What are ??rss and ??chost? (Pop up in e-mail and Internet Explorer from Internet)

I have Zone Alarm installed, and it OFTEN throws up this type of pop-up which I have to accept or deny:

"process 2068 (or1516; 1766;1628; 1576) is trying to access the Internet."
Validation: none
App: ??chost.exe (this can also be ??rss.exe)
DestinationIP: 4.2.x.x.DNS (my IPS I am sure)
When I go for more info on the ??chost.exe or ??rss.exe it states it is not in WINNT)

The process 1516 popped up when I came here now and then. I deny these things, but they keep coming. What are they and what are the ??s? Wouldn't that be svchost.exe and csrss.exe?


Thanks for helps.

Lindsay37Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SheharyaarSaahilCommented:
Hello Lindsay37 =)

No they are malwares\viruses thingies....

Run this online virus scan >> http://housecall.trendmicro.com/
and Stinger Stinger in Safemode ==> http://vil.nai.com/vil/stinger

And then run these tools in safemode

AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
0
SheharyaarSaahilCommented:
Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

Then use hijackthis to know abt ur starting and running applications,
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
sunray_2003Commented:
Hi Lindsay37,

What you are seeing with respect to Zonealarm asking you permission to allow those exe files is normal.
Those exe processes when connected for the first time are trying to connect to the local network and hence have to connect to internet..  You donot have to block them through zonealarm to start with..


SR..
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Lindsay37Author Commented:
Whoa!!! Too much brain space rented out now!!!! I can't even see for looking at all I'm supposed to do. All I want to know is (see my very first question) WHAT ARE THEY?

They are NONexistent when I look for them so how can they go onto the Internet, and why are they asking IF THEY ARE NONEXISTENT?

It doesn't seem to matter if I allow or deny, but neither of those two files (*.exe) are present. Nothing with ??s in front of them!

I'm not going to do all this stuff because I just recently ran spybot and the adware thingee. Those are the programs (I have them but not installed any longer) that really, really make my system slog through wet cement. I got everything out then. I suppose they would find more, but it took me days of off and on work to get the system going fast again (I'm on DSL) whether just here on the computer or out on the Internet. I decided NO MORE. I have PestPatrol. It's excellent (cousin or sibling of ZoneAlarm).

I NEVER shut down my antivirus software EVER. I've been hit within seconds of not having it running. This can be very costly. My firewall and antivirus are one and the same. They are either ON or OFF, and I prefer them to be ON or unplug and modem.

Back to my original questions, please. ;) No new software if we can help it. I prefer to work by hand and KNOW what we are talking about. Speak v-e-r-y slowly using "little words" and separate stuff frequently by paragraphs. ;)

I couldn't come back fast enough to catch the answers one by one. The only way I could handle this (if I chose to) would be to print it all out and do everything one by one by one including ANOTHER Safe Mode thang. HELP!!!!

Thanks all. And if these crazy processes are "nothing" at all and just "normal," I'll ignore and let them all hit the Internet for all I care! ;) I was just curious about them. ZoneAlarm has no info. PestPatrol sees nothing wrong there (and it's catching a LOT of stuff lately).

Lindsay
0
SheharyaarSaahilCommented:
the very best way to know abt them is to search on Google
u will not need any tools or software and will get all the information abt these processes to decide what to do them :)
OR as zonealarm is picking them up, contact zonealarm and ask them what the hell is its picking, may be they can tell u what are they !! :)
0
Lindsay37Author Commented:
Not sure what I'll ask Google, but I "google" all the time so maybe I can figure that one out.

ZoneAlarm states right in the "popup" they use to ask my allow/deny answers that they have no further information on these processes. I CAN contact them, but I just thought someone might know about the ??... and the other ??... since those two are getting to be very bad habits that make me want to smack them on the head especially since they are NOT in WINNT! Oy vey es mehr. ;)

Thanks again. You've tried so very hard and it's much appreciated. However, I still don't know what exactly it is I'm supposed to do. :( I'll try another time (i.e., Sunday) when I'm not so tired, okay?

Lindsay
0
Lindsay37Author Commented:
I downloaded the TrendMicro scanner. When I tried to find the main program I clicked on one of several, and I got the response that my time was up (before I began).

However, the online scan began and took forever finally (I was not at the computer). When I came back it had found one pest in the registry and said it was treated.

