What is ShutDownTime?
The Malwarebytes research team has determined that ShutDownTime is a hosts file hijacker and part of an adware bundle. These adware applications display advertisements not originating from the sites you are browsing.
This one replaces your hosts file.
How do I know if my computer is affected by ShutDownTime?
You may see these entries in your hosts file:
How did ShutDownTime get on my computer?
Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.
How do I remove ShutDownTime?
Our program Malwarebytes can detect and remove this potentially unwanted program.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes ShutDownTime completely.
- This adware replaces your hosts file, so if you were using a protective hosts file, you may have to re-install it.
We hope our application and this guide have helped you eradicate this adware.
As you can see below the full version of Malwarebytes would have protected you against the ShutDownTime adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
The web protection module also blocks their domain:
Technical details for experts
Possible signs in FRST logs:
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt 127.0.0.1 cpm.paneladmin.pro 127.0.0.1 publisher.hmdiadmingate.xyz 127.0.0.1 distribution.hmdiadmingate.xyz 127.0.0.1 hmdicrewtracksystem.xyz 127.0.0.1 linkmate.space 127.0.0.1 space1.adminpressure.space 127.0.0.1 trackpressure.website 127.0.0.1 doctorlink.space 127.0.0.1 plugpackdownload.net 127.0.0.1 texttotalk.org 127.0.0.1 gambling577.xyz 127.0.0.1 htagdownload.space 127.0.0.1 mybcnmonetize.com 127.0.0.1 dscdn.pw 127.0.0.1 beautifllink.xyzChanges made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Windows\System32\drivers\etc Alters the file hosts 6/10/2009 11:00 PM, 824 bytes, A ==> 8/23/2017 11:10 AM, 1258 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tschmna] "state"="REG_SZ", "succed" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tsckmna] "state"="REG_SZ", "succed" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{24F5E422-6A70-4FAA-8CAD-E23D5DC1DAE6}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD0688A5-FC8B-4E93-A485-CBF606A56D49}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchy]Malwarebytes log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/23/17 Scan Time: 11:31 AM Log File: mbamShutDownTime.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2643 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321878 Threats Detected: 3 Threats Quarantined: 3 Time Elapsed: 1 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Searchy, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{24F5E422-6A70-4FAA-8CAD-E23D5DC1DAE6}, Delete-on-Reboot, [7049], [415599],1.0.2643 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 Adware.Tuto4PC.Generic, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-GDIEB.TMP\KLM52.EXE, Delete-on-Reboot, [1301], [414802],1.0.2643 Adware.Tuto4PC.Generic, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-QK839.TMP\KLM52.EXE, Delete-on-Reboot, [1301], [414802],1.0.2643 Physical Sector: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention