BradBo Posted April 29, 2003

I am getting popup ads on my desktop even when I am not browsing. I have a full time DSL connection. I have determined that the program these people are using is "csrss.exe" and it's in my c:\windows\system32 directory. My problem is I can't seem to delete the exe file, I get a "disk full/access refused" warning from Windows. Also I think it is using a program called Microsoft Console Based Script Host which I can't delete either. How can I get rid of these files? I went to "safe mode" and I still couldn't delete the files. Do you think I have to get into my registry?

Thanks

rstryker Posted April 29, 2003

To see how to stop this, go to http://www.jmu.edu/computing/security/info...fo/winmsg.shtml

Background

The Windows Messenger service allows programs to inform a computer's operator of an event. For example, printer software may use it to pop up print job status, Exchange may use it to pop up "new mail" notifications, and anti-virus software may use it to pop up virus warnings. The trouble lies in that it also allows programs running on other computers to do the same thing without any restrictions or authentication. While this may be useful in some environments, it is also easily exploited and abused.

Why people waited until now to start exploiting the feature is not known. It has been available since Windows NT or before and is enabled on every shipping Windows 2000 and XP computer. Recently a company started selling a tool making it easy and now others may be copying their methods.

Several people have suggested that the recipients of these messages are at fault for not having a firewall. Indeed, Microsoft's security bulletin MS01-048 says "Standard security recommendations call for port 135 – the port on which the RPC endmapper operates – to be blocked at the firewall". This suggests that the Messenger and underlying RPC service is inappropriate, unreliable, or unsafe in some way making its exposure to a network risky. One has to wonder why a network door to such a service is open by default on every shipping Windows computer when a large percentage of them will almost assuredly be connected to the Internet...many as "personal" computers.

Computers shipping with unnecessary services having open network doors have been causing harm on the Internet for some time. Several of these services have been found to have serious security defects. This results in systems that are freshly installed from CDs being vulnerable as soon as they are connected to the network. Some are exploited within minutes.

While, at present, no such defects in the Messenger service are known to exist, the current harassment activity should be lesson enough for all vendors. Don't ship systems with unnecessary network doors open. Particularly on consumer computers.

That said, a properly configured personal firewall, including the Internet Connection Firewall shipped with Windows XP, will prevent abuse of the Messenger service from remote computers.

The Center for Internet Security recommends disabling the Messenger service in its Windows 2000 Level I benchmarks. Microsoft has published Knowledgebase article 330904 addressing this abuse in which they recommend use of a firewall to block the communications port used by the Messenger service along with other risky ports instead of disabling the Messenger service.

Disabling the Messenger Service

You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

Windows 2000

1. Click Start->Programs->Administrative Tools->Services
2. Scroll down and highlight "Messenger"
3. Right-click the highlighted line and choose Properties.
4. Click the STOP button.
5. Select Disable in the Startup Type scroll bar
6. Click OK

Windows XP

1. Click Start->Control Panel
2. Click Performance and Maintenance
3. Click Administrative Tools
4. Double click Services
5. Scroll down and highlight "Messenger"
6. Right-click the highlighted line and choose Properties.
7. Click the STOP button.
8. Select Disable in the Startup Type scroll bar
9. Click OK

You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    net send 127.0.0.1 "test"
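
The Messenger service steps from the post above, done from a command prompt with a check of the result. This is an added example, not part of the original post or the quoted JMU page; it assumes Windows XP (where sc.exe is built in) and an administrator account.

```batch
@echo off
rem Added example: stop and disable the Messenger service, then confirm its state.
rem Assumes Windows XP (sc.exe built in) and an administrator command prompt.

set SVC=Messenger

rem Stop the running service (same as clicking the STOP button).
rem An error here just means it was already stopped, so it is ignored.
net stop %SVC% >nul 2>&1

rem Set the startup type to Disabled. sc requires the space after "start=".
sc config %SVC% start= disabled >nul
if errorlevel 1 (
    echo Could not change the startup type of %SVC%. Run this as an administrator.
    exit /b 1
)

rem Confirm the startup type that is now stored in the service configuration.
sc qc %SVC% | find "DISABLED" >nul
if errorlevel 1 (
    echo %SVC% is not set to Disabled.
    exit /b 1
)

rem Confirm the service is not running right now.
sc query %SVC% | find "RUNNING" >nul
if not errorlevel 1 (
    echo %SVC% is still running.
    exit /b 1
)

echo %SVC% is stopped and disabled.

rem Port 135 belongs to the RPC endpoint mapper, not to Messenger itself, so it
rem stays open after Messenger is disabled. List any listener so you can see
rem whether the firewall advice in the post still applies to this machine.
netstat -an | find ":135 "
```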

Drewdatrip Posted April 29, 2003

BradBo

Sounds like you got some nasty spyware client on your system. First I would recommend going to http://www.lavasoft.de/ and getting Ad-Aware, make sure to get the update once u install the app, let it search ur computer, it may be able to kill the pesky little fecker. If not then I would recommend restarting in safe mode, and trying to delete the file from there. If worse comes to worse and you still can't get it deleted, use the recovery console to delete the exe. As long as you know DOS commands you should be fine.

=Drew

gamehead200 Posted April 29, 2003

Pop-up ads as with advertisements with pics and links, or just ads with text and an OK button? If it's the second kind of ad, you have to disable the Messenger service...

BradBo Posted April 30, 2003

how the heck do people learn this stuff!

Thanks for the help.

Brad

rstryker Posted April 30, 2003

I just did an MSN search for "csrss.exe pop-ups"

XPerties Posted April 30, 2003

> how the heck do people learn this stuff!
> Thanks for the help.
> Brad

http://www.google.com/

rstryker Posted May 1, 2003

Yea ... Google is better. I just had MSN up already.