Solved

What are ??rss and ??chost? (Pop up in e-mail and Internet Explorer from Internet)

Posted on 2004-10-30
248 Views
Last Modified: 2010-04-14
I have Zone Alarm installed, and it OFTEN throws up this type of pop-up which I have to accept or deny:

"process 2068 (or 1516; 1766; 1628; 1576) is trying to access the Internet."
Validation: none
App: ??chost.exe (this can also be ??rss.exe)
DestinationIP: 4.2.x.x.DNS (my ISP I am sure)
When I go for more info on the ??chost.exe or ??rss.exe it states it is not in WINNT.

The process 1516 popped up when I came here now and then. I deny these things, but they keep coming. What are they and what are the ??s? Wouldn't that be svchost.exe and csrss.exe?


Thanks for helps.

0
Question by:Lindsay37
    29 Comments
     
    LVL 65

    Assisted Solution

    by:SheharyaarSaahil
    Hello Lindsay37 =)

    No they are malwares\viruses thingies....

    Run this online virus scan >> http://housecall.trendmicro.com/
    and Stinger in Safemode ==> http://vil.nai.com/vil/stinger

    And then run these tools in safemode

    AdAware ==> http://www.spychecker.com/program/adaware.html
    SpyBot  ==> http://www.spychecker.com/program/spybot.html
    CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
    and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

    Then use hijackthis to know abt ur starting and running applications,
    Download HijackThis v1.98.2 from here, run it and Save the LOG file:
    http://tools.radiosplace.com/HijackThis.exe

    Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

    CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
    0
     
    LVL 49

    Accepted Solution

    by:
    Hi Lindsay37,

    What you are seeing with respect to ZoneAlarm asking you permission to allow those exe files is normal.
    Those exe processes, when connected for the first time, are trying to connect to the local network and hence have to connect to the internet. You do not have to block them through ZoneAlarm to start with.


    SR..
    0
     

    Author Comment

    by:Lindsay37
    Whoa!!! Too much brain space rented out now!!!! I can't even see for looking at all I'm supposed to do. All I want to know is (see my very first question) WHAT ARE THEY?

    They are NONexistent when I look for them so how can they go onto the Internet, and why are they asking IF THEY ARE NONEXISTENT?

    It doesn't seem to matter if I allow or deny, but neither of those two files (*.exe) are present. Nothing with ??s in front of them!

    I'm not going to do all this stuff because I just recently ran spybot and the adware thingee. Those are the programs (I have them but not installed any longer) that really, really make my system slog through wet cement. I got everything out then. I suppose they would find more, but it took me days of off and on work to get the system going fast again (I'm on DSL) whether just here on the computer or out on the Internet. I decided NO MORE. I have PestPatrol. It's excellent (cousin or sibling of ZoneAlarm).

    I NEVER shut down my antivirus software EVER. I've been hit within seconds of not having it running. This can be very costly. My firewall and antivirus are one and the same. They are either ON or OFF, and I prefer them to be ON or unplug the modem.

    Back to my original questions, please. ;) No new software if we can help it. I prefer to work by hand and KNOW what we are talking about. Speak v-e-r-y slowly using "little words" and separate stuff frequently by paragraphs. ;)

    I couldn't come back fast enough to catch the answers one by one. The only way I could handle this (if I chose to) would be to print it all out and do everything one by one by one including ANOTHER Safe Mode thang. HELP!!!!

    Thanks all. And if these crazy processes are "nothing" at all and just "normal," I'll ignore and let them all hit the Internet for all I care! ;) I was just curious about them. ZoneAlarm has no info. PestPatrol sees nothing wrong there (and it's catching a LOT of stuff lately).

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    the very best way to know abt them is to search on Google
    u will not need any tools or software and will get all the information abt these processes to decide what to do them :)
    OR as zonealarm is picking them up, contact zonealarm and ask them what the hell it is picking, maybe they can tell u what they are !! :)
    0
     

    Author Comment

    by:Lindsay37
    Not sure what I'll ask Google, but I "google" all the time so maybe I can figure that one out.

    ZoneAlarm states right in the "popup" they use to ask my allow/deny answers that they have no further information on these processes. I CAN contact them, but I just thought someone might know about the ??... and the other ??... since those two are getting to be very bad habits that make me want to smack them on the head especially since they are NOT in WINNT! Oy vey es mehr. ;)

    Thanks again. You've tried so very hard and it's much appreciated. However, I still don't know what exactly it is I'm supposed to do. :( I'll try another time (i.e., Sunday) when I'm not so tired, okay?

    Lindsay
    0
     

    Author Comment

    by:Lindsay37
    I downloaded the TrendMicro scanner. When I tried to find the main program I clicked on one of several, and I got the response that my time was up (before I began).

    However, the online scan began and took forever finally (I was not at the computer). When I came back it had found one pest in the registry and said it was treated.

    It (downloaded version) also demands that I uninstall Zone Alarm. No way, Jose! So I can't use the program I downloaded.

    I went to Control Panel to uninstall. Trend is not there. Nothing remotely related is there. There is no uninstall command so now I have this large program onboard and no way to uninstall.

    Comments? Helps? I don't need it if it won't work. Sorry bout that!!

    Thanks.

    Lindsay
    0
     
    LVL 49

    Expert Comment

    by:sunray_2003
    Lindsay,

    The reason why the process is shown as ??chost.exe is probably because there are several svchost.exe processes that connect to the internet or the local network once you start the system. ZoneAlarm is asking you a general question to allow all the svchost.exe processes. If you are free of virus and spyware then do not worry about it.

    You said something about something asking you to uninstall zone alarm. That is probably because of the clash between the anti-virus firewall and zonealarm or the Anti-virus protection that zonealarm has and the usual anti-virus that you downloaded..

    Keep in mind Zonealarm now-a-days comes with Anti-virus protection and having 2 Anti-virus in the system is not advisable.

    If Trendmicro scanner is your only Anti-virus then do not remove it. You can turn off the Anti-virus protection feature inside ZoneAlarm.

    This question according to me is very straightforward as to why zonealarm is allowing those process. You can allow those process and check for yourself in the task manager how many processes are running ..

    0
     

    Author Comment

    by:Lindsay37
    Thanks. I'll just let ZA do its thing. I can't have TrendMicro on here because of ZoneAlarm! I kinda knew that as I once had Symantec and got ZA's upgrade which included antivirus. Boy, they tangled. Symantec is a HUGE thang. It invaded and ate up the Registry. ZA is very simple (but VERY good) as far as Registry goes. I think I'll just let this go now and close it off. If something else comes up with regard to this I'll reopen.

    Thanks again to all.

    Lindsay
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    Ok well I don't recommend only the ZoneAlarm security suite, I don't like the virus scanner, it's not very good at the moment..
    Go for this its free and brilliant... www.free-av.com
    0
     

    Author Comment

    by:Lindsay37
    Thanks anyway, but I paid too much for ZoneAlarm (I have an annual sub). It works beautifully and has not ever let me down! Sorry you don't like it.

    Lindsay
    0
     

    Author Comment

    by:Lindsay37
    See below for quote from WAAAY up above and then I have comments under this:

    ------------------> Comment from SheharyaarSaahil  feedback
    Date: 10/30/2004 03:35PM PDT
     Comment  

    Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
    and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

    Then use hijackthis to know abt ur starting and running applications,
    Download HijackThis v1.98.2 from here, run it and Save the LOG file:
    http://tools.radiosplace.com/HijackThis.exe

    Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

    ===================================================

    Okay, so I did all this but I'm none the wiser. I see I have 8 nasties but need to REALLY know what I'm doing if I get them off (and how do I get them?). I have a bunch of question marks throughout. I saved the log to Notepad. Can you look at it for me? I didn't save it on site. I did get rid of some stuff that I knew I was safe in removing as I have to uninstall and reinstall a program I frequently use which got messed up somehow.

    Thanks.

    Donna
     
     
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    Where is it post the log here...
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    nopes plzz dont post the full log..... when u will analyse ur log at the above site, at the end of the page, u will see a SAVE ANALYSE button, hit it and it will open the analysed log in a new page, just paste here the address of that new page :)
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    alright clever clogs....:)
    0
     

    Author Comment

    by:Lindsay37
    Shehar,

    I have the log saved in notepad. I can't save analyze with that. So what do I do? Run that whole thing again and look for this "analyze" link? Seems it was a LONG search as I best recall. I thought I was to save it to txt and submit it here somewhere. Sorry I messed up. I still need to fix these "nasties." ;)

    Now I KNOW I'll never ask more than one question at a time ever! I'm juggling at least three of the four or five I opened. Crunch!!! ;)

    I'll try to figure out by backtracking, but I'm still in overwhelm with a bunch of stuff including these questions. Oy!!!!

    Thanks,

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    its not that difficult... u run hijackthis scan, u save its log file in notepad, u goto analyser site, u post the contents of log file, hit analyse, it will analyse ur whole log, u scroll down, u see a Save Analyse button, u hit it, and it will open a new page, and this page i need :)
    0
     

    Author Comment

    by:Lindsay37
    Okay. Done. How do I give you the page. It's just right down there in my tray all ready to go! ;) I can pull it into Acrobat, but someone said (maybe you?) that they did NOT want to see the log posted here (guess due to size). So I have NO ideas how to get it unless you want it e-mailed! >???

    Lindsay
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    A new page is generated according to Shery.. So just post the whole of the url generated in the address bar :)
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    yeah right,,,, paste the address of that page here, means the "link" :)
    0
     

    Author Comment

    by:Lindsay37
    Oops! It's saved to Notepad! I don't have the URL. I can run it yet again, however. I'll maybe do this Saturday if I am too sleepy tonight. K? I "think" I know what you mean. I sure know how to post a URL. It's getting that particular item that runs to come up for you that concerns me. But if it stays on there, okey dokey. I just thought it went away once I saved it (in notepad).

    Let me know before I try this yet again, please. Or if I get smarter in a bit I figure it out! ;)

    Thanks.

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    hmmm lets explain it again for u :)

    You hit Scan button in hijackthis, it scans your system
    u hit Save Log and saves the notepad file
    you go here >> http://www.hijackthis.de/index.php?langselect=english
    and posts that notepad file's contents there and hit analyse
    it analyses and refreshes that page, now you will go at the bottom
    you see a Save Analyse link, you hit it
    a new page opens,,,,,, that's the page which we need :)

    copy the address of this page, and paste it here, we will examine it for u =)
    0
     

    Author Comment

    by:Lindsay37
    I had done it twice before. Just didn't remember! It's at:

    >>http://www.hijackthis.de/index.php<< but I have no other way to identify it as it was not given a name except "hijackthis.log"! Hope you can find it. I'd think anyone who uses it would be able to overwrite whatever I put in.

    So it's there. Let me know if you find it okay. I just don't understand how anything so generic and without my "name" on it or whatever I entitled it can stay long enough for you to see. However, I also have the notepad version AND I saved the analysis to Adobe Acrobat which can be attached somewhere.

    Let me know and thanks again.

    Lindsay
    0
     

    Author Comment

    by:Lindsay37
    Aha! I think I figured it out. THIS is where it's saved!

    >>http://www.hijackthis.de/logfiles/39e9ed08a73a8c907ab5893300de4261.html<<

    Sorry I was so dense.

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    OK i have found the culprit ones :)
    So first Run hijackthis scan again, and check the following lines, and then click on Fix Checked !!

    ==================================================
    O2 - BHO: (no name) - {4DA83804-C661-57B5-8751-165578F4296C} - C:\WINNT\system32\ftekzv.dll
    O4 - HKLM\..\Run: [Microsoft Update Manager] sbhost.exe
    O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Manager] sbhost.exe
    O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
    O4 - HKCU\..\Run: [win updates] wugrds.exe
    O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
    O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
    O4 - HKCU\..\Run: [Microsoft Update Manager] sbhost.exe
    O4 - HKCU\..\Run: [System32-Driver] csrs32.exe
    O4 - HKCU\..\Run: [Baoh] C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
    O4 - HKCU\..\Run: [Zol] C:\WINNT\system32\??chost.exe
    O8 - Extra context menu item: &Search - ;http://bar.mywebsearch.com/menusearch.html?p=ZNxdm396XXUS
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    ==================================================

    After Fixing the above entries, boot ur system in safemode, and look for these files in these folders, and if they are present there, then delete them !!

    C:\WINNT\system32\sbhost.exe
    C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
    C:\WINNT\system32\csrs32.exe

    After that restart in Normal Mode and check if they are still running :-?
    0
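The autorun entries listed in the comment above imitate genuine Windows process names (sbhost.exe and ??chost.exe for svchost.exe, csrs32.exe for csrss.exe). The following is an added example, not part of the original thread and not HijackThis code: it parses O4 lines and flags look-alike names. The list of genuine names, the distance threshold of 2 and the function names are assumptions made for illustration.

```python
import re

# Genuine Windows system image names to compare against (short assumed list).
SYSTEM_NAMES = ["svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "explorer.exe"]
# HijackThis autorun line: "O4 - <registry key>: [<value name>] <command>"
O4_LINE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (?P<cmd>.+)$")

# First four lines are from the log in this thread; the last is a constructed
# benign entry added for contrast.
SAMPLE = r"""
O4 - HKLM\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Zol] C:\WINNT\system32\??chost.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_name(cmd):
    """Lower-cased file name of the executable named in an autorun command."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.exe)\b", cmd, re.I)
    path = m.group(1) if m else cmd
    return path.strip().rsplit("\\", 1)[-1].lower()


def review(line, max_dist=2):
    """Return (image, reasons) for an O4 line, or None for any other line."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    name, reasons = image_name(m.group("cmd")), []
    if "?" in name:
        # '?' is illegal in Windows file names, so the log could not
        # represent some character of the real name.
        reasons.append("unrepresentable characters in name")
    for good in SYSTEM_NAMES:
        d = edit_distance(name, good)
        if 0 < d <= max_dist:
            reasons.append(f"look-alike of {good} (distance {d})")
    return name, reasons


def flagged(log_text):
    """Map image name -> reasons for every O4 entry with at least one reason."""
    results = filter(None, map(review, log_text.splitlines()))
    return {name: why for name, why in results if why}


if __name__ == "__main__":
    for name, why in flagged(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

A name heuristic only catches imitations of known process names; entries such as wugrds.exe pass it and still need the manual review described in the thread.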
     

    Author Comment

    by:Lindsay37
    Okay! I'll do that soonest.

    Do you ever sleep? ;)

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    lol... yeps, after posting my last comment, i went to sleep and now have come back after doing all other works... back in action.... !! ;-)

    so what is the progress :)
    0
     

    Author Comment

    by:Lindsay37
    Hi! I can't tell if those things are running or not. I found two of them in 2-3 places. I saved copies to disc (just in case they do belong in C:\) You were specific where to remove them so I did and then some.

    I have to work here a bit to see if they are truly gone. Just before I removed them the sbhost popped up to access to Internet! Hope it's over.

    I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

    Thanks a million.

    Lindsay
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    >> I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

    lol.... you have already closed it ;-)
    well just kiddin.... u can satisfy urself, and if it will popup again just comment back and we will be there =)
    0
