Windows Shutdown Command Virus

[MrCameroon]

It set so that when I log into one of my PC accounts it launches the console with something along the lines as "Windows Shutdown -f"

I have booted in safe mode and looked into the startup folder but there is no BAT or dodgy files.

I have also booted in safe mode and ran anti virus scans etc.

Help

Windows 7

 

[blasc]

log in normally

now, do this as fast as you can:

- "windows" + r
- shutdown -a
- enter

so basically, press the keys "widows + R", run window appears, type "shutdown -a", press enter

this disables the shutdown process. now you can search for that darn file

if you have a password to login, before puting password, type "shutdown -a" and do a "ctrl+c" so you only need to do "ctrl+v" after the "window+r"

 

[MrCameroon]

log in normally

now, do this as fast as you can:

- "windows" + r
- shutdown -a
- enter

so basically, press the keys "widows + R", run window appears, type "shutdown -a", press enter

this disables the shutdown process. now you can search for that darn file

if you have a password to login, before puting password, type "shutdown -a" and do a "ctrl+c" so you only need to do "ctrl+v" after the "window+r"

Problem is, its absolutely instant.. It was so fast to the point I had to record the screen to see what came up in the console.

 

[blasc]

in safe mode

windows + r -> "msconfig" -> startup

check if there is anything out of ordinary.

Also, malwarebytes is a good software to run while on safe mode.
https://www.malwarebytes.org

 

[blasc]

other thing you can do in safe mode, is creating a batch file that runs "windows -a" command on startup 😀 lol

Edit: i just searched for your problem and found a guy that had a faulty keyboard, that would make windows shutdown on startup... lol wtf? xD you could try that...

 

[MrCameroon]

other thing you can do in safe mode, is creating a batch file that runs "windows -a" command on startup 😀 lol

Edit: i just searched for your problem and found a guy that had a faulty keyboard, that would make windows shutdown on startup... lol wtf? xD you could try that...

Nah, I downloaded a dodgy file and either I now have a RAT in my PC or the file created a file on my PC..

 

[little_me]

windows can also store things to be run in multiple places in registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

but all of those should be visible in msconfig.