Computer runs shutdown command prompt on startup, possible virus?
thefadedline
Manchester, England
Hi all. I've decided to use this forum for help as my dad (bothered) uses it regularly.
Briefly, something has completely filled my C: drive in the space of 6 hours and a shutdown command prompt appears on every startup.
I'll try to be as descriptive as possible without making it too long or boring, but I would appreciate any help I can get.
My C: drive is around 75gb and I was using just around 40gb as of this morning. I left my PC running when I went to work. When I got home, there was a balloon in the lower right corner which read: You are running very low on disk space on C. To free space on this drive by deleting old or unnecessary files, click here.
I thought this was odd as I knew I had at least 35gb of free space, so I checked the drive properties and it told me I had just 3mb space left. I really didn't understand this, so decided to restart, hoping this would sort it. When my computer restarted, a few error windows popped up, informing me that various applications could not start as the system was shutting down.
Then, a command prompt screen appeared, with the command: C:\Documents and Settings\Administrator>shutdown -s -t -2 repeating itself over and over at a rapid speed, with the title of this command prompt window being c:\windows\system32\cmd.exe. Then, the computer shuts itself down.
This happens on every restart. This last time, I managed to cancel the command prompt by very quickly clicking the cross in the right corner almost as soon as it appeared, not giving it a chance to run itself.
I have deleted a few files and freed up around 400mb. This appears to be enough to stop the 'Low disk space' balloon from appearing, but I really want to know what has used my free 35gb space up in just one day, without my knowledge. And I wanna fix it.
Also, I have tried running a system restore, but my computer has no system restore dates, other than my last startup. I don't understand this either as I've had system restore active over the last week as I've had my C: drive formatted and I've installed a lot.
I've ran scans on AVG Free/Spyware, Avast and Trend Micro HouseCall. Trend Micro found '2 Infections' and is currently in the process of removing them.
Any help will be greatly appreciated.
Thanks in advance,
Matt.
Briefly, something has completely filled my C: drive in the space of 6 hours and a shutdown command prompt appears on every startup.
I'll try to be as descriptive as possible without making it too long or boring, but I would appreciate any help I can get.
My C: drive is around 75gb and I was using just around 40gb as of this morning. I left my PC running when I went to work. When I got home, there was a balloon in the lower right corner which read: You are running very low on disk space on C. To free space on this drive by deleting old or unnecessary files, click here.
I thought this was odd as I knew I had at least 35gb of free space, so I checked the drive properties and it told me I had just 3mb space left. I really didn't understand this, so decided to restart, hoping this would sort it. When my computer restarted, a few error windows popped up, informing me that various applications could not start as the system was shutting down.
Then, a command prompt screen appeared, with the command: C:\Documents and Settings\Administrator>shutdown -s -t -2 repeating itself over and over at a rapid speed, with the title of this command prompt window being c:\windows\system32\cmd.exe. Then, the computer shuts itself down.
This happens on every restart. This last time, I managed to cancel the command prompt by very quickly clicking the cross in the right corner almost as soon as it appeared, not giving it a chance to run itself.
I have deleted a few files and freed up around 400mb. This appears to be enough to stop the 'Low disk space' balloon from appearing, but I really want to know what has used my free 35gb space up in just one day, without my knowledge. And I wanna fix it.
Also, I have tried running a system restore, but my computer has no system restore dates, other than my last startup. I don't understand this either as I've had system restore active over the last week as I've had my C: drive formatted and I've installed a lot.
I've ran scans on AVG Free/Spyware, Avast and Trend Micro HouseCall. Trend Micro found '2 Infections' and is currently in the process of removing them.
Any help will be greatly appreciated.
Thanks in advance,
Matt.
0
Comments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:24, on 06/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [JavaStartUpdate] "C:\Windows\SoftwareDistribution\Datastore\Logs\edb0002.bat"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196383735453
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
--
End of file - 7291 bytes
Nothing that I can think of. My computer was formatted last week and the only things I have reinstalled are programs I have on discs (Cubase, various games, etc) and a few downloaded programs (such as MP3 management tools, Winamp, etc). However, I haven't installed anything within the last 3 days, and this problem started up within the last 24.
Is there a way to turn off this automatic command? There must be something, somewhere, telling it to do this.
I think a file has been mass-duplicated or something, as I don't understand how I lost 35gb of space in 6 hours, against my knowledge. I also don't know where/what all of this extra data is.
I cannot turn my computer off as bypassing the command the last time was such a pain and took around 10 attempts/restarts. So it's more of a case of I don't want to go through that hassle again.
Helllp.
Okay, thank you for your help so far.
Anyone?
Just a little more info for you here: I just installed and ran a program called SequoiaView which analyses your system. From here, I can see a file called Mswnsk95.chm located in the directory C:\WINDOWS\Help\.
The size of this file is 30gb. The date under 'Date Modified/Created' is December 5, 2007, 9.51pm. Both of these factors seem consistent with my problem.
I have browsed both my dad's and my brother's computers and cannot locate this file on either.
Could this be a/the source of my problem?
I'll do a little 'Googling' on Mswnsk95.chm.
Thanks guys.
*Update*
A Google search retrieves nothing what-so-ever. I have just deleted the file and am about to restart my computer. I will post again in a few moments letting you know how this goes.
*Update 2*
Deleting this file didn't seem to fix the shutdown command I am getting on startup. Just had to physically place a plasticine marker on my monitor over the 'x' of the command prompt so I could keep clicking there to bypass it on the next startup!
The file, however, does seem to be the one that was taking up all of my space as I now have 33.7gb of space again and I am not noticing any problems as of yet. But as I said, a Google search retrieved nothing and the file was not present on either my dad's or my brother's computers.
