szchost.exe - Dangerous
szchost.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
When it is executed, it performs the following actions:
Drops the following files:
%System%\Szchost.exe
%System%\Szchostc.exe (A legitimate proxy utility named 3[APA3A]tiny proxy)
Adds the value: "Olive System"="%System%\Szchost.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds the value: "winid"=[date and time of infection]
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mrdodf
Adds the value: "Datu"=[IP address]
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mctest
Executes %System%\Szchostc.exe, which runs a proxy on a port number calculated from the current system time.
Connects to the IP address 205.188.156.249 on TCP port 25 to receive instructions from the attacker.
Attempts to download the file, %System%\system.ing, from a remote host that is hard-coded in the Trojan.
Gathers various pieces of system information based on the content of %System%system.ing.
This may include IP address, Computer Name, folder listings, and so on.
Submits information gathered to a PHP page at www.mercuryloungecasino.com, along with the port number on which the proxy runs.
Manual removal:
Please remove all keys that described above.