What is creating these????

Discussion in 'ProcessGuard' started by CigarBoy, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. CigarBoy

    CigarBoy Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    1
    I noticed a lot of background dloading going on.. checked processes and noticed many many svchosts running...
    installed ProcessGurad and caught all this crap... what the heck is creating all these in my temp dir, then executing them..
    00:42:45 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe 777 ]
    00:42:46 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe http://out.catchonlife.com/nw/r2.txt?jeaa-1_2790_1061 ]
    00:42:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe" [4060]
    [EXECUTION] Commandline - [ svchost.exe ]
    00:42:46 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
    00:42:47 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exmhdd.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exmhdd.exe 777 ]
    00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe" [2204]
    [EXECUTION] Commandline - [ svchost.exe ]
    00:42:47 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe [2204] was blocked from modifying c:\windows\system32\svchost.exe [3832]
    00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "Unknown Process" [1528]
    [EXECUTION] Commandline - [ svchost.exe
     
    CigarBoy, Jul 22, 2006
    #1
  2. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    You have a trojan downloader that's using svchost to download malware from the web. I'm guessing it's using svchost to circumvent any firewall you may have since svchost is usually allowed as it's used for Automatic Updates. The trojan is used to make your machine a spambot. The site it tried to connect to contains a text document with links to the spam message and e-mail addresses to spam. I recommend posting to the part of this forum dealing with malware infections for help solving the problem.
     
    StriderSkorpion, Jul 22, 2006
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...