
Hard Shutdown



#1 NobleTruths

    Advanced Member

  • Helper Trainee+
  • 168 posts

Posted 17 March 2010 - 10:00 AM

Something that has made intuitive sense to me may not be true or logical, so I thought I would ask the experts here. FYI, I have searched this, and found conflicting opinions. Naturally, I figured you all would know best.

So, the other day, a family member clicked a bad link and invited AV2010 onto the computer. I did a Hard Shutdown within one minute of its initial pop-up "You Are Infected" message. I cleaned the computer successfully (Boot Safe Mode, Last Known Good Configuration, Restart Safe Mode, cleaning tools, Restart Normal, more tools... all clean :thumbup: ).

My (?faulty?) logic is that a Hard Shutdown will terminate any further progression of the infection by not allowing the malicious code to "complete" during a Normal Shutdown. And that a Hard Shutdown will limit saving the changes to the Registry.

Is this thinking correct, or should one do a Normal Shutdown because "what is done, is done"?

Edited by NobleTruths, 17 March 2010 - 10:58 AM.

NO AMOUNT OF ENLIGHTENMENT
CAN ALTER THE WAY THINGS ARE.
IT IS OUR PERCEPTIONS,
NOT THE WORLD ITSELF,
THAT MUST BE TRANSFORMED.

#2 cnm

    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 17 March 2010 - 10:58 AM

Hard shutdown: Turning the computer off with its ON/OFF switch or unplugging it from the electric supply.

This would abort any download, of course, but if keys have been added to the Registry and/or a Service installed, those will survive a hard shutdown and will be there on a subsequent normal boot.

Booting in Safe Mode and cleaning up was the right thing to do as any malicious programs or Services will not run in Safe Mode. And the ongoing installation will not complete in Safe Mode.

I myself would have done a System Restore with a Restore Point that was made before the incident. "Last known good" does approximately the same thing but you have less control over what day you return to. Restoring from a disk image would be even more ideal.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#3 NobleTruths


Posted 17 March 2010 - 11:16 AM

So immediate Internet disconnect is wise, I can see. OK, "what is done, is done." However, are there other Registry changes and Services installed that may be aborted by doing a Hard Shutdown?

I apologize for the wrong language, I did do System Restore. I also had a disk image to use (Acronis True Image is great), but it was not very recent :blink: , so I went the cleaning route.

#4 cnm


Posted 17 March 2010 - 11:27 AM

Hard shutdown will immediately disconnect internet and stop the CPU from doing anything. :)

What you are wondering about is what happens when you turn the computer back on. Power off didn't remove any autostarts. The main consequence of a hard shutdown is the loss of any files that were open for writing at the time. This would include incomplete downloads. It might include incomplete Registry edits, but those take only a few milliseconds at most, so chances are that they were completed.
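
The replies above say that Registry autostarts and installed Services survive a power-off, while files that were still open for writing may be lost. The following PowerShell check for that state is an added example, not part of the original thread: it lists Run/RunOnce values and auto-start services whose target file is newer than the incident or is missing. `$IncidentStart`, the choice of Run keys, and the helper `Resolve-ExePath` are assumptions of this example.

```powershell
# Added example, not from the thread. $IncidentStart is an assumed value:
# set it to shortly before the bad link was clicked.
param([datetime]$IncidentStart = (Get-Date).AddHours(-24))

function Resolve-ExePath([string]$Command) {
    # Hypothetical helper: extract the executable from a command line such as '"C:\x\a.exe" /s'.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Collect Run/RunOnce values and auto-start services as (Source, Name, Command).
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
})
$entries += Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
}

# Report entries whose target is newer than the incident, or is not on disk.
foreach ($e in $entries) {
    $path = Resolve-ExePath $e.Command
    $file = $null
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $file = Get-Item -LiteralPath $path -Force
    }
    $status = $null
    if (-not $file) { $status = 'target not found' }
    elseif ($file.CreationTime -ge $IncidentStart -or $file.LastWriteTime -ge $IncidentStart) {
        $status = 'new since incident'
    }
    if ($status) {
        [pscustomobject]@{ Status = $status; Source = $e.Source; Name = $e.Name; Command = $e.Command }
    }
}
```

Entries that name a program without a full path also show as "target not found", so treat that status as a prompt to look at the entry, not as a verdict.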



