??choste.exe.....need some help with this

jediboy
Junior Member
3. December 2004 @ 11:41
Every time my Ad-Aware runs it finds "??chost.exe" in the system32 folder. Obviously you can't have a file name, etc., with a '?' in it, or so I'm told. It's identified as a shopnav tracker and I'm finding trouble getting rid of it. I also have Spybot, and that does nothing, and my McAfee doesn't pick it up. Using search I find some 'snchost' or 'svchost' etc, but I looked these up and some are saying (like Microsoft) that they aren't adware. Also, I can't even find ??chost.exe to begin with...

ddp
Moderator
3. December 2004 @ 11:49
What version of Ad-Aware are you using? Try the program in safe mode, but clean out the Windows temp, temporary internet, local settings/temporary internet (if you have it) & cookies before running the program.

jediboy
Junior Member
3. December 2004 @ 12:21
I have ad-aware se, and I was just about to try wiping out my Temp. Internet files and such. I also found "??chost" in my registry and deleted that, so maybe that will help.

jediboy
Junior Member
7. December 2004 @ 15:08
My ad-aware se is still picking it up...and then when it says it can't delete it and asks to run before start up, when I do run it, it doesn't find it. But whether I choose to run it or not, after ad-aware is closed, My Documents window pops up.

ianski7
Suspended due to non-functional email address
7. December 2004 @ 18:30
Hey
Try booting into safe mode and delete it from the system32 folder and the registry.......reboot and see if it's still there.
When you delete the temp files be sure to empty Recycle Bin.
This message has been edited since posting. Last time this message was edited on 7. December 2004 @ 18:32

jediboy
Junior Member
11. December 2004 @ 12:29
I couldn't find it in safe mode.....in system32 folder, but found some files in registry, then when I rebooted it still showed up. Also, I found Windows\System32\svchost.exe in the registry...which I'm told is normal. Its name was (default). Then I also found the exact same .exe, though it was named 'wifdiivw'. I read that the ??chost.exe is supposed to be the same as svchost....could that be it?
I'm also finding a Search Assistant folder in the registry, with 'vorbisfile.dll' and a chost value I think. Wondering if that is normal. Also, in my startup when I run msconfig, it says that windows/system32/svchost.exe is running. Should it be?
Lastly, I believe I also found ttuh.exe, this is related to spyware, right?
This message has been edited since posting. Last time this message was edited on 11. December 2004 @ 12:33

ianski7
Suspended due to non-functional email address
11. December 2004 @ 12:51
Hey
If you're using XP, disable System Restore and delete the file and then empty the Recycle Bin....try that.

jediboy
Junior Member
11. December 2004 @ 13:06
Delete the 'wifdiivw' file? Also, I just ran Hijackthis and found 'ttuh.exe' and '??chost.exe'....
Logfile of HijackThis v1.98.2
Scan saved at 4:41:21 PM, on 12/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Aaron\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SDWin32 Class - {F407530E-F2B5-4B1A-B9C0-9A235AC6E06D} - C:\WINDOWS\System32\gszqt.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094269847578
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
This message has been edited since posting. Last time this message was edited on 11. December 2004 @ 13:07

ianski7
Suspended due to non-functional email address
11. December 2004 @ 13:51
Hey
Delete both 'ttuh.exe' and '??chost.exe' from system folder and registry. If you can't find them do a search with the advanced options to look in system folders. The wifdiivw has no info. Are you sure that is the file name? You should be able to delete in Safe Mode if you change options to see all system files.

jediboy
Junior Member
11. December 2004 @ 13:59
Yes, that is the name of the file. And I've used Search and can't find it. I was going to delete them from the registry and also fix them using hijackthis. Would that be the best thing to do? Even though I can't find ??chost.exe in my registry, fixing it with hijackthis is the only other option for that. Also, any reason why I have 3 svchost.exes in my hijackthis log? I'm thinking 2 are legit, and the other with the wacky name is part of the ??chost.exe thing. And I just noticed this in my hijackthis log:
[Wifdiivw] C:\WINDOWS\System32\??chost.exe
Meaning, I think that deleting that wacky svchost.exe file might help.
This message has been edited since posting. Last time this message was edited on 11. December 2004 @ 14:05

jediboy
Junior Member
11. December 2004 @ 14:25
One more thing: When I do a search, it comes up with svchost.exe and rdchost.dll in system32, and the exact same exe and dll show up in Windows\SoftwareDistribution\Download.

ianski7
Suspended due to non-functional email address
11. December 2004 @ 14:26
Hey
It's normal to have multiple svchost.exe running; it's a Microsoft pack of services for .dll. Use HijackThis to get rid of the two known nasties, but I would leave the unknown one alone until you get more info.
Is your machine unstable?

ianski7
Suspended due to non-functional email address
11. December 2004 @ 14:32
Hey
That is normal as far as I have seen -- concentrate on the ones that spyware programs identify.

Senior Member
11. December 2004 @ 18:44
Hey, from what I can see having a quick glance at your log, put a tick in and remove the following:
C:\WINDOWS\System32\??chost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: SDWin32 Class - {F407530E-F2B5-4B1A-B9C0-9A235AC6E06D} - C:\WINDOWS\System32\gszqt.dll (file missing)
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
CJC
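
A triage sketch for the kind of log posted in this thread, added here as an example and not written by any of the posters: it flags image names containing '?' (assumed to be the log's stand-in for a character it could not render), near-matches of svchost.exe, and Run entries that launch an executable straight out of Application Data. The sample lines are excerpted from the log above; the function names and the three heuristics are this example's own assumptions.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
PROC_RE = re.compile(r"^[A-Za-z]:\\")
TRUSTED = "svchost.exe"

def reasons(path):
    """Heuristic reasons (assumptions of this example) to inspect a path."""
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    found = []
    if "?" in name:  # '?' is illegal in Windows file names
        found.append("unrenderable character in file name")
    diff = sum(a != b for a, b in zip(name, TRUSTED))
    if name != TRUSTED and len(name) == len(TRUSTED) and diff <= 2:
        found.append("near-match of svchost.exe")
    if parent == "application data":
        found.append("executable directly in Application Data")
    return found

def triage(log_text):
    """Return (source, path, reasons) for each flagged process or Run entry."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        run = RUN_RE.match(line)
        if run:
            # Strip quotes and arguments so only the image path is checked.
            exe = EXE_RE.match(run.group(2))
            source = f"Run[{run.group(1)}]"
            path = exe.group(1) if exe else run.group(2)
        elif PROC_RE.match(line):
            source, path = "process", line
        else:
            continue
        if reasons(path):
            findings.append((source, path, reasons(path)))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the running `??chost.exe` process and the `Aida` and `Wifdiivw` Run entries; the genuine `svchost.exe` and the quoted `msmsgs.exe` entry pass unflagged.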

jediboy
Junior Member
12. December 2004 @ 18:33
Problem seems to be solved. ??chost.exe is not showing up in ad-aware. I'll take out the other things as well. Thanks.

Senior Member
12. December 2004 @ 19:39
I hope it's all sorted for you now...
CJC

Zeone
Junior Member
13. December 2004 @ 03:24
Good luck
Soyo KT333 Lite AMD 2000+ OC 2200+
512 PC2700 PNY Ram(crap i know)
Geforce TI 4400 OC 4600