malware! svchost.exe-advapi32.dll max out 100% CPU, need help to diagnose and fix

Discussion in 'Software' started by TravelingJoel, Apr 8, 2005.

  1. TravelingJoel

    TravelingJoel Private E-2

    Hi there

    I've looked through this site and others, seen similar but not identical situations and tried some of the suggested solutions to no avail.
    Please Help!!! Here's my problem:

    Current Symptoms -
    100% CPU utilization by svchost.exe process - specifically the advapi32.dll thread
    System Information doesn't work - shows a blank when identifying what should be the system name in the "...can't find _... check network and path" error message
    No drag-drop
    No Paste operations (disabled from hotkeys, Ctrl-V, and menus)
    Child windows only display on occasion (not exactly sure when/why)
    Some hyperlinks don't work, including ones that aren't supposed to open child windows
    MS Outlook (XP) displays "can't find this file. Make sure path and file name are correct" when trying to Send/Receive. However defined email accounts pass tests. Can't open Define Send/Receive Groups, but maybe due to child window status.
    All MS Office (XP) tools display "document could not be registered" error message.
    Windows Search disabled through Start menu
    Windows Installer errors
    ActiveX appears to be completely disabled (at least through browsers)
    Unable to download antivirus updates

    Initial condition -

    Windows 2000 Professional - 5.00.2195 - SP4

    I ran windowsupdate about 2 weeks ago, my antivirus (NA Virusscan) definitions had been updated the day before, I use AdAware and Spysweeper constantly (with updates), and Microsoft AntiSpyware beta.

    First signs of trouble -
    While surfing the net, the NA AntiVirus killed the following within a 15 min timeframe:
    Deleted %Profile directory%\GXUZCHM7\test[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\A1E3M7KP\index[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\TA984A66\index[1].htm JS/Exploit-HelpXSite
    Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-CodeBase
    Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\GXUZCHM7\classload[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\3JZT1X5E\loader2[1].htm Exploit-HelpZonePass
    Deleted %Profile directory%\GXUZCHM7\exploit[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\SD0NG94P\loader7[1].htm VBS/Psyme
    Deleted %Profile directory%\WHO7KBOJ\classload[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\GXUZCHM7\loader6[1].htm VBS/Psyme
    Deleted %Profile directory%\UX4R2165\1[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\GXUZCHM7\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\W12B4HIV\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\01CDUJGL\x3[1].htm JS/Exploit-DragDrop
    Deleted %Profile directory%\UX4R2165\5[1].htm VBS/Psyme
    Deleted %Profile directory%\GXUZCHM7\goatse[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\SD0NG94P\loader2[1].htm Exploit-HelpZonePass
    Deleted %Profile directory%\01CDUJGL\loader6[1].htm VBS/Psyme
    Deleted %Profile directory%\GXUZCHM7\loader7[1].htm VBS/Psyme
    Deleted %Profile directory%\UX4R2165\exploit[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\WHO7KBOJ\count5[1].htm VBS/Psyme
    Deleted %Profile directory%\GXUZCHM7\files[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\SD0NG94P\in[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\A1E3M7KP\test[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\SD0NG94P\1[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\TA984A66\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\ARUBMDY7\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\01CDUJGL\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\6QA278MB\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\ARUBMDY7\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\GXUZCHM7\win32[1].exe Generic Downloader.f
    Deleted %Profile directory%\GXUZCHM7\index[3].htm JS/Exploit-HelpXSite
    Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-CodeBase
    Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\TA984A66\classload[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\GXUZCHM7\start[1].htm JS/Exploit-HelpXSite
    Deleted %Profile directory%\A1E3M7KP\msjld[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\01CDUJGL\goatse[1].jar Exploit-ByteVerify
    Deleted %Profile directory%\UX4R2165\x3[1].htm JS/Exploit-DragDrop
    Deleted %Profile directory%\WHO7KBOJ\5[1].htm VBS/Psyme
    Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\SD0NG94P\files[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\6QA278MB\files[1].htm Exploit-MhtRedir.gen
    Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\W12B4HIV\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\SD0NG94P\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
    Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
    Deleted %Profile directory%\DTJ6E417\VerifierBug[1].class Exploit-ByteVerify
    Deleted %Profile directory%\6QA278MB\win32[1].exe Generic Downloader.f

    followed a couple hours later (when I was no longer using the computer)
    Deleted C:\WINNT\system32\anukem.exe Proxy-FBSR
    Deleted C:\WINNT\system32\enasa.exe W32/Sdbot.worm.gen


    Current Status -

    I've done a lot of research on this and other boards, I've tried everything, but don't know what to do now.

    Ran antivirus again using day-old definitions - both in safe mode and normal - no virus found
    ran adaware - nothing found
    ran spybot - nothing found
    ran CWshredder - nothing found
    ran Spybotsd13 - nothing found
    ran Stinger - nothing found

    using process explorer discovered that the svchost.exe thread using 100% CPU is the advapi32.dll (5.00.2195.6876)

    Any ideas? thanks in advance!

    Joel
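A defender's triage pass over detection lines like the ones quoted in this post, added here as an example and not part of the original thread or of any VirusScan tooling. It parses the "Deleted <path> <detection>" shape (a constructed subset of the post's lines is embedded) and sorts entries into exploit content intercepted in the browser cache, a downloader fetched into the cache, and payloads that reached system32, which is the distinction that tells you whether the drive-by merely hit the cache or a second stage actually ran. The bucket names and the reading of %Profile directory%\XXXXXXXX\ as the browser cache are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the VirusScan "Deleted <path> <detection>"
# lines quoted in the post; %Profile directory%\XXXXXXXX\ is taken to be the cache.
SAMPLE_LOG = """\
Deleted %Profile directory%\\GXUZCHM7\\test[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\\GXUZCHM7\\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\\01CDUJGL\\x3[1].htm JS/Exploit-DragDrop
Deleted %Profile directory%\\GXUZCHM7\\win32[1].exe Generic Downloader.f
Deleted C:\\WINNT\\system32\\anukem.exe Proxy-FBSR
Deleted C:\\WINNT\\system32\\enasa.exe W32/Sdbot.worm.gen
"""

# The detection name can itself contain a space ("Generic Downloader.f"),
# so the regex anchors on the path (cache placeholder or drive letter) instead.
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+"
    r"(?P<path>(?:%Profile directory%|[A-Za-z]:)\\\S+)\s+"
    r"(?P<name>.+?)\s*$"
)

def classify(path, name):
    # Which stage of the drive-by does this entry evidence?
    low = path.lower()
    if low.startswith("%profile directory%"):
        if low.endswith(".exe") or "downloader" in name.lower():
            return "downloader-fetched-to-cache"   # stage 2 was retrieved
        return "exploit-in-cache"                  # stage 1: page content only
    if "\\system32\\" in low:
        return "payload-on-disk"                   # stage 3: something executed
    return "other"

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip non-detection lines
        rows.append({**m.groupdict(), "bucket": classify(m["path"], m["name"])})
    return rows

def summarize(rows):
    # Per-bucket counts plus the on-disk payload paths for the write-up.
    by_bucket = Counter(r["bucket"] for r in rows)
    payloads = sorted(r["path"] for r in rows if r["bucket"] == "payload-on-disk")
    return by_bucket, payloads

if __name__ == "__main__":
    buckets, payloads = summarize(parse_log(SAMPLE_LOG))
    print(dict(buckets), payloads)
```

Any non-empty payload list means the infection got past the cache, so the system needs a persistence and process check (as the poster's svchost symptoms suggest) rather than just a cache wipe.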
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post your problem in the Spyware Forum and we will get you fixed up!
     
  3. TravelingJoel

    TravelingJoel Private E-2

    moved. thanks!
     
