Thread: Unknown virus

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    1

    Unknown virus

    There seems to be a virus on my parents' computer that I cannot find or do anything about.
    The box is running XP. The virus causes a message to come up after they connect to the internet (dial-up) which says something along the lines of NT system will shut down in and there is a countdown timer of 60 sec... then the machine reboots. I have seen this before on my machine... I think it was the W32.Welchia worm... Norton found it on my system and I used a removal tool from them to get rid of it... However Norton will not detect the virus on their box, Norton is up to date on the virus definitions... I ran an updated version of the Welchia removal tool and it did not find any versions of the worm.
    Does anyone know any other viruses that cause this or any other way I can scan the system to find what virus it is......
    thank you

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, doesn't sound familiar. I think you should boot in safe mode and scan for Trojans (with SwatIt http://www.swatit.org) and for viruses (HouseCall http://housecall.trendmicro.com). Let me know what comes up after that.
    Space For Rent.. =]

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I would suggest going to Trend Microsystems free on line virus scan 'Housecall' http://housecall.trendmicro.com/ and running that. It is a great backup virus detector that you can use to check your inbox antivirus against.

    [edit]> Spyder you were quicker than me.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Ummm, in case I am missing something, Sasser or MSBlaster maybe??

    IMHO, I wouldn't give too much credibility to what Norton finds. There may be something else on there that corrupted it.

    Try one of the online scans as suggested above, make sure all the critical updates are on there, etc.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Sasser or MSBlaster maybe??
    Heh, I've never had any personal dealings with either, thus I didn't know, but it could be one of those.

    [edit]> Spyder you were quicker than me.
    I know
    Space For Rent.. =]

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Good advice above............

    I would say Sasser or Blaster or both...............the 60 second countdown is a telltale sign...........and the fact that you get a warning message, rather than it just happening?

    I think you go into <start> <run> and type: shutdown -a

    Then you can kill it at your leisure.

    I am sure that someone else will correct that command line, but you have to stop it shutting down. Then you update AV and do what the rest of the members have suggested.

    And be sure to run AdAware6 and Spybot S&D, and your updated AV in safe mode............they have a better chance that way

    Mox's Trend Micro is good, you need to be online and in normal boot for that.........

    Spyder's SwatIT is very good.............run in safe and go to the pub/bar.............it takes a long time.........as a true craftsman will

    Good luck

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    If it's the Sasser worm, the following is from Symantec:

    Before you begin:
    If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be re-infected.

    What to do if the computer shuts down before you can patch or get the tool
    This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below. To prevent the shut down, do the following. (You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.) (This will not work on Windows 2000.)

    1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
    2. Restart the computer.
    3. As soon as Windows opens and you see the Windows desktop, click Start > Run.
    4. Type:

       cmd

       and press Enter.
    5. Type:

       shutdown -i

       and press Enter.
    6. In the Remote Shutdown Dialog that opens, do the following:
       • Click Add and type your computer name into the appeared window. Then click OK.
       • In the "Display warning for <number of seconds> Seconds" field, type 9999 in place of the default value of 20.
       • Type any message in the Comment box.
       • Click OK.
    7. Reconnect the network/Internet connection.
    8. Connect to the Internet, and get the patch. Then continue with the steps described below.

    This gives you about three hours to get the patch installed, update the definitions, and so on.


    When you have patched for and removed the threat, you can re-enable the 20-second default warning if you want to.

    --------------------------------------------------------------------------------


    Removal using the W32.Sasser Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm. Use this removal tool first, as it is the easiest way to remove this threat.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  8. #8
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662

    Re: Unknown virus

    Originally posted here by Ghost121
    There seems to be a virus on my parents' computer that I cannot find or do anything about.
    The box is running XP. The virus causes a message to come up after they connect to the internet (dial-up) which says something along the lines of NT system will shut down in and there is a countdown timer of 60 sec... then the machine reboots. I have seen this before on my machine... I think it was the W32.Welchia worm... Norton found it on my system and I used a removal tool from them to get rid of it... However Norton will not detect the virus on their box, Norton is up to date on the virus definitions... I ran an updated version of the Welchia removal tool and it did not find any versions of the worm.
    Does anyone know any other viruses that cause this or any other way I can scan the system to find what virus it is......
    thank you
    Sounds like Sasser to me. (Possibly MS.Blaster, but that came out like last August or something and if you've run Windows Update since then you should be protected.) You can find info on it here: http://securityresponse.symantec.com...oval.tool.html
    Symantec Security Response - W32.Sasser Removal Tool
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard
