
nt authority shutdown box, but no blaster, sasser

Discussion in 'Security and Privacy' started by rickster, 2004/09/02.

Thread Status:
Not open for further replies.
  1. 2004/09/02
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    My internet quit working a week or so ago. The only way I can get internet access is through safe mode w/ networking. I have received the NT Authority Shutdown prompt. I get the prompt when I shut down one of the svchost.exe in Task Manager. I have run every Blaster and Sasser fix that I can find and have not turned anything up. Also I have run NAV and Trend Micro virus scans and they have turned nothing up. Is there anything that could give that box other than these 2 viruses?
     
  2. 2004/09/02
    maggie

    maggie Inactive

    Joined:
    2002/01/07
    Messages:
    420
    Likes Received:
    0
    You are going to have to go to Services and start it. Remote Procedure Call (RPC) is very important for any of the networking to work; all of them depend on that one. I have 6 svchosts running. I'm on a LAN so you might have less.
    Help in Computer Management will tell you the default Services settings. Or check another computer that works. If I have a problem I Remote Desktop to another computer on my LAN and compare.
     


  4. 2004/09/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I get the prompt when I shutdown one of the svchost.exe in taskmanager

    Why are you doing that?
     
    Newt,
    #3
  5. 2004/09/08
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    To determine where the running task is located that keeps me from connecting to the Internet. The bogus svchost.exe will not allow itself to be turned off. Any attempt gets you the prompt like Blaster/Sasser.
     
  6. 2004/09/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    What OS are you running? (and if XP, home or pro)
     
    Newt,
    #5
  7. 2004/09/08
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    XP Pro, and thanks for your interest. I've seen the Blaster/Sasser on other machines and though the prompt leads me to believe I've got a variant, nothing I try can turn it up, much less fix it. Can anything else give the NT Authority shutdown in x# of seconds box? Everything I read says it's only virus related and does not exist naturally in Windows. True? I've saved my data to another drive and will probably end up formatting, but I would still like to know what I tied into. All my virus definitions are up to date and always were, daily even. Likewise my Windows patches, including SP2 now. Thanks again.
     
  8. 2004/09/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    XP-pro - good. Makes things easier. XP-home lacks the utility for doing this.

    From a command prompt (start~run~cmd to start the 32bit version)
    Code:
    tasklist /svc > c:\servicelist.txt
    Close the DOS window, open c:\servicelist.txt in notepad, and copy the contents to a reply here.

    With that information we can see exactly what is running within each instance of svchost.exe.
     
    Newt,
    #7
  9. 2004/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi rickster :)

    The NT Authority shutdown message, when prompted due to the Blaster/Sasser infection, is a result of a service being shut down by said infection. In manually shutting down the proper svchost process, you are imitating the viral symptom, therefore the reason for the prompt. Have you ever gotten prompted with the shutdown message just by opening an IE window? If not, and all scans and removal tools have come up empty, then there is something else preventing you from gaining internet access. Have you possibly removed any rogue programs lately, such as NewDotNet, that may have broken your Winsock? Might try running LSPFix just to be sure. Open it, check the box "I know what I'm doing" and click Finish. Reboot and try IE again. (If any files are listed in the 'remove' section, please make note of the names and post them for us.)
     
  10. 2004/09/12
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    That explains why I can't find a virus. I have not knowingly removed anything. In fact, the machine was working, I went to lunch and when I returned I had lost the net. It would, however, connect in safe mode with networking, leading me to think it was something that started running with normal startup that was keeping me off. That's why I started investigating what was running at startup. I don't get the prompt unless I try to shut down that one particular svchost, so you're correct there I believe. So I'm still baffled as to what happened to cause this and how to fix it, and why it works OK in safe mode but not normal mode. At least I can rule out a virus. Thanks. I will try the suggestions and repost tomorrow.
     
  11. 2004/09/15
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    Newt, I got the service list.


    Image Name                     PID Services
    ========================= ====== =============================================
    System Idle Process            0 N/A
    System                           4 N/A
    smss.exe                       728 N/A
    csrss.exe                      776 N/A
    winlogon.exe                   800 N/A
    services.exe                   844 Eventlog, PlugPlay
    lsass.exe                      856 ProtectedStorage, SamSs
    ati2evxx.exe                  1044 Ati HotKey Poller
    svchost.exe                   1072 RpcSs
    svchost.exe                   1116 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                       ERSvc, EventSystem, helpsvc, HidServ,
                                       lanmanserver, lanmanworkstation, Messenger,
                                       Netman, Nla, RasMan, Schedule, seclogon,
                                       SENS, ShellHWDetection, TapiSrv,
                                       TermService, Themes, TrkWks, W32Time,
                                       winmgmt, wuauserv, WZCSVC
    svchost.exe                   1288 Dnscache
    svchost.exe                   1316 LmHosts, RemoteRegistry, SSDPSRV, WebClient
    IreIKE.exe                    1384 IreIKE
    spoolsv.exe                   1520 Spooler
    IPSecMon.exe                  1640 IPSECMON
    MDM.EXE                       1672 MDM
    NPROTECT.EXE                  1712 NProtectService
    NOPDB.EXE                     1800 Speed Disk service
    svchost.exe                   1824 stisvc
    Tmntsrv.exe                   1948 Tmntsrv
    tmproxy.exe                   2024 tmproxy
    ati2evxx.exe                   260 N/A
    explorer.exe                   312 N/A
    PCCPFW.exe                     576 PccPfw
    realsched.exe                  712 N/A
    pccguide.exe                   744 N/A
    PCClient.exe                   756 N/A
    TMOAgent.exe                   768 N/A
    ctfmon.exe                     448 N/A
    cmd.exe                       2408 N/A
    tasklist.exe                  2300 N/A
    wmiprvse.exe                  2400 N/A
     
  12. 2004/09/15
    rickster

    rickster Inactive Thread Starter

    Joined:
    2004/08/30
    Messages:
    6
    Likes Received:
    0
    Noahdfear, I ran the LSPFix program and it didn't fix the internet connection. There were no files listed in the remove section. Thanks for the suggestion. Do you have any more ideas?
     
  13. 2004/09/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    rickster - I've stripped out the svchost pieces from tasklist.

    Image Name                     PID Services
    =========================
    svchost.exe                   1072 RpcSs

    svchost.exe                   1116 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                       ERSvc, EventSystem, helpsvc, HidServ,
                                       lanmanserver, lanmanworkstation, Messenger,
                                       Netman, Nla, RasMan, Schedule, seclogon,
                                       SENS, ShellHWDetection, TapiSrv,
                                       TermService, Themes, TrkWks, W32Time,
                                       winmgmt, wuauserv, WZCSVC

    svchost.exe                   1288 Dnscache

    svchost.exe                   1316 LmHosts, RemoteRegistry, SSDPSRV, WebClient

    svchost.exe                   1824 stisvc

    Sasser/Blaster/etc. would break the session running under PID 1072 and if RPC Service stops, the PC will not function properly and will usually shut itself down. Likewise if you were able to kill that PID (and there are tools you can get that will) you'd see bad things happening.

    PID 1116 has a real grab-bag of things running and especially in normal mode. Some are essential but quite a few aren't. Stopping pieces of it would be the approach to take here I think. Maybe boot to safe mode, generate a task list from there, and compare with the one posted here to try and get an idea of what is broken. But that will be time consuming and might not give you any useful information.

    If you are still getting the NT Authority message and crashes even after making sure you are virus-free and the LSPFix didn't help out, your idea of just getting a clean start may be the best way to go. We could probably continue to troubleshoot this thing and eventually find the exact problem but
    - it could easily take quite a while
    - the end result could be a problem you'd need to reinstall to fix.

    I think I'd try two additional things to fix the system and if they failed, look at format/reinstall.

    Both of these should be done from a command prompt so start -> run -> cmd and OK then
    Code:
    sfc /scannow
    and when that finishes
    Code:
    chkdsk c: /r
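As an added example (not code from the thread or any poster), a small Python script that parses the `tasklist /svc` layout Newt asked for, reports which PID hosts a given service such as RpcSs, and performs the safe-mode-versus-normal-mode comparison he suggests. Both listings are constructed samples: the normal-mode one is cut down from the thread's posted list, the safe-mode one is hypothetical.

```python
import re

# Constructed sample in the layout `tasklist /svc` prints, cut down from the
# normal-mode listing posted in the thread; indented lines are wrapped continuations.
NORMAL_MODE = """\
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
svchost.exe                   1072 RpcSs
svchost.exe                   1116 AudioSrv, Browser, Dhcp, dmserver, ERSvc,
                                   Messenger, Netman, RasMan, W32Time
svchost.exe                   1288 Dnscache
svchost.exe                   1316 LmHosts, RemoteRegistry, SSDPSRV, WebClient
"""
# Constructed safe-mode-with-networking listing (hypothetical, not from the thread).
SAFE_MODE = """\
Image Name                     PID Services
========================= ====== =============================================
svchost.exe                    812 RpcSs
svchost.exe                    900 Browser, Dhcp, Netman
svchost.exe                    944 Dnscache
"""
ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")  # image (may contain spaces), PID, services

def parse_tasklist_svc(text):
    """Map PID -> {"image", "services"}; a line with no image/PID columns
    is a wrapped continuation of the previous PID's service list."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("Image Name"):
            continue
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = {"image": m.group(1), "services": []}
        svcs = m.group(3) if m else line
        if current is not None and svcs != "N/A":
            procs[current]["services"] += [s.strip() for s in svcs.split(",") if s.strip()]
    return procs

def host_pid(procs, service):
    """PID of the process hosting `service` (e.g. the svchost carrying RpcSs)."""
    return next((pid for pid, v in procs.items() if service in v["services"]), None)

def normal_only_services(normal_text, safe_text, image="svchost.exe"):
    """Services `image` hosts in normal mode but not in safe mode; PIDs change
    between boots, so the comparison is by service name, not PID."""
    def names(text):
        return {s for v in parse_tasklist_svc(text).values()
                if v["image"].lower() == image for s in v["services"]}
    return sorted(names(normal_text) - names(safe_text))
```

The services that appear only in the normal-mode listing are the candidates to stop one at a time while checking whether the connection returns; the RpcSs host is the one never to touch, since stopping it is what produces the NT Authority shutdown.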
     