
syschost.exe wants internet access...

Discussion in 'Malware and Virus Removal Archive' started by fer_rios25, 2005/02/04.

Thread Status:
Not open for further replies.
  1. 2005/02/04
    fer_rios25

    fer_rios25 Inactive Thread Starter

    Joined:
    2004/10/24
    Messages:
    112
    Likes Received:
    0
    Lately, every time I access the internet, the following file tries to access the internet: C:\WINDOWS\system32\syschost.exe. My firewall, of course, asks me whether or not I should let it through. At first, I thought about it, knowing that if this file was necessary for Windows, the firewall wouldn't be asking me about it. After I deny access, an error message appears: Title: Syschost Message: can't create new socket. So now I don't know what to do. I also seem to have another problem...

    My antivirus program detects two viruses every time I open the program Kazaa Lite ++. The path is C:\My Shared Folder\filename.jpg.exe (x2). When I open my shared folder, however, these two files do not exist! :eek: Can anyone please help me with this problem???
     
    Last edited: 2005/02/04
  2. 2005/02/04
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Syschost.exe is not a legitimate windows file.
    You need to do an online scan for that virus, especially any with a double extension that you have posted.
    RAV Online Scan
    Use the Auto Clean, and post its log if anything found is not removed.
     


  4. 2005/02/04
    fer_rios25

    fer_rios25 Inactive Thread Starter

    Joined:
    2004/10/24
    Messages:
    112
    Likes Received:
    0
    OK, I ran the online antivirus, and it did not find any viruses. Does this mean that the syschost.exe file is safe? Also, my AVG antivirus keeps telling me every 5 minutes that the same two viruses have been found (c:\my shared folder\filename.jpg.exe); however, I erased those files the very first time they were detected.

    Another interesting aspect of the syschost.exe file is that it is running in the Processes tab in the Task Manager. When I end this process, my computer seems to function normally; does this mean it is safe to erase the file? Finally, there is a file with a similar name running in the Task Manager: svchost.exe. This file does not seem to be threatening or trying to access the internet. Is svchost.exe a legitimate Windows file? Well, I hope this information can help solve my problem.

    thanks for your time
     
  5. 2005/02/05
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I would say that file "syschost.exe" is not safe, I would delete it.
    The file "svchost.exe" if located in the C:\Windows\System32 folder, is legitimate, and windows would not function without it. The location of this file in any other folder is suspect.
    You should go to the Quicklinks page below and get Spybot, Ad-Aware, and HijackThis.
    After installing Spybot and Ad-Aware, update them both.
    Run Ad-Aware with the Custom Full Scan.
    When you have Spybot check for problems, let it fix whatever is already checked off.
    Then use HijackThis to create a log, and post it on here.
     
  6. 2005/02/06
    fer_rios25

    fer_rios25 Inactive Thread Starter

    Joined:
    2004/10/24
    Messages:
    112
    Likes Received:
    0
    log...

    Logfile of HijackThis v1.99.0
    Scan saved at 10:56:13 PM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
    F:\My Documents\Applications\Programs\Security\hijackthis\HijackThis.exe
    C:\Program Files\Winamp\winamp.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [winsys] syschost.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKLM\..\RunOnce: [mcagntps.dll] rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\agent\mcagntps.dll
    O4 - HKLM\..\RunOnce: [mcvsescn.exe] c:\PROGRA~1\mcafee.com\vso\mcvsescn.exe -regserver
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
    O15 - Trusted Zone: http://us.mcafee.com
    O15 - Trusted Zone: http://www.ravantivirus.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0F3163-FC76-4F58-B082-EDF077404619}: NameServer = 198.81.16.134
    O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
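    A triage script for this kind of log, added here as an example; it is not code from the thread, from HijackThis or from any tool named above. It mechanises the rules markp62 applied in posts 2 and 5 (a double extension such as filename.jpg.exe, svchost.exe legitimate only in System32, a look-alike such as syschost.exe not a Windows file) and the two things that stand out in the log just posted (an O4 Run value that is a bare filename with no path, and eleven O10 lines naming one DLL). The allowlists SYSTEM_ONLY, LOOKALIKE_TARGETS and KNOWN_BARE are illustrative choices for this example, and SAMPLE_LOG is an excerpt of the log above embedded so the script runs offline.

```python
r"""HijackThis log triage: an added example, not code from the thread or from
HijackThis. It applies the rules the helpers used by eye above: svchost.exe
belongs only in %SystemRoot%\System32, a near-miss name such as syschost.exe is
not a Windows file, filename.jpg.exe is a double extension, a bare filename in
an O4 Run value is found by PATH search, and repeated O10 lines naming one DLL
are one LSP chain to review. The allowlists below are illustrative, not from the page.
"""
import re

SYSTEM32 = r"c:\windows\system32"
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
LOOKALIKE_TARGETS = ("svchost.exe", "lsass.exe")
KNOWN_BARE = {"rundll32.exe"}           # system binary expected to be on PATH
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")

def levenshtein(a, b):
    """Edit distance; catches look-alikes such as syschost, scvhost, svch0st."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_path(path):
    # Lower-cased (directory, filename); directory is '' for a bare name.
    d, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return d, name

def double_extension(name):
    """True for filename.jpg.exe: an executable extension behind a data one."""
    parts = name.lower().split(".")
    return (len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXT
            and "." + parts[-2] not in EXECUTABLE_EXT)

def name_findings(name):
    """Look-alike and double-extension findings for one filename."""
    hits = [f"name resembles {t}" for t in LOOKALIKE_TARGETS
            if name != t and levenshtein(name, t) <= 2]
    return hits + (["double extension"] if double_extension(name) else [])

def check_process(path):
    """Findings for one line of the 'Running processes' section."""
    d, name = split_path(path)
    if name in SYSTEM_ONLY:
        return [] if d == SYSTEM32 else [f"{path}: {name} outside System32"]
    return [f"{path}: {h}" for h in name_findings(name)]

def executable_of(cmd):
    # First token of a Run command: a quoted path, else up to the first space.
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)].strip() if cmd.startswith('"') else cmd.split()[0]

def check_o4(line):
    """Findings for one O4 Run/RunOnce line; [] for any other line."""
    m = O4_RE.match(line)
    if not m:
        return []
    exe = executable_of(m["cmd"])
    d, name = split_path(exe)
    hits = name_findings(name)
    if not d and name not in KNOWN_BARE:
        hits.append(f"bare filename '{exe}' located by PATH search")
    where = f"{m['hive']}\\..\\{m['key']} [{m['label']}]"
    return [f"{where}: {h}" for h in hits]

def triage(log_text):
    """Walk a HijackThis log and group findings by section."""
    processes, autoruns, lsp, in_procs = [], [], {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes += check_process(line)
        elif in_procs:
            in_procs = False                  # blank line ends the section
        else:
            autoruns += check_o4(line)
            m = O10_RE.match(line)
            if m:
                lsp[m["dll"].lower()] = lsp.get(m["dll"].lower(), 0) + 1
    return {"processes": processes, "autoruns": autoruns,
            "lsp": [f"{dll}: {n} LSP catalog entries" for dll, n in lsp.items()]}

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [winsys] syschost.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll"""
FINDINGS = triage(SAMPLE_LOG)
```

    Run against the excerpt, the [winsys] line is reported twice, once as a look-alike of svchost.exe and once as a bare filename, while the McAfee entry with its full quoted path is silent. The bare-name rule also fires on [nwiz], which is a review item rather than a verdict: the point of the check is that a bare name is resolved through the PATH search order, so the log alone cannot tell you which file of that name actually runs.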
  7. 2005/02/06
    fer_rios25

    fer_rios25 Inactive Thread Starter

    Joined:
    2004/10/24
    Messages:
    112
    Likes Received:
    0
    up to date...

    I looked over the log, and it seems like the syschost.exe program is no longer in my system. This does not mean it never existed, however. The reason for this is that right before I scanned with HijackThis, I installed, scanned, and cleaned my computer with McAfee antivirus. I'm guessing it worked. Notice that both RAV online antivirus and AVG antivirus missed this syschost.exe file, along with 16 other files!! And yes, my AVG WAS up to date. And McAfee found 17 infected files and erased them all. Hopefully, this cleaned out all of my problems; please let me know if there is any other garbage in my HijackThis log...
     
    Last edited: 2005/02/06
  8. 2005/02/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [winsys] syschost.exe

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. DO NOT allow restart.

    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\system32\syschost.exe

    Click on the Action menu and choose "Delete on Reboot". On the next screen (log), click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, click Action on the log screen menu and select "Process and Reboot". Allow it to reboot.

    Now in safe mode, logon to your user account. You will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Then open the Java Plug-in, click the cache tab and then clear. This will only apply if you have installed Sun Java.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    You can use your own judgement on the Acceleration Software that is associated with the O10 Winsock entries, but most feel it is unwanted adware. More info in the link below.

    http://www.kephyr.xaviermedia.us/spywarescanner/library/accelerationsoft/index.phtml

    Should you decide to remove it, download LSPFix.zip, unzip the file to its own folder and open. Add the asiclayer.dll entries to the remove side, check the box I know what I'm doing, close ALL IE windows and click finish. Then remove all known associated files/folders.

    Let us know how it goes.:)
     
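    What a "Delete on Reboot" request actually leaves behind, as an added example rather than code from the thread or from Killbox. The documented Windows mechanism for removing a file that is in use is MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/target string pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; Session Manager carries the queued operations out early in the next boot. Whether Killbox uses that API or writes the value itself is not stated on the page, so treating it as this mechanism is an assumption. The codec below builds the value and reads it back, which is also how you check from an offline hive what a tool (or a piece of malware) has queued; SAMPLE is a constructed value for the file in this thread.

```python
r"""Delete-on-reboot bookkeeping: an added example, not code from the thread or
from Killbox. A file that is locked while Windows runs can be queued for
deletion at the next boot: MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
appends a pair of strings to the REG_MULTI_SZ value PendingFileRenameOperations
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager
carries the queued operations out early in the next boot. Sources are stored in
NT form (\??\C:\...); an empty target means delete; a '!' prefix on the target
means replace an existing file. That Killbox uses this mechanism is an
assumption, not something the page states.
"""
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4                # winbase.h

def nt_path(win_path):
    r"""C:\x -> \??\C:\x, the object-manager form stored in the value."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path

def schedule(deletes=(), replaces=()):
    """String list for the value: (src, '') deletes src; (src, '!dst') overwrites dst."""
    entries = []
    for src in deletes:
        entries += [nt_path(src), ""]
    for src, dst in replaces:
        entries += [nt_path(src), "!" + nt_path(dst)]
    return entries

def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: each string NUL-terminated, then a final NUL, UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def decode_multi_sz(data):
    """Inverse of encode_multi_sz. A generic MULTI_SZ reader stops at the first
    empty string (double NUL) and would hide every delete entry, so this one
    splits on NUL and keeps the empties."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-1].split("\0")[:-1]

def pending_operations(strings):
    """Pair a decoded value into (action, source, target) tuples."""
    if len(strings) % 2:
        raise ValueError("value must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops

def queue_delete_on_windows(path):
    """Live system only: have the OS write the entry (real Win32 call, needs admin)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Win32 API")
    import ctypes
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()

# Constructed sample: the file from this thread, queued for deletion.
SAMPLE = encode_multi_sz(schedule(deletes=[r"C:\WINDOWS\system32\syschost.exe"]))
```

    Two practical points follow from the format. The delete entries are the empty strings, so any registry viewer or parser that treats a double NUL as the end of a MULTI_SZ will show a truncated list; read the raw bytes and use a decoder like the one above. And the order in the post matters: the O4 Run value is removed first and the file only at boot, so after the reboot confirm both that the value is gone and that the file no longer exists, since a surviving autorun would simply report a missing file on every logon.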