What is creating these????

Discussion in 'ProcessGuard' started by CigarBoy, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. CigarBoy (Registered Member; Joined: Jul 22, 2006; Posts: 1)

    I noticed a lot of background downloading going on.. checked processes and noticed many many svchosts running...
    installed ProcessGuard and caught all this crap... what the heck is creating all these in my temp dir, then executing them..
    00:42:45 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe 777 ]
    00:42:46 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe http://out.catchonlife.com/nw/r2.txt?jeaa-1_2790_1061 ]
    00:42:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe" [4060]
    [EXECUTION] Commandline - [ svchost.exe ]
    00:42:46 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
    00:42:47 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exmhdd.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
    [EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exmhdd.exe 777 ]
    00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe" [2204]
    [EXECUTION] Commandline - [ svchost.exe ]
    00:42:47 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe [2204] was blocked from modifying c:\windows\system32\svchost.exe [3832]
    00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "Unknown Process" [1528]
    [EXECUTION] Commandline - [ svchost.exe
     
  2. StriderSkorpion (Registered Member; Joined: Feb 24, 2006; Posts: 54)

    You have a trojan downloader that's using svchost to download malware from the web. I'm guessing it's using svchost to circumvent any firewall you may have since svchost is usually allowed as it's used for Automatic Updates. The trojan is used to make your machine a spambot. The site it tried to connect to contains a text document with links to the spam message and e-mail addresses to spam. I recommend posting to the part of this forum dealing with malware infections for help solving the problem.
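
The pattern visible in the log from the first post (executables run from the temp directory, svchost.exe started by something other than the service manager, and a temp image trying to modify svchost.exe) can be checked mechanically. The script below is an added example, not part of the original thread: the rule names and regular expressions are assumptions inferred from the log lines shown above, and it assumes a legitimate svchost.exe is started by services.exe.

```python
import re

# Sample lines abridged from the log in the first post (user name shortened to "me").
SAMPLE = r'''00:42:45 [EXECUTION] "c:\documents and settings\me\local settings\temp\33exssd32e.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\me\locals~1\temp\33exssd32e.exe 777 ]
00:42:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\me\locals~1\temp\33exssd32e.exe" [4060]
[EXECUTION] Commandline - [ svchost.exe ]
00:42:46 [MODIFY] c:\documents and settings\me\local settings\temp\33exssd32e.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1528]'''

RUN = re.compile(r'^(\d\d:\d\d:\d\d) \[EXECUTION\] "(.+?)" was allowed to run')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(.+?)" \[\d+\]')
MODIFY = re.compile(r'^(\d\d:\d\d:\d\d) \[MODIFY\] (.+?) \[\d+\] was blocked from modifying (.+?) \[\d+\]')
TEMP = re.compile(r'\\temp\\', re.I)  # matches both long and 8.3 temp paths

def findings(log_text):
    """Return (time, rule, detail) tuples for suspicious events in the log."""
    out, pending = [], None  # pending = (time, image) awaiting its "Started by" line
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN.match(line):
            pending = (m[1], m[2].lower())
            if TEMP.search(pending[1]):
                out.append((m[1], "exec-from-temp", pending[1]))
        elif (m := PARENT.match(line)) and pending:
            when, image = pending
            parent = m[1].lower()
            # Assumption: a genuine svchost.exe is launched by services.exe only.
            if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
                out.append((when, "svchost-odd-parent", parent))
            pending = None
        elif (m := MODIFY.match(line)) and TEMP.search(m[2]):
            out.append((m[1], "temp-image-tampering", m[3].lower()))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(*hit, sep="  ")
```

A truncated final entry, like the last one in the posted log, is simply left pending and produces no finding.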
     