Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
Dale wrote:

Hi guys, and Holly, :D

I'm on dial-up and try to watch my traffic and every once in a while I see a little blip on gkrellm. I fired up ethereal and started to sniff around. Pardon the pun there. LOL This is what it says though which is strange. It's really the last two lines that matter but I am putting the whole thing here just in case. Sorry so long.

snip

Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server Max Count: 10 Offset: 0 Actual Count: 10
    Server: Microsoft
    Client Max Count: 35 Offset: 0 Actual Count: 35
    Client: inform you about a virus detection
    Message Max Count: 497 Offset: 0 Actual Count: 497
    Message [truncated]: Windows has detected a virus on your system. In order to remove it please follow this steps:\n\n1. Start Microsoft Internet Explorer or your default web browser.\n2. Type into the navigation bar: http://www.cleanmyreg.

What is this? Is this some spam and it pops up a window if I were using windoze? I went to the site and it looks like they want to sell something, which I ain't buying by the way. ;-)

Yes-- not that I know anything about this, but it looks like a trick popup. The site does not seem to be checking your browser ID (which would say Linux), but instead assumes that

1) you are a Windows user (after all, isn't everybody?)
2) you use IE (after all, doesn't everybody?)
3) you do not have a competent admin on your system -- the message uses Microsoft Messenger Service, which is turned on by default under Windows, and enables these kind of popup messages across LAN and WAN, sort of like a mini MSN-- which I believe it connects to as well-- and is not only quite useless except to people like this, but also quite insecure because it lets unknown people like this send you messages without your active consent. Any Windows user I know with even a grain of competence turns it off first thing after installation.

But of course Joe and Jane Average User don't know to do this because their OS is supposed to competently administer their system for them. Oh, well keeps my bf in barter trade goods for cleaning the PCs of Joe and Jane out again every 3 months or so.

How can I tell them to stop this?

1) Don't go to the site.
2) If you must go to the site, don't do so with IE (if you're using Windows for whatever reason)
3) If you must go to the site using IE, for heaven's sake, don't click that link (though that may not protect you; some sites will also transfer their payload when you try to close the popup even if you don't click the link)
4) If you must go to the site using Windows, then have a good 1) firewall, 2) ad-blocker, 3) spyware blocker/cleaner, and 4) antivirus scanner present on the system.

You could also complain to 1) the site 2) the hosting admin 3) the authorities, but it's clearly a commercial deal for somebody -- either the host or the admin has coded/allowed this pass-through to be present on their site, and /somebody/ has either been paid to do so or expects to get paid for doing so in terms of click-through revenues or advertising view revenues or, more unpleasantly, virus or trojan proliferation, and imo, regular users are unlikely to stop the flow of compensation except by not participating.

But you don't have Windows or the Microsoft Messenger Service on a Gentoo box; this foolishness is not actively dangerous to you; especially since you don't have a Registry either, so there's no reason for you to follow the link to any supposed Registry-cleaning program. GKrellm is just reporting that somebody tried to send you a message through this non-existent service.

Oh, only my main rig does this. My three servers which have no GUI stuff or browsers installed do not get this, that I can see anyway. Another thing a bit off topic. I noticed earlier that there was a post in some foreign language, looked like Japanese or Chinese and looked like spam to me. Later I got one in my personal email. Can someone get my email address from this list? I have got a few emails from people, which is OK as long as it is not spam. Just curious. I like the list but I didn't know my private email would become public, if this is true.

I never understand about how people think their email address is private, when it's meant to allow communication between the public network (the Internet) and you. You can take your number out of the phone book too, which means that _most_ random people will be unlikely to call you, but anyone can simply punch a series of numbers--even accidentally-- and call you, because you are connected to the public telephone network by your phone number. In the early days of telemarketing, that used to happen a lot; even now, there are computer-generated phone calls that call and when you pick up the phone, you get a computer talking to you (often telling you to hold on for a live person who's going to try to sell you something). Such setups
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
On 26 Dec 2005, at 11:17, Dale wrote:

Well, I did go to the site but it was *after* I got the traffic. How did they find me to begin with? I assume it was just a random hit. Sort of like a shot in the dark.

They just automate sending of these messenger service spams. Send them to every IP in a range, that sort of thing. It might be a wake-up call to take a look at your security setup in general, but don't worry about this particular aspect.

On 26 Dec 2005, at 10:51, Holly Bostick wrote:

... the message uses Microsoft Messenger Service, which is turned on by default under Windows, and enables these kind of popup messages across LAN and WAN, sort of like a mini MSN-- which I believe it connects to as well-- and is not only quite useless except to people like this, but also quite insecure because it lets unknown people like this send you messages without your active consent.

The Messenger Service is different from Windows Messenger - it's all a bit of a confusing hodgepodge of names. XP comes supplied with an MSN Messenger program which isn't called MSN Messenger but instead Windows Messenger, I think; apart from the name it's identical to old versions of MSN messenger in that you add buddies by email address.

The Messenger Service is something else completely - you're right that it allows people to send you little pop-up windows without your consent, but it's kinda a bigger story than that. Unlike buddy messengers, there's no reply box or any buttons other than OK and to send one of these messages you have to use the Windows File & Printer Sharing command line `net /send computer name text of your message`. Back in the days of Windows 3.1 or 95 this undoubtedly seemed like a great idea, as no-one using Windows networks had heard of the Internet, this was essentially a free service with Windows File & Printer Sharing and the only abuse it was really open to was employees kidding about with each other.

I suspect the reason Messenger Service is enabled by default is because third-party developers use it. I've seen it used by the likes of cheap database apps to say "Blimey! You're out of stock! Order some more." For those who think that Microsoft writes bad software, you really should see some of the sewage written by small independent developers for the Windows platform; some meeting this description are undoubtedly doing a great job, but I've seen some horrors from those aiming at small business niche markets. These guys seem to have no incentive to consider quality or security - basically anyone with a programmer & a salesman can set up in these markets and as long as the product meets a need and appears to work then it goes out the door. I'd guess that Messenger Service could safely be disabled out the box these days, but I wouldn't be surprised that there were many applications that would have suffered from that at the time XP was released.

Stroller.
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
The majority of *crap* hitting my firewall (in Oz) comes from China. Use geoip iptables to block China for a more peaceful life. It's not as though there's any valuable sites there unless you have relatives or a reason to access something there! Taiwan and Hong Kong have also been suggested as sources, but so far they are not even close to the biggie.

As a side effect, as well as messenger spam, it blocks large numbers of other malicious scans/probes/*crap* - enough do this and it might convince the relevant authorities to clean up their own backyard ...

BillK

On Mon, 2005-12-26 at 12:43 +, Stroller wrote:

On 26 Dec 2005, at 11:17, Dale wrote:

Well, I did go to the site but it was *after* I got the traffic. How did they find me to begin with? I assume it was just a random hit. Sort of like a shot in the dark.

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
I have a Yahoo account. I wish I could check it in Mozilla-mail though. Why not? I get about one spam from them per month but that means they let me access via pop. You can certainly activate pop in yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail and probably most others will let you... Cheers Antoine ps. unless you refuse if you don't have imap that is... -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
FYI, the messenger service is disabled by default as of Windows XP SP2

On 12/26/05, Antoine [EMAIL PROTECTED] wrote:

I have a Yahoo account. I wish I could check it in Mozilla-mail though.

Why not? I get about one spam from them per month but that means they let me access via pop. You can certainly activate pop in yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail and probably most others will let you...

Cheers
Antoine

ps. unless you refuse if you don't have imap that is...

--
gentoo-user@gentoo.org mailing list

--
Steven Susbauer
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
W.Kenworthy wrote:

The majority of *crap* hitting my firewall (in Oz) comes from China. Use geoip iptables to block China for a more peaceful life. It's not as though there's any valuable sites there unless you have relatives or a reason to access something there! Taiwan and Hong Kong have also been suggested as sources, but so far they are not even close to the biggie.

As a side effect, as well as messenger spam, it blocks large numbers of other malicious scans/probes/*crap* - enough do this and it might convince the relevant authorities to clean up their own backyard ...

BillK

On Mon, 2005-12-26 at 12:43 +, Stroller wrote:

On 26 Dec 2005, at 11:17, Dale wrote:

Well, I did go to the site but it was *after* I got the traffic. How did they find me to begin with? I assume it was just a random hit. Sort of like a shot in the dark.

Well, I did a whois for the link that was provided in the traffic. It is hosted by godaddy so I sent them a email at abuse-godaddy. They seem to be a reputable company so maybe they will look into it. The rest of the sites it links to are somewhere else, inside the US though. I do know our local district attorney though, he knows some of the feds so if I keep getting them, I may bug him a bit. Sometimes it hits every minute or two one right after the other. I thought it was ntp at first but it was not real consistent like ntp is.

I went to a site once and I think everything is set to stealth. I can't remember where it was though. This is a new install so I guess I need to find that site that tests it and see what it says. I run iptables to share my internet with the 3 servers connected here but I have no clue how it is set up. I don't understand iptables really.

Anyway, the ball is rolling now. Let's see who gets hit.

Dale :-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
Steven Susbauer wrote:

FYI, the messenger service is disabled by default as of Windows XP SP2

On 12/26/05, *Antoine* [EMAIL PROTECTED] wrote:

I have a Yahoo account. I wish I could check it in Mozilla-mail though.

Why not? I get about one spam from them per month but that means they let me access via pop. You can certainly activate pop in yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail and probably most others will let you...

Cheers
Antoine

ps. unless you refuse if you don't have imap that is...

--
gentoo-user@gentoo.org mailing list

--
Steven Susbauer

I had to disable it in my brother's windoze. It is SP2 by now but it was not then. I don't know who to blame for that one. Windoze for having it or the spammers for using it for something other than what it was intended for.

I wonder if those people would like a visit from the feds though. o_O It wouldn't surprise me if they are also sending out spam email. I did download the file listed on their site but it is a .exe file. I have no idea what it does though. It's not like I can install it. LOL

Where's my rope again?? I have a lot of trees. ;-)

Dale :-)

--
To err is human, I'm most certainly human.

I have four rigs:

1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker
2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty
3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey
4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput

All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers.

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
On 26 Dec 2005, at 4:51, Antoine wrote: I have a Yahoo account. I wish I could check it in Mozilla-mail though. Why not? I get about one spam from them per month but that means they let me access via pop. You can certainly activate pop in yahoo. Maybe you can't access via pop with hotmail but yahoo, gmail and probably most others will let you... Yahoo make this a premium (paying) service in some of their domains. If you register for Yahoo with a UK physical address you get an [EMAIL PROTECTED] POP3 access is free; if you register with a US physical address you get a [EMAIL PROTECTED] but you have to pay $20 or so for POP3 access. At least that has been my experience. Strangely, although I registered for my yahoo.com ID with my *cough* US address, when I check under options it seems to recognise that I'm connecting via a UK IP address or to their UK data centre, or something. The upgrade price is listed as £11.99 UK Pounds Sterling. Like I say, I access my yahoo.co.uk mail via POP3 all the time. Stroller. -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
quoth the Dale: I did download the file listed on their site but it is a .exe file. I have no idea what it does though. It's not like I can install it. LOL You can run strings on it, or have a peek in a hex editor... Where's my rope again?? I have a lot of trees. ;-) Dale :-) -d -- To err is human, I'm most certainly human. I have four rigs: 1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker 2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty 3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey 4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers. -- darren kirby :: Part of the problem since 1976 :: http://badcomputer.org ...the number of UNIX installations has grown to 10, with more expected... - Dennis Ritchie and Ken Thompson, June 1972 pgpCplITXy89f.pgp Description: PGP signature
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
darren kirby wrote: You can run strings on it, or have a peek in a hex editor... How I do that? What would I learn from it? hex editor? I think I saw that somewhere. O_O I thought KDE used to have something that I could view it with but since the upgrade I can't find it. Maybe lde-meta missed something??? Anyway, I just would like someone to find out if they are trying to do something they shouldn't and if they are, put a lock on their doors. They can send them to me though. I can go to the local hardware store and get some rope. I have a very large tree about 10 feet from me, good strong limbs too. If this happens enough people would get greed off their mind. I'm disabled and life is not fun but no amount of money would put me on the end of a rope danglin from a tree. :-( Anyway, I haven't heard from godaddy yet. It may be a while since they may be asleep at the wheel, with the holidays and all. Note: I upgraded one of my rigs memory the other day. #3 went from 128MBs to a grand total of 224MBs. Cool huh??? Dale :-) -- To err is human, I'm most certainly human. I have four rigs: 1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker 2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty 3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey 4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. Named Putput All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers. -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
On Monday 26 December 2005 05:20 pm, Dale wrote: You can run strings on it, or have a peek in a hex editor... How I do that? What would I learn from it? hex editor? I think I saw that somewhere. O_O I thought KDE used to have something that I could view it with but since the upgrade I can't find it. Maybe lde-meta missed something??? I think KDE Menu Button - Utilities - More Applications - Binary Editor (KHexEdit) is what you're looking for. Ironically enough, I was just using it. -- Eric Bliss systems design and integration, CreativeCow.Net -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
Eric Bliss wrote: On Monday 26 December 2005 05:20 pm, Dale wrote: You can run strings on it, or have a peek in a hex editor... How I do that? What would I learn from it? hex editor? I think I saw that somewhere. O_O I thought KDE used to have something that I could view it with but since the upgrade I can't find it. Maybe lde-meta missed something??? I think KDE Menu Button - Utilities - More Applications - Binary Editor (KHexEdit) is what you're looking for. Ironically enough, I was just using it. Mine was under File instead of More Apps. Now I have to go download the thing again. I hate windoze and I don't even like storing windoze stuff on my rig. Wonder why? My brother got a digital camera for Christmas. You have to plug in the USB camera then reboot winders for it to work. Is that some crap or what? I updated the drivers for USB too. It wouldn't work at all before I did that. It would see the camera then come up with a hardware error. Stupid windoze. It took me 20 minutes to get it to work in Linux and I spent all day screwing with windoze. Just in the spirit of things, reboot to make it work. That sucks. He's happy that it works at all but I'm not. I may put Linux on that thing yet. If I knew I wouldn't be moving soon, I would. I'd put a bigger heatsink on the CPU and compile away. He has seen my Linux and thinks it is cool. I would have to do the admin stuff though. Ssh comes to mind here. OK. I vented a bit. One more thing to vent though, I HATE WINDOZE!!! makes mad face complete with clenched teeth Thanks Dale :-) -- To err is human, I'm most certainly human. I have four rigs: 1: Home built; Abit NF7 ver 2.0 w/ AMD 2500+ CPU, 1GB of ram and right now two 80GB hard drives. Named Smoker 2: Home built; Iwill KK266-R w/ AMD 1GHz CPU, 256MBs of ram and a 4GB drive. Named Swifty 3: Home built; Gigabyte GA-71XE4 w/ 800MHz CPU, 224MBs of ram and a 2.5GB drive. Named Pokey 4: Compaq Proliant 6000 Server w/ Quad 200MHz CPUs, 128MBs of ram and a 4.3GB SCSI drive. 
Named Putput All run Gentoo Linux, all run folding. #1 is my desktop, 2, 3, and 4 are set up as servers. -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Strange traffic says I am using windoze and have a bug.
On Sun, Dec 25, 2005 at 11:10:15PM -0600, Dale wrote

Source: 215.146.157.191 (215.146.157.191)
Destination: 205.208.159.31 (205.208.159.31)
User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
Source port: 44356 (44356)
Destination port: 1026 (1026)

[...deletia...]

What is this? Is this some spam and it pops up a window if I were using windoze? I went to the site and it looks like they want to sell something, which I ain't buying by the way. ;-)

How can I tell them to stop this?

Oh, only my main rig does this. My three servers which have no GUI stuff or browsers installed do not get this, that I can see anyway.

A few notes...

1) It's UDP (User Datagram Protocol).

2) UDP is a connectionless protocol, i.e. no 3-way handshake like TCP. That means that the sending software can put any garbage they want in the source-port and source IP address. *DO NOT* complain to the ISP responsible for 215.146.157.191. UDP forgery is trivial.

3) This garbage is spewed out by zombie bots to port 1026 to pop up messages on your screen if you're running the Windows Messenger Service. It'll probably show up if you have Samba configured right/wrong (Ain't Windows emulation wonderful?). Everybody gets hit with it, just like port 135 and 1433 and 1434 scans.

Here's an hour's worth from my router's log. The router is set to reject unsolicited traffic...
Dec 26 18:04:26 221.1.204.251:33054 to UDP port 1026
Dec 26 18:05:46 66.52.125.177:23460 to UDP port 1026
Dec 26 18:06:55 66.188.58.207:4099 to UDP port 1026
Dec 26 18:11:16 221.203.145.54:32939 to UDP port 1026
Dec 26 18:15:55 66.170.205.192:23797 to UDP port 1026
Dec 26 18:17:04 211.172.244.182:9285 to UDP port 1026
Dec 26 18:20:59 218.27.103.206:36380 to UDP port 1026
Dec 26 18:27:02 202.96.87.41:34462 to UDP port 1026
Dec 26 18:27:46 221.1.204.251:33054 to UDP port 1026
Dec 26 18:38:14 202.111.173.85:39549 to UDP port 1026
Dec 26 18:38:17 202.111.173.83:55698 to UDP port 1026
Dec 26 18:38:34 203.39.211.73:7731 to UDP port 1026
Dec 26 18:40:14 218.27.103.206:45829 to UDP port 1026
Dec 26 18:41:07 66.223.176.136:24121 to UDP port 1026
Dec 26 18:42:48 66.138.198.3:7578 to UDP port 1026
Dec 26 18:42:58 66.178.233.47:11540 to UDP port 1026
Dec 26 18:50:08 202.111.173.83:59789 to UDP port 1026
Dec 26 18:55:10 66.35.104.238:27387 to UDP port 1026
Dec 26 18:56:30 202.111.173.85:45304 to UDP port 1026
Dec 26 18:59:42 218.27.103.206:55370 to UDP port 1026

--
Walter Dnes [EMAIL PROTECTED]
In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
--
gentoo-user@gentoo.org mailing list
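Added example, not part of the original thread: since the UDP source address in these datagrams can be forged, a filter or log classifier has to recognise them by payload. The Python code below parses the 80-byte connectionless DCE/RPC header whose fields appear in Dale's capture (version 4, interface 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, opnum 0), extracts the three strings, and rejects datagrams whose lengths do not add up. The function names and the sample datagram are constructed for illustration.

```python
import struct
import uuid

# Values taken from the capture quoted in this thread.
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
OP_NETRSENDMESSAGE = 0
CL_HDR_LEN = 80                      # connectionless DCE/RPC header size
_FIELDS = "16s16s16sIIIHHHHHBB"      # header layout after the first 8 bytes


def parse_cl_header(payload):
    """Return header fields of a DCE/RPC v4 datagram, or None if it is not one."""
    if len(payload) < CL_HDR_LEN or payload[0] != 4:
        return None
    little = (payload[4] >> 4) == 1  # high nibble of drep[0]: 1 = little-endian
    order = "<" if little else ">"
    (_obj, if_id, _act, _boot, if_ver, _seq, opnum, _ihint, _ahint,
     frag_len, _frag_num, auth, _serial_lo) = struct.unpack_from(
        order + _FIELDS, payload, 8)
    iface = uuid.UUID(bytes_le=if_id) if little else uuid.UUID(bytes=if_id)
    return {"ptype": payload[1], "flags1": payload[2], "order": order,
            "interface": iface, "if_ver": if_ver, "opnum": opnum,
            "frag_len": frag_len, "auth_proto": auth}


def read_strings(body, order, count=3):
    """Read NDR strings laid out as max count, offset, actual count, bytes."""
    out, pos = [], 0
    for _ in range(count):
        pos = (pos + 3) & ~3         # each count triple is 4-byte aligned
        if pos + 12 > len(body):
            raise ValueError("truncated string header")
        max_c, offset, actual = struct.unpack_from(order + "III", body, pos)
        pos += 12
        if offset + actual > max_c or pos + actual > len(body):
            raise ValueError("string counts do not fit the datagram")
        text = body[pos:pos + actual].rstrip(b"\0")
        out.append(text.decode("ascii", "replace"))
        pos += actual
    return out


def classify(payload):
    """Label one UDP payload and, for Messenger requests, return its strings."""
    hdr = parse_cl_header(payload)
    if hdr is None:
        return "not-dcerpc", None
    body = payload[CL_HDR_LEN:]
    if hdr["frag_len"] > len(body):
        return "malformed", None
    if (hdr["ptype"], hdr["interface"], hdr["opnum"]) != (
            0, MESSENGER_IF, OP_NETRSENDMESSAGE):
        return "other-dcerpc", None
    try:
        server, client, message = read_strings(body[:hdr["frag_len"]], hdr["order"])
    except ValueError:
        return "malformed", None
    return "messenger", {"server": server, "client": client,
                         "message": message,
                         "unauthenticated": hdr["auth_proto"] == 0}


def build_sample(server, client, message, order="<"):
    """Build a constructed test datagram for the parser (not a real capture)."""
    body = b""
    for s in (server, client, message):
        raw = s.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 4)
        body += struct.pack(order + "III", len(raw), 0, len(raw)) + raw
    if_id = MESSENGER_IF.bytes_le if order == "<" else MESSENGER_IF.bytes
    head = bytes([4, 0, 0x78, 0, 0x10 if order == "<" else 0x00, 0, 0, 0])
    head += struct.pack(order + _FIELDS, bytes(16), if_id, bytes(16),
                        0, 1, 0, OP_NETRSENDMESSAGE, 0xFFFF, 0xFFFF,
                        len(body), 0, 0, 0)
    return head + body


if __name__ == "__main__":
    pkt = build_sample("Microsoft", "constructed sender", "constructed text")
    print(classify(pkt))
    print(classify(pkt[:120]))       # truncated datagram -> malformed
```

Fed the UDP payloads from a capture file, classify() gives a label that does not depend on the source address.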
[gentoo-user] Strange traffic says I am using windoze and have a bug.
Hi guys, and Holly, :D

I'm on dial-up and try to watch my traffic and every once in a while I see a little blip on gkrellm. I fired up ethereal and started to sniff around. Pardon the pun there. LOL This is what it says though which is strange. It's really the last two lines that matter but I am putting the whole thing here just in case. Sorry so long.

No. Time Source Destination Protocol Info
1 0.00 215.146.157.191 205.208.159.31 Messenger NetrSendMessage request

Frame 1 (710 bytes on wire, 710 bytes captured)
    Arrival Time: Dec 25, 2005 22:50:19.101533000
    Time delta from previous packet: 0.0 seconds
    Time since reference or first frame: 0.0 seconds
    Frame Number: 1
    Packet Length: 710 bytes
    Capture Length: 710 bytes
    Protocols in frame: sll:ip:udp:dcerpc
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: MISSING
    Protocol: IP (0x0800)
Internet Protocol, Src: 215.146.157.191 (215.146.157.191), Dst: 205.208.159.31 (205.208.159.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        00.. = Differentiated Services Codepoint: Default (0x00)
        ..0. = ECN-Capable Transport (ECT): 0
        ...0 = ECN-CE: 0
    Total Length: 694
    Identification: 0x7411 (29713)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x2ce4 [correct]
        Good: True
        Bad : False
    Source: 215.146.157.191 (215.146.157.191)
    Destination: 205.208.159.31 (205.208.159.31)
User Datagram Protocol, Src Port: 44356 (44356), Dst Port: 1026 (1026)
    Source port: 44356 (44356)
    Destination port: 1026 (1026)
    Length: 674
    Checksum: 0x (none)
DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 583
    Version: 4
    Packet type: Request (0)
    Flags1: 0x78 Broadcast Idempotent Maybe No Fack
        0... = Reserved: Not set
        .1.. = Broadcast: Set
        ..1. = Idempotent: Set
        ...1 = Maybe: Set
        1... = No Fack: Set
        .0.. = Fragment: Not set
        ..0. = Last Fragment: Not set
        ...0 = Reserved: Not set
    Flags2: 0x00
        0... = Reserved: Not set
        .0.. = Reserved: Not set
        ..0. = Reserved: Not set
        ...0 = Reserved: Not set
        0... = Reserved: Not set
        .0.. = Reserved: Not set
        ..0. = Cancel Pending: Not set
        ...0 = Reserved: Not set
    Data Representation: 10 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: ----
    Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: ----
    Server boot time: Unknown (0)
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0x
    Activity Hint: 0x
    Fragment len: 583
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
    Authentication verifier
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server Max Count: 10 Offset: 0 Actual Count: 10
    Server: Microsoft
    Client Max Count: 35 Offset: 0 Actual Count: 35
    Client: inform you about a virus detection
    Message Max Count: 497 Offset: 0 Actual Count: 497
    Message [truncated]: Windows has detected a virus on your system. In order to remove it please follow this steps:\n\n1. Start Microsoft Internet Explorer or your default web browser.\n2. Type into the navigation bar: http://www.cleanmyreg.

What is this? Is this some spam and it pops up a window if I were using windoze? I went to the site and it looks like they want to sell something, which I ain't buying by the way. ;-)

How can I tell them to stop this?

Oh, only my main rig does this. My three servers which have no GUI stuff or browsers installed do not get this, that I can see anyway.

Another thing a bit off topic. I noticed earlier that there was a post in some foreign language, looked like Japanese or Chinese and looked like spam to me. Later I got one in my personal email. Can someone get my email address from this list? I have got a few emails from people, which is OK as long as it is not spam. Just curious.
I like the list but I didn't know my private email would become public, if this is true. Thanks for any light you can shed on this. Dale :-) -- To err is human, I'm most certainly human. I have four rigs: 1: Home