
I don't know if I have a virus

Jan 2, 2006 1:21PM PST

I don't know if I have a virus, my computer keeps shutting down, especially when I run the virus scan. I think I found a problem in a specific folder because when the scan reaches that folder the pc shuts down. The file is in the WINDOWS folder, subfolder I386 and/or subfolder system32.
I even had a technician look at the computer and apparently he found that it was a virus, he installed the Norton antivirus but the problem wasn't solved.
We have tried to scan the pc with McAfee, Stinger, AVG, and Norton and most of the times it shuts down. I don't know whether it is only a virus that can be deleted or it already has made some damage to my pc.
Help please! and thanks.

Does Sound Like a Virus/or Trojan. Does Norton Run ...
Jan 2, 2006 4:19PM PST

its scan OK or does comp crash then also?? Which Anti-Virus did you have before Norton?
Most unusual for Stinger not to run a full scan. Is it on your machine? You can run Stinger from a non-machine source, i.e. from a floppy disk, CD or removable USB storage drive. The advantage is: since you obtained a clean copy from the web (on another machine) and it is not resident on your computer, it won't be corrupted before you try to run it. You can just stick it in the floppy drive (A?) or USB port and double click it to run. There are a few around that actually hunt in your comp. specifically looking for any file with ''Stinger'' in it so as to disable it. You can try renaming the new, clean copy: s-t-i-n-g-e-r.exe to try and fool the invader. Then run it.
Do you have Sun Micro's Java on your machine (not just Microsoft's version)? If so, you could try an Online Scan using Java from the link here:
http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php
You can get a clean copy of Stinger here:
http://vil.nai.com/vil/stinger/
I'm a little concerned by Norton as it sometimes doesn't like to let competitors run (may block other scans online or install of another AV).
If you only have the MS version of javascript, you can try for an Active-X scan from the same company at this address:
http://housecall.trendmicro.com/
At this point, I'm assuming you have Windows XP (you don't say in your post).
Once you are pretty sure you're clean, you can run a CheckDisk repair to replace any damaged system files from a copy XP put on at install. Here's how:
Disk/repair (like SFC)
Left click on My Computer (open)
Right click on ''C'' or your OS drive if another letter.
Left click Properties and then click the Tools tab.
Left click on ''Error Checking'' > Check Now.
Left click to enter a check mark in BOTH boxes offered.
Left click on ''Start''.
Computer will have to reboot to begin repairs.
Just leave alone (you're locked out anyway) 'til the process is finished.
In regular mode it will take about 1 hour (more/less).
In Safe Mode about 2 hours.
If the computer is normal after the process completes you might want to create a new restore point and label it POST ERROR REPAIR.
Many of the more serious attackers will try to corrupt your System Restore backup copies so they can re-install themselves if you do a restore. If the scans mention ''in backup'' or ''system volume'' in locations where the virus was found you may have to disable (delete backup points) System Restore & re-enable after clean up.
Have you tried doing any of your scans while in ''Safe Mode''? Sometimes this gives you enough of a head start to find & remove successfully despite not being able to do so from Normal Mode. It does take considerably longer to run any scan. Instructions for Safe Mode here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Please write down EXACTLY any path found w/ virus & name of virus or trojan or adware.
Let us know how it goes!

Couldn't do anything
Jan 3, 2006 1:50PM PST

I tried all the things I was recommended to do and everything remained the same.
The computer shuts down when I am running the scan (either Norton, McAfee, Stinger, AVG, the Java one) and there are even times when it goes off when I am not running a scan, just working on my pc.
I tried to run the Stinger from a CD recorded on a clean computer and still it didn't work. I tried to run both online scans recommended and neither worked. I also tried to scan in safe mode but it was more difficult because the computer shut down more often.
I couldn't do the CheckDisk thing because I am not clean.
Before the Norton I had McAfee (free download), and before that I had the free version of AVG.
I do have Windows XP and I bought my computer 6 months ago (at the most).
I think the pc shuts down when it reaches the subfolder I386 on the WINDOWS folder under My PC, I do not know if the problem is there or what is in that folder that doesn't allow me to go on with the scan.
I have scanned the My PC folders one by one and when it reached the WINDOWS there it goes off.
When I scan each folder one by one there were no signs of trouble nor any antivirus showed any threat.
When I tried to scan one by one the subfolders of WINDOWS I realized that the pc shuts down on the I386 folder, again, all other folders were fine.
Thanks for the previous help, I hope that there can be something else that I have not tried yet.

Hi, Rosavela ! I'm Not 100% Sure But I Think.....
Jan 3, 2006 4:00PM PST

your problem may have to do with the Sasser Worm. One of its main symptoms is it causes the computer to crash & reboot at random.
Sasser uses the Lsass.exe exploit to gain entrance and if the MS patch isn't applied, the infection will happen again quickly.
I'm no expert but.. I have seen mentioned, the lsass.exe should only be found in System32 files (I have 2: 1 main & 1 copy of main) and if found elsewhere (say i386) it is likely the worm.
(I note I have that lsass.exe in my i386 service pack files but have no symptoms).
Despite not being clean, I think I would do the CheckDisk anyway (if it works that long) just to be sure system files aren't the problem.
It could also be system overheating and shutting down to cool off. Doesn't seem right on a system that new.
Below are 2 links to Symantec's security page. 1 contains a link to the Sasser Removal Tool with instructions.
The other to a main page with descriptions of Sassers (particularly W32 Sasser.G which also tries to import and run Netsky.AC @mm).
You could try to find 1 or more of the files named as being installed by the worm using search all files & folders including hidden folders. You could also confirm/change folder options to show all folders.
1) http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

2) http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.g.html

I believe there are links on those pages to obtain the lsass.exe patch as well. There are also instructions there to delay the shut down to give you time to work (or at least more than 20 seconds). Additionally it gives names of running processes to stop using control/alt/delete Task Manager.
I could be 100% wrong on this. I thought, at first, it was the scanning programs shutting down at start. Now I understand the whole computer is rebooting.
Probably worth a try with the removal tool as it won't cause any harm if you don't have it. I note it says to disable System Restore (dumping all old restore points). This will be necessary if in fact this is what you have. I would be tempted to run the tool without disabling S.R. as at the end it will tell you if Sasser was found. If not you're no worse off. If it IS Sasser you can dump SR points and run the tool again. G'Luck!
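The post above says the legitimate lsass.exe belongs in System32 while a copy under i386 can be harmless install media, so the path alone does not settle it. The following PowerShell audit is an added example, not code from the thread: it lists every lsass.exe on the system drive with its version metadata, marks copies outside System32 for manual review, and checks that the single running LSASS process was started from System32. It assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread: list every lsass.exe on the system drive and check
# that the one running LSASS process was started from System32. As the post notes, a copy
# under i386 can be legitimate install/service-pack media, so anything outside System32
# is marked for review rather than declared malicious. Assumes an elevated PowerShell.
function Get-LsassCopies {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path ($env:SystemDrive + '\') -Filter 'lsass.exe' -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            [PSCustomObject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                FileVersion  = $vi.FileVersion
                Company      = $vi.CompanyName      # version info is easy to fake; context only
                ReviewNeeded = ($_.DirectoryName -ne $system32)
            }
        }
}

function Test-LsassProcess {
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
    $procs = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
    if ($procs.Count -ne 1) {
        Write-Warning "Expected exactly one lsass.exe process, found $($procs.Count)"
    }
    foreach ($p in $procs) {
        $path = $null
        try { $path = $p.Path } catch { }   # unreadable without rights or when LSASS runs protected
        [PSCustomObject]@{
            ProcessId = $p.Id
            Path      = $path
            Expected  = ($path -eq $expected)
        }
    }
}

Get-LsassCopies   | Sort-Object ReviewNeeded | Format-Table -AutoSize
Test-LsassProcess | Format-Table -AutoSize
```

A copy flagged ReviewNeeded should be compared against the vendor's removal-tool description before anything is deleted, since the thread itself shows a legitimate i386 copy exists on some systems.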

! More Thought (Probably Off Base) But... there are some....
Jan 3, 2006 4:11PM PST

reports of Norton AV not getting properly configured on XP machines if they have the Norton Personal Firewall installed as well. This would prevent Norton from finding some infections. Since you (personally) did not do the Norton install, might be worth a thought if you have N.P.F. If that is the case: They suggest you disconnect from the net & dsl/cable etc. Turn off the Norton P.F. and double click the Norton symbol on your desktop or in the programs list. This should bring up the Norton config wizard to finish with a proper config. Then turn on the firewall again. May Not Apply to You!

replying to: I don't know if I have a virus
Jan 3, 2006 6:19PM PST

the folder i386 is the PC's driver cache, so it could be a virus or maybe it could be a faulty driver install, but to me it seems like you have a Worm, which is a type of Virus which shuts down the PC automatically. if you want further help on this problem could you please e-mail me at martinozekin@hotmail.com

some worms use this exploit
Jan 3, 2006 9:01PM PST

some worms use DCOM as a backdoor,
there is an executable in system32 that can be used to remotely shut down your pc, the port is usually stealthed by your firewall but you might as well turn off DCOM as it's pretty useless, go to --->

START/RUN,
type in REGEDIT,
press F3 to start a search,
enter into the search field--> enabledcom,
you should get one result,
double click on the enabledcom key,
in the value data field change the Y to N,
this will stop dcom when you next restart,

you still need to clean up your system of course, a rootkit may be hiding the worms from your antivirus, you never know??

Ideally if you are infected it would be best to scrub your drive and start again from scratch, because there may be damaged system files that need replacing, unless you can get an expert on it it's just easier to reinstall windows, but..

1) this time make sure you disable DCOM

2) use this link to disable remote XP services that open your pc to worms and viruses,

http://engr.smu.edu/~kaytaz/xpservices.html

most of these remote services are completely useless to the home user, and are in fact extremely dangerous to your security,

3) Use 2 accounts,
make an ADMINISTRATOR ACCOUNT (very importantly, make the admin account PASSWORDED),

and make the folders private when asked if you want that option,
use this account to make changes to your system and install programs, (why not make changes and install programs with your modem switched off whenever you can, while logged in as admin)

4) make a LIMITED USER account,
use this account for surfing the web and opening emails, nothing can be installed with this logon, unless you choose RUNAS from the context menu and type in the admin password,
in other words nasty things can't install themselves on your pc without you knowing, unless of course you install them yourself using runas,

5) install your firewall/antivirus logged in with the ADMINISTRATOR account,

you will need to run your antivirus updates using runas or be logged on to your admin account,

once you get used to using these precautions you will appreciate the extra safety you have,

when I want to install anything or make changes to my system, all I do is switch off my desktop modem, log off the user account, log in as admin,
install or make changes, flip on the modem if I need to update the antivirus,
log back in as the user account,

by the way I don't bother with fast user switching, I don't mind waiting an extra couple of seconds to change users...

hope that helps,
any corrections to this post will be appreciated...
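The post above recommends two things: flipping the EnableDCOM registry value from Y to N, and doing day-to-day work from a limited account rather than an administrator one. The PowerShell script below is an added example, not code from the thread: it reports the current state of both (the value lives under HKLM\SOFTWARE\Microsoft\Ole, which is what the regedit search in the post finds), and only changes DCOM when asked with -DisableDcom, honouring -WhatIf. The Administrators check uses the well-known group SID rather than a name so it works on localized systems.

```powershell
# Added example, not from the thread: report the two settings the post describes,
# the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole ("Y" or "N") and whether the
# account you are logged on with belongs to the Administrators group. It only changes
# the registry when -DisableDcom is given, and honours -WhatIf, because disabling DCOM
# also breaks software that depends on it (for example WMI-based management tools).
[CmdletBinding(SupportsShouldProcess)]
param([switch]$DisableDcom)

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    $v = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    if ($null -eq $v) { return 'Missing (DCOM treated as enabled)' }
    if ($v -eq 'Y') { 'Enabled' } else { 'Disabled' }
}

function Test-AdminGroupMember {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    $groups -contains 'S-1-5-32-544'
}

Write-Host "DCOM: $(Get-DcomState)"
if (Test-AdminGroupMember) {
    Write-Warning 'This account is in Administrators; the post recommends a limited account for web and mail.'
} else {
    Write-Host 'This is a limited (non-administrator) account.'
}

if ($DisableDcom -and (Get-DcomState) -eq 'Enabled') {
    if ($PSCmdlet.ShouldProcess($oleKey, 'Set EnableDCOM to N')) {
        Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N'   # applies after a restart
        Write-Host 'EnableDCOM set to N; restart to apply.'
    }
}
```

Run it once without switches from the limited account to see the report, then from an elevated session with `-DisableDcom -WhatIf` to preview the change before applying it.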

Try all your scans again in Safe Mode, directions
Jan 3, 2006 8:34PM PST