PDA

View Full Version : Adware problems please help!



verachion
04-03-2004, 05:26 AM
Hi,

I have installed Spybot search and destroy,spysweeper. I have run these applications and deleted lots of spyware. However, I am still getting nasty pop ups that appear everytime I log on the internet they are exactly the same popups recurring.

I have this feeling that something isn't right with my Windows Task Manger, I have checked out everything that is running behind the scenes and I am suspicious of the fact that SVCHOST.EXE is running FOUR times, I have recently removed a few viruses from my computer NACHI.B,MSLAUGH,TEEKIDS. However I am not entirely convinced that they have completely gone, ANY FEED BACK WOULD BE APPRECIATED.

Here is what is running behind the scenes that I am dubious about and can't get any firm info on:

SVCHOST.EXE LOCAL SERVICE 120K MEMORY USAGE
SVCHOST.EXE NETWORK SERVICE 1300K MEMORY USAGE
SVCHOST.EXE SYSTEM 7660K MEMORY USAGE
SVCHOST.EXE SYSTEM 60K MEMORY USAGE

IEEXPLORE EXE 5260K
IEEXPLORE.EXE 88K

Darren

pave_spectre
04-03-2004, 05:58 AM
What is SVCHOST (http://ask-leo.com/archives/000030.html).
Microsoft, what is svchost (http://support.microsoft.com/?kbid=314056).

It does perform legitimate tasks and will have multiple instances running, so if you only have four instances it is probably not the problem.

Do you have the messenger service enabled since that can be a cause of pop-ups.? (not msn messenger which is different). To check go to Start -- Run --services.msc and look for messenger service. If it is running you can right-click and select properties and change its status to disabled.

shanmuga
04-03-2004, 06:14 AM
Is the system different from the one mentioned in this (http://www.pcguide.com/vb/showthread.php?threadid=28881) thread ? If yes post a HJT log. Multiple instance of svchost is normal operation of Windows and it is common to see three or four svchost.exe in the Task Manager processes.If you want to see what services are run by each Svchost process,type "Tasklist /svc >C:\TaskList.txt" in command prompt. The TaskList.txt will contain the services list.

Yes worms like welchia, assarm uses the same name. Try scanning the particular file with AV scanner in addition to a full scan. You can also spot the invalid ones by using Process Explorer from Sysinternals (http://www.sysinternals.com/) .

Again multiple instances of iexplore.exe is also normal (Is that a typo ieexplore.exe ?).

Paul Komski
04-03-2004, 09:18 AM
And have you patched your system for the Nachi and Blaster exploits by installing the critical updates from the MS Update Site? If not you are just waiting to be reinfected.

verachion
04-03-2004, 10:49 AM
Hi,

Thanks for all the advice, I downloaded the SP1 updates and guess what! I located NACHI.B again? it must of been lying dormant in the system AVG 6.0 picked it up after I installed the SP1 pack somehow it was in the windows WKS patch? I have run the scanner and it duly removed them? I have also disabled Messenger from services.msc. I have also been to the Blackviper site and followed his instructions by removing unecessary processes.

I am still convinced I have one adware/spyware programme on my computer system hanging in there, reason being is that when I log on to the internet my firewall (zone alarm) asks me if it is ok for svchost.exe to log on to the net as soon as I say yes pop ups appear little grey boxes with time and date stamps sample below:
logforge.com,getmysmoke.com,freesportstat.com,spyw 3a.com,freepornprizes.com,daredare.com the same pop ups seem to appear over and over again.

Also since I downloaded the sp1 pack my virtual memory has been drained any ideas? I am running out.

Thanks again for all your advice

Darren