Virus Restarting Windows Before it can be Scanned

Posted on 2012-08-27
Last Modified: 2013-12-06
Hi Experts,
I have a PC that has a virus that keeps rebooting the PC.
Windows 7 Pro

You are about to be logged off.
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.

I've tried safe mode and safe mode with command line and both shut down.

Then it downs the PC. Have about 2 minutes to do anything before it goes down.
I killed some of the processes with HijackThis.

Security Essentials keeps popping up but the system goes down before it can remove them.
Virus: Win32/Sirefef.R

A USB drive does not get recognized soon enough but a CD will.
I've burned a CD & dragged several programs over to try but none of them have enough time to finish.
ComboFix: made it through creating a restore point and started to scan.
Rootkit Buster

I can run HijackThis and have attached the log.
Question by:sgt_best

    Expert Comment

    by:Ess Kay
    restart in safe mode with no networking

    Taskmanager - close all processes

    run STOPZILLA!
    and superantispyware

    also, if it doesn't go through the shutdown process, perhaps it is just overheating quickly.

    Accepted Solution

    You can try running one of the rogue process stoppers during that interval before shut down. If that doesn't work, you may have to resort to a "Boot CD".

    Rogue process stoppers described here: Rogue-Killer-What-a-great-name
    and here: Stop-the-Bleeding-First-Aid-for-Malware

    Boot CDs that may work:

    @esskayb2d -
    In the original question, the asker says that "Safe Mode" doesn't work.

    Expert Comment

    by:Sudeep Sharma
    The advice above from Younghv would work for you.

    I suggested the same steps to one of the users and that worked for him; see the links below as proof.

    Expert Comment

    please use Malwarebytes MBAM and, after starting the system, go to the command prompt and keep it open, and type shutdown -a. When you see that any shutdown is initiated, run the shutdown -a command in your command prompt so your system shutdown can be aborted, and in the meantime keep on running MBAM.
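    The advice above relies on typing shutdown -a by hand inside the one-minute window. As an added example (not from this thread or any of the tools named in it), the script below automates that: it re-issues the abort every second for a set period and, in the same loop, reports the System log Event ID 1074 entries, which name the process that requested each shutdown, so you can see what is tripping the restart while the scanner works. Run it from an elevated PowerShell prompt; the duration parameter is an assumption of this example.

```powershell
# Added example: shutdown watchdog for a machine whose malware keeps forcing a
# restart. Aborts any pending shutdown every second and lists who asked for it.
param(
    [int]$Seconds = 900   # assumed: how long to keep the watchdog running
)

$deadline = (Get-Date).AddSeconds($Seconds)
$seen = @{}   # event RecordIds already printed, so each 1074 entry is shown once

while ((Get-Date) -lt $deadline) {
    # shutdown /a cancels a pending shutdown. When nothing is pending it prints
    # an error and exits non-zero, so only log the cases where it actually aborted.
    & shutdown.exe /a 2>$null
    if ($LASTEXITCODE -eq 0) {
        Write-Host ("{0:HH:mm:ss} aborted a pending shutdown" -f (Get-Date))
    }

    # Event 1074 (source User32) records the process path and the user that
    # initiated a shutdown/restart; the first line of the message carries both.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if (-not $seen.ContainsKey($e.RecordId)) {
            $seen[$e.RecordId] = $true
            $firstLine = ($e.Message -split "`n")[0].Trim()
            Write-Host ("{0:HH:mm:ss} shutdown requested: {1}" -f $e.TimeCreated, $firstLine)
        }
    }

    Start-Sleep -Seconds 1
}
```

    The same 1074 entries can be read offline from a boot CD with Get-WinEvent -Path against the copied System.evtx, which is useful when the machine never stays up long enough to run the loop.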

    Author Comment

    I had a Linux boot CD that the PC stayed up on so I know it is not hardware shutting it down. Also, the research I've read on this virus is consistent with the 1 minute warning although the time varies. Sometimes you don't get a desktop, only the warning, but most times I have about 2 minutes. Safe mode with or without networking & command prompt are the same.
    RogueKiller doesn't finish. Is there a particular # in RogueKiller to use?

    Will SUPERAntiSpyware or STOPzilla be any different as far as how quickly they identify and stop the rogue process?

    I thought the boot CD is probably the least video game like of my choices.

    I downloaded Windows Defender Offline and made a CD on another PC. It scanned and found the same two viruses and it chose to remove one and disinfect the other, but on reboot it came back. Since it started with a quick scan, I am now repeating with a full scan to root out any Easter eggs...

    Author Closing Comment

    Full scan with Windows Defender Offline found more instances of the same viruses and I chose to remove rather than disinfect. Worked. Virus is gone but can't turn on Windows Firewall.
    Windows Firewall cannot change some of your settings. Error code 0x80070424.
    Back to the knowledge base.
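    Error 0x80070424 is the HRESULT form of Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST: the firewall UI is asking for a service whose registration is gone. As an added example (not part of the original thread), this check lists whether the services behind Windows Firewall and the security centre are still registered, using WMI so it also works on Windows 7's PowerShell 2.0; the service names are the standard Windows ones.

```powershell
# Added example: find which Windows security services are missing after cleanup.
# 0x80070424 = ERROR_SERVICE_DOES_NOT_EXIST (1060), so a missing entry here is the
# direct cause of "Windows Firewall cannot change some of your settings".
$required = @(
    @{ Name = 'BFE';       Desc = 'Base Filtering Engine' }
    @{ Name = 'MpsSvc';    Desc = 'Windows Firewall' }
    @{ Name = 'wscsvc';    Desc = 'Security Center' }
    @{ Name = 'WinDefend'; Desc = 'Windows Defender' }
)

$missing = @()
foreach ($svc in $required) {
    # Win32_Service exposes State (Running/Stopped) and StartMode (Auto/Manual/Disabled)
    $wmi = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    # The registry key is where the service control manager keeps the registration;
    # its absence is what produces error 1060 when something tries to start the service.
    $regKey = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $svc.Name
    $regPresent = Test-Path $regKey

    if ($null -eq $wmi -and -not $regPresent) {
        Write-Host ("MISSING   {0,-10} {1}: registration deleted" -f $svc.Name, $svc.Desc)
        $missing += $svc.Name
    } elseif ($null -eq $wmi) {
        Write-Host ("BROKEN    {0,-10} {1}: registry key present but SCM does not know it" -f $svc.Name, $svc.Desc)
        $missing += $svc.Name
    } else {
        Write-Host ("{0,-9} {1,-10} {2}: start={3}" -f $wmi.State, $svc.Name, $svc.Desc, $wmi.StartMode)
    }
}

if ($missing.Count -gt 0) {
    Write-Host ("Services to re-register before the firewall can be enabled: {0}" -f ($missing -join ', '))
}
```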
