
Remove this dang website


Original Message
Name: ludedude25
Date: May 9, 2004 at 19:59:06 Pacific
Subject: Remove this dang website
OS: xp
CPU/Ram: 700/256
Comment:

How on earth do I remove this http://wmctuv.outhost.info/ from my homepage? It's driving me nuts. I go into Tools > Internet Options and change it back, hit Apply, try my home page again, and the damn thing comes back immediately. I've removed all cookies and temporary Internet files, cleared history, then ran Webroot's Spy Sweeper, and the stupid thing keeps coming back. I hate it, and anyone that can help me get rid of it, I would gladly appreciate it.




Response Number 1
Name: Sabertooth
Date: May 9, 2004 at 22:09:01 Pacific
Subject: Remove this dang website

Open Spy Sweeper >> Options >> Active Shield. Change your homepage back to what it used to be, apply the changes, then turn the homepage shield on and apply again.

____________________________
The greatest risk is not taking one



Response Number 2
Name: code479
Date: May 10, 2004 at 02:30:51 Pacific
Subject: Remove this dang website

Have you tried running Ad-Aware, Spybot and CWShredder?



Response Number 3
Name: ludedude25
Date: May 10, 2004 at 18:18:52 Pacific
Subject: Remove this dang website

Get this: whatever this computer has won't let me install or even copy Spybot Search & Destroy or CWShredder! I can change the name and it will read it, so I go to install it and it still shuts the install down! How can I possibly get this dang thing to quit????????



Response Number 4
Name: jubilen
Date: May 11, 2004 at 00:14:53 Pacific
Subject: Remove this dang website

Hi guys... I also had the same problem. I tried everything on earth but this f---er succeeded in appearing again. I tried all the antispy software you people mentioned here.
But all attempts were in vain. At last I found a suspicious exe file in the Windows directory. That was "svchost.exe". This executable will edit the startup files and get into memory. The steps I followed to avoid this nasty thing are:
1. Change your accessibility option in Internet settings (uncheck "Format using my style sheet").
2. Go to Task Manager (CTRL+ALT+DEL will bring it up) and kill the process or executable called svchost.exe.
3. Go to the Windows root directory and delete the file svchost.exe and all the files starting with svchost (I think a log file will be there).
4. Search for entries called "outhost.info" in the registry and clear them all. (You should clear all... search throughout.)
5. Delete all files which contain the string "outhost.info".
6. Restart the PC.
7. Install a good hacker defender. (Anti-spyware won't do much.)

That's all guys... and relax... and never try anything like formatting your hard disk. :)



Response Number 5
Name: code479
Date: May 12, 2004 at 00:09:41 Pacific
Subject: Remove this dang website

Svchost may not be the cause of what you guys have. Have you installed the patch for the Welchia worm? If yes, then your svchost should be fine. If you have multiple svchost processes running in your Task Manager, then you might have the Welchia worm (Blaster).

SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.

Image Name         PID  Services
=================  ===  ===============================================
System Process       0  N/A
System               8  N/A
Smss.exe           132  N/A
Csrss.exe          160  N/A
Winlogon.exe       180  N/A
Services.exe       208  AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                        Eventlog,LanmanServer,LanmanWorkstation,
                        LmHosts,Messenger,PlugPlay,ProtectedStorage,
                        Seclogon,TrkWks,W32Time,Wmi
Lsass.exe          220  Netlogon,PolicyAgent,SamSs
Svchost.exe        404  RpcSs
Spoolsv.exe        452  Spooler
Cisvc.exe          544  Cisvc
Svchost.exe        556  EventSystem,Netman,NtmsSvc,RasMan,
                        SENS,TapiSrv
Regsvc.exe         580  RemoteRegistry
Mstask.exe         596  Schedule
Snmp.exe           660  SNMP
Winmgmt.exe        728  WinMgmt
Explorer.exe       812  N/A
Cmd.exe           1300  N/A
Tasklist.exe      1144  N/A

The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
Rpcss: Reg_Multi_SZ: RpcSs
---------------
How Does the Welchia Worm Infect My Computer?

Copies itself to the Wins directory in the System or System32 folder of Windows, usually:

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following locations:

C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

Creates the following services:

Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A. First it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:

http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

Before downloading or installing the patch on the system, this worm first checks whether the system has been previously patched by looking for specific registry keys, to make sure the patch hasn't already been installed.

The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm uses a ping to determine whether a machine is active on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or send data to TCP port 80 to exploit the WebDAV vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.



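The KB text quoted in the reply above explains that several svchost.exe processes are normal because each one hosts a group listed under the Svchost registry key, and the Welchia description shows the worm registering services (RpcTftpd, RpcPatch) that run from a copy of tftpd.exe named svchost.exe. Those two facts together give a usable check: parse `tasklist /SVC` and flag any svchost.exe that hosts no services at all, or hosts a service that belongs to no registered group. The script below is an added example, not code from the thread or from Microsoft; its group table and process list are constructed (the KB's sample rows plus two invented svchost.exe rows, PIDs 1208 and 1320), and it runs offline on that sample.

```python
"""Audit `tasklist /SVC` output against the registered Svchost groups.

Added example, not code from the thread or from the Microsoft KB article it
quotes. The group table and the process list below are constructed: the
group names come from the KB excerpt, and the tasklist sample is the KB's
table with two extra svchost.exe rows added to model what a Welchia
infection (RpcTftpd) and an empty svchost host would look like.
"""
import re

# Constructed stand-in for the REG_MULTI_SZ values under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost.
SVCHOST_GROUPS = {
    "netsvcs": {"EventSystem", "Ias", "Iprip", "Irmon", "Netman", "Nwsapagent",
                "Rasauto", "Rasman", "Remoteaccess", "SENS", "Sharedaccess",
                "Tapisrv", "Ntmssvc"},
    "rpcss": {"RpcSs"},
}

# Constructed `tasklist /SVC` output. PIDs 1208 and 1320 are NOT from the KB.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== ==========================================
System Idle Process            0 N/A
smss.exe                     132 N/A
services.exe                 208 Eventlog, PlugPlay
svchost.exe                  404 RpcSs
svchost.exe                  556 EventSystem, Netman, NtmsSvc, RasMan,
                                 SENS, TapiSrv
svchost.exe                 1208 RpcTftpd
svchost.exe                 1320 N/A
explorer.exe                 812 N/A
"""

_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _services(field):
    """Split a comma-separated Services column; 'N/A' means none."""
    return {s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"}


def parse_tasklist_svc(text):
    """Return [(image, pid, set_of_services)], merging wrapped service lists.

    tasklist wraps long service lists onto indented continuation lines,
    so a line starting with whitespace extends the previous process.
    """
    procs = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue
        if raw[0].isspace() and procs:
            procs[-1][2].update(_services(raw))
            continue
        m = _ROW.match(raw)
        if m:
            procs.append((m.group("image").strip(), int(m.group("pid")),
                          _services(m.group("services"))))
    return procs


def audit_svchost(procs, groups=SVCHOST_GROUPS):
    """Flag svchost.exe instances that host nothing, or host a service that
    belongs to no registered Svchost group (Welchia's RpcTftpd, for example).

    Several svchost.exe processes are normal: one per group in the registry.
    """
    known = {name.casefold() for members in groups.values() for name in members}
    findings = []
    for image, pid, services in procs:
        if image.casefold() != "svchost.exe":
            continue
        if not services:
            findings.append((pid, "svchost.exe hosting no services"))
        for svc in sorted(services):
            if svc.casefold() not in known:
                findings.append((pid, f"service {svc} is in no Svchost group"))
    return findings


if __name__ == "__main__":
    for pid, why in audit_svchost(parse_tasklist_svc(SAMPLE_TASKLIST)):
        print(f"PID {pid}: {why}")
```

Two caveats a practitioner needs. `tasklist /SVC` prints the image name only, so a copy of tftpd.exe named svchost.exe in %System%\wins shows up as svchost.exe exactly like the real one; the path has to come from elsewhere (`sc qc RpcTftpd` prints the service's binary path). And a rootkit such as the HackerDefender described later in this thread hides its own processes and services from tasklist, so an empty finding list is not a clean bill.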

Response Number 6
Name: ludedude25
Date: May 13, 2004 at 17:04:23 Pacific
Subject: Remove this dang website

Damn, looks like a lot to do to remove the stinking thing. I deleted some crap in the registry and at least my homepage is back. Looks like I've got 4 svchosts running. Since this isn't my main PC, just my downloader, I'll try removing it when I get a chance. Am I in any danger of it spreading across my network?



Response Number 7
Name: Kreten
Date: June 17, 2004 at 05:14:22 Pacific
Subject: Remove this dang website

Hi, now can someone tell me what I should do? OK, under msconfig > Startup there is svchort.exe -rs- or something like that; the website set as my homepage is outhost.info/. I tried deleting svchost, doesn't work; tried deleting the dll-whatever.exe, doesn't work. Um, any exe file I click on, it just closes that folder, and it has hidden my HijackThis, and whenever I try to go to some website for spyware/adware it closes them. And this thing didn't get detected as that worm, and I can't connect to Kazaa or anything like that, and I can't even connect to my Xbox from my computer. I ran Norton AntiVirus 2004 Pro, it didn't detect it; I ran Ad-Aware, it doesn't find it. So what should I do? Can someone please help? I pretty much can't do anything.



Response Number 8
Name: Kreten
Date: June 18, 2004 at 12:18:10 Pacific
Subject: Remove this dang website

OK guys, after all the stuff I went to safe mode and scanned my computer with Norton a few times and removed everything it could, so now I'm able to run HijackThis and other programs. Here's my HijackThis log; I don't know how to get rid of these now.

Logfile of HijackThis v1.97.7
Scan saved at 2:09:37 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mzsugi.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mzsugi.outhost.info/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mzsugi.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mzsugi.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mzsugi.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)


This one, C:\WINDOWS\svhost.exe -sr -1, is this for my cable connection or? Because each time I remove it, it comes back. Someone please help.



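The log above carries the two tells worth automating. The R0/R1 lines show IE's start and search pages pointing at a random subdomain of outhost.info (and one at a res:// URL, i.e. a page served out of a local DLL), and the O4 lines show a Run value named "Network Service" launching C:\WINDOWS\svhost.exe, one letter short of the real svchost.exe and in the wrong directory. The script below is an added example, not code from the thread or from HijackThis; SAMPLE_LOG is constructed from a subset of the lines posted above, and the hijack-domain list and the list of system binaries are assumptions made for the example.

```python
"""Triage a HijackThis log for IE start/search entries pointing at a hijack
domain and for Run entries whose binary is a look-alike of a Windows system
executable (svhost.exe vs svchost.exe) or a real name in the wrong directory.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
constructed from a subset of the lines posted above; the hijack-domain list
and SYSTEM_BINARIES are assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mzsugi.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mzsugi.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
"""

# Core Windows binaries that only ever run from %SystemRoot%\system32
# (assumed list for the example).
SYSTEM_BINARIES = ("svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe")

_R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
_O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
_O19_LINE = re.compile(r"^O19 - User stylesheet: (.*)$")


def levenshtein(a, b):
    """Edit distance; a typosquat like svhost.exe is 1 away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _exe_path(command):
    """Pull the executable out of a Run value, quoted or not, dropping args."""
    m = re.match(r'"?(.+?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(log_text, hijack_domains=("outhost.info",)):
    """Return (section, key, reason) tuples for the suspicious log entries."""
    findings = []
    for line in log_text.splitlines():
        if m := _R_LINE.match(line):
            section, key, target = m.groups()
            host = (urlsplit(target).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in hijack_domains):
                findings.append((section, key, f"points at hijack domain {host}"))
            elif target.lower().startswith("res://"):
                findings.append((section, key, f"served from local resource {target}"))
        elif m := _O4_LINE.match(line):
            _hive, name, command = m.groups()
            exe = _exe_path(command)
            base = PureWindowsPath(exe).name.lower()
            parent = PureWindowsPath(exe).parent.name.lower()
            for legit in SYSTEM_BINARIES:
                if base == legit and parent != "system32":
                    findings.append(("O4", name, f"{exe}: {legit} outside system32"))
                elif base != legit and levenshtein(base, legit) == 1:
                    findings.append(("O4", name, f"{exe}: look-alike of {legit}"))
        elif m := _O19_LINE.match(line):
            findings.append(("O19", "User stylesheet", f"{m.group(1)}: IE user style sheet set"))
    return findings


if __name__ == "__main__":
    for section, key, reason in triage(SAMPLE_LOG):
        print(f"{section} {key}: {reason}")
```

The look-alike test is a plain edit distance of 1 against a short list of core binaries, which is enough for the svhost/svchost case; the companion test catches the real name in the wrong place, the pattern Welchia uses with %System%\wins\svchost.exe earlier in the thread. It also explains the poster's experience: fixing the R0/R1 entries in HijackThis does nothing while the O4 binary is still launched at every logon and puts them back.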
Response Number 9
Name: drakeweed7979
Date: June 30, 2004 at 00:58:14 Pacific
Subject: Remove this dang website

Ripped this off from some guy on another forum. I was attacked twice already. Stupid worm.

/******************************************

I was hacked by this application when I opened a web page in Internet Explorer.
Here is some information on hxdefdrv.sys (HackerDefender) and the removal instructions.

After noticing that something was wrong, I disconnected my PC from the Internet.

I noticed these changes to my system:

-There was a new shortcut on my desktop, with the name Start and this target:
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

http://www.casinopalazzo.com/index.php?sourceid=100455

-After searching for the files created today, I found these new files in C:\Winnt\
.23052004.exe <-- The name of this file is the date of tomorrow
.hxdefdrv.sys
.sezzbc.ig2
.vzcdaq.2nh

-The Internet Explorer Start Page was modified to
http://rjgzvd.outhost.info/

-When trying to execute RegEdit.exe, this application was closed almost immediately.

-I deleted the file hxdefdrv.sys. After restarting the PC, the file had been recreated.

-To avoid the creation of this file again, open a command prompt and execute NET STOP HACKERDEFENDER100
Notice that this is the name of the service in the winunins.ini file (see winunins.ini below).

If the service is not in memory, about 45 seconds will pass and you will get a message "The service is not responding to the control function."
If the service is not in memory, you will be told so.

After removing the service from memory, the hxdefdrv.sys file does not appear again when restarting the PC. Nevertheless, the application is still in memory, so that doesn't solve the problem completely.

Please note that this service is not listed in the Task Manager, because it hides itself, some other services and files.

-I restarted my PC in safe mode and found another file in C:\Winnt
.svhost.exe
.winunins.exe
.winunins.ini

-When searching for the files modified today, I found that the file
C:\WINNT\system32\drivers\etc\hosts
had been modified to that shown here:

213.159.118.228 collections.inhost.info
213.159.118.228 collections.inhost2.info
213.159.118.228 1-se.com
213.159.118.228 58q.com
213.159.118.228 aifind.cc
213.159.118.228 aifind.info
213.159.118.228 allneedsearch.com
213.159.118.228 approvedlinks.com
213.159.118.228 auto.ie.searchforge.com
213.159.118.228 awebfind.biz
213.159.118.228 best.royalsearch.net
213.159.118.228 cracks.am
213.159.118.228 default-homepage-network.com
213.159.118.228 find.microgirls.com
213.159.118.228 find4u.net
213.159.118.228 freshvideogals.com
213.159.118.228 i-lookup.com
213.159.118.228 ie-search.com
213.159.118.228 in.webcounter.cc
213.159.118.228 itseasy.us
213.159.118.228 just.find-itnow.com
213.159.118.228 link.startmake.com
213.159.118.228 mysearchnow.com
213.159.118.228 nativehardcore.com
213.159.118.228 qwertysearch123.biz
213.159.118.228 search.ieplugin.com
213.159.118.228 search.psn.cn
213.159.118.228 searchbar.findthewebsiteyouneed.com
213.159.118.228 searchcentrix.com
213.159.118.228 searchmyrequest.com
213.159.118.228 super-spider.com
127.0.0.1 hard-virgins.com
127.0.0.1 www.hard-virgins.com
127.0.0.1 petite-virgins.biz
127.0.0.1 wwww.petite-virgins.biz
127.0.0.1 only-virgins.com
127.0.0.1 www.only-virgins.com
213.159.118.228 t.rack.cc
213.159.118.228 teen-biz.com
213.159.118.228 teenhqpics.com
213.159.118.228 tits.hardcore4ever.net
213.159.118.228 webcoolsearch.com
213.159.118.228 wmmse.com
213.159.118.228 www.008i.com
213.159.118.228 www.2fastsearch.net
213.159.118.228 www.8095.com
213.159.118.228 www.alfa-search.com
213.159.118.228 www.boredlife.com
213.159.118.228 www.couldnotfind.com
213.159.118.228 www.cracks.am
213.159.118.228 www.daum.net
213.159.118.228 www.dreamwiz.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find4u.net
213.159.118.228 www.firstbookmark.com
213.159.118.228 www.gajai.com
213.159.118.228 www.hand-book.com
213.159.118.228 www.hao123.com
213.159.118.228 www.hotsearchbox.com
213.159.118.228 www.hotwebsearch.com
213.159.118.228 www.hugesearch.net
213.159.118.228 www.iquicksearch.com
213.159.118.228 www.lookfor.cc
213.159.118.228 www.maxxxhosters.com
213.159.118.228 www.naver.com
213.159.118.228 www.nkvd.us
213.159.118.228 www.nova****.com
213.159.118.228 www.ohcorea.com
213.159.118.228 www.omega-search.com
213.159.118.228 www.onet.pl
213.159.118.228 www.power-search.info
213.159.118.228 www.rightfinder.net
213.159.118.228 www.search-1.net
213.159.118.228 www.search-and-go.com
213.159.118.228 www.search-dot.com
213.159.118.228 www.search-space.com
213.159.118.228 www.searchforge.com
213.159.118.228 www.searching-the-net.com
213.159.118.228 www.searchv.com
213.159.118.228 www.searchxl.com
213.159.118.228 www.seznam.cz
213.159.118.228 www.slotch.com
213.159.118.228 www.spidersearch.com
213.159.118.228 www.startium.com
213.159.118.228 www.therealsearch.com
213.159.118.228 www.ttjj.com
213.159.118.228 www.viewpornkey.com
213.159.118.228 www.wazzupnet.com
213.159.118.228 www.websearch.com
213.159.118.228 www.windowws.cc
213.159.118.228 www.xgmm.com
213.159.118.228 xwebsearch.biz
213.159.118.228 yourbookmarks.ws

-After opening RegEdit, I found svhost.exe in the path:
1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

-I found on the Internet the site of the developers of this application at the URL:
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html
There you can get a better idea of its functionality

When I opened the winunins.ini file, I found this information, among other things, in the [Settings] section:
ServiceName=HackerDefender100
DriverFileName=hxdefdrv.sys


To remove this application:
-Restart the PC in safe mode

-Open RegEdit and delete the keys:
1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

-Delete these files from C:\Winnt\
.23052004.exe
.hxdefdrv.sys
.sezzbc.ig2
.vzcdaq.2nh

- In RegEdit, find and edit every key containing ".outhost.", leaving them blank. I.e., the key Default_Page_URL reads "http://ykkgcg.outhost.info/". Right-click on it, select Modify, delete the text and select OK. Please note that you should look for ".outhost."; I have noticed that the first part ("ykkgcg") is variable.

-Edit the hosts file, deleting everything and leaving only this line:
127.0.0.1 localhost

-Restart Windows in normal mode. Everything should be ok now. :-)



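The hosts file listing in the post above is the other half of the hijack: dozens of search engines and portals are mapped to one address, 213.159.118.228, and a few sites are sinkholed to 127.0.0.1. The quoted removal step is to empty the file back to a single localhost line. The script below is an added example, not code from the quoted post; it parses a hosts file, separates redirects from sinkholes, counts how many names collapse onto each foreign address, and rebuilds the file keeping only comments and the localhost line. SAMPLE_HOSTS is constructed from a handful of the quoted entries plus one invented loopback entry (blocked.example).

```python
"""Audit a Windows hosts file for the kind of rewrite quoted above and
rebuild it with only the localhost line, which is the quoted post's fix.

Added example, not code from the quoted post. SAMPLE_HOSTS is constructed:
a few of the redirected entries quoted above plus one loopback entry
(blocked.example, an invented name) to show the second pattern.
"""
import ipaddress
from collections import Counter

SAMPLE_HOSTS = """\
# constructed sample; comment lines are kept by clean_hosts
127.0.0.1       localhost
213.159.118.228 collections.inhost.info
213.159.118.228 www.daum.net
213.159.118.228 www.naver.com
213.159.118.228 www.seznam.cz
213.159.118.228 search.ieplugin.com
127.0.0.1 blocked.example
"""


def parse_hosts(text):
    """Return [(lineno, ip, hostname)] for every mapping, ignoring comments.

    One hosts line may map several names to the same address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        entries.extend((lineno, ip, name.lower()) for name in fields[1:])
    return entries


def audit_hosts(text):
    """Classify every mapping other than '127.0.0.1 localhost' as a redirect
    (name sent to a foreign address) or a sinkhole (name blocked via
    loopback or the unspecified address)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((lineno, name, "sinkholed (site blocked)"))
        else:
            findings.append((lineno, name, f"redirected to {ip}"))
    return findings


def redirect_targets(text):
    """Count how many names resolve to each foreign address; a hijack shows
    up as many unrelated search sites collapsing onto one IP."""
    return Counter(str(ip) for _, ip, _name in parse_hosts(text)
                   if not (ip.is_loopback or ip.is_unspecified))


def clean_hosts(text):
    """Return (new_text, removed_count), keeping comments, blank lines and
    the '127.0.0.1 localhost' line only, as in the remediation quoted above."""
    kept, removed = [], 0
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields == ["127.0.0.1", "localhost"]:
            kept.append(raw)
        else:
            removed += 1
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for lineno, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} {why}")
    print(redirect_targets(SAMPLE_HOSTS))
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {removed} entries; new file:\n{cleaned}")
```

Run this against %SystemRoot%\system32\drivers\etc\hosts only after the HackerDefender service has been stopped and the machine booted into safe mode, as the quoted steps say; otherwise the rootkit's own startup entries put the rewrites back. A hosts file on a home PC normally has nothing but the localhost line, so any mapping to a public address is worth a look.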




