Network Security Focus-Virus

RE: Shutdown from NT-AUTHORITY\... = virus/attack?

Subject: RE: Shutdown from NT-AUTHORITY\... = virus/attack?
Date: Fri, 3 Sep 2004 07:59:09 -0400
-----Original Message-----
From: Peter Nabbefeld [mailto:Peter.Nabbefeld@gmx.de]
Sent: September 2, 2004 15:24
To: focus-virus@securityfocus.com
Subject: Shutdown from NT-AUTHORITY\... = virus/attack?



Hello,

could anybody here tell me, if a "Shutdown from NT-AUTHORITY\..." (can't
remember the full name) is caused by a virus or an attack? How can I
stop W2k from shutting down? I've tried to close the shutdown task and
to open notebook and fill in some text, but both didn't work. I fear,
that some virus might have been installed into my startup files
(probably a backdoor).

Could this not be the result of your Event Log settings being
configured to "Shut down the computer when the security audit
log is full"? I'll bet that this is your culprit, since this
practice is highly recommended by many different sources.

INFO (beware of line wraps):
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/
RegistryTips/Shutdown/CrashOnAuditFail.html

http://support.microsoft.com/default.aspx?scid=http://support.
microsoft.com:80/support/kb/articles/q232/5/64.asp&NoWebContent=1


I've installed a firewall (maybe outdated) and a virus scanner (last
update about one week ago, maybe also some days more), so if it's been
caused by a virus, it should be a relatively recent one.

If your firewall and AV have remained quiet (especially the
firewall not asking if app such 'n' such is allowed to listen
on port whatever), it is likely that it isn't malware at all.
It is probably an Event log setting.

One other possibility is that your system is having problems
writing to the Event Log (System shutdown because of this is
not a default setting though). You didn't mention seeing a
blue screen error, so I don't think that this is it...

INFO (beware of line wrap):
http://support.microsoft.com/default.aspx?scid=http://support.
microsoft.com:80/support/kb/articles/q178/2/08.asp&NoWebContent=1

Alex Arndt
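
One way to check the cause suggested in the reply above on a current Windows system, as an added example that is not part of the original thread. It assumes PowerShell with `Get-WinEvent` and an elevated prompt; the function names and the 90% threshold are illustrative choices.

```powershell
# Added example (not from the thread): is "shut down when the security
# audit log is full" active, and is the Security log close to full?
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AuditFailState {
    # CrashOnAuditFail is the registry value behind the policy setting.
    $prop  = Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    $value = if ($prop) { [int]$prop.CrashOnAuditFail } else { 0 }   # absent = disabled
    $meaning = switch ($value) {
        0       { 'disabled: the system keeps running if audit events cannot be written' }
        1       { 'enabled: the system halts if audit events cannot be written' }
        2       { 'tripped: a halt already occurred; only administrators can log on until reset' }
        default { "unexpected value $value" }
    }
    [pscustomobject]@{ Value = $value; Meaning = $meaning }
}

function Get-SecurityLogState {
    # Reading the Security log configuration requires administrative rights.
    $log = Get-WinEvent -ListLog Security -ErrorAction Stop
    [pscustomobject]@{
        LogMode     = [string]$log.LogMode      # Circular, Retain or AutoBackup
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedPercent = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        IsLogFull   = [bool]$log.IsLogFull
    }
}

$audit = Get-AuditFailState
$log   = Get-SecurityLogState

"CrashOnAuditFail = $($audit.Value) ($($audit.Meaning))"
$log | Format-List

# A non-circular log cannot overwrite old events, so it can fill up and
# trigger the halt when CrashOnAuditFail is set.
$nearFull = $log.IsLogFull -or $log.UsedPercent -ge 90   # illustrative threshold
if ($audit.Value -ge 1 -and $log.LogMode -ne 'Circular' -and $nearFull) {
    Write-Warning 'Audit-failure shutdown is enabled and the Security log is full or nearly full.'
} elseif ($audit.Value -ge 1) {
    'Audit-failure shutdown is enabled; the Security log currently has room.'
} else {
    'Audit-failure shutdown is not enabled; look elsewhere for the cause of the shutdown.'
}
```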
