malware! svchost.exe-advapi32.dll max out 100% CPU, need help to diagnose and fix

Hi there

I've looked through this site and others, seen similar but not identical situations and tried some of the suggested solutions to no avail.
Please Help!!! Here's my problem:

Current Symptoms -
100% CPU utilization by svchost.exe process - specifically the advapi32.dll thread
System Information doesn't work - shows a blank when identifying what should be the system name in the "...can't find _... check network and path" error message
No drag-drop
No Paste operations (disabled from hotkeys, cntrl-v, and menus)
Child windows only display on occassion (not exactly sure when/why)
Some hyperlinks don't work, including ones that aren't supposed to open child windows
MS Outlook (XP) displays "can't find this file. Make sure path and file name are correct" when trying to Send/Receive. However defined email accounts pass tests. Can't open Define Send/Receive Groups, but maybe due to child window status.
All MS Office (XP) tools display "document could not be registered" error message.
Windows Search disabled through Start menu
Windows Installer errors - "either in Safe mode.." which I'm not "or installation not finished"
Active X appears to be completely disabled (at least through browsers)
Unable to download antivirus updates
Windows Media Player displays "out of memory" and won't start

Initial condition -

Windows 2000 Professional - 5.00.2195 - SP4

I ran windowsupdate about 2 weeks ago, my antivirus (NA Virusscan) definitions had been updated the day before, I use AdAware and Spysweeper constantly (with udpates), and Microsoft AntiSpyware beta.

First signs of trouble -
While surfing the net, the NA AntiVirus killed the following within a 15 min timeframe:
Deleted %Profile directory%\GXUZCHM7\test[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\A1E3M7KP\index[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\index[1].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-CodeBase
Deleted %Profile directory%\3JZT1X5E\counter[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\GXUZCHM7\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\3JZT1X5E\loader2[1].htm Exploit-HelpZonePass
Deleted %Profile directory%\GXUZCHM7\exploit[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\loader7[1].htm VBS/Psyme
Deleted %Profile directory%\WHO7KBOJ\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\loader6[1].htm VBS/Psyme
Deleted %Profile directory%\UX4R2165\1[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\W12B4HIV\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\x3[1].htm JS/Exploit-DragDrop
Deleted %Profile directory%\UX4R2165\5[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\goatse[1].jar Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\loader2[1].htm Exploit-HelpZonePass
Deleted %Profile directory%\01CDUJGL\loader6[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\loader7[1].htm VBS/Psyme
Deleted %Profile directory%\UX4R2165\exploit[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\count5[1].htm VBS/Psyme
Deleted %Profile directory%\GXUZCHM7\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\in[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\A1E3M7KP\test[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\SD0NG94P\1[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\ARUBMDY7\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\6QA278MB\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\ARUBMDY7\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\win32[1].exe Generic Downloader.f
Deleted %Profile directory%\GXUZCHM7\index[3].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-CodeBase
Deleted %Profile directory%\W12B4HIV\counter[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\TA984A66\classload[1].jar Exploit-ByteVerify
Deleted %Profile directory%\GXUZCHM7\start[1].htm JS/Exploit-HelpXSite
Deleted %Profile directory%\A1E3M7KP\msjld[1].jar Exploit-ByteVerify
Deleted %Profile directory%\01CDUJGL\goatse[1].jar Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\x3[1].htm JS/Exploit-DragDrop
Deleted %Profile directory%\WHO7KBOJ\5[1].htm VBS/Psyme
Deleted %Profile directory%\A1E3M7KP\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\WHO7KBOJ\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\6QA278MB\files[1].htm Exploit-MhtRedir.gen
Deleted %Profile directory%\WHO7KBOJ\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\W12B4HIV\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\SD0NG94P\BlackBox[1].class Exploit-ByteVerify
Deleted %Profile directory%\UX4R2165\Dummy[1].class Exploit-ByteVerify
Deleted %Profile directory%\DTJ6E417\VerifierBug[1].class Exploit-ByteVerify
Deleted %Profile directory%\6QA278MB\win32[1].exe Generic Downloader.f

followed a couple hours later (when I was no longer using the computer)
Deleted C:\WINNT\system32\anukem.exe Proxy-FBSR
Deleted C:\WINNT\system32\enasa.exe W32/Sdbot.worm.gen


Current Status -

I've done a lot of research on this and other boards, I've tried everything, but don't know what to do now.

