szchost.exe - Dangerous
Antivirus Report of szchost.exe:
Trojan.Mercurycas.A is a Trojan horse that allows an infected computer to be used as an email relay.
When it is executed, it performs the following actions:
Drops the following files:
%System%\Szchost.exe
%System%\Szchostc.exe (A legitimate proxy utility named 3[APA3A]tiny proxy)
Adds the value "Olive System"="%System%\Szchost.exe" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds the value "winid"=[date and time of infection] to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mrdodf
Adds the value "Datu"=[IP address] to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mctest
Executes %System%\Szchostc.exe, which runs a proxy on a port number calculated from the current system time.
Connects to the IP address 205.188.156.249 on TCP port 25 to receive instructions from the attacker.
Attempts to download the file, %System%\system.ing, from a remote host that is hard-coded in the Trojan.
Gathers various pieces of system information based on the content of %System%\system.ing.
This may include IP address, Computer Name, folder listings, and so on.
Submits information gathered to a PHP page at www.mercuryloungecasino.com, along with the port number on which the proxy runs.
Manual removal:
Please remove all the keys that are described above.
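Before removing anything, the file, registry and network indicators listed in the report can be checked on a host with a read-only script. This is an added example, not part of the original report or of any vendor tool; the SysWOW64 folder and the WOW6432Node registry view are assumptions added to cover 64-bit Windows, and the output field names are illustrative.

```powershell
# Added example: read-only check for the indicators listed in the report above.
# Run from an elevated PowerShell session on the suspect host.

# %System% is the Windows system folder. Assumption: also look in SysWOW64,
# where 64-bit Windows redirects 32-bit processes.
$sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
$fileNames = 'Szchost.exe', 'Szchostc.exe', 'system.ing'

# Registry values from the report (key path relative to HKLM:\SOFTWARE).
$regValues = @(
    @{ Key = 'Microsoft\Windows\CurrentVersion\Run'; Name = 'Olive System' },
    @{ Key = 'Microsoft\Mrdodf';                     Name = 'winid' },
    @{ Key = 'Microsoft\Mctest';                     Name = 'Datu' }
)
# Assumption: also check the 32-bit registry view.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

$findings = @()
foreach ($dir in $sysDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256=$hash" }
        }
    }
}
foreach ($root in $roots) {
    foreach ($rv in $regValues) {
        $key  = Join-Path $root $rv.Key
        $item = Get-ItemProperty -LiteralPath $key -Name $rv.Name -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key -> $($rv.Name)"; Detail = [string]$item.($rv.Name)
            }
        }
    }
}
# TCP connections to the address and port named in the report.
$findings += @(Get-NetTCPConnection -RemoteAddress '205.188.156.249' -RemotePort 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Network'; Location = "$($_.RemoteAddress):$($_.RemotePort)"; Detail = "PID=$($_.OwningProcess)" }
    })

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from the report were found.' }
```

The Run key is a standard Windows key that normally holds other programs' autostart entries, so for that location it is the "Olive System" value the report lists, not the key itself, that belongs to the Trojan.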
szchost.exe | Malware |
szchost.exe | Dangerous |
szchost.exe | High Risk |
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.