LSASS & RPC

Hi there,

Thanks for reading. I am working on a friend's computer (I guess that kind of sounds like a teenager saying "it was my friend's marijuana"). Anyway, his pc has unexpected slowness (2.4GHz processor) and we get the automatic shutdown when we kill one of the svchost.exe's.

I applied the Symantec Blaster, Welchia and Sasser worm tools without any results. He's using XP, I assume SP1. I have burned SP2 to disk and will install that to his pc.

Do you have any other ideas?

Thanks in advance,
Bob

 

well, if you kill the right svchost, that's what will happen. Did you find out what child process is causing the high cpu usage?

Sysinternals Freeware - Process Explorer

 

Hi Kodo. Thanks for responding.

I am using Sysinternals' processExplorer and can easily see the parent process in the properties, but am not sure how to determine the child process.

Thanks,
Bob

 

it's a tree hierarchy.. so if there is nothing to expand on the svchost then there is no child.

 

I don't think that's right about killing svchosts and getting an automatic shutdown. I have used ProcessExplorer many times as part of cleaning spyware and adware off machines. I regularly kill all resident svchosts (without auto-restart), spooler, media keyboard, blah blah blah, etc. til nothing's running but
system idle
interrupts
dpc
system
smss
csrss
winlogon
services
lsass
antivirus (and associated processes)
explorer
ad-aware or spybot and
process explorer

This computer's an exception. I kill the last svchost (the virus) and enter shutdown -a when the shutdown popup appears. After 60 seconds, two svchosts restart spontaneously and I can repeat. So if the SP2 install I'm planning doesn't fix what I hope is an attack on lsass or dcom/rpc vulnerability, I'm out of answers.

Thanks again for your feedback,
Bob