Can I program some kind of a trace routine that would catch the culprit?
I tried renaming notepad to shutdown.exe to see what happens, but I get nothing.
-
Autoruns or Process Explorer would highlight any bogeys, although I prefer the latter as Virus Total is auto once enabled.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
I'm not sure if you still have to do this with Process Explorer, but if you don't automatically get a Virus Total column, click on Options, hover over VirusTotal.com and check the box.
The Verify Signature should already be enabled but you can enable that as well in Options if necessary.
Any items in the Virus Total column with a high red value/50ish will be suspect.
You could also run a scan with the free version of MBAM. https://www.malwarebytes.org/
-
I don't have access to the machine until Monday, but do you think I can create a "fake shutdown.exe" to track the process that's trying to call it? Thanks for your help BTW, I'll try what you said when I get to work on Monday.
A year and a half ago another computer did the same thing. It also made the partition hidden on every restart.
-
I don't know about creating the fake .exe, but I think you should definitely give it a scan in Safe Mode with MBAM as it deals with PUMs.
-
Open up Task Scheduler and see if you have a running task.
-
Please check the processor heat sink and remove the dust. This may be due to overheating. Please remove all the plugs before doing any physical repair.
Do you mean power off or complete shut down? If the power is off, then the Enter key would resume the normal screen you were last on.
If you meant shutting down automatically, then it is a virus doing it and Boggins' suggestion would be the remedy for you.
Hi Boggins, what do all those colours denote in Process Explorer (not in Virus Total)? Some are shown as red, some as pink, etc. How do I identify the process that causes the problem from Process Explorer? This I want to know. Thanks
-
That was a good question, JR.
I've only ever concerned myself with ensuring the Virus Total entries were all blue - once had an Adobe entry showing in red with a score of 2/50 but that doesn't pop up now.
Your question about the colours prompted me to do a Google search, and I came up with this useful article http://www.howtogeek.com/school/sysinternals-pro/lesson2/ which I hope will help.
-
Hi, thank you Boggins for this specific link. It has all the things that I want to know. Your Virus Total information is really new to me. From the link, I could gather that by clicking the Virus Total findings, details of the scan and details of the virus will be known. Good to have this installed for modern computer attacks.
-
I got nothing with Process Explorer, but can clearly see shutdown.exe (which is really the renamed notepad.exe) called many times in the log. Can someone please take a look at the log file on Google Drive?
https://drive.google.com/file/d/0B1lqZhpyr-KQZDliUm5Bc3dwQkE/view?usp=sharing
-
I don't have anything on my computer to open a .pml file.
-
First thing I would do, if you haven't yet, is to check the Task Scheduler for anything. But normally, in order to find what is calling or touching what, I use Sysinternals Process Monitor. This allows me to see every file and registry key a program touches. Then you can filter out all the successful results and look for the failed ones instead, the ones that failed when trying to find or call shutdown.exe.
Shane
-
The .PML log file was created by Process Monitor. So it definitely shows shutdown.exe being called, by I don't know what.
-
Can you send me the whole log of when it happens?
I found that whatever is calling it is sending the command "shutdown -r -t 00".
No .exe at the end of it, which I then see cmd.exe searching for which one to use. So since something is calling shutdown.exe directly, it is causing cmd.exe to do the work, so I need to see what is calling the cmd.exe.
Shane
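As an added illustration of the two steps Shane describes (filter for the failed lookups of shutdown.exe, then walk the Process Create rows back from shutdown.exe through cmd.exe to whatever started it), here is a small Python script that reads a Process Monitor CSV export. It is not part of the thread or of Process Monitor itself; the rows, PIDs and the "unknown_task.exe" name are constructed, and it assumes the default export columns and that a Process Create row's Detail reads "PID: n, Command line: ...".

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV, default
# columns). PIDs and "unknown_task.exe" are made up; the command line is the one
# reported in the thread. Assumed Detail format: "PID: n, Command line: ...".
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:30:01.0000000 PM","svchost.exe","812","RegQueryValue","HKLM\\SOFTWARE\\Example","SUCCESS","Type: REG_SZ"
"3:30:02.0000000 PM","unknown_task.exe","2044","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 3120, Command line: cmd.exe /c shutdown -r -t 00"
"3:30:02.0100000 PM","cmd.exe","3120","CreateFile","C:\\Windows\\System32\\shutdown.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"3:30:02.0200000 PM","cmd.exe","3120","Process Create","C:\\Windows\\System32\\shutdown.exe","SUCCESS","PID: 3188, Command line: shutdown -r -t 00"
"""

CMDLINE_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")

def process_creates(csv_text):
    """Map child PID -> creator name, creator PID, child image path and command line."""
    creates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = CMDLINE_RE.search(row["Detail"]) if row["Operation"] == "Process Create" else None
        if m:
            creates[int(m.group(1))] = {"creator": row["Process Name"], "creator_pid": int(row["PID"]),
                                        "path": row["Path"], "cmdline": m.group(2).strip()}
    return creates

def failed_shutdown_lookups(csv_text):
    """Non-SUCCESS operations on shutdown.exe: what a renamed shutdown.exe leaves behind."""
    return [(r["Process Name"], int(r["PID"]), r["Operation"], r["Result"])
            for r in csv.DictReader(io.StringIO(csv_text))
            if r["Path"].lower().endswith("\\shutdown.exe") and r["Result"] != "SUCCESS"]

def shutdown_call_chains(csv_text):
    """For each launch of shutdown.exe, follow creator links back as far as the trace allows."""
    creates = process_creates(csv_text)
    chains = []
    for pid, rec in creates.items():
        if not rec["path"].lower().endswith("\\shutdown.exe"):
            continue
        chain, seen = [("shutdown.exe", pid, rec["cmdline"])], {pid}
        while pid in creates and creates[pid]["creator_pid"] not in seen:
            creator, pid = creates[pid]["creator"], creates[pid]["creator_pid"]
            seen.add(pid)
            # A creator with no Process Create row of its own was running before capture began.
            cmd = creates[pid]["cmdline"] if pid in creates else "<started before the trace>"
            chain.append((creator, pid, cmd))
        chains.append(chain)
    return chains

def root_caller(csv_text):
    """Name and PID of the outermost process in the first chain, the one to look at next."""
    chains = shutdown_call_chains(csv_text)
    return chains[0][-1][:2] if chains else None
```

On a real export the chain will usually stop at a process that was already running when the trace began, which is exactly the process (or scheduled task host) to inspect.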
-
ok
this is the new link to the log file. It's 800MB, so will take some time to download.
https://drive.google.com/file/d/0B1lqZhpyr-KQcWdtRDRDUkJRcU0/view?usp=sharing
-
Takes me a couple seconds to download, I have 100 Mb per second, ha lol. And dang, why so big?
-
I'll pass on that :lol - only have ~6.5meg speed.
-
Hi, a log file of 800 MB, near 1 GB. Something is squarely wrong for having such a huge log file.
-
It becomes big if you run it for a minute or two
-
Would you have any idea what's causing it?
-
How big is the file if you compress it with 7-Zip or something? It is just text, so it should compress down really well.
Shane