Annoying Messenger Service
coldog
August 25th, 2003, 09:51 AM
I have had this annoying Messenger Service pop-up for a couple of months now. Up until all this Blaster stuff I have pretty much ignored it. But frankly it is pissing me off now. I have installed new anti-virus/trojan/spy/adware software, but nothing seems to remove it.
the latest message:
Message from PAID SURVEYS to 66.203.188.108 on 8/25/2003 6:50:11 AM
Sit Back Relax, and Get Paid for What You think!
http://www.b-opp.com ..... (I have attached a screenshot of the message)
Normally I would just shut down the window(s), but this morning I went into Task Manager, right-clicked and went to the process. It went straight to CSRSS.exe. I have done a couple of searches on Google for this file name and have come up with both that it is a required Windows file and that it is a virus???
Can anyone shed some light on what this is (both the Messenger Service and CSRSS.exe)? I am about to set up a router with a built-in firewall between my computer and my wife's, but I want to make sure that my computer is completely clean before I do so.
Pieter_Arntz
August 25th, 2003, 09:58 AM
Hi coldog,
There is a legit windows file called CSRSS.exe, but this is probably not the one. The legit one ought to be in the Windows\System32 folder, but there is a hijacker using that name which normally shows up in the Windows folder.
If you'd like me to help you get rid of it and the changes it has made:
Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.
Most of what it lists will be harmless, so do not fix anything yet.
Regards,
Pieter
Jooske
August 25th, 2003, 10:05 AM
Hi Coldog and welcome to the forum!
I think I'm quoting Pieter from another message on how to close that Messenger service, with the option to enable it again if you want:
For Windows 2000 and XP this is a way to disable it:
* Go to start and click Run
* Type services.msc
* Double-click on Messenger.
* In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
* Click OK.
You don't run TDS, btw? It has recently gained a very fine answer to this kind of "service" for registered operators.
But first give Pieter the honor of looking at your HJT log please.
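The same stop-and-disable procedure, scripted, as an added example that is not part of the thread. It assumes an elevated Windows PowerShell prompt on a system that still ships the Messenger service (Windows 2000/XP; the service was removed in later Windows versions, so on those the script finds nothing and exits). Get-WmiObject is used rather than Get-CimInstance because it exists in the older PowerShell versions that run on XP; the -Restore switch name is this example's own.

```powershell
# Added example (not from the thread): stop and disable the Messenger service
# (the NetBIOS "net send" pop-up service, NOT Windows Messenger / msmsgs.exe),
# with a -Restore switch that puts it back to Manual start if you want it again.
# Assumes an elevated Windows PowerShell prompt.
param(
    [switch]$Restore   # hypothetical switch name chosen for this example
)

$svcName = 'Messenger'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue

if (-not $svc) {
    Write-Host "No service named '$svcName' on this system (it was removed after XP); nothing to do."
    return
}

# Show where the service actually runs. On XP it is hosted inside
# "svchost.exe -k netsvcs", which is why Task Manager points at svchost.exe
# rather than at a separate Messenger binary.
$cfg = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
Write-Host ("Display name : {0}" -f $cfg.DisplayName)
Write-Host ("Binary path  : {0}" -f $cfg.PathName)
Write-Host ("State/Start  : {0} / {1}" -f $cfg.State, $cfg.StartMode)

if ($Restore) {
    # Re-enable: Manual start type, so the service exists again but only runs on demand.
    Set-Service -Name $svcName -StartupType Manual
    Write-Host "Startup type set back to Manual; start it with: Start-Service $svcName"
    return
}

# Stop the running instance first (equivalent to "Stop" in the Properties window),
# then set the startup type so it does not come back after a reboot.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svcName -Force
}
Set-Service -Name $svcName -StartupType Disabled

# Confirm the result.
$after = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
Write-Host ("Now: {0} / {1}" -f $after.State, $after.StartMode)
```

On XP the built-in sc.exe does the same job from a plain command prompt: "sc stop Messenger" followed by "sc config Messenger start= disabled" (note the space after "start="). Disabling the service only stops the pop-ups from being displayed; the unsolicited traffic still arrives at the machine until a firewall such as the router mentioned above blocks it.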
coldog
August 25th, 2003, 10:15 AM
Thanks for the quick responses. You guys and gals in here are truly helpful and I appreciate that. ;)
FYI about programs I have running:
I have TDS-3, avast!, Spybot - Search & Destroy, Ad-Aware 6, and none of these programs have caught it, even when I left the offending window open. ???
But here is the list.
Thanks in advance
Coldog
Logfile of HijackThis v1.96.2
Scan saved at 10:08:53 AM, on 8/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ScreenShot Wizard\sswizard.exe
C:\Program Files\Real\RealJukebox\realjbox.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Colin Uildersma\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yahoo.com/games/clients/y/dos0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37385.1412615741
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0312.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BF0814C-EC66-47C3-BFA3-36BBDEF2A363}: NameServer = 199.166.6.2 209.239.11.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BF0814C-EC66-47C3-BFA3-36BBDEF2A363}: NameServer = 199.166.6.2 209.239.11.98
Pieter_Arntz
August 25th, 2003, 10:22 AM
Hi coldog,
Looks like your security apps paid off. No nasties left and no hijack succeeded. :)
Just check if C:\WINDOWS\CSRSS.EXE is still present and delete it when you find it.
Remember to leave C:\WINDOWS\system32\csrss.exe alone.
Regards,
Pieter
Jooske
August 25th, 2003, 10:34 AM
..... always blindly trusting Pieter's opinions as the HJT specialist.
If your TDS is a registered version and you have access to the private TDS forum, look in the scripting area -- you might decide to keep the messenger enabled to see the tool working! (Can't post the link here)
Pieter_Arntz
August 25th, 2003, 10:44 AM
Almost forgot something. What happens when you press the F9 key?
coldog
August 25th, 2003, 10:49 AM
Thanks again.
I have gone into Run and found the little critter. This is the file that it is directed to. Should I go and hunt it down and delete it?
C:\WINDOWS\System32\svchost.exe -k netsvcs
As far as TDS goes, I am not a registered user yet; I only downloaded the trial version about three days ago. Typically I am not that much of a techie, and until last week I hadn't had any problems with my computer. I realize the benefits, but unfortunately $50 US :-\ is like $100 CDN :o and a little out of my price range.
Thanks again for all of the help
coldog
August 25th, 2003, 10:52 AM
F9 while it is running? I have disabled it now. (Even if I did have it up and running, it only seems to leave messages while my PC is inactive, which was part of my worry, since I thought it might be a trojan/worm. Before, the only way to shut it down was to click OK; Esc did not work.) But thanks again and again....
... is there an echo in here???
Coldog
Pieter_Arntz
August 25th, 2003, 10:53 AM
Hi coldog,
Do NOT attempt to delete svchost.exe.
I don't think/hope you will succeed, and there is no need to delete it.
If your F9 button is back to normal and the C:\Windows\Csrss.exe file is gone, then you are OK.
Regards,
Pieter
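The two checks this exchange comes down to, as an added example that is not part of the thread: is a running csrss.exe the real one (which always lives in %SystemRoot%\System32), and what is a given svchost.exe instance actually hosting, so that "svchost.exe -k netsvcs" is read as a container for services like Messenger rather than as a file to delete. It assumes Windows PowerShell run as Administrator (process paths are not readable otherwise) and uses Get-WmiObject so it also works on older PowerShell versions.

```powershell
# Added example (not from the thread): triage csrss.exe and svchost.exe instances.
# Assumes an elevated Windows PowerShell prompt.
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. csrss.exe: report every running instance and flag any outside System32.
#    The look-alike in this thread was reported to sit in the Windows folder itself.
Get-WmiObject Win32_Process -Filter "Name='csrss.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) {
        Write-Host ("PID {0}: path not readable (run elevated)" -f $_.ProcessId)
    } elseif ((Split-Path $path -Parent) -ieq $sys32) {
        Write-Host ("PID {0}: {1}  [expected location]" -f $_.ProcessId, $path)
    } else {
        Write-Host ("PID {0}: {1}  [SUSPICIOUS: not in System32]" -f $_.ProcessId, $path)
    }
}

# A copy on disk that is not currently running is just as telling.
$stray = Join-Path $env:SystemRoot 'csrss.exe'
if (Test-Path $stray) {
    Write-Host "Found $stray outside System32 - this is not the system file; verify and remove it"
} else {
    Write-Host "No stray csrss.exe directly in $env:SystemRoot"
}

# 2. svchost.exe: map each running instance to the services it hosts.
#    Win32_Service.PathName holds the full command line, e.g.
#    "C:\WINDOWS\System32\svchost.exe -k netsvcs", and ProcessId ties
#    the service to the host process Task Manager shows.
Get-WmiObject Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
    Group-Object ProcessId |
    ForEach-Object {
        $cmd = ($_.Group | Select-Object -First 1).PathName
        Write-Host ("`nsvchost PID {0}: {1}" -f $_.Name, $cmd)
        $_.Group | Sort-Object Name | ForEach-Object {
            Write-Host ("   - {0} ({1}) {2}" -f $_.Name, $_.DisplayName, $_.State)
        }
    }
```

On XP the built-in "tasklist /svc" gives the same process-to-services mapping from a command prompt. Deleting or killing the svchost.exe that hosts the netsvcs group would take every service in that group down with it, which is why the advice above is to disable the one service rather than touch the host.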
DolfTraanberg
August 25th, 2003, 10:56 AM
If it's related to the Messenger service, you don't have to delete anything; just disable the service like Jooske said. Definitely don't delete svchost.exe, as your computer might not work again.
coldog
August 25th, 2003, 11:51 AM
;D No worries, did not delete anything... just disabled it... thanks again to all
Coldog
Peaches4U
August 25th, 2003, 08:29 PM
There's a piece of software called "Shoot the Messenger". It is simple to use, takes zip resources, and you can disable or enable Windows Messenger whenever you wish. Unless you want it completely removed, this is the easy way out, and I will always opt for the easiest route.
VAN WILDER
August 29th, 2003, 07:42 AM
My fave: Start > Run: RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove ;D OK
Pieter_Arntz
August 29th, 2003, 07:51 AM
Hi VAN WILDER,
That will remove Windows Messenger. Not to be confused with the Messenger Service this thread is about.
Regards,
Pieter
VAN WILDER
August 29th, 2003, 09:36 AM
Sorry about that, I really did not know they were not the same. After you told me that, I went and looked at Services and saw the description. Learn something new every day.
So about the confusion folks, carry on :P
vBulletin® Copyright ©2000-2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums