Hi *
I am running windwos XP SP2. For past few weeks I am facing a strange prob.
Task manager shows multiple lsass.exe,services.exe and svchost.exe apart from this
all this process are taking a heavy toll on my cpu making it very slow and over heated.

I have run Norton 2006,AVG,says no virus, and if I try to run msconfig or cmd the system reboots. Not able to access even regedit, says "not proper permission". One of my pen drive was positively detected for "WORM_RONTKBR.B" on a different machine but not in my machine. HijackThis log attached. Kindly help me.


Logfile of HijackThis v1.99.1
Scan saved at 11:51:05 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Omniquad Total Security\TScutyNT.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Documents and Settings\admin\Local Settings\Application Data\winlogon.exe
C:\Program Files\Omniquad Total Security\AntiSpy\TSAtiSy.exe
C:\Documents and Settings\admin\Local Settings\Application Data\services.exe
C:\Documents and Settings\admin\Local Settings\Application Data\lsass.exe
D:\datas\downloads\Antivirus\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Total Security] "C:\Program Files\Omniquad Total Security\TScutyNT.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\admin\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ImageFox.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download using Download &Express - G:\SOFTWARES\MYSQL\Mysql\Add_Url.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

You have acquired a serious WORM infection 'with high damage potential' (items showing in your HJT log):

http://www.trendmicro.com/vinfo/viru...RO%2EC&VSect=T

Upon execution, this worm drops copies of itself, depending on the following platforms:

On Windows 2000, XP, and Server 2003

%System%\{User name}'s Setting.scr
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com
%Windows%\eksplorasi.pif
%Windows%\ShellNew\bronstab.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003. %UserProfile% is the user profile folder, which is usually C:\Documents and Settings\{user name}. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

You may need to alter or delete the file AUTOEXEC.BAT:

This memory-resident worm drops several copies of itself into various folder locations on the affected system, depending on the platform of the affected user. It then overwrites the file AUTOEXEC.BAT, which is located in C:\, with the following string:

pause

This modification causes the affected system to pause on startup, requiring the user to press any key to resume.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O4 - HKLM\..\Run: [BRON-SPIZAETUS] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\admin\Local Settings\APPLICation Data\smss.exe"
O4 - Startup: Empty.pif = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".
3) Then Click the "All Files" button.

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\admin\Local Settings\APPLICation Data\csrss.exe
C:\Documents and Settings\admin\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\admin\Local Settings\APPLICation Data\smss.exe
C:\Documents and Settings\admin\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\admin\Local Settings\Application Data\services.exe
C:\Documents and Settings\admin\Local Settings\Application Data\lsass.exe
C:\Windows\eksplorasi.pif
C:\Windows\ShellNew\bronstab.exe

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.




The following items may also need to be separately resolved (found and deleted):
%System%\{User name}'s Setting.scr
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com



POST A REVISED HIJACKTHIS LOG for review:
Post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

Hi
Thanks It worked.