60 Second Shutdown Virus

Norm - Out of interest, how do you know it is being caused by a virus?

Have you tried to stop it running with rkill?

Or, if you can get it running in 60 secs you could try Process Explorer to suspend (not shut down) the process it relies on.

Failing that I'd be looking to edit the registry and delete the relevant startup entries.
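As an added example (not code from any poster in this thread), the PowerShell below lists the usual startup (autorun) registry locations and the running processes with their image paths, so the entries can be reviewed before anything is deleted. It assumes the machine boots far enough to open an elevated PowerShell prompt; the registry paths are the standard Run/RunOnce and Winlogon keys, and the output is for review only, nothing is changed.

```powershell
# Added review script, not from the thread. Lists autorun entries and
# running processes so a suspicious startup item can be identified
# before it is removed. Run from an elevated PowerShell prompt.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $autorunKeys) {
    if (Test-Path $key) {
        Write-Host "== $key =="
        # Drop the PS* metadata properties so only value names and commands remain
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# Winlogon Shell and Userinit are frequently altered by malware to
# launch itself at logon; the expected values are explorer.exe and
# userinit.exe under the system directory.
Write-Host '== Winlogon =='
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object -Property Shell, Userinit |
    Format-List

# Running processes with their executable path; an entry running from a
# temp or user profile folder is a good candidate to suspend in
# Process Explorer rather than kill outright, as suggested above.
Write-Host '== Processes =='
Get-Process |
    Select-Object -Property Id, ProcessName, Path |
    Sort-Object -Property Path |
    Format-Table -AutoSize
```

Pipe the whole thing to `Out-File` if the 60 second window is too short to read the output on screen, then compare the listed commands against what is expected on a clean XP install before editing the registry.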

I don't know what else would cause this pop up saying it will shut down in 60 seconds, other than a virus.

RKill causes the pop up to appear and the computer shuts down.

Process Explorer: I can shut down processes, reg key, etc, but never found the one that causes the problem. No matter what I shut down, I would still get the 60 second pop up and shutdown when I tried to scan.

Dr Web, which boots it in Linux and does a scan, says it is Backdoor Trojan. Still scanning, so not sure if I can kill it.

Norm
 
If you still have the problem after the scans, try holding the shift key down immediately after log in and until the desktop icons appear.

If you find "Dr. Web very hard to read on the screen" you may want to try Avira Rescue CD

Note: On the Avira Rescue CD you may have to select the British flag in the bottom left corner.

Also, if you select the option to rename the files, if they cannot be removed, they will be renamed with a .XXX extension.

You may also want to try G Data Boot CD
 
Re: shutdown -i t 6000
Currently the computer freezes as soon as it boots. I think I need to use external boot solution on this one. I will certainly try this in the future.

Thanks, Norm
 
I have currently burned Dr Web and Kaspersky boot CDs. I will also burn these two. I am trying to learn all that I can about virus removal. I am getting a lot of calls on them and they are getting tougher.

Thanks, Norm
 
Re: shutdown -i t 6000
Currently the computer freezes as soon as it boots. I think I need to use external boot solution on this one. I will certainly try this in the future.

Thanks, Norm
I don't get it, you can't run this, but you can run process explorer and rkill?

P.S. "shutdown -a" aborts the shutdown, rather than just extending it.
 
What else does it say in the box besides "shutting down in 60"?

Need more details, how long after login? What's the OS?

Anyway, this sounds like a very very very old virus. Is the computer running XP?
 
This reminds me of the Blaster and Nimda worms that hit in about 2003. They worked on a buffer overflow vulnerability in Windows XP that was subsequently patched by Microsoft.

Is the attached photo the same pop up you are seeing?
 
Attachment: Windows_XP_Emergency_Shutdown.png
I don't get it, you can't run this, but you can run process explorer and rkill?

P.S. "shutdown -a" aborts the shutdown, rather than just extending it.

Sorry for the confusion, I am working on this problem on two different computers. On the laptop I could run rkill and shutdown -a, but rkill caused the 60 second shutdown before it could complete and Process Explorer did not show anything to be a problem. I did shutdown many processes and services, but was not able to eliminate the shutdown.

The desktop freezes on bootup. I am now down to just working on the desktop. Laptop got into mode where I could only get blue screen, so I reloaded OS.

Norm
 
This reminds me of the Blaster and Nimda worms that hit in about 2003. They worked on a buffer overflow vulnerability in Windows XP that was subsequently patched by Microsoft.

Is the attached photo the same pop up you are seeing?

I was getting a similar popup graphic. Not exactly the same. Running XP Home, SP3. Must be different, because it is getting by Microsoft.
 
Fixed:

Here is what appeared to work:

Booted with Kaspersky Rescue Disk

It ran for about 2 minutes and then shut down the computer.

I rebooted normally and downloaded and ran Malwarebytes. Found six (6) infections (Minibug, Trojan Agent and Adware Hotbar (4)).
Ran CCleaner (Cleaner and Registry Cleaner)

Dr Web Boot Disk:

I ran this first. I could not read the messages in GUI mode, but it did say that I had Backdoor Trojan infecting many files. I then ran it in safe mode. It ran for hours with the result of finding no infections.

Thanks for all the help that I received on this forum. Guess it is not a big loss not being able to post on the Tech forums (must be some elite group).

Norm
 
Hi,

You need to look at Live CDs which run in an environment outside of the OS. I would suggest starting with Dr.Web. There are plenty of others out there. You could also slave the drive to another PC and scan it that way.

You can find Dr. Web here...
http://www.freedrweb.com/livecd/?lng=en

If you are serious about learning to remove malware, you should consider setting yourself up a Virtual PC and going to sites to get it infected. I am sure there is a thread on this already.

You should also visit BleepingComputers, they are an excellent resource for malware removal.

Hope this helps.

Now that I have this virus fixed, I am taking your advice and going to set up a machine for learning virus removal. I am probably the first person in the world to ask this question, but "how do you go about getting a virus on your computer?"

Thanks, Norm
 
Of course there are a few approaches to any virus removal.

My strategy on any drive that will not boot to OS is to try SafeMode first and then run rkill and MBAM from there initially.

If it will not boot to SafeMode, slave the drive to a bench PC* and run a MBAM scan. The recommendations against doing this are based on just what TLE said: Malwarebytes loses much of its effectiveness and also loses critical whitelisting, since it no longer sees system files on the slaved drive as system files because they aren't in the system folders of the currently running OS.

However, it will often remove the major executables and allow boot to OS, whereupon rkill can be employed and MBAM can be run for a full scan.**

MBAM, although popular, is not the only tool to be used. I have made it a habit to check for rootkits on every virus removal and to update Windows and update the native AV and run a scan with that too. (If nothing else it prevents the client from getting a "you need to run a scan" nag balloon the day he gets his machine back.)

*Re: slaving a drive. Slaving directly to the mobo of your bench machine via SATA provides a faster throughput than using a USB/SATA/IDE interface. During scans the speed difference is negligible, but during data transfer it will really make a difference. SATA 1.0=1.5GB/s; SATA 2.0 = 3.0Gb/s; SATA 3.0 or SATA 6Gb/sec. Most 7200 rpm drives have a disk-to-buffer rate of about 70MB/s, but the buffer rate to interface is only limited by the interface speed. By comparison, the USB 2.0 speed limit is touted as being 60MB/s, but in practice communication overhead uses about 30% of that and drops the effective rate to about 42MB/s at its best. What all this means is that SATA drives via SATA or eSATA can transfer at a max of 70MB/sec under continuous use (empty buffer) and via USB at a max of 42MB/s.

**to all the "manual virus removal" fans: It is obvious from the OP that this tech/student does not yet have the registry editing skills to manually remove viruses and relies on automated scans/tools.
 
Virus Removal

My first approach has been MBAM in Safe Mode. This works about 90% of the time. I have found that external scans are not too effective.

The rescue disks that use Linux boot seem to work on the real tough ones.

BTW: I grew up in Farmingdale and also lived in Bayshore for 13 years.

Norm
 
Now that I have this virus fixed, I am taking your advice and going to set up a machine for learning virus removal. I am probably the first person in the world to ask this question, but "how do you go about getting a virus on your computer?"

Thanks, Norm

There is a website which lists websites which are infected. www.malwareurl.com

There are quite a few threads on this subject, so have a search through the forum and see what you can find. :)