It (downloaded version) also demands that I uninstall Zone Alarm. No way, Jose! So I can't use the program I downloaded.

I went to Control Panel to uninstall. Trend is not there. Nothing remotely related is there. There is no uninstall command so now I have this large program onboard and no way to uninstall.

Comments? Helps? I don't need it if it won't work. Sorry bout that!!

Thanks.

Lindsay
0
sunray_2003Commented:
Lindsay,

The reason why the process is shown as ??chost.exe is probably because there are several svchost.exe processes that connect to the internet or the local network once you start the system . Zonealarm is asking you a general question to allow all the svchost.exe processes. If you are free of virus and spyware then donot worry about it.  

You said something about something asking you to uninstall zone alarm. That is probably because of the clash between the anti-virus firewall and zonealarm or the Anti-virus protection that zonealarm has and the usual anti-virus that you downloaded..

Keep in mind Zonealarm now-a-days comes with Anti-virus protection and having 2 Anti-virus in the system is not advisable.

If Trendmicro scanner is your only Anti-virus then donot remove it. You can turn off Anti-virus protection feature inside Zonelarm.

This question according to me is very straightforward as to why zonealarm is allowing those process. You can allow those process and check for yourself in the task manager how many processes are running ..

0
Lindsay37Author Commented:
Thanks. I'll just let ZA doe its thing. I can't have TrendMicro on here because of ZoneAlarm! I kinda knew that as I once had Symantec and got ZA's upgrade which included antivirus. Boy, they tangled. Symantec is a HUGE thang. It invaded and ate up the Registry. ZA is very simply (but VERY good) as far as Registry goes. I think I'll just let this go now and close it off. If something else comes up with regard to this I'll reopen.

Thanks again to all.

Lindsay
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Ok well I dont recommend only zonelarm security suite, I dont like the virus scaner its not very goos @ t moment..
Go for this its free and brilliant... www.free-av.com
0
Lindsay37Author Commented:
Thanks anyway, but I paid too much for ZoneAlarm (I have an annual sub). It works beautifully and has not ever let me down! Sorry you don't like it.

Lindsay
0
Lindsay37Author Commented:
See below for quote from WAAAY up above and then I have comments under this:

------------------> Comment from SheharyaarSaahil  feedback
Date: 10/30/2004 03:35PM PDT
 Comment  

Also get msconfig for win2000 from here >> http://www.perfectdrivers.com/howto/msconfig.html
and disable all un-needed and unwanted applications except Antivirus and firewall in its startup list !!

Then use hijackthis to know abt ur starting and running applications,
Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >> http://aumha.org/a/hjttutor.php

===================================================

Okay, so I did all this but I'm none the wiser. I see I have 8 nasties but need to REALLY know what I'm doing if I get them off (and how do I get them?). I have a bunch of question marks throughout. I saved the log to Notepad. Can you look at it for me? I didn't save it on site. I did get rid of some stuff that I knew I was safe in removing as I have to uninstall and reinstall a program I frequently use which got messed up somehow.

Thanks.

Donna
 
 
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Where is it post the log here...
0
SheharyaarSaahilCommented:
nopes plzz dont post the full log..... when u will analyse ur log at the above sit,e in the end of the page, u will see a SAVE ANALYSE button, hit it and it will open the analysed log in a new page, just paste here the address of that new page :)
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
alright clever clogs....:)
0
Lindsay37Author Commented:
Shehar,

I have the log saved in notepad. I can't save analyze with that. So what do I do? Run that whole thing again and look for this "analyze" link? Seems it was a LONG search as I best recall. I thought I was to save it to txt and submit it here somewhere. Sorry I messed up. I still need to fix these "nasties." ;)

Now I KNOW I'll never ask more than one question at a time ever! I'm juggling at least three of the four or five I opened. Crunch!!! ;)

I'll try to figure out by backtracking, but I'm still in overwhelm with a bunch of stuff including these questions. Oy!!!!

Thanks,

Lindsay
0
SheharyaarSaahilCommented:
its not that difficult... u run hijackthis scan, u save its log file in notepad, u goto analyser site, u post the contents of log gile, hit analyse, it will analyse ur whole log, u scroll down, u see a Save Analyse button, u hit it, and it will open a new page, and this page i need :)
0
Lindsay37Author Commented:
Okay. Done. How do I give you the page. It's just right down there in my tray all ready to go! ;) I can pull it into Acrobat, but someone said (maybe you?) that they did NOT want to see the log posted here (guess due to size). So I have NO ideas how to get it unless you want it e-mailed! >???

