Strange Shutdown - Suspect Malware

Thread: Strange Shutdown - Suspect Malware

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    Strange Shutdown - Suspect Malware

    Hi guys,

    The question is "IS there a Malware that will shut off a computer.. that clean off / like pulling the plug?"

    Was helping a friend with their computer last night here is the problem we started with..

    Sloooow operation, When using IE some websites are not accessible.. and when attempting to DL some programs (like Spybot, or even doing a AV update) the system switches off..
    When I was told about this the switch off was described as "crashes" .. so I only turned up with software tools.. system is unable to complete a NAV scan..
    This history is from memory.. left my notes with the machine

    1/ Installed Spybot SnD:
    Couldn't update.. Disabled a family of sus exe's that were running, and some known ok exe's.. still couldn't update.. Managed to start a scan picked up a few sus entries then Click Off.. the bloody system just clean switched off..
    2/ Restarted in safe mode:
    did a quick HJT scan.. manually removed some Blaze media crap. Now started the Spybot scan. got past the initial few hundred items scanned.. had a small list of 6 or so I stopped the scan and removed components of what I had just removed.. restarted the scan.. and kept doing this until I had 200 or so items removed.. BUT Spybot scan could only reach 70% or so and the system would die.
    3/ Restarted in normal mode: Installed Adaware..
    Was able to update it (oh and could now update Spybot and NAV) Scan by Adaware went full course.. removed another 30 items (mainly Cookies and more parts of what Spybot had removed)..
    Tried Spybot.. found a couple more items .. but dies at about 70% (that is computer shut off)
    4/ Defragged HDD restart clean TIF, Win Temp, Win Prefetch, empty recycle Bin.. Defrag, restart defrag
    5/ spybot failed again at 70% (note this is on or about 10500 item of 15500, it could be 10200 or as late as 10600 but always about the 10500 mark)
    6/ the cleaner.: good old moosoft..
    Tried a scan in normal and in safe Mode.. System shuts off at around the 70% mark.. first time removed more crap, adware "trojans" all related to the earlier stuff..
    7/ Checked the temp of the HDD and cpu temps.. (It is winter and the room temp was 15deg Celsius) none of the gear was even warm..

    I didn't have a Meter with me so I couldn't check the status of the PSU, The tone of the HDD changes just before the shut off, so I intend running a HDD test, as well as a full PSU test on the weekend.. No visible funnies on the Mobo.. so a full hardware test may still be in order.. even a swap out of the RAM.. Oh and I failed to mention .. I will do a External scan of the HDD.. ie test it in another system.. scan it from another OS..

    As the problem is consistent with a point of operation in a program rather a thermal point.. I do consider a Malware problem as very likely, but not ruled out Hardware..

    Any comments welcome..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    SASSER???

    I had something similar recently....ended up being sasser.

    Only way I could get some response was using the norton sasser removal tool.

    I was then able to scan and clean all the other malware on the computer.

    The sasser infection definitely impeded my diagnostics.

    HTHs
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Sasser is nice about it, "shutdown -a" would take care of it. It also warns you, it wouldn't give you a hard shutoff IIRC.

    Sloooow operation, When using IE some websites are not accessible.. and when attempting to DL some programs (like Spybot, or even doing a AV update) the system switches off..
    2/ Restarted in safe mode:
    did a quick HJT scan.. manually removed some Blaze media crap. Now started the Spybot scan. got past the initial few hundred items scanned.. had a small list of 6 or so I stopped the scan and removed components of what I had just removed.. restarted the scan.. and kept doing this until I had 200 or so items removed.. BUT Spybot scan could only reach 70% or so and the system would die.
    Sounds like memory to me?

    Try making a BartPE malware disc, put AV and adaware on it. If you still get problems, then you have identified the problem as hardware.

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Could also be the Power Supply going bad. Although it doesn't explain the coincidence of shutting down when accessing certain websites, but it's still worth a look.

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Have you run chkdsk.exe? Maybe worth a try.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Greets,

    I am yet to run any HDD test progs
    did defrag.. managed to complete
    turned off the "Automatic restart" option.. and no BSOD .. but the machine switches OFF anyhow..
    PSU is still considered.. as is RAM (and HDD)
    It also died during a run of fxgaobot tool from symantec.. but no hints of it with a quick check of the reg in safe mode.. looking for items that load with Explorer.. or load as explorer.. tried to spot something with Silent runners.. no joy there,

    Will be back in front of the machine on saturday.. so will update then..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Senior Member
    Join Date
    Feb 2004
    Posts
    122
    Do you have a firewall? it could be possible that a hacker is using a backdoor to remotely shutdown your comp.

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Do you have a firewall? it could be possible that a hacker is using a backdoor to remotely
    would have to be good.. I used the "Cable out of socket" Firewall for a few of the scans
    By this time tomorrow I should know some more..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Cable out of socket
    Fastest kill all tcp connections I know of
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  10. #10
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    I've encountered similar problems with systems infected with the W32/BLASTER virus. I couldn't update the antivirus over the web, because the system would reboot before the download or connection could be completed. Most systems gave a warning about an RPC failure, but I also encountered some systems that did not give any warnings before shutdown. You can look for entries in the event logs, stating that the shutdown was initiated by NTAuthority. (I think) Which would indicate a BLASTER infection.

    Good luck Bubba.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
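
The event-log check suggested in post #10, as an added example that is not part of the original thread: it separates shutdowns that software requested (System log Event ID 1074, which names the initiating process and account) from sessions that ended with no clean shutdown at all (Event ID 6008, logged at the next boot). It assumes the System log was exported as `time,id,source,message` lines; the records below are constructed, and `classify` and `verdict` are hypothetical helper names.

```python
import re

# Constructed sample of an exported System event log: time,id,source,message
SAMPLE_EXPORT = """\
2004-06-10 20:01:12,6005,EventLog,The Event log service was started.
2004-06-10 20:44:51,1074,USER32,The process winlogon.exe has initiated the restart of computer DESK1 on behalf of user NT AUTHORITY\\SYSTEM for the following reason: No title for this reason could be found
2004-06-10 20:45:40,6006,EventLog,The Event log service was stopped.
2004-06-10 20:47:02,6005,EventLog,The Event log service was started.
2004-06-10 21:30:09,6008,EventLog,The previous system shutdown at 9:14:02 PM on 6/10/2004 was unexpected.
2004-06-10 21:30:10,6005,EventLog,The Event log service was started.
"""

# Event 1074 message text names the process and the account that asked for the shutdown.
INITIATED = re.compile(
    r"The process (?P<proc>\S+) has initiated the (?P<action>.+?) of computer \S+ "
    r"on behalf of user (?P<user>.+?) for the following reason"
)


def classify(export_text):
    """Return (time, kind, detail) for every shutdown-related record."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        when, event_id, _source, message = line.split(",", 3)
        if event_id == "1074":  # a process requested the shutdown or restart
            m = INITIATED.search(message)
            detail = f"{m.group('proc')} as {m.group('user')}" if m else "unparsed"
            findings.append((when, "software-initiated", detail))
        elif event_id == "6008":  # previous session ended without a clean shutdown
            findings.append((when, "unclean", message))
    return findings


def verdict(findings):
    """Summarise which direction the log evidence points."""
    kinds = {kind for _, kind, _ in findings}
    if "software-initiated" in kinds:
        return "shutdown requested by software: examine the initiating process"
    if "unclean" in kinds:
        return "no shutdown request logged: test PSU, RAM and disk"
    return "no shutdown events found"


if __name__ == "__main__":
    results = classify(SAMPLE_EXPORT)
    for row in results:
        print(row)
    print(verdict(results))
```

A log that shows only 6008 entries matches the "pulling the plug" behaviour described in post #1, because a shutdown requested through the operating system leaves a 1074 record first.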
