jonnyjohan asked:

LANfiltrator virus, closes Norton

I am running Windows 98 SE.  I have a virus that when disconnected from the internet pops up a small warning box titled LANfiltrator.  It apparently is shutting down my Norton Antivirus in normal mode.  I have updated my virus definitions and tried scanning the computer using the Norton AV CD, the Norton AV Website, running Norton AV in safe mode.  None of these things have come up with any virus though.  Yet it still is doing there with the popups when I disconnect from my LAN and the internet.  I have tried what the Symantec website suggests for the virus Backdoor.LANfiltrator.  The following is what the Registry Editor is running  

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Ati2cwxx                                    Ati2cwxx.exe
AtiPTA                                        Atiptaab.exe
bpcpost.exe                              C:\WINDOWS\SYSTEM\bpcpost.exe
ccApp                                        "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy                                   "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CriticalUpdate                           C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
CTRegRun                                 C:\WINDOWS\CTRegRun.EXE
HPDJ Taskbar Utility                  C:\WINDOWS\SYSTEM\hpztsb05.exe
ICSDCLT                                    C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
IrMon                                        IrMon.exe
LoadPowerProfile                      Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM                                     loadqm.exe
Logitech Utility                           LOGI_MWX.EXE
LWBMOUSE                               C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
Quicktime Task                          "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
RegShave                                  C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
ScanRegistry                              C:\WINDOWS\scanregw.exe /autorun
StillImageMonitor                       C:\WINDOWS\SYSTEM\STIMON.EXE
System                                       C:\WINDOWS\SYSTEM\css.exe
SystemTray                                SysTray.Exe
TaskMonitor                                C:\WINDOWS\taskmon.exe
TKBellExe                                   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WhenUSave                                C:\Program Files\Save\Save.exe

A lot of that is gibberish to me but as I understand it these are the programs that run upon startup.  I am guessing that a lot of these are probably not necessary, but I will fight that battle another day.  For right now I just need to know how to get rid of the Lanfiltrator garbage.  I think that is all of the information that I have.  Thank you anyone for any help that you can offer.
ASKER CERTIFIED SOLUTION
ghana

jonnyjohan (ASKER)

Simply amazing! When I found Experts Exchange I have to admit that I was skeptical.  I mean seriously, who offers expert help for free? (Even one question!?) But the first answer I received was so in-depth, professional, and accurate.  I was able to fix the problem within a matter of minutes of reading the expert's (ghana, you were right on thanks so much!!) reply to my question.  Next time I have a problem (there is always a next time with computers) I know where the first place I will go is...www.Experts-Exchange.com!!
Glad I could help you and thank you for rating the answer! Your question was very professional because you offered the necessary information to do further investigation. I would be happy if every question here would be so detailed. I'm interested whether it was really css.exe that did shut down NAV. Or did housecall find another trojan?
It is strange, I ran all the different antivirus software and online checkers (including housecall) and there is no record of any virus or trojan being on my computer.  When I disabled the CSS.EXE file and restarted, NAV ran fine.  I then enabled CSS.EXE again and restarted in safe mode.  I used RegCleaner to delete the registry entry for CSS.EXE and deleted CSS.EXE out of the C:\WINDOWS\SYSTEMS folder.  Restarted in normal mode and all has been well since.  And you are welcome for rating your answer, you definitely deserved the A!
Thanks for your feedback!
nmiranda

I totally agree with jonnyjohan in his grade and definitely ghana deserves an A+!!!!!

One of our managers' computers was infected with this trojan and just like jonny described, the advice in the Symantec website is impossible to follow since the Anti-virus is just not working.  Only after I followed the instructions ghana provided (jonnyjohan, thanks for detailing what you did step by step in one of your replies too!!!) I was able to get rid of the annoying pop-up, fix the registry, and re-install the AV.

I am definitely coming here first the next time!
Thank you very much Ghana, although your solution did not help mine I was able to fix it.  Here is my full assessment as to what I had.

My problem was very similar to jonny's.  It would close McAfee, regedit, and installs of any virus programs that I could find.  So I started investigating MsConfig (Start -> Run -> MsConfig).  I found a strange entry called Csrss.exe.  I know that Csrss is a system process that windows uses (for what I don't know) so I didn't want to disable it.  However it had a strange file path C:\Windows\Csrss.exe and it had 3 entries.  So I went to that location and investigated the file.  To my surprise that is NOT a normal file and does not belong.  So I went back to Msconfig and disabled the startup process for Csrss.  Csrss.exe can be renamed or moved but it cannot be deleted.  So I moved it to my desktop so I could keep an eye on it.  I rebooted and the problem was gone!  So I went further and compiled some instructions for removal.

1) First off you have to remove the file from startup.  So go to Start -> Run then type MsConfig
2) Click the tab Startup and uncheck Csrss.exe, there should be 3.
3) Go to C:\Windows and move csrss.exe to your desktop
4) Restart
5) Delete the file Csrss.exe from your desktop
6) Open regedit by going to Start -> Run and type Regedit (the virus prevented this from being done before removal)
7) Go to the following roots and remove the key "Runtime Process" with the value "C:\Windows\Csrss.exe"  Nothing ELSE!!!
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

That top HKEY might be located in either RunServices or RunOnceExe, sorry just check both.
(Those are NOT the only places this virus implants to the registry, however they are all that need deleting.  If you want them all gone, search your registry for Csrss and delete ONLY the ones with the value C:\Windows\Csrss.exe.  NOTHING ELSE.  I CANNOT stress how important it is that you DO NOT delete anything else that you DO NOT understand in the registry.  This CAN result in permanent damage.)

This should get rid of the file permanently.  It worked great for me and I hope anyone else with this problem will be able to fix it as easily as I did.
BTW I am running Windows XP Professional.
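
The check the last poster did by eye (an autostart entry named after a system process but pointing at C:\Windows instead of System32), as an added example that is not part of any post on this page. It assumes a default Windows NT/XP install in C:\Windows; the sample entries are constructed from values quoted above, and SYSTEM_IMAGES, image_path and audit_autostart are names made up for this example.

```python
import ntpath
import re

# Core Windows NT/XP processes and the directory they load from on a default
# install (assumption: Windows is installed in C:\Windows).
SYSTEM_IMAGES = {name: r"c:\windows\system32" for name in
                 ("csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                  "winlogon.exe", "svchost.exe")}

# Executable part of a Run value: a quoted path, or unquoted text up to the
# first program extension (unquoted paths may contain spaces).
IMAGE_RE = re.compile(
    r'\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$))', re.I)

def image_path(command):
    """Return the program a Run-key command line starts, without arguments."""
    m = IMAGE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    parts = command.split()
    return parts[0] if parts else ""

def audit_autostart(entries):
    """entries: (registry key, value name, command). Returns flagged entries."""
    findings = []
    for key, name, command in entries:
        path = image_path(command)
        folder, image = ntpath.split(path.lower())
        expected = SYSTEM_IMAGES.get(image)
        if expected is None:
            continue  # not named after a core system process
        if folder and ntpath.normpath(folder) != expected:
            reason = "system process name outside " + expected
        else:
            reason = "system process should not start from an autostart key"
        findings.append((key, name, path, reason))
    return findings

# Constructed sample, built from values quoted in the posts above.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    (RUN, "ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),
    (RUN, "LWBMOUSE", r"C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe"),
    (RUN, "LoadPowerProfile", "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"),
    (RUN, "System", r"C:\WINDOWS\SYSTEM\css.exe"),
    (RUN + "Services", "Runtime Process", r"C:\Windows\Csrss.exe"),
]

if __name__ == "__main__":
    for finding in audit_autostart(SAMPLE):
        print(" | ".join(finding))
```

On the sample it flags only the "Runtime Process" entry; css.exe from the original question is not a system process name, so this rule does not catch it.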