Q: How to locate a virus like executable file running as an application. (Answered 4 out of 5 stars, 6 Comments)
Question  
Subject: How to locate a virus like executable file running as an application.
Category: Computers > Security
Asked by: chasnyc-ga
List Price: $2.00
Posted: 01 Nov 2002 09:13 PST
Expires: 01 Dec 2002 09:13 PST
Question ID: 95490
I need help locating an executable file on my machine which pops up an
advertisement for University Diplomas. It does this once per day or
session. I assume I installed something by mistake but I don't see
anything strange in my Add/Remove Programs list. Neither my anti-virus
software nor Ad-aware picks it up. If I go to Windows Task Manager, I
can see it running as an application called "Messenger Service". If I
select "go to process", it shows that it's using the "csrss.exe"
process. Is there a utility which I can use to locate the executable
files causing this? Something which maps running
applications/processes to executables? I'm on WINXP Home.
Answer  
Subject: Re: How to locate a virus like executable file running as an application.
Answered By: aceresearcher-ga on 01 Nov 2002 09:47 PST
Rated: 4 out of 5 stars
 
chasnyc,

Unfortunately, this new form of scumware invades your computer through
your Windows Messenger Service. To get rid of it, you need to disable
and stop using Microsoft Messenger, at least until Microsoft and/or
the firewall software companies develop a fix for it.

"Spam Masquerades as Admin Alerts" by Brian McWilliams, Wired News
(October 15, 2002)
"A new breed of pop-up ads is appearing mysteriously on Microsoft
Windows users' computers. The so-called "Messenger spams" have
security experts and system administrators scratching their heads --
and recipients fuming... Flynn said the recent pop-ups appear to use
port 135, which is often left unprotected by a firewall because it's a
vital conduit for communicating with a Microsoft service called RPC...
Carvey and other security experts said users can protect themselves
from unwanted pop-ups by disabling the Windows Messenger service
and/or properly configuring their firewalls."
http://www.wired.com/news/technology/0,1282,55795,00.html

"Spammers crack through Windows" by Robert Lemos, Special to ZDNet
News (October 18, 2002)
"Spammers have co-opted an administration feature in Microsoft's
Windows operating systems and are using it to bring up intrusive
advertisements on Internet-connected computers."
http://zdnet.com.com/2100-1105-962483.html

Example of the offending pop-up, from the Computer Security Department
at James Madison University in Harrisonburg, VA (October 29, 2002):
Instructions for "Disabling the Messenger Service" appear about
halfway down the page, followed by "Blocking Network Access to the
Messenger Service".
http://www.jmu.edu/computing/security/info/winmsg.shtml


Search Strategy

"university diplomas" pop-up
http://www.google.com/search?q=%22university+diplomas%22+pop-up&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N


Before Rating my Answer, if you have any questions, please post a
Request for Clarification, and I will do what I can to get you what
you need.

I hope this information enables you to solve your problem!

Regards,

aceresearcher
chasnyc-ga rated this answer: 4 out of 5 stars

Comments  
Subject: Re: How to locate a virus like executable file running as an application.
From: crimson_harlequin-ga on 01 Nov 2002 09:19 PST
 
Make sure you don't have "gator" installed in add/remove.
Subject: Re: How to locate a virus like executable file running as an application.
From: crimson_harlequin-ga on 01 Nov 2002 09:23 PST
 
There's a new kind of "pop-up" that's really not a pop-up at all; it
uses Windows' (XP included) own ability to receive network messages.

Does the university diploma message have any color or buttons or is it
text only with a bar across the top that says something like "network
message"?
Subject: Re: How to locate a virus like executable file running as an application.
From: crimson_harlequin-ga on 01 Nov 2002 09:25 PST
 
To stop pop-ups, you might try a shareware program like "pop-up
stopper pro." www.tucows.com has lots of these, if you are going to
get one from tucows, sort by your OS (WinXP) and by rating (number of
stars).
Subject: Re: How to locate a virus like executable file running as an application.
From: crimson_harlequin-ga on 01 Nov 2002 09:28 PST
 
Here's the article about the network messaging spam I mentioned in an
earlier comment: http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.htm
Subject: Re: How to locate a virus like executable file running as an application.
From: mister-ga on 01 Nov 2002 10:12 PST
 
Try the anti spyware at www.lavasoftusa.com
Subject: Re: How to locate a virus like executable file running as an application.
From: crimson_harlequin-ga on 01 Nov 2002 12:45 PST
 
---HOW TO TURN OFF MESSENGER SERVICE IN XP/NT/Win2k---

The easiest way, if you are running a firewall, is to block port 139.
Otherwise:

1. Click on the Start button and open the control panel.
2. Open the Performance and Maintenance control panel and go to
Administrative Tools.
3. Now double-click on Services, then scroll to Messenger.
4. Double-click Messenger and click Stop to stop the service.
5. Change the startup type to Disable.
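
The stop-and-disable steps above as a script, together with the process-to-executable mapping the question asks for. This is an added example, not part of the original thread; it assumes Windows PowerShell (1.0 to 5.1, where Get-WmiObject is available) run from an administrator account.

```powershell
# Added example: stop and disable the Messenger service, and show which
# process and executable host it. Assumes Windows PowerShell 1.0-5.1 and
# administrator rights; Get-WmiObject does not exist in PowerShell 7+.

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"

if (-not $svc) {
    # The service is absent on newer Windows releases; nothing to disable.
    Write-Output "Messenger service is not installed on this system."
}
else {
    # Map the service to its binary and to the process currently hosting it.
    Write-Output ("Service binary : {0}" -f $svc.PathName)
    if ($svc.ProcessId -ne 0) {
        $p = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
        Write-Output ("Host process   : {0} (PID {1}) {2}" -f `
            $p.Name, $p.ProcessId, $p.ExecutablePath)
    }

    # Step 4: stop the service if it is running (ReturnValue 0 = success).
    if ($svc.State -ne 'Stopped') {
        $r = $svc.StopService()
        if ($r.ReturnValue -ne 0) {
            Write-Warning "StopService returned $($r.ReturnValue)"
        }
    }

    # Step 5: set the startup type to Disabled so it stays off after reboot.
    $r = $svc.ChangeStartMode('Disabled')
    if ($r.ReturnValue -ne 0) {
        Write-Warning "ChangeStartMode returned $($r.ReturnValue)"
    }

    # Re-read the service and report the resulting state.
    Start-Sleep -Seconds 2
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
    Write-Output ("Result         : State={0} StartMode={1}" -f `
        $svc.State, $svc.StartMode)
}

# General form of the mapping: every running process with its executable path.
# ExecutablePath can be empty for protected system processes.
Get-WmiObject -Class Win32_Process |
    Sort-Object Name |
    Select-Object ProcessId, Name, ExecutablePath |
    Format-Table -AutoSize
```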
