
NT AUTHORITY System Shutdown Message


10 replies to this topic

#1 Rutt Roh

Rutt Roh

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 08 January 2009 - 06:58 AM

i posted already in the "Am I Infected?" subforum here so you can get an idea of what i've done and the moderator told me to post here now... here's a link to my previous post for your review: http://www.bleepingcomputer.com/forums/t/193201/not-sure-what-i-have/

i have windows XP pro and basically, when i try to LAN a game with my brother (who lives in a different state than me) using Hamachi i get booted to my desktop in the middle of the game with a system prompt indicating that my system will need to shut down and restart in 60 seconds. Hamachi is a program that creates a VPN, which makes it seem as if i'm directly connected with my brother's computer through a router so that we're able to LAN.

if you read the link i've provided, i've done multiple scans for malware and viruses but i was told it doesn't seem like they're issues now. i seem to only get that NT AUTHORITY system shutdown message when i'm LANing with my brother and randomly during the middle of the game. i'm able to access and surf the web fine without any trouble and my computer doesn't have that shutdown message if it's left alone either... just when i'm LANing with my brother.

the issue is that i've LANed with my brother with the same game for a while using this Hamachi program and never had any issues like this before. i haven't gone to any weird questionable sites or installed any questionable programs either recently so i don't know what the problem is.

some people were telling me that maybe the problem is coming from my brother's computer (because we were connected via the Hamachi client)? i'm not sure... but then why would MY computer restart and not his?

any help is greatly appreciated!!

Edited by Rutt Roh, 08 January 2009 - 07:06 AM.




#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:03:17 AM

Posted 08 January 2009 - 09:40 AM

The automated shutdown message comes because something critical for Windows operations has terminated. As such, Windows can't keep running - so it shuts down on you.

The first step would be to check your Event Viewer for errors around the time that it shut down.
To do this, go to Start...Run...and type in "eventvwr.msc" (without the quotes) and press Enter.
Click on the System log in the left hand pane, then scroll down the right hand pane looking for errors around/just before the shutdown.
Then do the same thing for the Application log file.

Post back with the results and we'll move on from there.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 55,870 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:17 AM

Posted 08 January 2009 - 09:42 AM

Well...maybe the problem is your install of the Hamachi program, such things happen.

If files are corrupt/damaged, the system might behave as it does when that program is used.

Me, I would check for program updates and I would probably uninstall/reinstall the program prior to installing any updates that may apply.

Louis

#4 Rutt Roh


Posted 08 January 2009 - 06:48 PM

ok, on 1/4/09 - this past sunday - according to the event viewer, it says that at 4:25 PM (this was my first time i encountered this NT AUTHORITY shutdown message):

The process winlogon.exe has initiated the restart of DF0C1121 for the following reason: No title for this reason could be found
Minor Reason: 0x6
Shutdown Type: reboot
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shut down and restart.

in the event viewer, this entry's source was USER32 and the user was SYSTEM.

on 1/6/09, the log says that at 8:55 PM (this was after running malware scans, virus scans, spybot, and ad-aware scans when i decided to try to LAN the game again with my brother using Hamachi):

The process winlogon.exe has initiated the restart of DF0C1121 for the following reason: No title for this reason could be found
Minor Reason: 0x6
Shutdown Type: reboot
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shut down and restart.

and just like above, in the event viewer, this entry's source was also USER32 and the user was SYSTEM.



in the applications log of the event viewer, it says at that same time on 1/4/09:

A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted.

the applications log doesn't have much information except for 1/2 - 1/4/09. it did not have an entry log for 1/6/09.


**** and these times above were when i guess my brother and i were LANing using the Hamachi program. we were in the middle of the game around these times specified (wasn't just starting up) when i got that NT AUTHORITY shutdown message. no other entries in the event viewer seemed pertinent or out of the ordinary.

Edited by Rutt Roh, 08 January 2009 - 06:55 PM.
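
Added example, not part of the thread: a Python sketch of the Event Viewer check described above, run over the two System-log entries quoted in this post. It pulls out the terminated process, status code and time of each restart, groups repeats, and checks that the crashed image sits in the system directory; the record layout, the field names and the C:\WINDOWS\system32 location are assumptions of the example.

```python
import re
from ntpath import basename, dirname

# The two System-log entries quoted in the post above. The one-line date/time
# header per record is an assumed export layout, not Event Viewer's own format.
SAMPLE = r"""
1/4/09 4:25 PM
The process winlogon.exe has initiated the restart of DF0C1121 for the following reason: No title for this reason could be found
Minor Reason: 0x6
Shutdown Type: reboot
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shut down and restart.

1/6/09 8:55 PM
The process winlogon.exe has initiated the restart of DF0C1121 for the following reason: No title for this reason could be found
Minor Reason: 0x6
Shutdown Type: reboot
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shut down and restart.
"""

EVENT_RE = re.compile(
    r"The process (?P<initiator>\S+) has initiated the restart of (?P<host>\S+)"
    r".*?Minor Reason: (?P<minor>0x[0-9a-fA-F]+)"
    r".*?system process '(?P<path>[^']+)' terminated unexpectedly "
    r"with status code (?P<status>\w+)",
    re.DOTALL,
)
SYSTEM_DIR = r"c:\windows\system32"  # assumption: Windows lives in C:\WINDOWS

def parse_shutdown_events(text):
    """Parse blank-line-separated records; flag images outside SYSTEM_DIR."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        header, _, body = record.partition("\n")
        m = EVENT_RE.search(body)
        if m is None:
            continue  # some other kind of event
        ev = m.groupdict()
        ev["when"] = header.strip()
        ev["image"] = basename(ev["path"]).lower()
        ev["expected_path"] = dirname(ev["path"]).lower() == SYSTEM_DIR
        events.append(ev)
    return events

def summarize(events):
    """Map each terminated image to the times it crashed, so repeats stand out."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["image"], []).append(ev["when"])
    return summary
```

Calling `summarize(parse_shutdown_events(SAMPLE))` groups both restarts under lsass.exe; an `expected_path` of False would mean a process with a system name crashed from a different folder, which is worth checking before anything else.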


#5 hamluis


Posted 08 January 2009 - 07:16 PM

Worth reading, if not conclusive: http://www.wilderssecurity.com/archive/ind...hp/t-37783.html

Louis

#6 Rutt Roh


Posted 08 January 2009 - 07:32 PM

hmmm... interesting. i currently have XP service pack 1 and i don't know if i did any updates. seems like if you turn on the windows firewall function, it'll help out... i dunno. but it's so weird though, i NEVER had any problem LANing with my brother before (and the setup/settings haven't changed).

i'm guessing XP sp1 doesn't have a firewall function? if i do update, assuming i can, should i just upgrade to sp2 vs sp3? will i lose all my programs and settings? that's what i'm worried about if i do update.

do you think i should uninstall and reinstall hamachi? basically that program creates a "new" LAN connection in addition to the existing one like a VPN. perhaps that is causing this issue; i'm not sure. but still if that's the case, then why now versus some time ago as i have been using the same program before?

Edited by Rutt Roh, 08 January 2009 - 07:35 PM.


#7 hamluis


Posted 08 January 2009 - 07:57 PM

I believe that the XP firewall debuted with SP2....no, not quite.

SP2 enabled the XP firewall by default, replacing what was called (in prior versions) the Internet Connection Firewall.

See comments under Windows Firewall at http://www.microsoft.com/presspass/newsroo...dowsxpspfs.mspx

As to why a program which had been working perfectly...develops problems...the best answer that I can give (maybe someone else knows a better one) is that file corruption can occur at any time. When such does occur, the system will often not work as smoothly as previously.

Causes of Data Corruption - http://ezinearticles.com/?Causes-of-Data-C...n&id=817785

Data corruption and loss causes and avoidance - http://www.thexlab.com/faqs/datacorruption.html

http://www.datarecovery.com.sg/data_recove..._corruption.htm

When I suspect program corruption, I do the uninstall/reinstall routine. No harm is done and maybe some good will result from my actions. If nothing else, it will confirm/eliminate one suspect when things go awry.

Louis

#8 usasma


Posted 08 January 2009 - 08:41 PM

SP2 introduced a fix to prevent the execution of the lsass.exe exploit (the Blaster worm I think?).
Since you're having problems with lsass.exe and don't have SP2 installed - I'd say it was likely that you're infected.

#9 Rutt Roh


Posted 08 January 2009 - 09:48 PM

i think the lsass.exe exploit is the sasser worm. but just like the blaster virus, the program saves random files onto your computer with files like C:\win.log or C:\win1.log and other ones which are random in names/numbers *.exe. i didn't have any of those files on my system. i read up that most times, users infected could not even log on to the internet without getting a system shutdown message popping up and noticed that one of the many symptoms was the disabling of the task manager and regedit (which was what i have experienced the first time around). the only symptom that seemed to match what i experienced was the task manager/regedit being disabled and nothing else. so maybe i did have *something* but not blaster or sasser issue. again, i had no problems even after the first shutdown message accessing the internet or re-experiencing a shutdown message. it's only when i LANed with my brother, via that hamachi client program, that i come across that random system shutdown message.

so even though all these scanners and checkers i've used picked up things and have removed them since i've gotten that shutdown message, what do you think i should do at this point? i've done a full scan and rerun my malware and virus scanners with current updates and they've turned up nothing now. does this mean that my lsass.exe is corrupt or damaged?

should i attempt to do a windows update (again, i'm concerned that it'll wipe some files and change some settings around)? i wonder if i do uninstall hamachi and reinstall it again if that'll do anything.

i also pose this question to think outside the box. would it be possible that somehow my brother's computer has some type of trojan or virus that tries to spread itself to computers connected to his (even ones VPNed like mine when we were LANing)? this may sound far-fetched but perhaps if that were the case, all of those "connected" computers would act as zombies or slaves where his was the host. i'm not sure if this matters, but for the two recent times that my brother and i LANed that game, he was hosting the game which i joined... and during the middle of each game, i get that system shutdown message.

Edited by Rutt Roh, 08 January 2009 - 11:14 PM.


#10 usasma


Posted 09 January 2009 - 06:59 PM

Since you're certain the system is clean, you're 1/2 way to finishing the requirements for SP2. I'd suggest updating your drivers to ensure you've got SP2 compatible ones - then install SP2. That should fix the lsass.exe and other errors (due to the broad sweep of the changes in SP2).

#11 Rutt Roh


Posted 09 January 2009 - 11:17 PM

crap! lol

i tried doing the windows update, but couldn't upgrade to SP2. got this error: 8007F0CC and when i did some research online i found out that's because i have modifications to some boot files. i remember updating some boot files to make my computer more "customized" to me back in the day. i read that the error message code was because my boot.ini file had been modified.

i forgot what exact files i modified back awhile ago but i have a custom boot screen and a custom logon screen. i also have style XP and i read online about some things but there's an option on style XP to "disable style XP"... not sure what that will do exactly. style xp allows me to change windows desktop themes (like your start bar) and your logon screen but not your boot screen so i must've done the boot screen thing separately. microsoft knowledge base says to uninstall Style XP altogether, but i wonder if i really have to versus just turning it off in the program.

this is my boot.ini file now which has been changed from the original awhile back (i have 2 hard drives and 1 WinXP OS on 1 hard drive... the other drive mainly is for file/game storage):

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /KERNEL=ntosboot.exe

would my original boot.ini be this?:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

for changing the default XP pro boot screen, i remember having a modified file version of ntoskrnl.exe (i have my original "backup" copy which i named ntoskrnl_original.exe) and an ntosboot.exe (also have a "backup" copy which i named ntosboot_original.exe). i forgot exactly what i did to change the boot screen though so that's why i'm hesitant to edit anything.

if i just renamed my current modified boot.ini file to something different temporarily and saved the "original version" without the kernel entry above as the boot.ini file and don't change/modify anything else, would the install of the service pack work or would i need to restart? and if it does work, i would change the "original version" boot.ini file back to what i have currently right now to still preserve that custom boot screen.

the last thing i want to happen is that once the system does install SP2 and restarts, the computer won't boot up...

Edited by Rutt Roh, 09 January 2009 - 11:25 PM.
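
Added example, not part of the thread and not a Microsoft tool: a Python audit of boot.ini text that lists what differs from a plain /fastdetect entry, the kind of modification the poster connects to the failed SP2 install. It flags a /KERNEL= switch, which names an alternate kernel image to load at boot, and a default= line that matches no listed entry; the /fastdetect baseline is the poster's guess at the original file, and the finding names are this example's own.

```python
import re

# The current boot.ini quoted in the post above.
CURRENT = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /KERNEL=ntosboot.exe
"""

ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<label>[^"]*)"\s*(?P<switches>.*)$')

def parse_boot_ini(text):
    """Return (default ARC path, list of OS entries) from boot.ini text."""
    section, default, entries = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1]
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"arc": m["arc"], "label": m["label"],
                                "switches": m["switches"].split()})
    return default, entries

def audit(text, baseline=("/fastdetect",)):
    """List switches outside the baseline and a default that matches no entry."""
    default, entries = parse_boot_ini(text)
    findings = []
    if default not in [e["arc"] for e in entries]:
        findings.append(("default-not-listed", default))
    allowed = {s.lower() for s in baseline}
    for e in entries:
        for sw in e["switches"]:
            name, _, value = sw.partition("=")
            if name.lower() == "/kernel":
                findings.append(("alternate-kernel", value))
            elif sw.lower() not in allowed:
                findings.append(("extra-switch", sw))
    return findings

if __name__ == "__main__":
    print(audit(CURRENT))
```

Running the audit on an edited copy before saving it over boot.ini catches a default= line that no longer points at a listed entry, which is the mistake that leaves a machine unable to find its Windows install at the next restart.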




