Every time my Ad-Aware runs it finds "??chost.exe" in the system32 folder. Obviously you can't have a file name, etc., with a '?' in it, or so I'm told. It's identified as a shopnav tracker and I'm having trouble getting rid of it. I also have Spybot, and that does nothing, and my McAfee doesn't pick it up. Using search I find some 'snchost' or 'svchost' etc., but I looked these up and some are saying (like Microsoft) that they aren't adware. Also, I can't even find ??chost.exe to begin with...
What version of Ad-Aware are you using? Try the program in safe mode, but clean out the Windows temp, temporary internet, local settings/temporary internet (if you have it) and cookies before running the program.
I have ad-aware se, and I was just about to try wiping out my Temp. Internet files and such. I also found "??chost" in my registry and deleted that, so maybe that will help.
My ad-aware se is still picking it up...and then when it says it can't delete it and asks to run before start up, when I do run it, it doesn't find it. But whether I choose to run it or not, after ad-aware is closed, My Documents window pops up.
Hey, try booting into safe mode and delete it from the system32 folder and the registry... reboot and see if it's still there. When you delete the temp files be sure to empty the Recycle Bin.
I couldn't find it in safe mode... in the system32 folder, but found some files in the registry, then when I rebooted it still showed up. Also, I found Windows\System32\svchost.exe in the registry... which I'm told is normal. Its name was (default). Then I also found the exact same .exe, though it was named 'wifdiivw'. I read that the ??chost.exe is supposed to be the same as svchost... could that be it? I'm also finding a Search Assistant folder in the registry, with 'vorbisfile.dll' and a chost value, I think. Wondering if that is normal. Also, in my startup when I run msconfig, it says that windows/system32/svchost.exe is running. Should it be? Lastly, I believe I also found ttuh.exe, this is related to spyware, right?
Hey, if you're using XP, disable System Restore and delete the file and then empty the Recycle Bin... try that.
Delete the 'wifdiivw' file? Also, I just ran Hijackthis and found 'ttuh.exe' and '??chost.exe'....

Logfile of HijackThis v1.98.2
Scan saved at 4:41:21 PM, on 12/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Aaron\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SDWin32 Class - {F407530E-F2B5-4B1A-B9C0-9A235AC6E06D} - C:\WINDOWS\System32\gszqt.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094269847578
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
Hey, delete both 'ttuh.exe' and '??chost.exe' from the system folder and registry. If you can't find them, do a search with the advanced options to look in system folders. The wifdiivw has no info. Are you sure that is the file name? You should be able to delete in Safe Mode if you change options to see all system files.
Yes, that is the name of the file. And I've used Search and can't find it. I was going to delete them from the registry and also fix them using hijackthis. Would that be the best thing to do? Even though I can't find ??chost.exe in my registry, fixing it with hijackthis is the only other option for that. Also, any reason why I have 3 svchost.exes in my hijackthis log? I'm thinking 2 are legit, and the other with the wacky name is part of the ??chost.exe thing. And I just noticed this in my hijackthis log: [Wifdiivw] C:\WINDOWS\System32\??chost.exe Meaning, I think that deleting that wacky svchost.exe file might help.
One more thing: When I do a search, it comes up with svchost.exe and rdchost.dll in system32, and the exact same exe and dll show up in Windows\SoftwareDistribution\Download.
Hey, it's normal to have multiple svchost.exe running; it's a Microsoft pack of services for .dll. Use HijackThis to get rid of the two known nasties, but I would leave the unknown one alone until you get more info. Is your machine unstable?
Hey, from what I can see having a quick glance at your log, put a tick in and remove the following:

C:\WINDOWS\System32\??chost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: SDWin32 Class - {F407530E-F2B5-4B1A-B9C0-9A235AC6E06D} - C:\WINDOWS\System32\gszqt.dll (file missing)
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

CJC
Problem seems to be solved. ??chost.exe is not showing up in ad-aware. I'll take out the other things as well. Thanks.
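
A triage pass over the kind of HijackThis log posted in this thread, as an added example that is not part of any post: it flags file names containing the '?' placeholder (not a legal character in a Windows file name), look-alikes of core system process names, autoruns launching from Application Data, and entries marked (file missing). The sample lines are copied from the log above; the function name `triage` and the `SYSTEM_NAMES` list are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase
from ntpath import basename

# Sample input: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\??chost.exe
O2 - BHO: SDWin32 Class - {F407530E-F2B5-4B1A-B9C0-9A235AC6E06D} - C:\WINDOWS\System32\gszqt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Aaron\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Wifdiivw] C:\WINDOWS\System32\??chost.exe
"""

# Assumed list of core Windows process names worth guarding against imitation.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "smss.exe", "spoolsv.exe", "explorer.exe")

# First drive-letter path on a line, up to its .exe/.dll/.ocx extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx)', re.I)


def triage(log):
    """Return [(path, [reasons])] for log lines that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(0)
        name = basename(path).lower()
        reasons = []
        if "?" in name:
            # '?' cannot be part of a real file name, so the tool printed it
            # in place of characters it could not show.
            reasons.append("'?' placeholder in file name")
            # Treat each '?' as a one-character wildcard and compare the
            # result against known system names.
            reasons += ["look-alike of " + known for known in SYSTEM_NAMES
                        if fnmatchcase(known, name)]
        if line.startswith("O4 ") and "\\application data\\" in path.lower():
            reasons.append("autorun from user profile")
        if "(file missing)" in line:
            reasons.append("entry points to a missing file")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

A flag here is a reason to look the entry up, not proof that it is malicious.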