Anyone heard of msses.exe?

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    6

    Question Anyone heard of msses.exe?

    Hello. Just found this site (would have helped if I had known it was here a few months ago). Anyway, I've been fighting adware/spyware/malware for a while. Recently I got a new small popup window (DSL always-on connection running XP through a Netgear gateway/firewall and McAfee firewall software) trying to get me to follow a link for... you guessed it... software to prevent popups, adware... (at least they have a sense of humor).

    The link leads to a likesurfing.com site that I have included in my HOSTS file. I think I have isolated this to an app called msses.exe. I have deleted it from the system32 folder and from the windows\prefetch folder. I have searched for it in the registry and found one key (that I didn't note the name of) which I deleted. I thought I had removed it at first... it stayed away for several hours, but it comes back. I can delete it again, and it will go away for 5 - 6 hours, but keeps coming back... right back in the windows\system32 folder and the windows\prefetch folder.

    Anyone heard of this thing or have any ideas how I can prevent it from continuing to load? I can't find any reference to it on the web. None of my spy/adware anti-hijack software even picks up that anything has happened... so it makes me think something else is in the registry that I can't find.

    thanks

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Try getting the latest version of SpyBot Search & Destroy, open it in advanced mode and go into tools... check out what is in the various sections there... BHOs etc.

    Also get WinSonar and run it, it should catch the program running in the background when it kicks off.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    6
    Already tried this option through SpyBot, but haven't used WinSonar. I'll give that a go!
    Thanks nihil!

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    MsMittens is suspecting it's either "Microsoft Security Services blah blah" or "McAfee Security Services blah blah" relating to the firewall.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Junior Member
    Join Date
    May 2004
    Posts
    6
    Originally posted here by MsMittens
    MsMittens is suspecting it's either "Microsoft Security Services blah blah" or "McAfee Security Services blah blah" relating to the firewall.
    I wondered that at first and figured if I deleted anything "important" it would just ask to be re-installed. But when I deleted it... the popup program did stop for a while. Are you thinking that this is some type of exploit maybe?

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Although the "Big Guns" are already trying to help, I was wondering if you poked through your registry looking for anything related to likesurfing.com?

    Then the next question (although it may seem dumb) is does the pop-up occur when you are surfing? I had one that would pop every few hours whether I was on the net or not...it took blocking everything at the firewall and reviewing the logs to finally track it down.



    You didn't say what type of browser you had (at least I didn't see it listed). Does it happen if you use another browser?

    My suspicion is that it is a messenger service pop-up...unless you already have that disabled of course.

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    personally, I think it's malware.. if you search google on it you will find a number of hijackthis logs and not many answers.. the logs look mostly like one of the coolwebsearch's latest variations (and this one doesn't get fixed by cwshredder)

    sample of what I mean about CWS will have something like this..

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cjo.dll/sp.html (obfuscated)

    with the cjo.dll being a semi-random dll name followed by the sp.dll

    the only thread I found that looked like it had answers (but not in english) and had this file was here.

    you could go looking through threads for answers in this google search and you'll see that this hijack is most commonly seen as the "about:blank" (another thing to search upon)

    I think we should start off by having you post your hijackthis log.
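
The res:// search-bar entry quoted in post #7, turned into a check that can be run over a saved HijackThis log. This is an added example, not part of the original thread; the sample log is constructed around the one line quoted above, and the function names are this example's own.

```python
import re

# R-section line as quoted in the post: "R1 - <key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# res:// URL that serves a page out of a DLL, e.g. res://C:\...\cjo.dll/sp.html
RES_DLL = re.compile(r"res://(?P<dll>[^/]+?\.dll)/(?P<page>\S+)", re.IGNORECASE)

# Constructed sample: the second line is the one quoted in the thread, the
# rest are made-up entries in the same log format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cjo.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cjo.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Example ISP
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

def find_res_hijacks(log_text):
    """Return one dict per R-line whose data is a res:// URL into a DLL."""
    hits = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if not m:
            continue  # not an R-section registry line
        res = RES_DLL.search(m.group("data"))
        if not res:
            continue  # ordinary URL or plain value, nothing to flag
        dll = res.group("dll")
        hits.append({
            "section": m.group("sec"),
            "key": m.group("key").strip(),
            "value": m.group("name").strip(),
            "dll": dll,
            "dll_name": dll.rsplit("\\", 1)[-1].lower(),
            "page": res.group("page"),
            "obfuscated": m.group("data").rstrip().endswith("(obfuscated)"),
        })
    return hits

def dlls_to_inspect(hits):
    """Distinct DLL paths referenced by the flagged entries, for follow-up on disk."""
    return sorted({h["dll"] for h in hits})

if __name__ == "__main__":
    found = find_res_hijacks(SAMPLE_LOG)
    for h in found:
        print(h["section"], h["key"], "->", h["value"], "=", h["dll_name"], h["page"])
    print("inspect:", dlls_to_inspect(found))
```

A hit only shows that a browser setting points into a DLL; the DLL named in the output still has to be examined on disk.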

  8. #8
    Junior Member
    Join Date
    May 2004
    Posts
    6
    I have looked through the registry for likesurfing references. Popup occurs when surfing, when not surfing either way. Even if system is idle it has happened. I've tried HijackThis, I've gotten rid of MS virtual machine in favor of Sun's Java app, messenger services and ActiveX controls I will have to check on.

    I will post hijackthis log tomorrow morning (I'm GMT -5)

    thanks already for all your great advice!

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. the popups might be because of the Messenger Service. Have you disabled that?

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Too bad you have removed it. You could have used Process Explorer to perhaps see a little more info on exactly what it was up to. Personally, I haven't heard of this process but I can tell you that it isn't a standard Windows process.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
