Solved

What are ??rss and ??chost? (Pop up in e-mail and Internet Explorer from Internet)

Posted on 2004-10-30
Last Modified: 2010-04-14
I have Zone Alarm installed, and it OFTEN throws up this type of pop-up which I have to accept or deny:

"process 2068 (or 1516; 1766; 1628; 1576) is trying to access the Internet."
Validation: none
App: ??chost.exe (this can also be ??rss.exe)
DestinationIP: 4.2.x.x.DNS (my IPS I am sure)
When I go for more info on the ??chost.exe or ??rss.exe it states it is not in WINNT.

The process 1516 popped up when I came here now and then. I deny these things, but they keep coming. What are they and what are the ??s? Wouldn't that be svchost.exe and csrss.exe?


Thanks for helps.

Question by:Lindsay37
29 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 750 total points
ID: 12454118
Hello Lindsay37 =)

No they are malwares\viruses thingies....

Run this online virus scan >> http://housecall.trendmicro.com/
and Stinger in Safemode ==> http://vil.nai.com/vil/stinger

And then run these tools in safemode

AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12454124
Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

Then use hijackthis to know abt ur starting and running applications,
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 750 total points
ID: 12454511
Hi Lindsay37,

What you are seeing with respect to Zonealarm asking you permission to allow those exe files is normal.
Those exe processes when connected for the first time are trying to connect to the local network and hence have to connect to internet. You do not have to block them through zonealarm to start with.


SR..
0
 

Author Comment

by:Lindsay37
ID: 12455461
Whoa!!! Too much brain space rented out now!!!! I can't even see for looking at all I'm supposed to do. All I want to know is (see my very first question) WHAT ARE THEY?

They are NONexistent when I look for them so how can they go onto the Internet, and why are they asking IF THEY ARE NONEXISTENT?

It doesn't seem to matter if I allow or deny, but neither of those two files (*.exe) are present. Nothing with ??s in front of them!

I'm not going to do all this stuff because I just recently ran spybot and the adware thingee. Those are the programs (I have them but not installed any longer) that really, really make my system slog through wet cement. I got everything out then. I suppose they would find more, but it took me days of off and on work to get the system going fast again (I'm on DSL) whether just here on the computer or out on the Internet. I decided NO MORE. I have PestPatrol. It's excellent (cousin or sibling of ZoneAlarm).

I NEVER shut down my antivirus software EVER. I've been hit within seconds of not having it running. This can be very costly. My firewall and antivirus are one and the same. They are either ON or OFF, and I prefer them to be ON or unplug and modem.

Back to my original questions, please. ;) No new software if we can help it. I prefer to work by hand and KNOW what we are talking about. Speak v-e-r-y slowly using "little words" and separate stuff frequently by paragraphs. ;)

I couldn't come back fast enough to catch the answers one by one. The only way I could handle this (if I chose to) would be to print it all out and do everything one by one by one including ANOTHER Safe Mode thang. HELP!!!!

Thanks all. And if these crazy processes are "nothing" at all and just "normal," I'll ignore and let them all hit the Internet for all I care! ;) I was just curious about them. ZoneAlarm has no info. PestPatrol sees nothing wrong there (and it's catching a LOT of stuff lately).

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12455489
the very best way to know abt them is to search on Google
u will not need any tools or software and will get all the information abt these processes to decide what to do them :)
OR as zonealarm is picking them up, contact zonealarm and ask them what the hell is its picking, may be they can tell u what are they !! :)
0
 

Author Comment

by:Lindsay37
ID: 12455665
Not sure what I'll ask Google, but I "google" all the time so maybe I can figure that one out.

ZoneAlarm states right in the "popup" they use to ask my allow/deny answers that they have no further information on these processes. I CAN contact them, but I just thought someone might know about the ??... and the other ??... since those two are getting to be very bad habits that make me want to smack them on the head especially since they are NOT in WINNT! Oy vey es mehr. ;)

Thanks again. You've tried so very hard and it's much appreciated. However, I still don't know what exactly it is I'm supposed to do. :( I'll try another time (i.e., Sunday) when I'm not so tired, okay?

Lindsay
0
 

Author Comment

by:Lindsay37
ID: 12456129
I downloaded the TrendMicro scanner. When I tried to find the main program I clicked on one of several, and I got the response that my time was up (before I began).

However, the online scan began and took forever finally (I was not at the computer). When I came back it had found one pest in the registry and said it was treated.

It (downloaded version) also demands that I uninstall Zone Alarm. No way, Jose! So I can't use the program I downloaded.

I went to Control Panel to uninstall. Trend is not there. Nothing remotely related is there. There is no uninstall command so now I have this large program onboard and no way to uninstall.

Comments? Helps? I don't need it if it won't work. Sorry bout that!!

Thanks.

Lindsay
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12456436
Lindsay,

The reason why the process is shown as ??chost.exe is probably because there are several svchost.exe processes that connect to the internet or the local network once you start the system. Zonealarm is asking you a general question to allow all the svchost.exe processes. If you are free of virus and spyware then do not worry about it.

You said something about something asking you to uninstall zone alarm. That is probably because of the clash between the anti-virus firewall and zonealarm or the Anti-virus protection that zonealarm has and the usual anti-virus that you downloaded..

Keep in mind Zonealarm now-a-days comes with Anti-virus protection and having 2 Anti-virus in the system is not advisable.

If Trendmicro scanner is your only Anti-virus then do not remove it. You can turn off Anti-virus protection feature inside ZoneAlarm.

This question according to me is very straightforward as to why zonealarm is allowing those processes. You can allow those processes and check for yourself in the task manager how many processes are running.

0
 

Author Comment

by:Lindsay37
ID: 12458636
Thanks. I'll just let ZA do its thing. I can't have TrendMicro on here because of ZoneAlarm! I kinda knew that as I once had Symantec and got ZA's upgrade which included antivirus. Boy, they tangled. Symantec is a HUGE thang. It invaded and ate up the Registry. ZA is very simply (but VERY good) as far as Registry goes. I think I'll just let this go now and close it off. If something else comes up with regard to this I'll reopen.

Thanks again to all.

Lindsay
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12472810
Ok well I don't recommend only ZoneAlarm security suite, I don't like the virus scanner, it's not very good at the moment..
Go for this its free and brilliant... www.free-av.com
0
 

Author Comment

by:Lindsay37
ID: 12480393
Thanks anyway, but I paid too much for ZoneAlarm (I have an annual sub). It works beautifully and has not ever let me down! Sorry you don't like it.

Lindsay
0
 

Author Comment

by:Lindsay37
ID: 12480501
See below for quote from WAAAY up above and then I have comments under this:

------------------> Comment from SheharyaarSaahil  feedback
Date: 10/30/2004 03:35PM PDT
 Comment  

Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

Then use hijackthis to know abt ur starting and running applications,
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

===================================================

Okay, so I did all this but I'm none the wiser. I see I have 8 nasties but need to REALLY know what I'm doing if I get them off (and how do I get them?). I have a bunch of question marks throughout. I saved the log to Notepad. Can you look at it for me? I didn't save it on site. I did get rid of some stuff that I knew I was safe in removing as I have to uninstall and reinstall a program I frequently use which got messed up somehow.

Thanks.

Donna
 
 
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12481016
Where is it? Post the log here...
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12484115
nopes plzz dont post the full log..... when u will analyse ur log at the above site, in the end of the page, u will see a SAVE ANALYSE button, hit it and it will open the analysed log in a new page, just paste here the address of that new page :)
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12487568
alright clever clogs....:)
0
 

Author Comment

by:Lindsay37
ID: 12499078
Shehar,

I have the log saved in notepad. I can't save analyze with that. So what do I do? Run that whole thing again and look for this "analyze" link? Seems it was a LONG search as I best recall. I thought I was to save it to txt and submit it here somewhere. Sorry I messed up. I still need to fix these "nasties." ;)

Now I KNOW I'll never ask more than one question at a time ever! I'm juggling at least three of the four or five I opened. Crunch!!! ;)

I'll try to figure out by backtracking, but I'm still in overwhelm with a bunch of stuff including these questions. Oy!!!!

Thanks,

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12499292
its not that difficult... u run hijackthis scan, u save its log file in notepad, u goto analyser site, u post the contents of log file, hit analyse, it will analyse ur whole log, u scroll down, u see a Save Analyse button, u hit it, and it will open a new page, and this page i need :)
0
 

Author Comment

by:Lindsay37
ID: 12501182
Okay. Done. How do I give you the page. It's just right down there in my tray all ready to go! ;) I can pull it into Acrobat, but someone said (maybe you?) that they did NOT want to see the log posted here (guess due to size). So I have NO ideas how to get it unless you want it e-mailed! >???

Lindsay
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12502086
A new page is generated according to Shery.. So just post the whole of the url generated in the address bar :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12505767
yeah right,,,, paste the address of that page here, means the "link" :)
0
 

Author Comment

by:Lindsay37
ID: 12511279
Oops! It's saved to Notepad! I don't have the URL. I can run it yet again, however. I'll maybe do this Saturday if I am too sleepy tonight. K? I "think" I know what you mean. I sure know how to post a URL. It's getting that particular item that runs to come up for you that concerns me. But if it stays on there, okey dokey. I just thought it went away once I saved it (in notepad).

Let me know before I try this yet again, please. Or if I get smarter in a bit I figure it out! ;)

Thanks.

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12511490
hmmm lets explain it again for u :)

You hit Scan button in hijackthis, it scans your system
u hit Save Log and saves the notepad file
you go here >> http://www.hijackthis.de/index.php?langselect=english
and posts that notepad file's contents there and hit analyse
it analyses and refreshes that page, now you will go at the bottom
you see a Save Analyse link, you hit it
a new page opens,,,,,, that's the page which we need :)

copy the address of this page, and paste it here, we will examine it for u =)
0
 

Author Comment

by:Lindsay37
ID: 12515603
I had done it twice before. Just didn't remember! It's at:

>>http://www.hijackthis.de/index.php<< but I have no other way to identify it as it was not given a name except "hijackthis.log"! Hope you can find it. I'd think anyone who uses it would be able to overwrite whatever I put in.

So it's there. Let me know if you find it okay. I just don't understand how anything so generic and without my "name" on it or whatever I entitled it can stay long enough for you to see. However, I also have the notepad version AND I saved the analysis to Adobe Acrobat which can be attached somewhere.

Let me know and thanks again.

Lindsay
0
 

Author Comment

by:Lindsay37
ID: 12515616
Aha! I think I figured it out. THIS is where it's saved!

>>http://www.hijackthis.de/logfiles/39e9ed08a73a8c907ab5893300de4261.html<<

Sorry I was so dense.

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12515648
OK i have found the culprit ones :)
So first Run hijackthis scan again, and check the following lines, and then click on Fix Checked !!

==================================================
O2 - BHO: (no name) - {4DA83804-C661-57B5-8751-165578F4296C} - C:\WINNT\system32\ftekzv.dll
O4 - HKLM\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
O4 - HKCU\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [Baoh] C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
O4 - HKCU\..\Run: [Zol] C:\WINNT\system32\??chost.exe
O8 - Extra context menu item: &Search - ;http://bar.mywebsearch.com/menusearch.html?p=ZNxdm396XXUS
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
==================================================

After Fixing the above entries, boot ur system in safemode, and look for these files in these folders, and if they are present there, then delete them !!

C:\WINNT\system32\sbhost.exe
C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
C:\WINNT\system32\csrs32.exe

After that restart in Normal Mode and check if they are still running :-?
0
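Added example (not part of the original thread or any participant's post): a short Python triage of the O4 autorun lines quoted in the answer above, showing why `sbhost.exe`, `csrs32.exe` and `??chost.exe` stand out as near-copies of genuine Windows process names. The reference list `SYSTEM_NAMES`, the edit-distance threshold of 2, and reading `?` as a character the tool could not display are assumptions made for this example.

```python
import re

# Constructed sample: O4 (autorun) lines copied from the HijackThis log quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Baoh] C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
O4 - HKCU\..\Run: [Zol] C:\WINNT\system32\??chost.exe
"""

# Assumption: a small reference list of genuine Windows process names.
SYSTEM_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                "services.exe", "winlogon.exe", "explorer.exe")

# O4 line layout: O4 - <hive>\..\<key>: [<label>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(command):
    """Return (verdict, system name it resembles or None) for one autorun command."""
    name = command.rsplit("\\", 1)[-1].strip().lower()
    if name in SYSTEM_NAMES:
        # Name matches exactly; the file's location would still need checking.
        return ("system-name", name)
    if "?" in name or not name.isascii():
        # Assumption: '?' or a non-ASCII character marks a substituted glyph.
        for target in SYSTEM_NAMES:
            if len(name) == len(target) and all(
                    a == b or a == "?" or not a.isascii()
                    for a, b in zip(name, target)):
                return ("masked", target)
        return ("masked", None)
    best = min(SYSTEM_NAMES, key=lambda t: edit_distance(name, t))
    if edit_distance(name, best) <= 2:
        return ("lookalike", best)
    return ("unknown", None)

def scan(log_text):
    """Parse O4 lines and attach a verdict to each autorun entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, label, cmd = m.groups()
            findings.append((f"{hive}\\{key}", label, cmd) + classify(cmd))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An `unknown` verdict only means the name does not resemble anything in the reference list; such entries still need to be researched individually, as the thread advises.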
 

Author Comment

by:Lindsay37
ID: 12516358
Okay! I'll do that soonest.

Do you ever sleep? ;)

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12517320
lol... yeps, after posting my last comment, i went to sleep and now have came back after doing all other works... back in action.... !! ;-)

so what is the progress :)
0
 

Author Comment

by:Lindsay37
ID: 12528688
Hi! I can't tell if those things are running or not. I found two of them in 2-3 places. I saved copies to disc (just in case they do belong in C:\) You were specific where to remove them so I did and then some.

I have to work here a bit to see if they are truly gone. Just before I removed them the sbhost popped up to access to Internet! Hope it's over.

I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

Thanks a million.

Lindsay
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12528721
>> I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

lol.... you have already closed it ;-)
well just kiddin.... u can satisfy urself, and if it will popup again just comment back and we will be there =)
0


Question has a verified solution.
