
NT AUTHORITY Shutdown


5 replies to this topic

#1 Juyi

Juyi

  • Members
  • 7 posts

Posted 19 July 2018 - 06:20 PM

Lately I have been getting shutdowns, and before my PC shuts down it pops up a notification saying "You have been signed out, Windows will shutdown" or something like that, and when it pops up I only have like 5 seconds before my PC shuts down. I looked at the Event Logs and it says:

 

The process C:\WINDOWS\SysWOW64\shutdown.exe (USER) has initiated the shutdown of computer USER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found

 Reason Code: 0x800000ff
 Shutdown Type: shutdown
 
I have run TDSSKiller, RKill, Malwarebytes, JRT, AdwCleaner and nothing.

Edited by Juyi, 19 July 2018 - 06:21 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:39 AM

Posted 20 July 2018 - 09:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Please wait for further instructions.

===

p.s.
Have you experienced another shutdown recently?

#3 Juyi

Juyi
  • Topic Starter

  • Members
  • 7 posts

Posted 21 July 2018 - 07:31 PM

Sorry for the late reply.

"Have you experienced another shutdown recently?"

No, just this NT AUTHORITY


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:39 AM

Posted 22 July 2018 - 07:39 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-529217811-2136971307-3603107900-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
GroupPolicy\User: Restriction ? <==== ATTENTION
S3 cpuz140; \??\C:\Users\Juyi\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [X] <==== ATTENTION
S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare\drivers\Monitor_win7_x64.sys [X]
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> No File
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  -> No File
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers1: [YunShellExt] -> {6D85624F-305A-491d-8848-C1927AA0D790} =>  -> No File
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers4: [YunShellExt] -> {6D85624F-305A-491d-8848-C1927AA0D790} =>  -> No File
Task: {093A3A6E-9907-47F3-B366-F0FB74D9EB1B} - System32\Tasks\action => C:\Program Files (x86)\Saluki\Pelikan.exe
Task: {440D953E-1AE2-4780-8782-C097A36A4685} - System32\Tasks\sequeira trim snia => C:\Users\Juyi\AppData\Local\Pelikan.exe
Task: {97024696-869F-4A2B-A27D-4F6ED864309F} - System32\Tasks\devin-allegations => C:\Program Files (x86)\steller\Pyridoxine.exe
Task: {ABEE4A55-9E2F-4477-8A1E-BAAA4F8CBF3B} - System32\Tasks\relate_missive => C:\Users\Juyi\AppData\Local\Pyridoxine.exe
Task: {B39865CF-07CD-4905-A674-D1FA68FDE071} - System32\Tasks\vomeronasal replenishment => C:\Program Files (x86)\Iwai\Pyridoxine.exe
Task: {EFA92D11-B2E9-4955-A502-8B02EC693251} - System32\Tasks\pressmen_francesca => C:\Program Files (x86)\Iwai\Pelikan.exe
C:\Program Files (x86)\Saluk
C:\Users\Juyi\AppData\Local\Pelikan.exe
C:\Program Files (x86)\steller
C:\Users\Juyi\AppData\Local\Pyridoxine.exe
C:\Program Files (x86)\Iwa

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
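
The six scheduled-task lines in the fixlist above share a pattern: two executable names, each registered from three different folders, two of them under the user's AppData. As an added example (not part of nasdaq's post and not FRST's own code), this Python script parses Task: lines and flags that pattern; the line format is assumed from the lines shown in the post, and the last sample entry is constructed.

```python
import ntpath
import re
from collections import defaultdict

# The six Task: lines are copied from the fixlist in the post above;
# the last line is a constructed benign entry for contrast.
FIXLIST = r"""
Task: {093A3A6E-9907-47F3-B366-F0FB74D9EB1B} - System32\Tasks\action => C:\Program Files (x86)\Saluki\Pelikan.exe
Task: {440D953E-1AE2-4780-8782-C097A36A4685} - System32\Tasks\sequeira trim snia => C:\Users\Juyi\AppData\Local\Pelikan.exe
Task: {97024696-869F-4A2B-A27D-4F6ED864309F} - System32\Tasks\devin-allegations => C:\Program Files (x86)\steller\Pyridoxine.exe
Task: {ABEE4A55-9E2F-4477-8A1E-BAAA4F8CBF3B} - System32\Tasks\relate_missive => C:\Users\Juyi\AppData\Local\Pyridoxine.exe
Task: {B39865CF-07CD-4905-A674-D1FA68FDE071} - System32\Tasks\vomeronasal replenishment => C:\Program Files (x86)\Iwai\Pyridoxine.exe
Task: {EFA92D11-B2E9-4955-A502-8B02EC693251} - System32\Tasks\pressmen_francesca => C:\Program Files (x86)\Iwai\Pelikan.exe
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe
"""

# Assumed line shape: "Task: {GUID} - <task path> => <target executable>"
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<task>.+?) => (?P<target>.+)$"
)

def parse_tasks(text):
    """Return one dict (guid, task, target) per Task: line; other lines are skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [m.groupdict() for m in map(TASK_RE.match, lines) if m]

def triage(tasks):
    """Flag tasks whose target file name recurs in several folders or runs from AppData."""
    folders = defaultdict(set)
    for t in tasks:
        name = ntpath.basename(t["target"]).lower()
        folders[name].add(ntpath.dirname(t["target"]).lower())
    findings = []
    for t in tasks:
        reasons = []
        n = len(folders[ntpath.basename(t["target"]).lower()])
        if n > 1:
            reasons.append(f"same file name scheduled from {n} folders")
        if "\\appdata\\" in t["target"].lower():
            reasons.append("target is inside a user-writable AppData folder")
        if reasons:
            findings.append({"task": t["task"], "target": t["target"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(parse_tasks(FIXLIST)):
        print(f"{f['task']} -> {f['target']}: {'; '.join(f['reasons'])}")
```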

#5 Juyi

Juyi
  • Topic Starter

  • Members
  • 7 posts

Posted 22 July 2018 - 06:35 PM

The shutdown still persists. I feel like it's my CPU overheating, but there's no reason for it to pop up a shutdown notification because it should just shut down without any notice. What do I do now?

 

Edit: I just ran a temperature log and the CPU is not overheating and it still shuts down.

Edited by Juyi, 23 July 2018 - 03:28 AM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:39 AM

Posted 23 July 2018 - 07:16 AM

Hi,

There are many reasons for this unexpected shutdown.
https://www.computerhope.com/issues/ch000689.htm

This is not caused by Malware and not my forte.

I suggest you start a new topic in the Internal Hardware Forum.
https://www.bleepingcomputer.com/forums/f/7/internal-hardware/

Explain your shutdown issue. A technician should be able to suggest remedial actions.

I will leave this topic open for 6 days. If you need to return please do.



