Valhalla Legends Forums Archive | General Discussion | [Resolved] Weird Random Dialog

Myndfyr
This pops up randomly.  Spy++ says that it's part of the explorer.exe process!

[img]http://www.jinxbot.net/pub/entnetpw.gif[/img]

When I press escape:

[img]http://www.jinxbot.net/pub/blank.gif[/img]

Any thoughts?
May 26, 2005, 8:42 AM
Ban
Did you check for any strange background processes?
May 26, 2005, 2:51 PM
LW-Falcon
How long has it been doing this?
May 26, 2005, 3:57 PM
iago
Probably a dumb question, but have you done a spyware/virus scan lately? If not, do it :P
May 26, 2005, 9:14 PM
Myndfyr
Hrm, that's odd, I thought I'd mentioned that.

The system checks clean for virii and spyware.

Yes, I checked the background for any odd processes.  I found none.  Like I said, it appears that the window is coming from explorer.exe, although I suppose something could be using code injection.
May 26, 2005, 10:09 PM
iago
Yeah, explorer.exe can be infected with spyware and stuff.  Tried Googling the text in the messagebox?  What happens if you type in a username/password and hit ok? Have you tried packetlogging it?
May 26, 2005, 11:54 PM
Myndfyr
[quote author=iago link=topic=11706.msg113879#msg113879 date=1117151664]
Yeah, explorer.exe can be infected with spyware and stuff.  Tried Googling the text in the messagebox?  What happens if you type in a username/password and hit ok? Have you tried packetlogging it?
[/quote]

I've googled it and come up with nothing.

Packetlogs reveal some kind of XML-encoded message.  I'm at work and can't remember where it goes to offhand, and I can't make the box appear at will.
May 26, 2005, 11:55 PM
K
What OS are you running? If your OS supports it, delete or rename explorer.exe and let system restore do its thing.
May 27, 2005, 12:08 AM
Myndfyr
[quote author=K link=topic=11706.msg113883#msg113883 date=1117152525]
What OS are you running? If your OS supports it, delete or rename explorer.exe and let system restore do its thing.
[/quote]

XP SP2.

Interesting thought.  I'll have to look into that.
May 27, 2005, 12:56 AM
Null
It's definitely a 'jack' or a 'hook' of some sort. Malicious.
May 27, 2005, 3:32 AM
Myndfyr
Okay, I think I figured it out, and oddly, I think it's almost by design.

I noticed that it would happen when I navigated to specific folders.  It frequently happened when I'd navigate to my home folder on my other Windows partition.  I also noticed that the display of the folder would change (it was in thumbnails view) after I closed the dialog.  The folder that changed appearance was "My Documents."  There were two thumbnails it displayed -- one image that I had made myself, and another one that I didn't really recognize, but thought looked like a CD case.

I navigated to the My Music folder within My Documents, where I stored some music.  I didn't see anything, so I turned off the "Hide Protected Operating System Files" option, and sure enough, one of the ultra-hidden files was the CD cover for Paul Coleman - Let it Go.

Anyway, I still don't know why it was doing this.  I have some idea, though -- a couple packet dumps in SSL indicated something to do with Passport.  Since I don't have Windows Messenger on this Windows installation, and I've never integrated my Passport account with this Windows installation, I think it's some attempt to transfer *some* data to Passport, or something.

Here's a partial dump.  Sorry I didn't include to/from or the Passport SSL stuff.  It's just weird.  But I managed to make it stop.

[code]
0000  00 13 10 1b aa 97 00 12  17 64 71 81 08 00 45 00  ........ .dq...E.
0010  00 cf bd db 40 00 80 06  b2 4d c0 a8 01 64 41 36  ....@... .M...dA6
0020  86 bd 05 c2 00 50 28 89  5f 8a 8a f5 32 f2 50 18  .....P(. _...2.P.
0030  44 70 aa 0f 00 00 4f 50  54 49 4f 4e 53 20 2f 20  Dp....OP TIONS /
0040  48 54 54 50 2f 31 2e 31  0d 0a 55 73 65 72 2d 41  HTTP/1.1 ..User-A
0050  67 65 6e 74 3a 20 4d 69  63 72 6f 73 6f 66 74 20  gent: Mi crosoft
0060  44 61 74 61 20 41 63 63  65 73 73 20 49 6e 74 65  Data Acc ess Inte
0070  72 6e 65 74 20 50 75 62  6c 69 73 68 69 6e 67 20  rnet Pub lishing
0080  50 72 6f 76 69 64 65 72  20 43 61 63 68 65 20 4d  Provider  Cache M
0090  61 6e 61 67 65 72 0d 0a  48 6f 73 74 3a 20 77 77  anager.. Host: ww
00a0  77 2e 6d 73 6e 75 73 65  72 73 2e 63 6f 6d 0d 0a  w.msnuse rs.com..
00b0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00c0  30 0d 0a 43 6f 6e 6e 65  63 74 69 6f 6e 3a 20 4b  0..Conne ction: K
00d0  65 65 70 2d 41 6c 69 76  65 0d 0a 0d 0a            eep-Aliv e.... 

0000  00 12 17 64 71 81 00 13  10 1b aa 97 08 00 45 00  ...dq... ......E.
0010  02 7f aa 34 40 00 34 06  10 45 41 36 86 bd c0 a8  ...4@.4. .EA6....
0020  01 64 00 50 05 c2 8a f5  32 f2 28 89 60 31 50 18  .d.P.... 2.(.`1P.
0030  43 c9 42 ae 00 00 48 54  54 50 2f 31 2e 31 20 32  C.B...HT TP/1.1 2
0040  30 30 20 4f 4b 0d 0a 53  65 72 76 65 72 3a 20 4d  00 OK..S erver: M
0050  69 63 72 6f 73 6f 66 74  2d 49 49 53 2f 35 2e 30  icrosoft -IIS/5.0
0060  0d 0a 44 61 74 65 3a 20  46 72 69 2c 20 32 37 20  ..Date:  Fri, 27
0070  4d 61 79 20 32 30 30 35  20 30 39 3a 30 38 3a 35  May 2005  09:08:5
0080  31 20 47 4d 54 0d 0a 53  72 76 3a 47 52 50 57 42  1 GMT..S rv:GRPWB
0090  44 41 56 31 36 0d 0a 50  33 50 3a 43 50 3d 42 55  DAV16..P 3P:CP=BU
00a0  53 20 43 55 52 20 43 4f  4e 6f 20 46 49 4e 20 49  S CUR CO No FIN I
00b0  56 44 6f 20 4f 4e 4c 20  4f 55 52 20 50 48 59 20  VDo ONL  OUR PHY
00c0  53 41 4d 6f 20 54 45 4c  6f 0d 0a 43 6f 6e 6e 65  SAMo TEL o..Conne
00d0  63 74 69 6f 6e 3a 20 63  6c 6f 73 65 0d 0a 53 65  ction: c lose..Se
00e0  74 2d 43 6f 6f 6b 69 65  3a 20 4d 43 31 3d 56 3d  t-Cookie : MC1=V=
00f0  32 26 47 55 49 44 3d 39  37 39 36 38 43 31 43 35  2&GUID=9 7968C1C5
0100  45 34 39 34 36 33 45 39  35 42 34 45 37 45 43 33  E49463E9 5B4E7EC3
0110  42 33 45 32 41 33 41 3b  20 64 6f 6d 61 69 6e 3d  B3E2A3A;  domain=
0120  2e 6d 73 6e 75 73 65 72  73 2e 63 6f 6d 3b 20 65  .msnuser s.com; e
0130  78 70 69 72 65 73 3d 53  61 74 2c 20 30 34 2d 4f  xpires=S at, 04-O
0140  63 74 2d 32 30 30 33 20  30 30 3a 30 30 3a 30 30  ct-2003  00:00:00
0150  20 47 4d 54 3b 20 70 61  74 68 3d 2f 0d 0a 45 78    GMT; pa th=/..Ex
0160  70 69 72 65 73 3a 20 4d  6f 6e 2c 20 31 31 20 4a  pires: M on, 11 J
0170  61 6e 20 31 39 39 39 20  30 31 3a 32 33 3a 34 35  an 1999  01:23:45
0180  20 47 4d 54 0d 0a 43 61  63 68 65 2d 43 6f 6e 74    GMT..Ca che-Cont
0190  72 6f 6c 3a 20 6e 6f 2d  63 61 63 68 65 0d 0a 50  rol: no- cache..P
01a0  72 61 67 6d 61 3a 20 4e  6f 2d 43 61 63 68 65 0d  ragma: N o-Cache.
01b0  0a 4d 53 2d 41 75 74 68  6f 72 2d 56 69 61 3a 20  .MS-Auth or-Via:
01c0  44 41 56 0d 0a 41 63 63  65 70 74 2d 52 61 6e 67  DAV..Acc ept-Rang
01d0  65 73 3a 20 6e 6f 6e 65  0d 0a 44 41 56 3a 20 31  es: none ..DAV: 1
01e0  2c 20 32 0d 0a 4d 53 2d  53 74 6f 72 61 67 65 3a  , 2..MS- Storage:
01f0  20 31 0d 0a 50 75 62 6c  69 63 3a 20 4f 50 54 49    1..Publ ic: OPTI
0200  4f 4e 53 2c 20 54 52 41  43 45 2c 20 47 45 54 2c  ONS, TRA CE, GET,
0210  20 48 45 41 44 2c 20 44  45 4c 45 54 45 2c 20 50    HEAD, D ELETE, P
0220  55 54 2c 20 50 4f 53 54  2c 20 43 4f 50 59 2c 20  UT, POST , COPY,
0230  4d 4f 56 45 2c 20 4d 4b  43 4f 4c 2c 20 50 52 4f  MOVE, MK COL, PRO
0240  50 46 49 4e 44 2c 20 50  52 4f 50 50 41 54 43 48  PFIND, P ROPPATCH
0250  2c 20 4c 4f 43 4b 2c 20  55 4e 4c 4f 43 4b 0d 0a  , LOCK,  UNLOCK..
0260  43 61 63 68 65 2d 43 6f  6e 74 72 6f 6c 3a 20 70  Cache-Co ntrol: p
0270  72 69 76 61 74 65 0d 0a  43 6f 6e 74 65 6e 74 2d  rivate.. Content-
0280  4c 65 6e 67 74 68 3a 20  30 0d 0a 0d 0a            Length:  0.... 

0000  00 13 10 1b aa 97 00 12  17 64 71 81 08 00 45 00  ........ .dq...E.
0010  02 90 bd e1 40 00 80 06  b0 86 c0 a8 01 64 41 36  ....@... .....dA6
0020  86 bd 05 c3 00 50 ac 1a  cf 88 33 ab 05 9a 50 18  .....P.. ..3...P.
0030  44 70 11 6b 00 00 50 52  4f 50 46 49 4e 44 20 2f  Dp.k..PR OPFIND /
0040  20 48 54 54 50 2f 31 2e  31 0d 0a 41 63 63 65 70    HTTP/1. 1..Accep
0050  74 2d 4c 61 6e 67 75 61  67 65 3a 20 65 6e 2d 75  t-Langua ge: en-u
0060  73 0d 0a 43 6f 6e 74 65  6e 74 2d 54 79 70 65 3a  s..Conte nt-Type:
0070  20 74 65 78 74 2f 78 6d  6c 0d 0a 54 72 61 6e 73    text/xm l..Trans
0080  6c 61 74 65 3a 20 66 0d  0a 43 6f 6e 74 65 6e 74  late: f. .Content
0090  2d 4c 65 6e 67 74 68 3a  20 33 38 30 0d 0a 44 65  -Length:  380..De
00a0  70 74 68 3a 20 31 0d 0a  55 73 65 72 2d 41 67 65  pth: 1.. User-Age
00b0  6e 74 3a 20 4d 69 63 72  6f 73 6f 66 74 20 44 61  nt: Micr osoft Da
00c0  74 61 20 41 63 63 65 73  73 20 49 6e 74 65 72 6e  ta Acces s Intern
00d0  65 74 20 50 75 62 6c 69  73 68 69 6e 67 20 50 72  et Publi shing Pr
00e0  6f 76 69 64 65 72 20 44  41 56 20 31 2e 31 0d 0a  ovider D AV 1.1..
00f0  48 6f 73 74 3a 20 77 77  77 2e 6d 73 6e 75 73 65  Host: ww w.msnuse
0100  72 73 2e 63 6f 6d 0d 0a  43 6f 6e 6e 65 63 74 69  rs.com.. Connecti
0110  6f 6e 3a 20 4b 65 65 70  2d 41 6c 69 76 65 0d 0a  on: Keep -Alive..
0120  0d 0a 3c 3f 78 6d 6c 20  76 65 72 73 69 6f 6e 3d  ..<?xml  version=
0130  22 31 2e 30 22 20 3f 3e  0d 0a 3c 70 72 6f 70 66  "1.0" ?> ..<propf
0140  69 6e 64 20 78 6d 6c 6e  73 3d 22 44 41 56 3a 22  ind xmln s="DAV:"
0150  3e 0d 0a 3c 70 72 6f 70  3e 0d 0a 3c 6e 61 6d 65  >..<prop >..<name
0160  2f 3e 0d 0a 3c 70 61 72  65 6e 74 6e 61 6d 65 2f  />..<par entname/
0170  3e 0d 0a 3c 68 72 65 66  2f 3e 0d 0a 3c 69 73 68  >..<href />..<ish
0180  69 64 64 65 6e 2f 3e 0d  0a 3c 69 73 63 6f 6c 6c  idden/>. .<iscoll
0190  65 63 74 69 6f 6e 2f 3e  0d 0a 3c 69 73 72 65 61  ection/> ..<isrea
01a0  64 6f 6e 6c 79 2f 3e 0d  0a 3c 67 65 74 63 6f 6e  donly/>. .<getcon
01b0  74 65 6e 74 74 79 70 65  2f 3e 0d 0a 3c 63 6f 6e  tenttype />..<con
01c0  74 65 6e 74 63 6c 61 73  73 2f 3e 0d 0a 3c 67 65  tentclas s/>..<ge
01d0  74 63 6f 6e 74 65 6e 74  6c 61 6e 67 75 61 67 65  tcontent language
01e0  2f 3e 0d 0a 3c 63 72 65  61 74 69 6f 6e 64 61 74  />..<cre ationdat
01f0  65 2f 3e 0d 0a 3c 6c 61  73 74 61 63 63 65 73 73  e/>..<la staccess
0200  65 64 2f 3e 0d 0a 3c 67  65 74 6c 61 73 74 6d 6f  ed/>..<g etlastmo
0210  64 69 66 69 65 64 2f 3e  0d 0a 3c 67 65 74 63 6f  dified/> ..<getco
0220  6e 74 65 6e 74 6c 65 6e  67 74 68 2f 3e 0d 0a 3c  ntentlen gth/>..<
0230  72 65 73 6f 75 72 63 65  74 79 70 65 2f 3e 0d 0a  resource type/>..
0240  3c 69 73 73 74 72 75 63  74 75 72 65 64 64 6f 63  <isstruc tureddoc
0250  75 6d 65 6e 74 2f 3e 0d  0a 3c 64 65 66 61 75 6c  ument/>. .<defaul
0260  74 64 6f 63 75 6d 65 6e  74 2f 3e 0d 0a 3c 64 69  tdocumen t/>..<di
0270  73 70 6c 61 79 6e 61 6d  65 2f 3e 0d 0a 3c 69 73  splaynam e/>..<is
0280  72 6f 6f 74 2f 3e 0d 0a  3c 2f 70 72 6f 70 3e 0d  root/>.. </prop>.
0290  0a 3c 2f 70 72 6f 70 66  69 6e 64 3e 0d 0a        .</propf ind>.. 

0000  00 12 17 64 71 81 00 13  10 1b aa 97 08 00 45 00  ...dq... ......E.
0010  03 0f 9d 61 40 00 34 06  1c 88 41 36 86 bd c0 a8  ...a@.4. ..A6....
0020  01 64 00 50 05 c3 33 ab  05 9a ac 1a d1 f0 50 18  .d.P..3. ......P.
0030  42 08 ab 17 00 00 48 54  54 50 2f 31 2e 31 20 33  B.....HT TP/1.1 3
0040  30 32 20 4f 62 6a 65 63  74 20 6d 6f 76 65 64 0d  02 Objec t moved.
0050  0a 53 65 72 76 65 72 3a  20 4d 69 63 72 6f 73 6f  .Server:  Microso
0060  66 74 2d 49 49 53 2f 35  2e 30 0d 0a 44 61 74 65  ft-IIS/5 .0..Date
0070  3a 20 46 72 69 2c 20 32  37 20 4d 61 79 20 32 30  : Fri, 2 7 May 20
0080  30 35 20 30 39 3a 30 38  3a 35 32 20 47 4d 54 0d  05 09:08 :52 GMT.
0090  0a 53 72 76 3a 47 52 50  57 42 44 41 56 31 33 0d  .Srv:GRP WBDAV13.
00a0  0a 50 33 50 3a 43 50 3d  42 55 53 20 43 55 52 20  .P3P:CP= BUS CUR
00b0  43 4f 4e 6f 20 46 49 4e  20 49 56 44 6f 20 4f 4e  CONo FIN  IVDo ON
00c0  4c 20 4f 55 52 20 50 48  59 20 53 41 4d 6f 20 54  L OUR PH Y SAMo T
00d0  45 4c 6f 0d 0a 53 65 74  2d 43 6f 6f 6b 69 65 3a  ELo..Set -Cookie:
00e0  20 4d 43 31 3d 56 3d 32  26 47 55 49 44 3d 46 32    MC1=V=2 &GUID=F2
00f0  37 35 44 30 41 36 37 34  42 32 34 42 33 46 39 42  75D0A674 B24B3F9B
0100  33 43 32 41 41 33 41 30  34 34 34 35 43 44 3b 20  3C2AA3A0 4445CD;
0110  64 6f 6d 61 69 6e 3d 2e  6d 73 6e 75 73 65 72 73  domain=. msnusers
0120  2e 63 6f 6d 3b 20 65 78  70 69 72 65 73 3d 53 61  .com; ex pires=Sa
0130  74 2c 20 30 34 2d 4f 63  74 2d 32 30 30 33 20 30  t, 04-Oc t-2003 0
0140  30 3a 30 30 3a 30 30 20  47 4d 54 3b 20 70 61 74  0:00:00  GMT; pat
0150  68 3d 2f 0d 0a 43 6f 6e  74 65 6e 74 2d 54 79 70  h=/..Con tent-Typ
0160  65 3a 20 74 65 78 74 2f  68 74 6d 6c 0d 0a 4c 6f  e: text/ html..Lo
0170  63 61 74 69 6f 6e 3a 20  68 74 74 70 3a 2f 2f 6c  cation:  http://l
0180  6f 67 69 6e 2e 70 61 73  73 70 6f 72 74 2e 63 6f  ogin.pas sport.co
0190  6d 2f 6c 6f 67 69 6e 2e  73 72 66 3f 6c 63 3d 31  m/login. srf?lc=1
01a0  30 33 33 26 69 64 3d 31  39 32 39 26 72 75 3d 68  033&id=1 929&ru=h
01b0  74 74 70 25 33 41 25 32  46 25 32 46 77 77 77 25  ttp%3A%2 F%2Fwww%
01c0  32 45 6d 73 6e 75 73 65  72 73 25 32 45 63 6f 6d  2Emsnuse rs%2Ecom
01d0  25 32 46 44 41 56 25 35  46 4c 6f 67 69 6e 52 65  %2FDAV%5 FLoginRe
01e0  74 75 72 6e 25 32 45 6d  73 6e 77 26 74 77 3d 34  turn%2Em snw&tw=4
01f0  33 32 30 30 26 6b 76 3d  36 26 63 74 3d 31 31 31  3200&kv= 6&ct=111
0200  37 31 38 34 39 33 32 26  6b 70 70 3d 31 26 76 65  7184932& kpp=1&ve
0210  72 3d 32 2e 31 2e 30 31  37 33 2e 31 26 74 70 66  r=2.1.01 73.1&tpf
0220  3d 39 64 64 39 62 36 66  61 36 66 38 32 37 38 36  =9dd9b6f a6f82786
0230  61 31 62 34 63 63 62 66  38 37 30 63 35 64 34 63  a1b4ccbf 870c5d4c
0240  64 0d 0a 43 6f 6e 74 65  6e 74 2d 4c 65 6e 67 74  d..Conte nt-Lengt
0250  68 3a 20 30 0d 0a 57 57  57 2d 41 75 74 68 65 6e  h: 0..WW W-Authen
0260  74 69 63 61 74 65 3a 20  50 61 73 73 70 6f 72 74  ticate:  Passport
0270  31 2e 34 20 6c 63 3d 31  30 33 33 2c 69 64 3d 31  1.4 lc=1 033,id=1
0280  39 32 39 2c 74 77 3d 34  33 32 30 30 2c 72 75 3d  929,tw=4 3200,ru=
0290  68 74 74 70 25 33 41 25  32 46 25 32 46 77 77 77  http%3A% 2F%2Fwww
02a0  25 32 45 6d 73 6e 75 73  65 72 73 25 32 45 63 6f  %2Emsnus ers%2Eco
02b0  6d 25 32 46 44 41 56 25  35 46 4c 6f 67 69 6e 52  m%2FDAV% 5FLoginR
02c0  65 74 75 72 6e 25 32 45  6d 73 6e 77 2c 63 74 3d  eturn%2E msnw,ct=
02d0  31 31 31 37 31 38 34 39  33 32 2c 6b 70 70 3d 31  11171849 32,kpp=1
02e0  2c 6b 76 3d 36 2c 76 65  72 3d 32 2e 31 2e 30 31  ,kv=6,ve r=2.1.01
02f0  37 33 2e 31 2c 74 70 66  3d 65 34 36 65 33 36 35  73.1,tpf =e46e365
0300  63 63 62 33 61 62 62 63  65 30 65 38 35 35 30 61  ccb3abbc e0e8550a
0310  65 37 39 33 64 64 34 61  61 0d 0a 0d 0a            e793dd4a a.... 
[/code]
May 27, 2005, 10:02 AM
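A small parser, added here and not part of the original thread, that rebuilds the first frame of the dump above from its hex column, strips the Ethernet/IPv4/TCP headers, and reads the HTTP head. The check it ends with is my own: the User-Agent in the capture is the string used by MSDAIPP, the Web Folders (WebDAV) client that explorer.exe loads in-process, which is consistent with the dialog showing up under explorer.exe without any injected code.

```python
# First frame of the dump above, copied verbatim (Ethereal layout: offset, up to
# 16 hex bytes, then an ASCII column that the parser ignores).
SAMPLE_DUMP = """\
0000  00 13 10 1b aa 97 00 12  17 64 71 81 08 00 45 00  ........ .dq...E.
0010  00 cf bd db 40 00 80 06  b2 4d c0 a8 01 64 41 36  ....@... .M...dA6
0020  86 bd 05 c2 00 50 28 89  5f 8a 8a f5 32 f2 50 18  .....P(. _...2.P.
0030  44 70 aa 0f 00 00 4f 50  54 49 4f 4e 53 20 2f 20  Dp....OP TIONS /
0040  48 54 54 50 2f 31 2e 31  0d 0a 55 73 65 72 2d 41  HTTP/1.1 ..User-A
0050  67 65 6e 74 3a 20 4d 69  63 72 6f 73 6f 66 74 20  gent: Mi crosoft
0060  44 61 74 61 20 41 63 63  65 73 73 20 49 6e 74 65  Data Acc ess Inte
0070  72 6e 65 74 20 50 75 62  6c 69 73 68 69 6e 67 20  rnet Pub lishing
0080  50 72 6f 76 69 64 65 72  20 43 61 63 68 65 20 4d  Provider  Cache M
0090  61 6e 61 67 65 72 0d 0a  48 6f 73 74 3a 20 77 77  anager.. Host: ww
00a0  77 2e 6d 73 6e 75 73 65  72 73 2e 63 6f 6d 0d 0a  w.msnuse rs.com..
00b0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00c0  30 0d 0a 43 6f 6e 6e 65  63 74 69 6f 6e 3a 20 4b  0..Conne ction: K
00d0  65 65 70 2d 41 6c 69 76  65 0d 0a 0d 0a            eep-Aliv e....
"""

def dump_to_bytes(dump):
    """Rebuild the raw frame: at most 16 hex pairs per line after the offset;
    the first token that is not a hex pair starts the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:
            if len(tok) != 2 or not all(c in "0123456789abcdef" for c in tok.lower()):
                break
            out.append(int(tok, 16))
    return bytes(out)

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 (honouring IHL) and TCP (honouring data offset)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def parse_http(payload):
    """Return (start line, lower-cased header dict) from an HTTP message head."""
    start, *fields = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (f.partition(":") for f in fields)}
    return start, headers

def explain(dump):
    """Method, target host, and whether the User-Agent is the MSDAIPP Web Folders client."""
    start, h = parse_http(tcp_payload(dump_to_bytes(dump)))
    return {"method": start.split()[0], "host": h.get("host", ""),
            "msdaipp": h.get("user-agent", "").startswith(
                "Microsoft Data Access Internet Publishing Provider")}
```

The same three functions apply unchanged to the other frames in the dump; the third frame decodes to a WebDAV PROPFIND with the XML body the earlier post mentions, and the fourth to the 302 pointing at login.passport.com.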
