Preview AdService
February 22, 2005 7:42 AM

I'm having problems IDing and removing a parasite... where / who / what can sort me out?

After surfing through a particularly pop-up ridden webpage, a new process started running on my system. It looks like adware but I've googled it and checked without luck.

The processes are:
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe

I'm not one to hack my own registry for fear of the damage I will cause and these are very sticky. Spyware Doctor couldn't spot it (though it removed a lot of crap I didn't know I had). Ad-Aware was pretty useless (it missed 220 items Spyware Doctor removed).

Of course I'm now wiser about Active-X settings but for this particular bug, the damage is done and I need some roachkill. I appreciate this topic has come up before but time has moved on and old solutions aren't working on this pest.

Is this parasite something new? I find it odd google turns up nothing...?
posted by missbossy to Computers & Internet (10 answers total)
Have you tried SpyBot and Microsoft's new anti-spyware tool? They are both free. The MS tool found some stuff on one of my machines that SpyBot couldn't find.
posted by caddis at 7:57 AM on February 22, 2005

Go to HijackThis and download their free software (takes a second) and then go to their forum and post what you find after you run it. You'll be posting what you find on your registry. One of the forum regs will tell you what needs to be deleted from your registry, and exactly how to do it. Then you run HiJack This again, and post your results again on the forum, and hopefully they'll give you a clean bill of health. It's free, and easy.
posted by iconomy at 8:02 AM on February 22, 2005

I really thought you had some sort of medical problem. Please be more specific next time!
posted by agregoli at 8:13 AM on February 22, 2005

What iconomy said--I recommend the forums on, but the essence remains exactly the same--HijackThis log posting per guidelines, and expert custom advice following shockingly fast. Good folks.

Under no circumstances listen to those who will just throw up their hands and say, "I think you should just format and reinstall!" It's rarely actually necessary, just a lot easier on tech support types.
posted by Drastic at 8:17 AM on February 22, 2005

agregoli, he used computers & internet as his category. No snark meant, just a reminder of one of those handy new features Matt has added to help us out with these types of things.
posted by chiababe at 8:20 AM on February 22, 2005

Thanks for the forum tips. I've been using hijack this for some time but didn't know the right forums to take this to. Duh.

Spybot did find more crap but not this one. Very nice app.

... oh yeah... and what chiababe said!
posted by missbossy at 8:33 AM on February 22, 2005

Always use a combination of spyware/adware removal tools. Generally the overlap doesn't hurt anything (although "inoculation" functions may) and between two or, better yet, three, you'll get most of what's possible to find. Consider using whatstheirnames' free web based tool, tool.

It's interesting and frustrating that Googling on the executable results in no hits, but I've seen this happen before. Try using the right-click context menu for "properties" to see if there's any helpful metadata available. Probably not. Use a hex editor to look at the file directly. You'll find various text strings that are big clues as to what the executable is.

Try killing the process and see if your box goes "boom" and dies. If not, see if the process mysteriously reappears. If it does, prepare to either be frustrated by an annoying piece of spyware/trojan or frustrated because this is actually an important executable you need to have running.

But to prevent it from running, kill the process and then rename the extension of the file from "exe" to (my usual) "bak" or "zzz". Reboot. Use MS's config tool to track and control what programs are invoked when and how. Learn how to use the commandline program "netstat" to look at what processes are using the network. If your mystery process is listed, that's probably a bad sign.

Looking at the file in a hex editor very likely will provide for you some other strings to use for a Google search (assuming you can tell what's specific and what's generic, which a neophyte likely wouldn't).

A software firewall on your box is not a trustworthy firewall—at least use something like a NAT firewalling router to protect your network from the Internet. However, a software firewall can provide one very valuable piece of security: monitoring of outgoing network connections made by your apps and controlling them.
posted by Ethereal Bligh at 9:21 AM on February 22, 2005
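
The hex-editor step from the answer above, as an added example that is not part of the original thread: this Python sketch pulls readable strings out of an executable, including the UTF-16LE form that Windows version resources use (which a hex editor shows with a null byte between letters), and drops strings common to nearly every Windows program so the remainder can serve as search terms. The generic-string filter and the sample bytes are constructed for illustration.

```python
import re
import sys

MIN_LEN = 6  # shorter runs are mostly noise

# Strings found in almost any Windows executable make poor search terms.
# Small constructed filter for illustration, not a complete list.
GENERIC = re.compile(
    r"(?i)(^this program cannot be run in dos mode|\.dll$|^microsoft|"
    r"^(get|set|load|create|close|reg|virtual|exit)[a-z]+[aw]?$)"
)

def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII and UTF-16LE strings, ordered by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    seen, out = set(), []
    for _, text in sorted(found):
        text = text.strip()
        if len(text) >= min_len and text not in seen:
            seen.add(text)
            out.append(text)
    return out

def search_candidates(data):
    """Strings specific enough to be worth putting into a search engine."""
    return [s for s in extract_strings(data) if not GENERIC.search(s)]

# Constructed sample bytes standing in for an unknown executable.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 3
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    + b"\x01\x02\x03"
    + "ExampleAdKeeper".encode("utf-16-le") + b"\x00\x00"
    + b"http://updates.example.invalid/check\x00"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for candidate in search_candidates(blob):
        print(candidate)
```

Reading the file this way never executes it, so it is safe to run against a suspect binary that has already been renamed.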

Try killing the process and see if your box goes "boom" and dies

I had tried this a few times and the bastard kept springing to life. But it seems I hadn't done the next obvious thing... killing the entire process tree associated with this item (I use Process Explorer which is great).

That was enough to disable it long enough for me to go in for the kill.

What it was remains a mystery but it is now dead. Thanks all... And my overnight spybot run keeps finding parasites.

Always use a combination of spyware/adware removal tools

Noted and well taken! I was only running ad-aware previously and had no idea how weak it was. I've got three on the go now and have removed 250 items ad-aware missed.
posted by missbossy at 3:45 PM on February 22, 2005

And here I was thinking you'd gone swimming in Burkina Faso and picked up some kind of rare worm or something.
posted by ikkyu2 at 6:28 PM on February 22, 2005

Well it did make me itchy!

PS as a follow up, I noticed that Google has now returned an entry for PrevAdKeep. Only one and it showed up Feb 22nd.
posted by missbossy at 8:45 PM on February 23, 2005
