Techzonez    

Old January 28th, 2005, 16:13 PM   #1
ilyail3
Member
 
Join Date: Jun 2004
Posts: 98
Another spyware

I have a problem with a spyware that is using Windows message service. I've tried a lot of programs but nothing seems to detect it. I've tried:
Spyware doctor
Ad-Aware pro
Spyware search and destroy
I know it's using msssrv.exe in windir\system32. Please check if this is a Windows file or I can delete it. How can I get rid of it?
Old January 28th, 2005, 16:21 PM   #2
rik
Old, Cranky and Perverted
Super Moderator
 
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Well it looks like it is a McAfee file. So don't think I'd delete it. Check this:


ModuleName : C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
Command Line : "C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe"
ProcessID : 1472
ThreadCreationTime : 12-26-2004 11:52:36 PM
BasePriority : Normal
FileVersion : 1.00.1117.0
ProductVersion : 1.00.1117.0
ProductName : McAfee AntiSpyware
CompanyName : Network Associates, Inc.
FileDescription : McAfee AntiSpyware RealTime Service
InternalName : MssSrv.exe
LegalCopyright : Copyright © 2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : MssSrv.exe
Old January 28th, 2005, 16:26 PM   #3
ilyail3
Member
 
Join Date: Jun 2004
Posts: 98
Why in system32 and not in its folder?
ilyail3 is offline   Reply With Quote
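
Added example (not part of any post in this thread): the version fields quoted in post #2 are plain strings inside the file that anyone can set, so a file's location and Authenticode signature are stronger evidence of what it is. This PowerShell script lists every copy of the executable it can find and shows those side by side; the two candidate paths come from posts #1 and #2, and the parameter names are assumptions of this example.

```powershell
# Added example: compare what each copy of an executable claims to be
# (version resource) with where it lives and who signed it.
param(
    [string]$Name        = 'msssrv.exe',
    [string]$ExpectedDir = 'C:\Program Files\McAfee\McAfee AntiSpyware'
)

# Fixed candidates: the vendor folder from post #2 and system32 from post #1.
$fixed = @(
    (Join-Path $ExpectedDir $Name),
    (Join-Path $env:windir "System32\$Name")
)

# Image paths of running processes with that name. Path can be empty when the
# shell is not elevated; those entries are skipped.
$procName = [IO.Path]::GetFileNameWithoutExtension($Name)
$running  = Get-Process -Name $procName -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object { $_.Path }

$candidates = @($fixed) + @($running) |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ }

$candidates | ForEach-Object {
    $file = Get-Item -LiteralPath $_
    $vi   = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path             = $file.FullName
        InExpectedDir    = ($file.DirectoryName -ieq $ExpectedDir)
        CompanyName      = $vi.CompanyName       # self-declared, not proof
        ProductName      = $vi.ProductName       # self-declared, not proof
        OriginalFilename = $vi.OriginalFilename  # self-declared, not proof
        FileVersion      = $vi.FileVersion
        SignatureStatus  = $sig.Status           # 'Valid' only if the signature verifies
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
} | Format-List
```

A copy whose SignatureStatus is not Valid, or whose signer does not match the vendor named in its version fields, deserves a closer look before it is trusted or deleted.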
Old January 28th, 2005, 16:37 PM   #4
ilyail3
Member
 
Join Date: Jun 2004
Posts: 98
Take a look at that
Old January 28th, 2005, 16:50 PM   #5
rik
Old, Cranky and Perverted
Super Moderator
 
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
That is an advertisement.
Old January 28th, 2005, 17:15 PM   #6
FastGame
Hardware guy
Super Moderator
 
Join Date: Apr 2002
Location: Blasters worm farm
Posts: 3,674
haha don't go to that place...

Go to Control Panel > Administrative Tools > Services and disable "Messenger"

Then use CCleaner and CWShredder for good measure.

Also try a2 Free or ewido Free

What browser are you using?
Old January 28th, 2005, 22:07 PM   #7
Curio
Triple Platinum Member
 
Join Date: Nov 2004
Location: London
Posts: 907
If you are getting messenger spam like that you either
a) have no firewall
b) have a crap firewall
c) haven't turned your firewall on
You can turn off the messenger service but a proper firewall wouldn't pass those packets anyway.
Old January 29th, 2005, 04:12 AM   #8
ilyail3
Member
 
Join Date: Jun 2004
Posts: 98
It's probably because I allowed almost everything to connect to the Internet, but the main question is why I can't find it with all the anti-spam programs?
And I have McAfee Personal Firewall.
Old January 29th, 2005, 17:43 PM   #9
oftentired
Junior Member
 
Join Date: Oct 2004
Posts: 17
This is what Microsoft says about it:
Quote:
CAUSE
This issue may occur if you receive a net send message from someone who is using the Messenger service in Windows. The Messenger service is a Windows service that transmits net send messages and messages that are sent through the Alerter service between client computers and servers. For example, network administrators use Messenger service to send administrative alerts to network users. Windows and other software programs can also use the Messenger service. For example, Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to an uninterruptible power supply (UPS). Your antivirus program may use the Messenger service to send you notifications. The Messenger service is not related to your Web browser, e-mail program, Windows Messenger, or MSN Messenger. This issue may occur if the following conditions exist:

• The Messenger service is started.
• The Remote Procedure Call service is started.
• Inbound NetBIOS (NetBIOS over TCP/IP) and UDP broadcast traffic is turned on for your Internet connection.


RESOLUTION
To resolve this issue, install or turn on a firewall that blocks inbound NetBIOS and UDP broadcast traffic. The method that you use to resolve this issue depends on your operating system and how you connect to the Internet. The following sections provide examples of several different configurations and possible methods of resolution.
What this means is that this is a nice little program that comes with Windows which is intended for a most useful purpose BUT the @$$%#!!s of the world have figured out how to abuse it and make it popup advertisement spam in your face.

The solution Microsoft presents will work. However, I recommend either disabling or completely removing the service.

To Disable Windows Messenger Service (instructions)

To Delete Windows Messenger Service (ShootTheMessenger Program you can download)

Microsoft Knowledgebase Article 330904 (the quote is from this source)

Old January 30th, 2005, 22:25 PM   #10
cash_site
Security Intelligence
TZ Veteran
 
Join Date: Jul 2002
Location: Software Paradise
Posts: 4,210
I use the ShootTheMessenger program on all my comps and new installs too. Only on my work domain computer I can't disable the service, but I configure the firewall to block it.
Old January 30th, 2005, 22:47 PM   #11
Curio
Triple Platinum Member
 
Join Date: Nov 2004
Location: London
Posts: 907
Make a registry patch; you know exactly what is happening that way.
________________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004

________________________________________________________________
Not that I don't trust Steve Gibson, but I do wonder why he didn't just make a registry patch instead of a program - what was the point? Still say you should sort your firewall out though because there are exploits which can get through the same hole if you don't.
Curio is offline   Reply With Quote
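
Added example (not code from any poster or from Microsoft): a PowerShell check of the two service conditions listed in the Microsoft article quoted in post #9, and of the Start value that the registry patch in post #11 sets. RpcSs is the service name of Remote Procedure Call; the -Disable switch and the function names are assumptions of this example.

```powershell
# Added example: report the Messenger service conditions and, optionally,
# apply the same change as the registry patch (Start = 4, i.e. Disabled).
param([switch]$Disable)   # pass -Disable from an elevated prompt to apply the change

$key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceState([string]$Name) {
    # Returns the service status as text, or 'NotInstalled' when it is absent.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
}

function Get-MessengerReport {
    $start = $null
    if (Test-Path -LiteralPath $key) {
        $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
    }
    $messenger = Get-ServiceState 'Messenger'
    $rpc       = Get-ServiceState 'RpcSs'
    [pscustomobject]@{
        MessengerStatus      = $messenger
        RpcStatus            = $rpc
        RegistryStart        = if ($null -ne $start) { '{0} ({1})' -f $start, $startNames[[int]$start] } else { 'not present' }
        PatchApplied         = ($start -eq 4)
        # Both service conditions from the quoted article hold when this is True.
        ServiceConditionsMet = ($messenger -eq 'Running' -and $rpc -eq 'Running')
    }
}

Get-MessengerReport | Format-List

if ($Disable -and (Get-Service -Name Messenger -ErrorAction SilentlyContinue)) {
    Stop-Service -Name Messenger -Force
    Set-Service  -Name Messenger -StartupType Disabled
    Get-MessengerReport | Format-List   # confirm Start is now 4 (Disabled)
}
```

The third condition in the article, inbound NetBIOS and UDP broadcast traffic, is a firewall setting and is not examined here.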
Old January 30th, 2005, 22:57 PM   #12
FastGame
Hardware guy
Super Moderator
 
Join Date: Apr 2002
Location: Blasters worm farm
Posts: 3,674
Moved this thread for our brand new Spyware section
All times are GMT.