So now, I need to fix this damn shutdown command prompt.
Thanks for the help so far. I will end my mass-waffle... now.
*EDIT -I think you are running two antivirus programs (Avast & AVG) you should only ever have one installed on your PC at any one time, this may not be the source of your problem, but it will cause you grief sooner or later***
First thing I would do is a Disk Cleanup in case it's your temp files. Click Start button - All Programs - Accessories - System Tools - Disk Cleanup.
Also, if you un-hide your hidden files and go looking for which files are clogging your system, this might give you a further clue to the source of the problem. (If you need instructions on "Showing hidden files" post back I will write it out for you step by step.)
If you want to take control of your Windows Start Up items click on your Start button, then the Run button and type in "msconfig" (without the quotation marks) and click OK.
This will open a window with 6 tabs along the top. Click on the tab to the far right that says "Startup". Here you can untick items that you don't wish to have starting up as soon as Windows starts, however I don't think this is the problem in this particular case. Please don't tick anything you are not sure of, as there are programs that must start on reboot.
I personally think you have a virus. So if these steps don't help, give the Spyware forum a whirl. They are busy over there but extremely helpful (unlike the previous poster - TrinityX- dude if you've nothing helpful to say just go to bed.............)
I will post a copy of my thread in the Spyware forum shortly. However, my main aim as of now is to disable/remove this shutdown command prompt which keeps appearing at every restart and I feel that issue belongs in this forum as it is affecting startup heavily.
I noticed various users saying you should only ever have one antivirus installed whilst trying to find other threads about similar problems and have since uninstalled Avast.
I have had a look through the startup processes and those I don't recognise I have listed below and Googled.
"C:\WINDOWS\SoftwareDistribution\Datastore\Logs\edb0002.bat" - couldn't really find any information on this, except for in a couple of Polish user forums. No help there then.
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t - I've been told this is rooted in 'Common Files' and has something to do with Java updates, but I'm not sure about the '-t' at the end of it. What does this mean? Forgive my naivety!
Other than these, I can't really see anything that odd. Everything else relates to a program I have installed or various drivers.
I'm going to disable both of these startup processes and try a restart. I have also disabled a bunch of processes for a few programs (Real Player automatic updates, etc... nothing important).
I'll be back shortly to let you know what happens.
Thanks again mate.
The computer managed to start without the need of rapid clicking at 'point x', literally. In other words, the shutdown command didn't appear this time. System Configuration Utility appeared, informing me I'd made changes to the way Windows starts but I'm gathering that this is normal.
I'm just going to perform another restart to make sure it wasn't a fluke. Back again shortly.
*Edit*
2 restarts in a row with no hassle. The joy! So I'm guessing the problem lay within one of these processes? I'd still like to, in some way, figure this out with Icrontic's help, if I may.
Here's a list of everything I disabled:
edb0002.bat - unknown file
dwtrig20.exe -t - possibly Java-related, has since disappeared from the startup processes list
NeroCheck.exe - Nero burning ROM update check
QTTask.exe - Quicktime update check
SaiSmart.exe - Gamepad profiler application
jusched.exe - Java update check
winampa.exe - Winamp application
LASTFM~1.exe - Last.fm application
Currently in a good mood. I'll go to work happy now, unlike yesterday...
Please don't untick anything unless you know what it is for though.......it could result in further disaster.
BTW - I have done some research into the file you spoke about with the file extension .chm
I believe this is a kind of compessed file (like a zip file) which still lends itself towards a potential virus..........
Bat files are dos commands. That was what was causing your problems.
Glad to hear you're sticking around, might catch you in the "pub" one day.....
That's exactly what I'm doing
So Icrontic is doing baby sitting now? Only joking, he's 20
I didn't know anything about this as the shifts we're on means we haven't seen each other for a couple of days. Thanks for all the help guys. As I keep telling people 'any PC probs go to Icrontic, the folks there will really help out', I've been proved right again.
ihope this has helped.i will post more as they become available to me..dont forget both browsers even if you never use one ok..cool im glad your sorted:Dbe cool my man ..laterz
thefadedline- I am glad you've got your machine going. I really suggest you visit our spyware & virus removal forum and follow the procedure here and post your HJT log- just to make sure you have nothing dormant, latent or going on in backgroud. The advice in that forum really helps defend you from future attack. It is really one of the best forums you can find on the matter.
That said, I think you've done a a very good job of running down your issue.
C:\WINDOWS\SoftwareDistribution\Datastore\Logs\edb 0002.bat
in notepad and post its contents.
ste
when you go out with firefox or explorer these seemingly innocent addresses attach themselves to your browser and come back with you and start then to infect your system and start dialing out using your connection to the web:sad2:so what i want you to do is open your browser ,go to tools and to options,for exploreer go to security ,then restricted sites,and put every one in the block these sites list,ok?after do the same with firefox,tools ,options,privacy,then exceptions,and do the same listas these are the ways they can enter your system[through your browser]:)when i get the more up to date sites i will pass them onto you,ok?great stuff.if you need me,say the qeldroma does not work out,you know where i am,ok:D
I deleted the file a week ago, sorry.
Sorry... have you even read the thread? I'm baffled by your post.
First thing I would like to know is why you put these dangerous links here in the first place, (though I think I understand you are trying to give thefadedline some preventive measures to protect his browsing ??!! right)or do some infecting yourself:confused2 perhaps? {if not then ignore}
Secondly, and if the answer is yes I apologize - but I am assuming that English is not your first language - your post is an "experience" to decipher.
No offense to deadlock-777, but I would Ignore his posts and do as you are doing thefadedline, follow the advice given by Qeldroma and work with the excellent Icrontic Anti-Spyware/Anti-Virus/Anti-Malware team we have here.