
Need help with SVCHOST.EXE & LSASS.EXE bugs


9 replies to this topic

#1 ounch

Posted 06 July 2004 - 01:11 PM

My computer is highly infected and is randomly shutting itself down. When it does, a shutting-down box comes up that says win/system32/lsass.exe terminated or something and gives status code 2147483645. It says that was initiated by NT authority/system. Then after the computer reboots I get error messages saying that both SVCHOST and LSA SHELL (EXPORT VERSION) have encountered problems and caused the computer to screw up. I would really appreciate some help here. Thanks.

And one other thing. I don't know if this is a virus or not, but when I'm on the internet the Windows Update icon automatically comes up and starts downloading. The only reason I'm suspicious of this is because it never prompts me, it just starts on its own. Before, Windows Update always would prompt me and download through the website. Just wondering whether or not this may be something.

#2 guacamel

Posted 06 July 2004 - 01:22 PM

Hmm, it sounds like it could possibly be the Sasser worm.

I don't know that I'll work on this case yet, but if you hit ctrl-alt-delete, is there a process running called avserve2?

#3 guacamel

Posted 06 July 2004 - 01:24 PM

Oh, and FYI, if you get a message that the computer is about to shutdown in X amount of time (X being a variable for however many seconds), then you can go to the run command and type in "shutdown -a" (without the quotes)

#4 ounch

Posted 06 July 2004 - 02:37 PM

No avserve2, just a bunch of svchost.exe's. Here is my HijackThis log if it helps.

Logfile of HijackThis v1.97.2
Scan saved at 12:36:57 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svohost.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\lsac.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WUTemp\com_microsoft.835732_XP_SP1Only_WinSE_84206_Express\WINDOWSXP-KB835732-X86-ENU-express.EXE
c:\341f55b60e181adfe31e5bc11b\update\update.exe
C:\WINDOWS\System32\winsys32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vmxtq.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKLM\..\RunServices: [Microsoft Message Machine] msmesg32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Microsoft Message Machine] msmesg32.exe
O4 - Startup: svchost.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?37901.6459375
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8C67CDB-E5D3-449B-AB79-F05897F35497}: NameServer = 64.40.40.51 66.54.140.10

#5 dave38

Posted 06 July 2004 - 02:49 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vmxtq.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKLM\..\RunServices: [Microsoft Message Machine] msmesg32.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Microsoft Message Machine] msmesg32.exe
O4 - Startup: svchost.exe

Reboot and delete the following files:

winsys32.exe
C:\WINDOWS\System32\vmxtq.exe
msmesg32.exe

These may be hidden files. See HERE for how to show hidden files.

As a double check, get an online scan at either Housecall or Panda A/V, and let it fix anything it finds.

Please post a follow-up HijackThis log, and say if your problems persist.

#6 ounch

Posted 06 July 2004 - 04:40 PM

Thanks a lot, dave. I'll do that and post my log shortly.

#7 ounch

Posted 06 July 2004 - 05:41 PM

OK. I did as you said and deleted the files, but I've run into a problem. I can't get the online virus scanners to work. I think there's a problem with my Java or ActiveX stuff. I don't know what to do next. Here's my current HijackThis log. By the way, the little fake(?) Windows Update logo still pops up and starts to download, and I still see the svchost.exe's in my system processes.

Logfile of HijackThis v1.97.2
Scan saved at 3:37:48 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msmesg32.exe
C:\WINDOWS\system32\setupex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [Microsoft Message Machine] msmesg32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Message Machine] msmesg32.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?37901.6459375
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8C67CDB-E5D3-449B-AB79-F05897F35497}: NameServer = 64.40.40.51 66.54.140.10
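
The two logs above show what the helpers in this thread are picking out by eye: an executable named one character off from a Windows binary (svohost.exe), a genuine name in the wrong place (C:\WINDOWS\svchost.exe, and svchost.exe sitting in the Startup folder), Run keys that carry only a bare file name (winsys32.exe, lsac.exe), and a Shell= value with a second program appended to explorer.exe. The script below is an added example written for this page; it is not part of the thread and not a HijackThis feature. The four rules are the editor's own heuristics, the table of "where the real binary lives" assumes Windows XP, and SAMPLE_LOG is a subset of the lines from the log posted above.

```python
"""Triage a HijackThis v1.97 log for autostart entries that imitate or
misplace core Windows binaries.

Added example for this thread, not a HijackThis feature.  The rules are the
editor's own heuristics; SAMPLE_LOG is a subset of the log posted above."""
import re
from pathlib import PureWindowsPath

# Core binaries that malware of this era liked to impersonate, mapped to the
# directory in which the genuine copy lives on Windows XP (assumption).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
SHELL_RE = re.compile(r"^F[02] - .*Shell=(?P<cmd>.+)$", re.IGNORECASE)

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svohost.exe
C:\WINDOWS\System32\lsac.exe
C:\Program Files\Internet Explorer\iexplore.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vmxtq.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - Startup: svchost.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""


def one_char_off(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def split_target(command):
    """Executable referenced by a Run-key command: the quoted string when the
    command starts with a quote, otherwise its first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def name_and_dir(target):
    """Lower-cased (file name, directory); directory is '' when the entry carried
    no path, i.e. Windows would resolve it through PATH."""
    p = PureWindowsPath(target)
    parent = str(p.parent)
    return p.name.lower(), ("" if parent == "." else parent.lower())


def check_name(name, directory, line, findings):
    """Apply the impersonation rules to one executable reference."""
    if name in SYSTEM_BINARIES:
        if directory and directory != SYSTEM_BINARIES[name]:
            findings.append(("misplaced", name, line))
    else:
        for real in SYSTEM_BINARIES:
            if one_char_off(name, real):
                findings.append(("lookalike", name, line))
                break


def triage(log_text):
    """Return (rule, executable, log line) findings for a HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
                continue
            check_name(*name_and_dir(line), line, findings)
            continue
        m = SHELL_RE.match(line)
        if m:
            tokens = [t.lower() for t in m.group("cmd").split()]
            # The Shell value should be exactly explorer.exe; anything appended
            # to it is started at every logon.
            if tokens != ["explorer.exe"]:
                findings.append(("shell", " ".join(tokens[1:]) or tokens[0], line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        where, cmd = m.group("where"), m.group("cmd")
        if "Startup" in where:
            # Startup-folder entries read "<shortcut>.lnk = <target>" or are a bare file.
            name, directory = name_and_dir(cmd.split(" = ", 1)[-1])
            if name in SYSTEM_BINARIES:
                # A file carrying a system binary's name in a Startup folder is not legitimate.
                findings.append(("misplaced", name, line))
            else:
                check_name(name, directory, line, findings)
            continue
        name, directory = name_and_dir(split_target(cmd))
        if not directory:
            # Bare file name in a Run key: cannot be verified from the log alone.
            findings.append(("unqualified", name, line))
        check_name(name, directory, line, findings)
    return findings


if __name__ == "__main__":
    for rule, what, line in triage(SAMPLE_LOG):
        print(f"{rule:12} {what:40} {line}")
```

"lookalike", "misplaced" and "shell" findings are the ones worth acting on; "unqualified" is only a verify-on-disk list, since legitimate entries such as `nwiz.exe /install` also use bare names. Note that `lsac.exe` is two characters away from `lsass.exe` and so escapes the one-character rule; it surfaces only through the bare-name rule, which is why both rules are needed.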

#8 ounch

Posted 07 July 2004 - 06:23 PM

Sorry, not to be impatient or anything, but my problems haven't gone away one bit. They've actually increased. The svchost.exe processes (about 5 of them) come back no matter how many times I delete them with HijackThis. And also now I get this 100percentanal.adultbouncer page that comes up every time I open IE. Also, about half of the time IE doesn't even work. I'm really, really lost here. Sorry if this comes off a bit desperate, but this is the first time IE has worked for me in the past few days. I don't know how long it will last. Thanks for any help.

#9 barabbas

Posted 07 July 2004 - 07:21 PM

http://uk.trendmicro...MARIN.H&VSect=T

This is a keylogging trojan. TROJ_DUMARIN.H. It blocks your antivirus by putting 127.0.0.1 redirects in the HOSTS file.

Details:

Installation and Autostart Technique

Upon execution, this memory-resident Trojan drops the following copies of itself in the Windows system folder:

* SVOHOST.EXE
* SWCHOST.EXE

It also drops the following files in the Windows startup and Windows folders, respectively:

* SVCHOST.EXE - a copy of itself
* PRNTSVR.DLL - a keylogger component file, which is detected as TROJ_DUMARIN.G

Then, it creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
load32 = "C:\WINNT\System32\swchost.exe"

As part of its autostart mechanism, it modifies the SYSTEM.INI and appends its name in the shell key of the boot section as follows:

[boot]
shell=explorer.exe %System%\svohost.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

On Windows NT, 2000, and XP, however, the .INI file is not modified. The following registry entry is changed instead:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\Currentversion\Winlogon
Shell = “explorer.exe %System%\svohost.exe”

(Note: The original value is “explorer.exe”.)

Information Theft

This malware creates the following files in the Windows Temporary folder:

* FA4537EF.HTM
* FE43E701.HTM
* FEFF35A0.HTM

The said files contain the following information, which it posts to a specific site:

* Internet Explorer (IE) version
* IP address of an infected machine
* Windows version

The site is as follows:

http://www.whatp<BLO.../css/logger.php

It then drops the file RUNDLLN.SYS, which serves as its log file, in the Windows folder.

It also gathers account information of any online transaction made through WEBMONEY and E-GOLD.

Disabling Access to Antivirus Web Sites

To prevent a user from upgrading antivirus pattern files, this Trojan adds entries to the HOSTS file of the infected system. The said routine redirects the Internet browser to the local machine 127.0.0.1 whenever the following Web sites are accessed:

* avp.com
* ca.com
* customer.symantec.com
* dispatch.mcafee.com
* download.mcafee.com
* f-secure.com
* kaspersky.com
* liveupdate.symantec.com
* liveupdate.symantecliveupdate.com
* mast.mcafee.com
* mcafee.com
* my-etrust.com
* nai.com
* networkassociates.com
* rads.mcafee.com
* secure.nai.com
* securityresponse.symantec.com
* sophos.com
* symantec.com
* trendmicro.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* viruslist.com
* www.avp.com
* www.ca.com
* www.f-secure.com
* www.kaspersky.com
* www.mcafee.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.com
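
The HOSTS-file trick in the description above is what stops the online scanners and signature updates from working: every vendor name on that list resolves to 127.0.0.1 before DNS is ever consulted. The script below is an added example for this page, not Trend Micro's or the forum's code. It parses a HOSTS file, reports vendor domains mapped to loopback (or, worse, to some other address), and writes back a copy with those mappings removed. VENDOR_DOMAINS is the list from the quoted description collapsed to its registrable names; HOSTS_SAMPLE is constructed for illustration, and 192.0.2.10 is a documentation address, not a real redirect target.

```python
"""Audit a Windows HOSTS file for mappings that pin security-vendor domains
to the loopback address (the update-blocking technique in the TROJ_DUMARIN.H
description quoted above) and produce a cleaned copy.

Added example by the editor, not Trend Micro's or the forum's code.
VENDOR_DOMAINS collapses the quoted list to registrable names; HOSTS_SAMPLE is
constructed and 192.0.2.10 is a documentation-range address."""
import ipaddress

VENDOR_DOMAINS = (
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "sophos.com",
    "symantec.com", "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
)

# Constructed sample: a default-looking header, the normal localhost line,
# several vendor sinkholes, one vendor redirect and one unrelated block.
HOSTS_SAMPLE = """\
# sample HOSTS file header (constructed for this example)
#
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1\twww.trendmicro.com
127.0.0.1 update.symantec.com securityresponse.symantec.com
192.0.2.10 www.mcafee.com
127.0.0.1 www.example.org
"""


def is_vendor_host(host):
    """True when host equals, or is a subdomain of, a listed vendor domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Yield (address, hostname, line number) for every mapping in a HOSTS
    file; comments, blank lines and lines that do not start with an IP are skipped."""
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.partition("#")[0].split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield address, host, number


def audit_hosts(text):
    """Return (rule, address, host, line number) findings.

    sinkholed-vendor : vendor domain pinned to loopback (blocks updates/scans)
    redirected-vendor: vendor domain pinned to some other address
    sinkholed-other  : any other non-localhost name pinned to loopback (review)
    """
    findings = []
    for address, host, number in parse_hosts(text):
        if host.lower() == "localhost":
            continue
        if is_vendor_host(host):
            rule = "sinkholed-vendor" if address.is_loopback else "redirected-vendor"
        elif address.is_loopback:
            rule = "sinkholed-other"
        else:
            continue
        findings.append((rule, str(address), host, number))
    return findings


def remediate(text):
    """Return the HOSTS content with every vendor-domain mapping removed;
    comments, blank lines and all other mappings are kept as they were."""
    kept = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) >= 2 and any(is_vendor_host(h) for h in fields[1:]):
            remaining = [h for h in fields[1:] if not is_vendor_host(h)]
            if not remaining:
                continue  # nothing legitimate left on this line
            raw = " ".join([fields[0]] + remaining) + (" #" + comment if comment else "")
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for rule, address, host, number in audit_hosts(HOSTS_SAMPLE):
        print(f"line {number}: {rule:18} {address:12} {host}")
    print("--- cleaned ---")
    print(remediate(HOSTS_SAMPLE), end="")
```

On the XP machine in this thread the file is %SystemRoot%\system32\drivers\etc\hosts; the only entry a stock install needs is the localhost line, so anything else the audit reports deserves a look. The script only cleans the vendor mappings; other loopback entries are listed for review rather than removed, because users do add deliberate ad-blocking entries there.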

#10 ounch

Posted 09 July 2004 - 02:14 PM

OK, I see all about the trojan. But what do I do to rid myself of it?



