Malware shutting down computer

Ok here is the scoop.  I have a client (Windows 7, 4 gig ram) who got a pop-up going to CNN.  It looked like a scary Windows warning and they clicked on it before they had time to think.  It started "Scanning" and they realized what they had done. They immediately did a hard shutdown of their computer hoping to stop the problem.  Well it didn't.  The computer started randomly shutting down about every 3 to 4 hours and not yet when they have been around.

I did a clean of the computer with Combofix and the ESET online scanner.  They seemed to get everything but Combofix took about 20 minutes longer than usual.  On reboot just about every key was "Marked for deletion"  so I could not get to the internet or anything.  I did another reboot and the computer seemed to work fine but it is still rebooting about every 3 or 4 hours and this user still has not seen it happen.

What would you recommend besides a full re-install to fix the problem?  I will be taking the computer home for a few days repair come Wednesday and would like to know if it is hopeless to find the issue (saw nothing in windows logs).

Thank you
Sean MeyerAsked:
Who is Participating?
nobusConnect With a Mentor Commented:
rebooting several times can have cured it
MikeConnect With a Mentor IT ManagerCommented:
System restore comes to mind.

I also suggest running MalwareBytes.
X-treemConnect With a Mentor Commented:
check scheduled taskss
run tdskiller (and MBAM)
use autoruns to see what programs start up and disable them to eliminate the source
check eventvwr
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

RyanConnect With a Mentor Project Engineer, ElectricalCommented:
I've had good luck with MalwareBytes and MSSE when run in safemode for Win 7.  Also be sure to scan any external drives that may have gotten infected.

If you do identify the problem specifically, CNN's webmaster should be notified.

Online scanning of an infected computer has never been a great idea. You should download some offline scanner, maybe this one
Afterwards, you should consider what "security" means to you. Are you secure/clean if some (any) scanner says you are? No, of course not, but you might be. decide for yourself if you will keep that infected pc running. To be secure, I would use a backup.
Frosty555Connect With a Mentor Commented:
Also - and this might sound stupid - doublecheck that the computer's Power Options are NOT set to put the computer into standby or hibernation after a few hours. You'll smack yourself if it turns out the problem was just a simple configuration setting that got reset.
younghvConnect With a Mentor Commented:
Start with the basics and work your way through the steps.

Most current variants of malware make it a waste of time to "run scanners". You have to run a rogue process stopper before the scanners can do their job.

Details in these EE Articles: Rogue-Killer-What-a-great-name Stop-the-Bleeding-First-Aid-for-Malware

Both "RogueKiller" and and "TheKiller" have menu options and/or auto-functions that will clean some of the symptoms you describe.

Please be sure to post the logs of any tools/scanners you use.

Based on what the logs show, we can make other recommendations.
nobusConnect With a Mentor Commented:
try this :
 download the windows offline defender

follow the guide to make the cd - boot form it, and when it starts running; stop it, and select FULL scan - let it run
it takes more than an hour, and the reboot takes also long - but everything was fine then !
Does the Windows shutdown happen gracefully or is it like someone pulled the plug?
Any error messages before the shutdown?

I would check that all the fans, CPU, power supply, case, are working and the vents aren't clogged. Maybe the system is overheating and shutting itself down.
I would check that all the fans, CPU, power supply, case, are working and the vents aren't clogged. Maybe the system is overheating and shutting itself down.

Good suggestion!
Scott ThompsonComputer Technician / OwnerCommented:
Again, sorry alanhardisty.  New to answering questions and jumped the gun.  RootsMan has a good idea with cleaning the inside of the computer.  One more thing I would recommend is CoreTemp.  This is a program that can monitor the temperature of the computer to see if the system is overheating as RootsMan is wondering.
Sean MeyerAuthor Commented:
Going to be a bit before I can close this out.  User does not want me to grab the computer for any thing not at their home yet.  

It was not the power settings.  Computer is 4 months old and the home is very clean.  Should be no problems with the inside of the computer. The problem did not start happening until the user encountered the malware.
younghvConnect With a Mentor Commented:
ArmyGroo -

I only found this a couple of days ago, but it comes highly recommended and has kicked some serious butt for me yesterday and today.

Give it a try - download to CD or USB stick and it will boot from either:

"Emsisoft Emergency Kit 2.0" 

Ooh Rah and Semper Fi!
Sean MeyerAuthor Commented:
User finally giving me access to the computer this Friday.  I will be running the tests over the weekend.  Thank you for all the recommendations.
Sean MeyerAuthor Commented:
Ok I have run all the programs and also some on links within the links and we still have a problem.

Combofix looks to fix the problem but after a few reboots/length of time my homepage (Google) is still broken.  It does not redirect anywhere but it does go to a blank page and says it cannot be found.  

HRM.... after running GMER (which said it found nothing) it is running correctly. I had also let it sit overnight.  Going to reboot a few more times and see what happens.
Sean MeyerAuthor Commented:
Ok let me give a detailed post as to what has been done and what is happening.

First off the original issue looks to be a non-issue.  I believe the monitor going into powersaving mode is making the user believe that the computer is "turning off". However there is an issue with their homepage -  When I try to go to their homepage it says it can not reach the page.  When I input other addresses...,, they resolve fine.

I have checked and replaced the hosts file and checked for proxy settings but they are ok.

I have run every scan in the links provided with the following results -

Windows Offline Defender -
Found 1 file in a temporary interent location.  It cleaned the file.

CCleaner -
Since there was a file in a temp location I used ccleaner to clean all of them out.

RougeKiller -
Found 3 registry entries dealing with hiding files. Let it clean the files.

Found nothing

MalwareBytes -
Clean bill of health

ComboFix -
Found nothing but upon rebooting there was no problem going to as their homepage.

A few more reboots and time saw the problem happening again.  Then I let it sit for a few hours and when I checked again it was not having the problem. I did nothing in between not working and working.

I have checked dns information and it is all pointing to valid addresses.  
Other computers on the network have no issues resolving
Sean MeyerAuthor Commented:
And further data ... rebooted and has the issue of not finding google again.

Before I opened internet browsers I opened a command prompt and did a ping and received an instant four replies.

I then open the interent browser and I get an HTTP 400 Bad Request.  Other sites work fine.

Flushdns does not help either... and work.

30 minutes after boot it now works.  I did nothing.
Sean MeyerAuthor Commented:
Doing all teh scans and many reboots cleared the pc.
tx for feedback
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.