LANfiltrator virus, closes Norton

jonnyjohan
I am running Windows 98 SE.  I have a virus that when disconnected from the internet pops up a small warning box titled LANfiltrator.  It apparently is shutting down my Norton Antivirus in normal mode.  I have updated my virus definitions and tried scanning the computer using the Norton AV CD, the Norton AV Website, running Norton AV in safe mode.  None of these things have come up with any virus though.  Yet it still is doing there with the popups when I disconnect from my LAN and the internet.  I have tried what the Symantec website suggests for the virus Backdoor.LANfiltrator.  The following is what the Registry Editor is running  

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Ati2cwxx                                    Ati2cwxx.exe
AtiPTA                                        Atiptaab.exe
bpcpost.exe                              C:\WINDOWS\SYSTEM\bpcpost.exe
ccApp                                        "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy                                   "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CriticalUpdate                           C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
CTRegRun                                 C:\WINDOWS\CTRegRun.EXE
HPDJ Taskbar Utility                  C:\WINDOWS\SYSTEM\hpztsb05.exe
ICSDCLT                                    C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
IrMon                                        IrMon.exe
LoadPowerProfile                      Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM                                     loadqm.exe
Logitech Utility                           LOGI_MWX.EXE
LWBMOUSE                               C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
Quicktime Task                          "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
RegShave                                  C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
ScanRegistry                              C:\WINDOWS\scanregw.exe /autorun
StillImageMonitor                       C:\WINDOWS\SYSTEM\STIMON.EXE
System                                       C:\WINDOWS\SYSTEM\css.exe
SystemTray                                SysTray.Exe
TaskMonitor                                C:\WINDOWS\taskmon.exe
TKBellExe                                   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WhenUSave                                C:\Program Files\Save\Save.exe

A lot of that is gibberish to me but as I understand it these are the programs that run upon startup.  I am guessing that a lot of these are probably not necessary, but I will fight that battle another day.  For right now I just need to know how to get rid of the Lanfiltrator garbage.  I think that is all of the information that I have.  Thank you anyone for any help that you can offer.
Commented:
I've made some analysis. In my opinion there are two suspicious items:
1) WhenUSave seems to be a known adware.
2) I can't find trusted information about CSS.EXE. It's named similar to a Windows system process (csrss.exe).

I would recommend to disable these items temporarily. Try css.exe first. Then check whether NAV will be still terminated.

Ati2cwxx: ATI video cards, not needed (http://www.azpchelp.com/StartupListA-F.htm)
AtiPTA: Part of ATI display drivers (http://www.answersthatwork.com/Tasklist_pages/tasklist_a.htm)
bpcpost.exe: Microsoft TV Viewer Post Setup program (http://answersthatwork.com/Tasklist_pages/tasklist_b.htm)
ccApp: Norton Antivirus Auto-Protect
ccRegVfy: Norton Antivirus Auto-Protect
CriticalUpdate: Windows Critical Update Notification (http://www.windows-help.net/windows98/troub-312.shtml)
CTRegRun: Creative Labs registration reminder. Not required.
HPDJ Taskbar Utility: Ghostscript device driver for printers (http://dvdxcopy.afterdawn.com/thread_view.cfm/31817)
ICSDCLT: Internet Connection Sharing (http://www.pacs-portal.co.uk/startup_pages/startup_i.php)
IrMon: Windows Infrared Port Monitor (http://www.liutilities.com/products/wintaskspro/processlibrary/irmon/)
LoadPowerProfile: Loads Power Management settings (http://www.greatis.com/regrun3necessary.htm)
LoadQM: MSN Queue Manager Loader (http://www.liutilities.com/products/wintaskspro/processlibrary/loadqm/)
Logitech Utility: Logitech Mouseware driver (http://www.pacs-portal.co.uk/startup_pages/startup_l.php)
LWBMOUSE: Mouse driver
Quicktime Task: Quick Time Tray Icon (http://www.liutilities.com/products/wintaskspro/processlibrary/qttask/)
RegShave: Fuji Finepix digital cameras (http://www.azpchelp.com/StartupListQ-U.htm)
ScanRegistry: Windows registry checker (http://homepages.maxnet.co.nz/brunnies/pchelp/regcheck.html)
StillImageMonitor: Still Image Monitor (http://support.microsoft.com/?kbid=257815)
System - C:\WINDOWS\SYSTEM\css.exe - ???? CAN'T FIND INFORMATION ABOUT THAT!!!
SystemTray: Windows Power Management (http://www.liutilities.com/products/wintaskspro/processlibrary/systray/)
TaskMonitor: Windows Task Optimizer (http://www.liutilities.com/products/wintaskspro/processlibrary/taskmon/)
TKBellExe: RealNetworks Scheduler (http://www.reger24.de/prozesse/realsched.exe.html)
WhenUSave: Adware that causes pop-up windows to appear on respectable sites. Comes from WhenU.com (http://www.winpatrol.com/stats.html)

Additionally you could try to scan your computer with an online virus scanner. This might be not disabled by the trojan and might clean the infection:
http://housecall.trendmicro.com/

Author

Commented:
Simply amazing! When I found Experts Exchange I have to admit that I was skeptical.  I mean seriously, who offers expert help for free? (Even one question!?) But the first answer I received was so in-depth, professional, and accurate.  I was able to fix the problem within a matter of minutes of reading the expert's (ghana, you were right on, thanks so much!!) reply to my question.  Next time I have a problem (there is always a next time with computers) I know where the first place I will go is...www.Experts-Exchange.com!!

Commented:
Glad I could help you and thank you for rating the answer! Your question was very professional because you offered the necessary information to do further investigation. I would be happy if every question here would be so detailed. I'm interested whether it was really css.exe that did shut down NAV. Or did housecall find another trojan?

Author

Commented:
It is strange, I ran all the different antivirus software and online checkers (including housecall) and there is no record of any virus or trojan being on my computer.  When I disabled the CSS.EXE file and restarted NAV ran fine.  I then enabled CSS.EXE again and restarted in safe mode.  I used RegCleaner to delete the registry entry for CSS.EXE and deleted CSS.EXE out of the C:\WINDOWS\SYSTEMS folder.  Restarted in normal mode and all has been well since.  And you are welcome for rating your answer, you definitely deserved the A!

Commented:
Thanks for your feedback!

Commented:
I totally agree with jonnyjohan in his grade and definitely ghana deserves an A+!!!!!

One of our managers' computers was infected with this trojan and just like jonny described, the advice in the Symantec website is impossible to follow since the anti-virus is just not working.  Only after I followed the instructions ghana provided (jonnyjohan, thanks for detailing what you did step by step in one of your replies too!!!) I was able to get rid of the annoying pop-up, fix the registry, and re-install the AV.

I am definitely coming here first the next time!

Commented:
Thank you very much Ghana, although your solution did not help mine I was able to fix it.  Here is my full assessment as to what I had.

My problem was very similar to jonny's.  It would close McAfee, regedit, and installs of any virus programs that I could find.  So I started investigating MsConfig (Start -> Run -> MsConfig).  I found a strange entry called Csrss.exe.  I know that Csrss is a system process that Windows uses (for what I don't know) so I didn't want to disable it.  However it had a strange file path C:\Windows\Csrss.exe and it had 3 entries.  So I went to that location and investigated the file.  To my surprise that is NOT a normal file and does not belong.  So I went back to MsConfig and disabled the startup process for Csrss.  Csrss.exe can be renamed or moved but it cannot be deleted.  So I moved it to my desktop so I could keep an eye on it.  I rebooted and the problem was gone!  So I went further and compiled some instructions for removal.

1) First off you have to remove the file from startup.  So go to Start -> Run then type MsConfig
2) Click the tab Startup and uncheck Csrss.exe, there should be 3.
3) Go to C:\Windows and move csrss.exe to your desktop
4) Restart
5) Delete the file Csrss.exe from your desktop
6) Open regedit by going to Start -> Run and type Regedit (the virus prevented this from being done before removal)
7) Go to the following roots and remove the key "Runtime Process" with the value "C:\Windows\Csrss.exe"  Nothing ELSE!!!
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

That top HKEY might be located in either RunServices or RunOnceExe, sorry just check both.
(Those are NOT the only places this virus implants to the registry, however they are all that need deleting.  If you want them all gone, search your registry for Csrss and delete ONLY the ones with the value C:\Windows\Csrss.exe.  NOTHING ELSE.  I CANNOT stress how important it is that you DO NOT delete anything else that you DO NOT understand in the registry.  This CAN result in permanent damage. )

This should get rid of the file permanently.  It worked great for me and I hope anyone else with this problem will be able to fix it as easily as I did.
BTW I am running Windows XP Professional.
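
An added example, not part of the original thread: both cases above were found by reading the startup entries by eye, once as a file named almost like a system process (css.exe) and once as a system process name in the wrong folder (C:\Windows\Csrss.exe). The sketch below runs that check over a startup listing; the process list, the C:\Windows install path, the 0.8 similarity cutoff and all function names are assumptions of this example.

```python
import difflib
import ntpath
import re

# Assumption: Windows lives in C:\Windows and these system processes run only
# from System32. The list is illustrative, not complete.
SYSTEM_PROCESSES = {name: r"c:\windows\system32" for name in
                    ("csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe")}

# Constructed sample in the layout of the listing posted in the question.
SAMPLE = r'''
ccApp            "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ICSDCLT          C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
System           C:\WINDOWS\SYSTEM\css.exe
SystemTray       SysTray.Exe
Runtime Process  C:\Windows\Csrss.exe
'''

def image_path(command):
    """Return the executable part of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # unquoted paths may contain spaces
    return command[:end + 4] if end != -1 else command

def classify(command):
    """Return 'ok', 'wrong-path' or 'lookalike:<system process>'."""
    directory, exe = ntpath.split(image_path(command).lower())
    if exe in SYSTEM_PROCESSES:
        # A bare name is resolved through the search path; it is not judged here.
        if directory and directory != SYSTEM_PROCESSES[exe]:
            return "wrong-path"
        return "ok"
    near = difflib.get_close_matches(exe, list(SYSTEM_PROCESSES), n=1, cutoff=0.8)
    return "lookalike:" + near[0] if near else "ok"

def audit(listing):
    """Return (entry name, verdict) for every entry that is not 'ok'."""
    findings = []
    for line in listing.strip().splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and classify(parts[1]) != "ok":
            findings.append((parts[0], classify(parts[1])))
    return findings

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        print(f"{name}: {verdict}")
```

A flagged entry is a lead to investigate, as the posters did by disabling the item and checking the file, not proof of infection.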