Lindsay
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
A new page is generated according to Shery.. So just post the whole of the url generated in the address bar :)
0
SheharyaarSaahilCommented:
yeah right,,,, paste the address of that page here, means the "link" :)
0
Lindsay37Author Commented:
Oops! It's saved to Notepad! I don't have the URL. I can run it yet again, however. I'll maybe do this Saturday if I am too sleepy tonight. K? I "think" I know what you mean. I sure know how to post a URL. It's getting that particular item that runs to come up for you that concerns me. But if it stays on there, okey dokey. I just thought it went away once I saved it (in notepad).

Let me know before I try this yet again, please. Or i fi get smarter in a bit I figure it out! ;)

Thanks.

Lindsay
0
SheharyaarSaahilCommented:
hmmm lets explain it again for u :)

You hit Scan button in hijackthis, it scans your system
u hit Save Log and saves the notepad file
you go here >> http://www.hijackthis.de/index.php?langselect=english
and posts that notepad file's contents there and hit analyse
it analyses and refreshes that page, now you will go at the bottom
you see a Save Analyse link, you hit it
a new page opens,,,,,, that's the page which we need :)

copy the address of this page, and paste it here, we will examine it for u =)
0
Lindsay37Author Commented:
I had done it twice before. Just didn't remember! It's at:

>>http://www.hijackthis.de/index.php<< but I have no other way to identify it as it was not given a name except "hijackthis.log"! Hope you can find it. I'd think anyone who uses it would be able to overwrite whatever I put in.

So it's there. Let me know if you find it okay. I just don't understand how anything so generic and without my "name" on it or whatever I entitled it can stay long enough for you to see. However, I also have the notepad version AND I saved the analysis to Adobe Acrobat which can be attached somewhere.

Let me know and thanks again.

Lindsay
0
Lindsay37Author Commented:
Aha! I think I figured it out. THIS is where it's saved!

>>http://www.hijackthis.de/logfiles/39e9ed08a73a8c907ab5893300de4261.html<<

Sorry I was so dense.

Lindsay
0
SheharyaarSaahilCommented:
OK i have found the culprit ones :)
So first Run hijackthis scan again, and check the following lines, and then click on Fix Checked !!

==================================================
O2 - BHO: (no name) - {4DA83804-C661-57B5-8751-165578F4296C} - C:\WINNT\system32\ftekzv.dll
O4 - HKLM\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Manager] sbhost.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
O4 - HKCU\..\Run: [Auto updat] SysDebug.exe
O4 - HKCU\..\Run: [Microsoft Update Manager] sbhost.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [Baoh] C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
O4 - HKCU\..\Run: [Zol] C:\WINNT\system32\??chost.exe
O8 - Extra context menu item: &Search - ;http://bar.mywebsearch.com/menusearch.html?p=ZNxdm396XXUS
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
==================================================

After Fixing the above entries, boot ur system in safemode, and look for these files in these folders, and if they are present there, then delete them !!

C:\WINNT\system32\sbhost.exe
C:\Documents and Settings\Donna Lindsay\Application Data\ptcs.exe
C:\WINNT\system32\csrs32.exe

After that restart in Normal Mode and check if they are still running :-?
0
Lindsay37Author Commented:
Okay! I'll do that soonest.

Do you ever sleep? ;)

Lindsay
0
SheharyaarSaahilCommented:
lol... yeps, after posting my last comment, i went to sleep and now have came back after doing all other works... back in action.... !! ;-)

so what is the progress :)
0
Lindsay37Author Commented:
Hi! I can't tell if those things are running or not. I found two of them in 2-3 places. I saved copies to disc (just in case they do belong in C:\) You were specific where to remove them so I did and then some.

I have to work here a bit to see if they are truly gone. Just before I removed them the sbhost popped up to access to Internet! Hope it's over.

I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

Thanks a million.

Lindsay
0
SheharyaarSaahilCommented:
>> I'll leave this open until I have run stuff here a day or two to see if I'm still "haunted."

lol.... you have already closed it ;-)
well just kiddin.... u can satisfy urself, and if it will popup again just comment back and we will be there =)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.