Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware! svchost.exe-advapi32.dll max out 100% CPU

Started by TravelingJoel , Apr 08 2005 09:43 AM

  • Please log in to reply

#1
TravelingJoel
Posted 08 April 2005 - 09:43 AM

TravelingJoel

    New Member

  • Member
  • Pip
  • 2 posts
Hi there

Please Help!!! Here's my problem:

Current Symptoms -
100% CPU utilization by svchost.exe process - specifically the advapi32.dll thread
System Information doesn't work - shows a blank when identifying what should be the system name in the "...can't find _... check network and path" error message
No drag-drop
No Paste operations (disabled from hotkeys, cntrl-v, and menus)
Child windows only display on occassion (not exactly sure when/why)
Some hyperlinks don't work, including ones that aren't supposed to open child windows
MS Outlook (XP) displays "can't find this file. Make sure path and file name are correct" when trying to Send/Receive. However defined email accounts pass tests. Can't open Define Send/Receive Groups, but maybe due to child window status.
All MS Office (XP) tools display "document could not be registered" error message.
Windows Search disabled through Start menu
Windows Installer errors
Active X appears to be completely disabled (at least through browsers)
Unable to download antivirus updates

Initial condition -

Windows 2000 Professional - 5.00.2195 - SP4

I ran windowsupdate about 2 weeks ago, my antivirus (NA Virusscan) definitions had been updated the day before, I use AdAware and Spysweeper constantly (with udpates), and Microsoft AntiSpyware beta.

First signs of trouble -
While surfing the net, the NA AntiVirus killed the following within a 15 min timeframe:
Deleted %Profile directory%\GXUZCHM7\test[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\A1E3M7KP\index[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\index[1].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-CodeBase
Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\GXUZCHM7\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\3JZT1X5E\loader2[1].htm Exploit-HelpZonePass
Deleted %Profile directory%\GXUZCHM7\exploit[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\loader7[1].htm VBS/Psyme
Deleted %Profile directory%\WHO7KBOJ\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\loader6[1].htm VBS/Psyme
Deleted %Profile directory%\UX4R2165\1[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\W12B4HIV\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\x3[1].htm JS/Exploit-DragDrop
Deleted %Profile directory%\UX4R2165\5[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\goatse[1].jar Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\loader2[1].htm Exploit-HelpZonePass
Deleted %Profile directory%\01CDUJGL\loader6[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\loader7[1].htm VBS/Psyme
Deleted %Profile directory%\UX4R2165\exploit[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\count5[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\in[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\A1E3M7KP\test[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\1[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\ARUBMDY7\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\6QA278MB\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\ARUBMDY7\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\win32[1].exe Generic Downloader.f
Deleted %Profile directory%\GXUZCHM7\index[3].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-CodeBase
Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\start[1].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\A1E3M7KP\msjld[1].jar Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\goatse[1].jar Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\x3[1].htm JS/Exploit-DragDrop
Deleted %Profile directory%\WHO7KBOJ\5[1].htm VBS/Psyme
Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\6QA278MB\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\W12B4HIV\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\DTJ6E417\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\6QA278MB\win32[1].exe Generic Downloader.f

followed a couple hours later (when I was no longer using the computer)
Deleted C:\WINNT\system32\anukem.exe Proxy-FBSR
Deleted C:\WINNT\system32\enasa.exe W32/Sdbot.worm.gen


Current Status -

I've done a lot of research on this and other boards, I've tried everything, but don't know what to do now.

Ran antivirus again using day-old definitions - both in safe mode as normal - no virus found
ran adaware - nothing found
ran spybot - nothing found
ran CWshredder - nothing found
ran Spybotsd13 - nothing found
ran Stinger - nothing fouind

using process explorer discovered that the svchost.exe thread using 100% CPU is the advapi32.dll (5.00.2195.6876)

Any ideas?

HJT log -

Logfile of HijackThis v1.99.1
Scan saved at 8:09:38 PM, on 4/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\winnt\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PGPsdkServ.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\s3hksrv.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINNT\system32\nutsrv4.exe
C:\Program Files\Network Associates\PGP Keyserver\Bin\PGPcertd.exe
C:\WINNT\system32\RunDll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\system32\hphmon04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\Profiles\Jsisk\Desktop\cleaners\procexp.exe
C:\WINNT\system32\wscript.exe
C:\WINNT\system32\wscript.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\Profiles\Jsisk\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pcore-w01/core.proxy:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QCWLICON] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...nt/IbmEgath.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.co.../AcpControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?325
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = siskconsulting.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = siskconsulting.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = siskconsulting.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINNT\system32\Hummbird\inetd32.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINNT\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\Ora9\bin\omtsreco.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome9ClientCache - Unknown owner - C:\Oracle\Ora9\BIN\ONRSD.EXE
O23 - Service: PGP Keyserver (PGP Certificate Server) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP Keyserver\Bin\PGPcertd.exe
O23 - Service: PGP Replication Engine - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP Keyserver\Bin\PGPrepd.exe
O23 - Service: PGPapache - Unknown owner - C:\Program Files\Network Associates\PGP Keyserver\Web\PGPapache.exe
O23 - Service: PGPsdkService (PGPsdkServ) - Network Associates Technology, Inc. - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: S3HKSrv (S3HkSrv) - S3 Graphics, Inc. - C:\WINNT\System32\s3hksrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements

#2
TravelingJoel
Posted 14 April 2005 - 01:45 PM

TravelingJoel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
OK, so I after trolling through Google for a while, I found something that most closely reflected my situation.

WORM_SDBOT.AXU

See the following site for details:
http://www.trendmicr......AXU&VSect=Sn

A couple things:
1 - I could not find the initial culprit identified in the virus definition (HPPhotoManager.exe), but I assume that it was deleted by one of the many scans I completed.
2 - I did not have either of the registry keys or values indicated by the solution. I created them and assigned the data as directed.
3 - I am in the process of installing/verifying installation of each of the MS security updates. I believe the first 3 already exist on my machine through Win 2000 SP4. The last one on the list KB835732 is not in SP4, and it's on the large side at 6.82 MB.

At the moment I am running through final scans for spyware and we'll see if the network sniffer finds any unusual activity to be sure.

thanks, Chaslang for your help!

Joel
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP