  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 543

Need Help! Shutdown.exe under System32 keeps shutting down PC

Hello all. OK, I had to delete this stupid program on my PC that was causing my PC to shut down. I think it was a virus. So I cleaned up a bunch of things and deleted what I found to be the registry keys etc. Last night, after deleting things, I restored the shutdown.exe in my System32 directory. What was happening today was that every time the PC would load up Windows, even in safe mode, it was turning my PC off. So I went into Command Prompt Safe Mode and deleted the Shutdown.exe again. What I need to find is what the heck is calling that Shutdown.exe even when I am going to safe mode. Right now it is completely deleted off my PC; I should have just renamed it. Is Shutdown.exe supposed to be in the System32 directory? Any idea where I can find what on Windows startup is calling that? Thanks all
sbornstein2
Asked:
 
Rob Williams Commented:
Yes, Shutdown.exe is usually in the system32 directory.
Are you sure this is the application that is shutting down the computer? The Sasser worm will generate a message to do with LSASS and that the machine will shut down in X seconds. If this is the case, see the following link for details and a removal tool. Also, when complete, install all Windows updates to eliminate future problems.
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
 
sbornstein2 (Author) Commented:
No, you are correct, it is not. I just had it happen again so it's not the Shutdown.exe. Next time I restarted. Also what I did yesterday was run regclean tool. What I just had to do again was go to safe mode and run the undo reg clean file I had. Went in regular again and got in again. Not sure if that is going to fix it or next time again I have to first go in to Safe Mode with Command Prompt then in again. Any idea what I can look for? I don't think it's that worm. Is there some file I can look at that shows the steps it runs on Windows startup?
 
Rob Williams Commented:
Make sure it is not the worm. There are numerous versions of it and it is a VERY common problem. Wouldn't hurt to run the tool.

As for inspecting services at boot time, normally you might use MSConfig, but it is not installed on Windows 2000.
However, you can use the XP version (as per http://www.jsifaq.com/subI/tip4200/rh4221.htm ). With that you could disable as many services or applications as possible from starting at boot. See if the problem disappears, and if so start re-enabling until you find the culprit.
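
The question of what launches a program at Windows startup can also be checked directly against the registry autostart locations that MSConfig displays. The following is an added example, not part of the original thread or any poster's code: it parses the text of a registry export (.reg file) and lists the Run, RunOnce and Winlogon entries, optionally filtered by executable name. The sample export, the value name "cvpd" and its path are constructed for illustration, and only plain string values are decoded.

```python
import re

# Registry keys whose values Windows runs at boot or logon (matched by suffix).
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows nt\currentversion\winlogon",
)
WINLOGON_VALUES = {"shell", "userinit"}  # Winlogon values checked here; others ignored

def autostart_entries(reg_text):
    """Yield (key, value_name, data) for autostart values in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: remember the current key
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue                  # header line, blank line, or continuation
        lowered = key.lower()
        if not any(lowered.endswith(k) for k in AUTOSTART_KEYS):
            continue
        name = m.group(1).strip('"')
        if lowered.endswith("winlogon") and name.lower() not in WINLOGON_VALUES:
            continue
        # .reg files escape backslashes in string data; undo that.
        data = m.group(2).strip('"').replace("\\\\", "\\")
        yield key, name, data

def entries_launching(reg_text, exe_name):
    """Autostart entries whose command line mentions exe_name (case-insensitive)."""
    return [e for e in autostart_entries(reg_text) if exe_name.lower() in e[2].lower()]

# Constructed sample export (not taken from the poster's machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"cvpd"="C:\\WINNT\\system32\\cvpd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"DefaultUserName"="user"
'''

if __name__ == "__main__":
    print(entries_launching(SAMPLE, "cvpd.exe"))
```

An entry that reappears after being deleted indicates that another process is rewriting it, so the export is worth repeating after each cleanup step.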
sbornstein2 (Author) Commented:
I'm running that now. Any idea where I can get that shutdown.exe now, because I deleted it from the command prompt?
 
sbornstein2 (Author) Commented:
Also starting to back up all my files to CD while at least I am getting on at this time.
 
sbornstein2 (Author) Commented:
Any idea what cvpd.exe is?
 
sbornstein2 (Author) Commented:
I actually have the msconfig; I installed something a while ago, so I remembered I could get that up from this PC. So I see something called cvpd.exe that I deleted from system32. I think it's also one of the virus exes that was actually recreating another exe each time if one did not exist that it found.
 
sbornstein2 (Author) Commented:
Sasser worm not found, so that's good.
 
sbornstein2 (Author) Commented:
Just did the shutdown again and it went to the screen "It is safe to turn off your computer" again. Then first time to command prompt it came up, so I thought I was totally screwed. Then this time for some reason it took and got past the starting Windows and I am on again.
 
Rob Williams Commented:
No idea what cvpd.exe is. It doesn't show up in a search either.

You can copy the shutdown.exe from another system32 folder, use the extract command to get it from your CD, use sfc /scannow to replace/repair all missing or damaged Windows files, it should also be in the C:\WINNT\ServicePackFiles\I386 folder, or download from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/shutdown.exe

You might want to try a full virus scan by an online service in case your local system has been compromised:
http://www.symantec.com/techsupp/home_homeoffice/index_virus.html
 
Rob Williams Commented:
Thanks sbornstein2,
--Rob