Hi *
I am running Windows XP SP2. For the past few weeks I have been facing a strange problem.
Task manager shows multiple lsass.exe, services.exe and svchost.exe; apart from this,
all these processes are taking a heavy toll on my CPU, making it very slow and overheated.
I have run Norton 2006 and AVG, which say no virus, and if I try to run msconfig or cmd the system reboots. Not able to access even regedit; it says "not proper permission". One of my pen drives was positively detected for "WORM_RONTKBR.B" on a different machine but not in my machine. HijackThis log attached. Kindly help me.
Logfile of HijackThis v1.99.1
Scan saved at 11:51:05 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Omniquad Total Security\TScutyNT.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Documents and Settings\admin\Local Settings\Application Data\winlogon.exe
C:\Program Files\Omniquad Total Security\AntiSpy\TSAtiSy.exe
C:\Documents and Settings\admin\Local Settings\Application Data\services.exe
C:\Documents and Settings\admin\Local Settings\Application Data\lsass.exe
D:\datas\downloads\Antivirus\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Total Security] "C:\Program Files\Omniquad Total Security\TScutyNT.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\admin\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ImageFox.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download using Download &Express - G:\SOFTWARES\MYSQL\Mysql\Add_Url.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
You have acquired a serious WORM infection 'with high damage potential' (items showing in your HJT log):
http://www.trendmicro.com/vinfo/viru...RO%2EC&VSect=T
Upon execution, this worm drops copies of itself, depending on the following platforms:
On Windows 2000, XP, and Server 2003
%System%\{User name}'s Setting.scr
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com
%Windows%\eksplorasi.pif
%Windows%\ShellNew\bronstab.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003. %UserProfile% is the user profile folder, which is usually C:\Documents and Settings\{user name}. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
You may need to alter or delete the file AUTOEXEC.BAT:
This memory-resident worm drops several copies of itself into various folder locations on the affected system, depending on the platform of the affected user. It then overwrites the file AUTOEXEC.BAT, which is located in C:\, with the following string:
pause
This modification causes the affected system to pause on startup, requiring the user to press any key to resume.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O4 - HKLM\..\Run: [BRON-SPIZAETUS] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\admin\Local Settings\APPLICation Data\smss.exe"
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.
1) Please download the Killbox.
Unzip it to the desktop and run it.
2) Select "Delete on Reboot".
3) Then Click the "All Files" button.
4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
C:\Documents and Settings\admin\Local Settings\APPLICation Data\csrss.exe
C:\Documents and Settings\admin\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\admin\Local Settings\APPLICation Data\smss.exe
C:\Documents and Settings\admin\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\admin\Local Settings\Application Data\services.exe
C:\Documents and Settings\admin\Local Settings\Application Data\lsass.exe
C:\Windows\eksplorasi.pif
C:\Windows\ShellNew\bronstab.exe
6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.
The following items may also need to be separately resolved (found and deleted):
%System%\{User name}'s Setting.scr
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com
POST A REVISED HIJACKTHIS LOG for review:
Post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
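A defender-side triage check for the pattern this reply describes (core system process names running from the user's Application Data folder, the altered system.ini Shell= line, the Run entries pointing into user-writable folders, and DisableRegedit=1). This is an added example, not code from the thread or from HijackThis; the log excerpt it parses is constructed from the entries above.

```python
import re

# Names the worm copies itself under (from the Trend Micro description quoted above).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "inetinfo.exe"}
# On XP those names legitimately run only from the Windows directory or System32.
LEGIT_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)
ITEM = re.compile(r"^[A-Z]\d+ - ")           # HijackThis item lines: F2, O4, O7, ...
USER_DIR = re.compile(r"\\Local Settings\\Application Data\\|\\ShellNew\\", re.I)
# Constructed excerpt following the thread's log, not the poster's full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\admin\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\admin\Local Settings\Application Data\winlogon.exe
C:\Program Files\Winamp\Winampa.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\admin\Local Settings\Application Data\smss.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

def triage_hjt_log(text):
    """Return (kind, detail) findings for the indicators discussed in the thread."""
    findings, in_processes = [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes and not ITEM.match(line):
            name = line.rsplit("\\", 1)[-1].lower()   # basename of the process path
            if name in SYSTEM_NAMES and not LEGIT_DIR.match(line):
                findings.append(("masquerade", line))  # system name outside %System%
            continue
        in_processes = False
        m = re.match(r"F2 - REG:system\.ini: Shell=(.+)", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("shell_hijack", m.group(1).strip()))   # extra program started with the shell
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(("regedit_disabled", line))
        else:
            m = re.match(r'O4 - .*?: \[(.+?)\] "?(.+?)"?$', line)
            if m and USER_DIR.search(m.group(2)):
                findings.append(("autorun_userdir", m.group(1)))   # Run key pointing into a user-writable dir
    return findings
```

Running `triage_hjt_log(SAMPLE_LOG)` flags the two masquerading copies, the Shell= hijack, both worm Run entries and the regedit policy, while the legitimate System32 processes and the Winamp entry pass.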
Hi
Thanks, it worked.