I had this happen also several times, about 2 months ago, I did everything you mentioned below. A friend had me download a utility called spybot, which found a cookie in my internet explorer that launches popup ad's automatically. Once I removed this, I haven't seen any since. http://spybot.safer-networking.de
This month in PC magazine, they also talk about this sneaky, thing they are doing with ad cookies. You surf some web sites and it loads this in the background automatically. --------------------------------------- Steven Cmajdalka [EMAIL PROTECTED] The Graphics Group, Dallas, TX 75226 --------------------------------------- -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Purtell Sent: Monday, March 31, 2003 4:11 PM To: Declude JunkMail (E-mail) Subject: [Declude.JunkMail] Possible exploit on mail server Don't know if this is related to spam or not... This morning I logged onto the NT4 server where we host both our web and mail server. Immediately noticed a Messenger Service box (like you get with "net send" from dos prompt) containing a typical spam message (edited): "From our Research Dept ... Work From Home ... Type this address in your browser ..." First I went into the Task Manager where confirmed it really was the Messenger Service (csrss) being used. Then I made sure the service executable had not been modified. Then I ran F-Prot to make sure there were no known viruses. Then I ran a tracert on the IP address mentioned in the spam. Then I checked the event log, but didn't have any relevant entries. Then I ran a recent Critical Update from the Microsoft site, just in case it applied to what I was seeing. I rebooted and the message is gone, but I don't know how they got in. There are only a few accounts on this server. IUSR and IWAM, administrator, myself and my boss, and a special account for FTP access. Any ideas? Keith Purtell, Web/Network Administrator VantageMed Operations (Kansas City) Email: [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
