
System Shutdown by NT ADMIN / SYSTEM 2


kjv1611

New member
Jul 9, 2003
10,758
US
I have a serious question here: I know that there are at least a couple viruses out there that use this for rebooting a machine, and getting update files for their viruses during the reboot process. What I have run into was trying to stop the virus on a machine, then tested on 2 other machines, which I supposed to be virus free. What I did was open the task manager, and right click on one of the "svchost.exe" files and hit end process tree. What I do is continue to end on each one of those until they are all gone or I get the same message "System is being shut down by NT ADMIN / SYSTEM because of an error in the RPC (Remote Procedure Call)." Well, I've tried it on a few different machines, the same ones where I could find no viruses or Spyware with AVG antivirus or AD-Aware, respectively. I believe I do have one machine infected, and still not finding a virus - but it continues to just shut down all my Symantec Norton stuff - plan on just DBANing that one and starting over. The other ones, however, I do not think (or have reason to believe) they have the virus other than that message. I tried wiping one clean, reinstalling Windows XP Home, without being connected to the internet, then going in and hitting "end process tree" on all the svchost.exe files, and got the same message. Does anyone have any expertise here on whether that is something built into Windows that the viruses are using, and thus I could cause via the task manager, or if the virus is just really tough to get rid of?

Stephen [infinity]
"Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me." John 14:6 KJV
 
Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).

Unless one of these processes is consuming lots of memory or CPU time then it is unlikely that you are infected by a virus or worm (commonly W32/Welchia or Blaster) on these machines.

It sounds more likely on the PC where your A/V software has become disabled.

Hope that helps.
 
So, if a user randomly closes all the svchost.exe processes, should they get the message, "System being shut down by NT Admin / System"? I mean, with a fresh install (format and install) of Windows XP Home on a separate machine not on any network or internet connection, when I close all the svchost.exe files in processes, it gave this message. Is that something already in windows? It looks identical to what the blaster and netsky viruses cause (but I'm causing it myself, not being caused by another process). I did this myself on the machine that I thought had the virus (the one where Norton stuff messing up), and looks identical. Any ideas on the message: part of windows or not?

Stephen [infinity]
"Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me." John 14:6 KJV
 
What's happening is these viruses cause an issue with the RPC causing it to crash and that causes the system to reboot. That's why on its own the computer will throw up the "shut down by NT ADMIN / SYSTEM" issue.

By shutting down all the Svchosts, you are force closing the RPC DLL and you are replicating the issue that the virus creates more or less.

Shutting down the Svchosts is not the way to check to see if there is a virus, you are closing a whole bunch of DLLs that are needed to run in the background.

Only time you need to worry about the "shut down by NT ADMIN / SYSTEM" is if the computer does it itself.


Hope this answers your question.
 
You will get this error if you close all of the svchost.exe processes down as Windows thinks there is a serious error and will reboot.
On point two you are correct: this is the same error that certain worms cause. This is because of a bug in these worms that sometimes crashes the svchost process when it tries to infect the PC.
If your A/V software says you are clean then it is unlikely that you are infected.

Tip: if you type shutdown /a at the run box, this will abort the shutdown.

Hope this helps.
 
Thanks for the info.. I was just wanting to make sure I was not going crazy or anything. [SMILE]

Stephen [infinity]
"Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me." John 14:6 KJV
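
The replies above describe svchost.exe as a generic host for DLL-based services and advise against ending those processes as a virus check. The following is an added example, not code from any poster in the thread: it reads `tasklist /svc /fo csv` output to show which services each svchost.exe instance hosts, marks the instance carrying the RPC service, and flags any instance hosting no service at all for a closer look. The sample input is constructed, English column headers are assumed, and the `RpcSs` service name is not stated in the thread.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from a real machine).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"services.exe","612","Eventlog,PlugPlay"
"svchost.exe","812","DcomLaunch,TermService"
"svchost.exe","884","RpcSs"
"svchost.exe","1020","AudioSrv,Dhcp,Schedule,wuauserv"
"svchost.exe","1504","N/A"
"explorer.exe","1780","N/A"
'''

# Assumption: RpcSs is the service name of the RPC service whose loss
# produces the shutdown message discussed in the thread.
RPC_SERVICES = {"rpcss"}


def svchost_report(tasklist_csv):
    """Return one dict per svchost.exe instance: pid, services and two flags."""
    report = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        raw = row["Services"].strip()
        # tasklist prints N/A when a process hosts no services.
        services = [] if raw in ("", "N/A") else [s.strip() for s in raw.split(",")]
        report.append({
            "pid": int(row["PID"]),
            "services": services,
            # Ending this instance stops RPC; leave it alone.
            "hosts_rpc": any(s.lower() in RPC_SERVICES for s in services),
            # Heuristic: a service host with no services deserves a check of
            # its file path and command line before anything else is done.
            "no_services": not services,
        })
    return report


if __name__ == "__main__":
    for entry in svchost_report(SAMPLE):
        note = "RPC host" if entry["hosts_rpc"] else ""
        note = "no services: inspect" if entry["no_services"] else note
        print(entry["pid"], ",".join(entry["services"]) or "-", note)
```

On a live machine, pass the captured output of `tasklist /svc /fo csv` to `svchost_report` instead of the sample.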
 