| Thread ID: 85689 | 2007-12-18 21:48:00 | schost.exe - Help Please! | Rumba (13183) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 622617 | 2007-12-19 01:50:00 | That one wouldn't go away, I keep ticking it, fix, scan again but it doesn't move. | Rumba (13183) | ||
| 622618 | 2007-12-19 01:52:00 | That one wouldn't go away, I keep ticking it, fix, scan again but it doesn't move. Boot into safe mode then and delete it. You may have to show all files. Bet it won't come back then. Make sure system restore is still disabled. |
Speedy Gonzales (78) | ||
| 622619 | 2007-12-19 01:53:00 | I'm pretty sure system restore is, but when I checked (right click on my comp) it tells me two times that I can't and talk to the admin etc. And I just tried it in safe mode, was I meant to be doing the same thing? I ticked it etc, and look on CCleaner for anything. |
Rumba (13183) | ||
| 622620 | 2007-12-19 02:02:00 | I would install Avast Home (files.avast.com) <-- this is the direct link. It's free, but you have to register (www.avast.com) it to get an 18 mth licence / serial. Install it then update it. Then do a scan. See what else that picks up, after you delete wowfx.dll in safe mode (if it deletes). |
Speedy Gonzales (78) | ||
| 622621 | 2007-12-19 02:05:00 | I'm pretty sure system restore is, but when I checked (right click on my comp) it tells me two times that I can't and talk to the admin etc. And I just tried it in safe mode, was I meant to be doing the same thing? I ticked it etc, and look on CCleaner for anything. No, go to start/search. Search for wowfx.dll. If it's there, delete it. It won't be in startup in CCleaner. |
Speedy Gonzales (78) | ||
| 622622 | 2007-12-19 02:21:00 | Troj/Agent-GIX is a Trojan for the Windows platform. When first run Troj/Agent-GIX copies itself to <System>\wowfx.dll. The file wowfx.dll is added to the registry entry under: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders WOWFX.DLL can also use the following file names: 53261691.DAT 42836685.SVD 26235911.DAT 30074248.SVD 75547737.DLL The filename WOWFX.DLL refers to many versions of a dynamic link library. They share a common file size of 18,944 bytes. The filename is associated with the malware group. These files have no vendor, product or version information specified in the file header. |
bevy121 (117) | ||
| 622623 | 2007-12-19 02:37:00 | I tried it in Safe mode like you said, searched for it, deleted it. Then it came up again when I searched for it. So can it not be deleted? Or is there something else I need to do? |
Rumba (13183) | ||
| 622624 | 2007-12-19 02:47:00 | Boot into safe mode, go to start/run, type regedit. Go to where bevy said it loads: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders If wowfx.dll appears under here, double click on the SecurityProviders entry in the right window, and delete its filename. DON'T delete the SecurityProviders entry itself (in the left window) as it looks like this entry contains other files (like these, don't delete these: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll). Also look for the files Bevy posted: 53261691.DAT 42836685.SVD 26235911.DAT 30074248.SVD 75547737.DLL Delete them. HKLM is HKEY_LOCAL_MACHINE. |
Speedy Gonzales (78) | ||
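
The registry check described in the post above, as an added PowerShell example that is not part of any post in this thread: it lists every DLL named in the SecurityProviders value and flags entries outside the four names the post says to keep, using the file names, the 18,944-byte size and the missing version information quoted earlier. The baseline list is an assumption taken from this thread and may differ on other Windows builds.

```powershell
# Added example: audit the SecurityProviders value discussed in this thread.
# Baseline = the four DLLs the post above says to keep (assumption from the
# thread; adjust for the Windows build being checked).
$baseline = 'msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll'

# File names quoted from the Troj/Agent-GIX description earlier in the thread.
$knownBad = 'wowfx.dll', '53261691.dat', '42836685.svd', '26235911.dat',
            '30074248.svd', '75547737.dll'

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$raw   = (Get-ItemProperty -Path $key -Name SecurityProviders).SecurityProviders
$names = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($name in $names) {
    $leaf = (Split-Path -Leaf $name).ToLower()

    # Entries are normally bare file names that Windows resolves from System32.
    $path = $name
    if (-not (Split-Path -Parent $name)) {
        $path = Join-Path $env:SystemRoot "System32\$name"
    }
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Entry      = $name
        InBaseline = $baseline -contains $leaf
        KnownBad   = $knownBad -contains $leaf
        OnDisk     = [bool]$file
        Size       = if ($file) { $file.Length }
        # The description says the samples carry no vendor/product/version info.
        NoVendor   = if ($file) { -not $file.VersionInfo.CompanyName }
        SizeMatch  = if ($file) { $file.Length -eq 18944 }
    }
}

$report | Format-Table -AutoSize

# Anything outside the baseline, or matching a quoted name, needs a manual look.
$suspect = $report | Where-Object { -not $_.InBaseline -or $_.KnownBad }
if ($suspect) {
    Write-Warning ('Review these SecurityProviders entries: ' +
                   ($suspect.Entry -join ', '))
}
```

The script only reads the value; removing a name is still the manual edit described in the post, which leaves the other entries in place.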
| 622625 | 2007-12-19 03:15:00 | Done. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 03:15:42, on 19/12/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\slmdmsr.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MESSEN~1\Msmsgs.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Teleca Shared\Generic.exe C:\Program Files\Sony Ericsson\Mobile2\Connection Wizard\ConnectionWizard.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet 
Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtim e.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - 
HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - messenger.zone.msn.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - upload.facebook.com O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - messenger.zone.msn.com O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - static.photobox.co.uk O23 - Service: Apple Mobile Device - Apple, Inc. 
- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe -- End of file - 6745 bytes |
Rumba (13183) | ||
| 622626 | 2007-12-19 03:24:00 | Looks clean now. Is everything working now? | Speedy Gonzales (78) | ||