What virus is this?

kt

Diamond Member
Apr 1, 2000
6,027
1,342
136
It seems to only have an effect if your computer is connected to the network. After a user is logged in, the system reboots itself. If I disconnect the system from the network physically, it will log in fine locally. It's not Sasser, since running a full scan could not find any Sasser virus on the system.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
The computer might not be infected, but Sasser may still be the cause of the reboot. It causes a buffer overrun that will reboot the computer. Make sure the computer has the latest Security Rollup by Microsoft installed. You will have to download it somewhere else and burn it to CD or copy it to Zip, because for Windows 2000 it's over 6 MB, and for XP it's over 2 MB.
 

kt

They already have the patch installed on their computer. As I understand it, Sasser exploits the LSASS.EXE but the error screen I saw right before the reboot relates to the RUNDLL32.EXE file.
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
I'm replying both to subscribe and to say I've seen the same thing on a friend's PC. It's bizarre: no variant of Sasser is on the computer according to the checker on MS's site, but it reboots the PC within 10-20 seconds of being connected to the internet. If I keep it unplugged, it works fine, but I plug it in and about 30 seconds later I get a quick flash of a BSOD and it reboots. It flashes the BSOD so fast I can't read it. All patches are installed on the system from MS.

Tried a system restore and it's still a problem.
 

kt

MrBond, that's the exact symptom of all the PCs on our network. As long as you have the network cable physically disconnected, the system will work. If you want to read what the BSOD says, just disable the automatic reboot after an error. Right click on My Computer -> Properties -> Advanced -> go down to Startup and Recovery -> Settings and uncheck Automatically Restart under the System failure box.
 

MrBond

Well, the plot thickens.

My friend just hopped online, her PC is a Dell laptop, she called support after I couldn't fix it, they are "experiencing high call volume" because of a "new virus" that they aren't skilled in removing. She said it was some sort of w32 software virus.

It's definitely triggered by network activity, but that's about all I know about it. She's using WinXP, probably Home edition.
 

kt

This seems to be working with Windows XP Pro, may work with Home as well. Check in the process list to see if there's a file called "WToolsA.exe" running. If there is, then boot into safe mode and use "msconfig" to remove all traces of it (in Services, Startup, etc) and delete the files. The files are residing in the directory "/Program Files/Common Files/WinTools/".

Then reboot into normal Windows (with the network still disconnected). Remove everything in the Network Settings (Clients for Microsoft Network, QoS Scheduler, etc). You won't be able to remove TCP/IP protocol of course. Then remove the network adapter, reboot, and let Windows redetect the network adapter again.

That seems to have fixed the problems for us.
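
A read-only check for the indicators named in the posts above (the `WToolsA.exe` process, the `WinTools` folder under Common Files, the msconfig Startup and Services entries, and the "Automatically restart" setting), as an added example that is not part of the original thread. The function name `Get-WinToolsTriage` is hypothetical, and the script assumes PowerShell 4.0 or later and the default Common Files location.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# Assumes PowerShell 4.0+ (Get-CimInstance, Get-FileHash). Changes nothing.
function Get-WinToolsTriage {              # hypothetical helper name
    param(
        [string]$ProcessName = 'WToolsA',  # WToolsA.exe, from the thread
        [string]$FolderName  = 'WinTools'  # under Common Files, from the thread
    )
    # Assumption: default location; on 64-bit Windows also check
    # ${env:CommonProgramFiles(x86)}.
    $dir     = Join-Path $env:CommonProgramFiles $FolderName
    $pattern = [regex]::Escape($FolderName) + '|' + [regex]::Escape($ProcessName)

    # 1. Is the process in the process list?
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # 2. Files in the folder, hashed so they can be identified before deletion.
    $files = @()
    if (Test-Path -LiteralPath $dir) {
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -File |
                   Get-FileHash -Algorithm SHA256)
    }

    # 3. Startup entries and services: the same places msconfig shows.
    $startup  = @(Get-CimInstance Win32_StartupCommand |
                  Where-Object { $_.Command -match $pattern })
    $services = @(Get-CimInstance Win32_Service |
                  Where-Object { $_.PathName -match $pattern })

    # 4. "Automatically restart" setting: 1 means the BSOD flashes by unread.
    $crash = Get-ItemProperty -Name AutoReboot -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    [pscustomobject]@{
        ProcessRunning = $procs.Count -gt 0
        ProcessIds     = $procs.Id
        FolderPath     = $dir
        FolderExists   = Test-Path -LiteralPath $dir
        FileHashes     = $files    | Select-Object Path, Hash
        StartupEntries = $startup  | Select-Object Name, Command, Location
        Services       = $services | Select-Object Name, State, StartMode, PathName
        AutoReboot     = $crash.AutoReboot
    }
}

Get-WinToolsTriage | Format-List
```

Run it with the network cable still disconnected; an empty result for every field means none of the indicators from this thread are present on that machine.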