Question on HJT log item - winhost.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by moondaddy, Feb 3, 2005.

  1. moondaddy

    moondaddy Private E-2

As advised I went to the HJT tutorial in this site first (http://forums.majorgeeks.com/showthread.php?t=38752) and found it very informative. I pulled a log using HJT and reviewed the log items with the help from this tutorial and found a definite bad item, ‘nvsc32.exe’, which I got just today via an attachment in IM. The only other thing that I found that was listed as bad was:

    O4 - HKLM\..\Run: [win32] winhost.exe
    O4 - HKLM\..\RunServices: [win32] winhost.exe

As recommended in the tutorial for O4 items, I went to the PacMan’s Startup List to look these items up. When I did a search on winhost.exe this is the response at PacMan (actually it's this: http://www.sysinfo.org/startuplist.php?filter=winhost.exe):

    “Microsoft Update Machine X winhost.exe Added by the RBOT-GK WORM!
    Svchost X winhost.exe Added by the LOLAWEB.A TROJAN! Note - this is not the legitimate svchost.exe process which should NOT appear in Msconfig/Startup!”

    According to this I should have HJT remove the winhost.exe items. I’m concerned about this and would like to know what the odds are that this is something legitimate for windows. Can anyone advise on this?

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not legit! It is:

    Process Name: Win32.Lolaweb Hijacker

    Description:
winhost.exe is a hijacker, which means it will intermittently change your Internet Explorer settings / Desktop to the link of its author’s sponsors. This program is usually installed through consent; however, it is sometimes packaged as another product.

You need to end the process that is running by using Task Manager to kill it. Then fix the lines with HJT (with no browsers open), and then boot into safe mode and delete the file. You never gave your OS, so I don't know where it is. Possibly in c:\windows or c:\windows\system32.

    Normally this file comes from pron (yes spelled like that on purpose) sites so be careful what you click on.
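As an added example (not code from any poster in this thread), here is a small Python parser for the HJT O4 lines quoted above: it extracts the launched file name and the full registry key behind HJT's `\..\` shorthand, flags entries whose file name matches the names this thread identifies, and notes when the entry gives no directory, so the file must be located before it can be deleted. The denylist and the sample log are constructed from the posts; the `ctfmon.exe` line is an invented benign entry.

```python
import re
from typing import List, NamedTuple, Optional

# Matches HijackThis "O4" autostart entries such as
#   O4 - HKLM\..\Run: [win32] winhost.exe
# where "\..\" is HJT shorthand for SOFTWARE\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed denylist holding only the file names this thread identifies;
# real triage would consult a maintained startup database instead.
SUSPECT_FILES = {"winhost.exe", "nvsc32.exe"}

class O4Entry(NamedTuple):
    hive: str        # HKLM or HKCU
    key: str         # Run, RunServices, ...
    value_name: str  # the text in [brackets]
    exe: str         # lower-cased file name of the launched program
    has_dir: bool    # False when the entry names a bare file with no directory
    reg_path: str    # full registry key where the entry lives

def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HJT O4 line; return None for any other log line."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    cmd = m.group("cmd")
    # The program is a quoted path or the text up to the first space.
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        image = cmd[1:cmd.find('"', 1)]
    else:
        image = cmd.split(" ", 1)[0]
    reg_path = (f"{m.group('hive')}\\SOFTWARE\\Microsoft\\Windows"
                f"\\CurrentVersion\\{m.group('key')}")
    return O4Entry(m.group("hive"), m.group("key"), m.group("name"),
                   image.rsplit("\\", 1)[-1].lower(), "\\" in image, reg_path)

def flag_suspect_entries(log_text: str) -> List[O4Entry]:
    """Return the O4 entries whose program name is on the denylist."""
    entries = (parse_o4(ln) for ln in log_text.splitlines())
    return [e for e in entries if e is not None and e.exe in SUSPECT_FILES]

# Constructed sample log: the two lines quoted in the first post plus a
# path-qualified entry that must not be flagged.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [win32] winhost.exe
O4 - HKLM\\..\\RunServices: [win32] winhost.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""
```

Running `flag_suspect_entries(SAMPLE_LOG)` returns the two winhost.exe entries with `has_dir` False, mirroring the point that the log alone does not say where the file sits on disk.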
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should run through the whole Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    When this file is found on PCs, there are normally many more problems.

    After doing all of the above I would also recommend the below:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

To repeat: Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.
     
  4. TheOldThug

    TheOldThug First Sergeant

Chaslang is correct on this as usual. If you want peace of mind go here.

    Winhost.exe
     
