
Advice on popups needed.


BradBo


I am getting popup ads on my desktop even when I am not browsing.

I have a full time DSL connection.

I have determined that the program these people are using is "csrss.exe" and it's in my c:\windows\system32 directory.

My problem is I can't seem to delete the exe file, I get a "disk full/access refused" warning from Windows.

Also I think it is using a program called Microsoft Console Based Script Host which I can't delete either.

How can I get rid of these files?

I went into "safe mode" and I still couldn't delete the files.

Do you think I have to get into my registry?

Thanks



To see how to stop this, go to

http://www.jmu.edu/computing/security/info...fo/winmsg.shtml

Background

The Windows Messenger service allows programs to inform a computer's operator of an event. For example, printer software may use it to pop up print job status, Exchange may use it to pop up "new mail" notifications, and anti-virus software may use it to pop up virus warnings. The trouble lies in that it also allows programs running on other computers to do the same thing without any restrictions or authentication. While this may be useful in some environments, it is also easily exploited and abused.

Why people waited until now to start exploiting the feature is not known. It has been available since Windows NT or before and is enabled on every shipping Windows 2000 and XP computer. Recently a company started selling a tool making it easy and now others may be copying their methods.

Several people have suggested that the recipients of these messages are at fault for not having a firewall. Indeed, Microsoft's security bulletin MS01-048 says "Standard security recommendations call for port 135 – the port on which the RPC endmapper operates – to be blocked at the firewall". This suggests that the Messenger and underlying RPC service is inappropriate, unreliable, or unsafe in some way making its exposure to a network risky. One has to wonder why a network door to such a service is open by default on every shipping Windows computer when a large percentage of them will almost assuredly be connected to the Internet...many as "personal" computers.

Computers shipping with unnecessary services having open network doors have been causing harm on the Internet for some time. Several of these services have been found to have serious security defects. This results in systems that are freshly installed from CDs being vulnerable as soon as they are connected to the network. Some are exploited within minutes.

While, at present, no such defects in the Messenger service are known to exist, the current harassment activity should be lesson enough for all vendors. Don't ship systems with unnecessary network doors open. Particularly on consumer computers.

That said, a properly configured personal firewall, including the Internet Connection Firewall shipped with Windows XP, will prevent abuse of the Messenger service from remote computers.

The Center for Internet Security recommends disabling the Messenger service in its Windows 2000 Level I benchmarks.

Microsoft has published Knowledgebase article 330904 addressing this abuse in which they recommend use of a firewall to block the communications port used by the Messenger service along with other risky ports instead of disabling the Messenger service.

Disabling the Messenger Service

You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

Windows 2000

Click Start->Programs->Administrative Tools->Services

Scroll down and highlight "Messenger"

Right-click the highlighted line and choose Properties.

Click the STOP button.

Select Disable in the Startup Type scroll bar

Click OK

Windows XP

Click Start->Control Panel

Click Performance and Maintenance

Click Administrative Tools

Double click Services

Scroll down and highlight "Messenger"

Right-click the highlighted line and choose Properties.

Click the STOP button.

Select Disable in the Startup Type scroll bar

Click OK

You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

net send 127.0.0.1 "test"

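The Services-console steps in the post above can also be carried out from an administrator command prompt. The batch script below is an added example, not part of the original post or the page it quotes; it assumes the service's short name is Messenger and that sc.exe is present (it ships with Windows XP; on Windows 2000 it may have to be installed separately).

```batch
@echo off
rem Added example: command-line equivalent of the Services-console steps.
rem Run from an administrator command prompt.
rem Assumption: the service short name is "Messenger" and sc.exe is installed.

rem Stop the service if it is currently running.
sc query Messenger | find "RUNNING" >nul
if not errorlevel 1 (
    echo Messenger is running, stopping it...
    net stop Messenger
)

rem Set the startup type to Disabled so it stays off after a reboot.
rem The space after "start=" is required by sc.exe.
sc config Messenger start= disabled
if errorlevel 1 (
    echo Could not change the startup type. Are you an administrator?
    exit /b 1
)

rem Verify the configured startup type.
sc qc Messenger | find "DISABLED" >nul
if errorlevel 1 (
    echo WARNING: startup type is not Disabled.
    exit /b 1
)

rem Verify the current state.
sc query Messenger | find "STOPPED" >nul
if errorlevel 1 (
    echo WARNING: service is still running.
    exit /b 1
)

echo Messenger service is stopped and disabled.
```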

BradBo, sounds like you got some nasty spyware client on your system. First I would recommend going to http://www.lavasoft.de/ and getting Ad-Aware, make sure to get the update once u install the app, let it search ur computer, it may be able to kill the pesky little fecker. If not then I would recommend restarting in safe mode, and trying to delete the file from there. If worse comes to worse and you still can't get it deleted, use the recovery console to delete the exe. As long as you know DOS commands you should be fine.

=Drew
