garegin
solution to cmd calling shutdown.exe
« on: February 21, 2019, 09:58:01 PM »
A few years ago I posted a question here on a virus that created a script that restarted the computer. Even after removing the virus, the script still persisted. I actually saved the procmon log file, and we now know what it was. For one thing, it's a scheduled task. It calls a batch file stored in c:\windows\system32\com\ntsd2.bat. AFAIK, Windows shouldn't even have a com folder in system32. My Windows 10 doesn't.
I googled this file and found a SINGLE thread from '10: https://forums.techguy.org/threads/hacker-logged-on-w-diff-user-name-changed-system.897126/

The log file is stored in Google Drive: https://drive.google.com/file/d/0B1lqZhpyr-KQcWdtRDRDUkJRcU0/view?usp=sharing

The key to finding out the cause is using the process tree view in procmon. It shows the parent process that has spawned the process in question. In our case, it was taskeng.exe, which is the task scheduler.
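The process-tree technique described above, as an added example that is not part of the original post: a small Python walker over constructed rows laid out like a Process Monitor CSV export (the column names and the "PID: n, Command line: ..." Detail format are assumptions) that traces shutdown.exe back through cmd.exe to taskeng.exe and pulls out the batch file the task ran.

```python
import csv
import io
import re

# Constructed sample rows in the layout of a Process Monitor CSV export
# (assumed column names; the task GUID is a placeholder).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:58:01.0000000 PM","svchost.exe","812","Process Create","C:\\Windows\\System32\\taskeng.exe","SUCCESS","PID: 1440, Command line: taskeng.exe {TASK-GUID-PLACEHOLDER}"
"9:58:01.1000000 PM","taskeng.exe","1440","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2216, Command line: cmd.exe /c C:\\Windows\\System32\\com\\ntsd2.bat"
"9:58:01.2000000 PM","cmd.exe","2216","Process Create","C:\\Windows\\System32\\shutdown.exe","SUCCESS","PID: 3040, Command line: shutdown.exe"
'''

DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")
SCRIPT_RE = re.compile(r"(\S+\.(?:bat|cmd))\b", re.IGNORECASE)

def build_tree(csv_text):
    """Map child PID -> (parent PID, child image name, child command line) from Process Create rows."""
    tree = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        child_pid = int(m.group(1))
        image = row["Path"].rsplit("\\", 1)[-1]
        tree[child_pid] = (int(row["PID"]), image, m.group(2).strip())
    return tree

def ancestry(tree, image):
    """Return [(image, cmdline), ...] from the named process up to the oldest parent in the log."""
    start = [pid for pid, (_, name, _) in tree.items() if name.lower() == image.lower()]
    chain, pid = [], (start[0] if start else None)
    while pid in tree:
        parent, name, cmdline = tree[pid]
        chain.append((name, cmdline))
        pid = parent
    return chain

def scheduled_task_launched(tree, image):
    """True when the Task Scheduler engine (taskeng.exe) is a strict ancestor of the image."""
    return any(name.lower() == "taskeng.exe" for name, _ in ancestry(tree, image)[1:])

def script_path(chain):
    """First .bat/.cmd path found in the command lines along the chain, or None."""
    for _, cmdline in chain:
        m = SCRIPT_RE.search(cmdline)
        if m:
            return m.group(1)
    return None
```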

Boggin (Global Moderator)
Re: solution to cmd calling shutdown.exe
« Reply #1 on: February 22, 2019, 01:16:42 AM »
Thanks for posting that - it's a pity that thread went unanswered.
Tom.