Ran antivirus again using day-old definitions - both in safe mode as normal - no virus found
ran adaware - nothing found
ran spybot - nothing found
ran CWshredder - nothing found
ran Spybotsd13 - nothing found
ran Stinger - nothing fouind

using process explorer discovered that the svchost.exe thread using 100% CPU is the advapi32.dll (5.00.2195.6876)

Any ideas? thanks in advance!

Joel

 

Thanks in advance for your help!!!

Here are the results of the pre-scans: incidentally, running all of them took roughly 18 hours

Network Associates Antivirus - no items found
TrendMicros housecall - no items found
Symantec Security Check - unable to run via the web (see symptoms)
AVERT Stinger - no items found
Ad-aware - no items found (both safe and normal)
SpySweeper - no items found
CWShredder - no items found (both safe and normal)
Sbybot S&D - DSO entries found and cleaned

AboutBuster - no ADS found
HSRemove - ActiveX Distribution Unit registry deleted, followed by out-of-control process, with memory allocation growth >140Mb after 10 mins, ran out of memory after 25 mins. Subsequent scan, 8 items removed.
CCCleaner - removed all temp files, cookies, etc
Trojan scan (online) - no infected files - unable to scan System Volume Information - access denied
Avast! - no virus found - PGP Keyserver (Network Associates) files could not be read (PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr)
A-squared - C:\WINNT\msbbi.exe - Trojan.Win32.Imiserv.c - removed

HJT file attached!

Let me know what I need to do

 

All the below symptoms still exist. I am completely unable to do anything on the machine until I kill the advapi32.dll thread within the svchost.exe process.

Additional things I've noticed (not necessarily new)
Can't see the "download" link for Firefox
When trying to run Firefox setup - "Program too big to fit in memory" error
Add/Remove programs shows a window with only a heading row and no

As for your other comments, I ran alternatives due to the above problems which did not go away. Under normal load, having all 3 shield-programs running is not using more than 5% CPU total. I am unable to un-install anything that uses windows installer, so can't remove Microsoft AntiSpyware. As well, since I have no move or paste functions, I was not able to change the HJT location or backup folder. I have since discovered a work around, that if I zip and extract I can at least move files.

thanks again for your help with this.

 

No problem fixing the HJT items.

I disabled TeaTimer, but it restarts on startup. Do I need to get rid of the HJT entry?

The proxy is valid for one of the buildings I worked at. Actually, I no longer need it.

Nutcracker is part of the Rational toolset. It's been on the machine for almost 2 years.

Machine is an IBM T30, 2 GHz Pentium-M, 512 MB RAM

Also, last night during nightly SpySweeper run, discovered Ehttp CWS. Not sure how/when that showed up, or why it wasn't caught before. Fixed.

Spybot also detected a DSO Exploit registry entry, fixed 4 entries.

All the symptoms also appear in Safe mode.

 

SUCCESS - malware! svchost.exe-advapi32.dll max out 100% CPU

OK, so I after trolling through Google for a while, I found something that most closely reflected my situation.

WORM_SDBOT.AXU

See the following site for details:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AXU&VSect=Sn

A couple things:
1 - I could not find the initial culprit identified in the virus definition (HPPhotoManager.exe), but I assume that it was deleted by one of the many scans I completed.
2 - I did not have either of the registry keys or values indicated by the solution. I created them and assigned the data as directed.
3 - I am in the process of installing/verifying installation of each of the MS security updates. I believe the first 3 already exist on my machine through Win 2000 SP4. The last one on the list KB835732 is not in SP4, and it's on the large side at 6.82 MB.

At the moment I am running through final scans for spyware and we'll see if the network sniffer finds any unusual activity to be sure.

thanks, Chaslang for your help!

Joel