Author Topic: track the process that's calling shutdown.exe  (Read 22198 times)

0 Members and 1 Guest are viewing this topic.

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
track the process that's calling shutdown.exe
« on: June 27, 2015, 03:30:23 pm »
 Some malware(?) calls shutdown.exe to restart the computer every three minutes, unless I use safe mode. In safe mode I can see the log in event viewer that says that shutdown.exe is doing this. I  renamed shutdown.exe and now the whole process "fails". In the sense that shutdown.exe doesn't get run and the computer stays on. The question is how can I track the process that's going this. Can I program some kind of a trace routing that would catch the culprit.
I tried naming notepad into shutdown.exe and see what happens but I get nothing.

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #1 on: June 27, 2015, 04:17:00 pm »
Autoruns or Process Explorer would highlight any bogeys, although I prefer the latter as Virus Total is auto once enabled.

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

While I'm not sure if you still have to do this with Process Explorer, but if you don't auto get a Virus Total column - click on Options, hover over VirusTotal.com and check the box.

The Verify Signature should already be enabled but you can enable that as well in Options if necessary.

Any items in the Virus Total column with a high red value/50ish will be suspect.

You could also run a scan with the free version of MBAM. https://www.malwarebytes.org/

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #2 on: June 27, 2015, 06:06:58 pm »
i don't have access to the machine until Monday, but do you think I can create a "fake shutdown.exe" to track the process that's trying to call it. Thanks for your help BTW, I'll try what you said when I get to work on Monday.
A year and a half ago another computer did the same thing. It also made the partition hidden on every restart.

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #3 on: June 28, 2015, 01:48:06 am »
I don't know about creating the fake .exe but I think you should definitely give it a scan in Safe Mode with MBAM as it deals with PuMs.

Offline Julian

  • "Professional Googler"
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jun 2015
  • Posts: 1325
  • Location: USA, New Mexico
  • Karma: 38
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #4 on: June 28, 2015, 04:16:14 am »
open up task scheduler and see if you have a running task.
Julian

Offline jraju

  • Hero Member
  • *****
  • Join Date: Feb 2013
  • Posts: 2323
  • Location: india
  • Karma: 17
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #5 on: June 28, 2015, 06:32:45 am »
Please check the processor heat sink and remove the dust. This may be due to overheating. Pl remove all the plugs before doing any physical repair.
                                  Do you mean power off or complete shut down.  If the power is off, then enter key would resume your normal screen you were last on.
                                         If you meant, shutting auto, then it is virus doing and Boggins suggestion would do the remedy for you.
                                         HI, Boggins, what are all those colours  denote in Process explorer and not in the virus total. some shown as red , some shown as pink etc. How to identify the process that gives the problem from PExplorer. This i want to know . Thanks
The Bottom line is "Check your hardware first if it supports the task you try".

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #6 on: June 28, 2015, 10:48:36 am »
That was a good question, JR.

I've only ever concerned myself with ensuring the Virus Total entries were all blue - once had an Adobe entry showing in red with a score of 2/50 but that doesn't pop up now.

Your question about the colours prompted me to a Google and came up with this useful article http://www.howtogeek.com/school/sysinternals-pro/lesson2/ which I hope will help.

Offline jraju

  • Hero Member
  • *****
  • Join Date: Feb 2013
  • Posts: 2323
  • Location: india
  • Karma: 17
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #7 on: June 28, 2015, 10:15:53 pm »
Hi, Thank you boggins for this specific link. It has all the things that i want to know. Your virus total information is really new to me. from the link, i could gather that by clicking the virus total findings, details of the scan and details of virus will be known. Good to have this installed for modern computer attacks.
The Bottom line is "Check your hardware first if it supports the task you try".

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #8 on: June 29, 2015, 08:39:53 am »
i got nothing with process explorer but can clearly see shutdown.exe (which is really renamed notepad.exe) called many times in the log. Can someone please take a look at the log file on google drive

https://drive.google.com/file/d/0B1lqZhpyr-KQZDliUm5Bc3dwQkE/view?usp=sharing
« Last Edit: June 29, 2015, 08:56:57 am by garegin »

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #9 on: June 29, 2015, 09:19:26 am »
I don't have anything on my computer to open a .pml file.

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #10 on: June 29, 2015, 10:40:51 am »
First thing I would do, if you havent yet is to check the task scheduler for anything. But normally in order to find what is calling or touching what is I use sysinternals process monitor. This allows me to see every file and registry key a program touches. Then you can filter out all the successful results and look for the failed ones instead that failed on trying to find or call shutdown.exe

Shane

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #11 on: June 29, 2015, 01:14:52 pm »
the .PML log file was created by process monitor. So it definitely shows shutdown.exe being called by I don't know by what.

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #12 on: June 29, 2015, 01:34:52 pm »
Can you send me the whole log of when it happens?

I found that what ever is calling it is sending the command "shutdown  -r -t 00"

No .exe at the end of it, which I then see cmd.exe searching for which one to use. So since something is calling shutdown.exe directly it is causing cmd.exe to do the work, so i need to see what is calling the cmd.exe

Shane

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #13 on: June 29, 2015, 11:07:08 pm »
ok
this is the new link to the log file. It's 800MB, so will take some time to download.

https://drive.google.com/file/d/0B1lqZhpyr-KQcWdtRDRDUkJRcU0/view?usp=sharing

Offline Julian

  • "Professional Googler"
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jun 2015
  • Posts: 1325
  • Location: USA, New Mexico
  • Karma: 38
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #14 on: June 29, 2015, 11:31:46 pm »
ok
this is the new link to the log file. It's 800MB, so will take some time to download.

https://drive.google.com/file/d/0B1lqZhpyr-KQcWdtRDRDUkJRcU0/view?usp=sharing
takes me a couple seconds to download i have 100mbs per second ha lol and dang why so big?
Julian

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #15 on: June 30, 2015, 02:03:31 am »
I'll pass on that :lol - only have ~6.5meg speed.

Offline jraju

  • Hero Member
  • *****
  • Join Date: Feb 2013
  • Posts: 2323
  • Location: india
  • Karma: 17
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #16 on: June 30, 2015, 02:54:21 am »
Hi, Log file of 800 mb, near 1 g b. Something squarely wrong for having the huge log file
The Bottom line is "Check your hardware first if it supports the task you try".

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #17 on: June 30, 2015, 05:13:23 am »
It becomes big if you run it for a minute or two

Offline garegin

  • Jr. Member
  • **
  • Join Date: Nov 2014
  • Posts: 85
  • Karma: 1
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #18 on: June 30, 2015, 10:39:36 am »
ok
this is the new link to the log file. It's 800MB, so will take some time to download.

https://drive.google.com/file/d/0B1lqZhpyr-KQcWdtRDRDUkJRcU0/view?usp=sharing
takes me a couple seconds to download i have 100mbs per second ha lol and dang why so big?

would you have any ideas what's causing it?


Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: track the process that's calling shutdown.exe
« Reply #19 on: July 02, 2015, 09:00:32 pm »
How big is the file is you compress it with 7-zip or something? It is just text so it should compress down really good.

Shane