URGENT HELP! - pop up messages!
Mcville80
April 25th, 2003, 09:56 AM
I am having pop up messages come up as follows:
"Message from ALERT SERVICE to Windows User on 24/04/03 00.16
WARNING - YOUR COMPUTER IS AT RISK!
You have just received this message through an open port on youir computer. This means that anyone can send a message like this, or even use the open port to theor advantage to invade your privac.
Please visit www,BYEBYEADS.com to secure this port and never receive messages like this again.
MAKE SURE YOU WRITE THIS ADDRESS DOWN BEFORE YOU PRESS OK. PRESSING OK WILL NOT AUTOMATICALLY TAKE YOU TO THE WEBSITE.
Go to www.BYEBYEADS.com to stop pop-ups now!"
(I never click on OK but just close them.)
I have Norton Internet Security, have done online port scan checks with Symantec which said all were OK, have checked my Start up programs (only 4 legit ones + 4 desktop.ini ) At the moment I have a trial of TDS but not yet the full version.
Should I have anything to worry about with these messages (a similar one came up in French today) or could it be I still have a buried program somewhere? They are a pain in the ass and I have had at least 4 come up in 2 hrs. I am on Win XP and Broadband.
Thanks for any advice / help!
Pieter_Arntz
April 25th, 2003, 10:06 AM
Hi Mcville80,
The messenger service runs on 95, 98, Me, win2k and XP.
Using the Messenger Service, anyone in the world can send pop-up messages to your computer. You can disable the Messenger service; it's easy to reverse at a later time.
For Windows 2000 and XP this is a way to disable it:
* Go to start and click Run
* Type services.msc
* Double-click on Messenger.
* In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
* Click OK.
This service is indeed being used to spam IP ranges.
No malware needs to be on your computer.
Regards,
Pieter
Pierre
April 25th, 2003, 10:12 AM
Have you been hit with unwanted advertising or Spam? The message you received is the newest form of internet spam. You don't have to have an email account or even a web browser. You received this message due to a built-in feature that Microsoft included in Windows XP, 2000, and NT.
That's the way they start their page on byebyeads...
Pilli
April 25th, 2003, 10:13 AM
Hello Mcville80,
Pieter is correct in his reply but please do not confuse the Messenger Service with MS Instant Messenger. ;D
The messenger service is an Admin service, NOT the Instant messenger service used to chat to your friends. This has confused many people.
CrazyM
April 25th, 2003, 11:41 AM
Hi Mcville80
You should also check your NIS firewall configuration. It should be blocking these. Unless you have a rule allowing it/them.
Regards,
CrazyM
Patrice
April 25th, 2003, 12:50 PM
Hi Mcville80!
If you are already deactivating the Messenger Service, also deactivate the Telnet service as described above by Pieter. You don't need this service... If it's enabled it is a great danger for your security; many hackers try to breach the system by attacking this vulnerable service! ;)
Best regards!
Patrice
JacK
April 25th, 2003, 01:04 PM
Hello,
There are a lot of ways to prevent those messages ;)
on Win2k/XP :
Local Security Strategy : User rights Attribution : Contact this PC from the Network - Select Anybody and delete it. Reboot
(sorry, I translate from French GUI, the terms might differ)
If you need the service on your LAN:
with your FW, block incoming traffic for non-trusted IPs:
135, 137 UDP and 139 TCP
Rgds,
mcville80
April 25th, 2003, 01:34 PM
Thanks folks - I've disabled Messenger, and thanks for clarifying it's not Windows Messenger!!
I'll have a look at the firewall, but any help with that will be appreciated!
Could JacK clarify the process of his advice? Thanks. Or is disabling messenger enough?
At least it's eased any worries about trojans....
Forums like this are a blessing!
:)
mcville80
April 25th, 2003, 01:42 PM
PS - Sorry!
Re: Patrice's advice - deactivating Telnet also - is this also in services.msc, as I couldn't find it listed there?
Thanks.
LowWaterMark
April 25th, 2003, 01:48 PM
Hi mcville,
>> Re: Patrice's advice - deactivating Telnet also - is this also in services.msc, as I couldn't find it listed there?
The Telnet service is not on Windows XP Home Edition, if that is what you are running. It is on WinXP Pro.
HTH,
LowWaterMark
Jooske
April 25th, 2003, 02:00 PM
I was wondering if you can do something nice here with the firewall (blocking the ports 137-139 of course) and your TDS.
It's working a little differently, but you can broadcast and TCP connect with friends of course; see for that part the thread Pierre posted in the TDS forum.
The winpopup service, as it's called on win9* systems, seems to need to be active to receive messages at all, and port 139 not blocked, as far as my own testing went till now. (Thanks to Pieter's explanation recently in the other thread!) Will do some more testing with that in due time.
JacK
April 25th, 2003, 02:12 PM
-{ Quote from mcville80: "
Thanks folks - I've disabled Messenger, and thanks for clarifying it's not Windows Messenger!!
I'll have a look at the firewall, but any help with that will be appreciated!
Could JacK clarify the process of his advice? Thanks. Or is disabling messenger enough?
At least it's eased any worries about trojans....
Forums like this are a blessing!
:)
" }-
Yo mcville80,
If you are running a rules based firewall, just create rules
any App
local port 135, 137, 139, 445
Direction IN
Protocol TCP/UDP
Remote address ANY
Remote Port ANY
If on a LAN, you might want to make rules allowing traffic for the PC on your LAN above this rule.
Disabling the Messenger service is enough for those messages, not enough for your security : ) Enabling ICF is enough, or a rules-based firewall, even without disabling the service if needed.
Rgds,
CrazyM
April 25th, 2003, 03:51 PM
-{ Quote from mcville80: "
I'll have a look at the firewall, but any help with that will be appreciated!
" }-
You will have to check your System Wide, Application and Trojan rules for anything that may be allowing inbound to local service/port 135, 137, 139 or 445 from any remote address. If these messenger pop ups are getting through, you likely have a rule somewhere allowing it. You will have to determine what rule is allowing them and where it is first.
If you are running a version of NIS prior to v4.5, you will find a utility called NIS Rules (http://www.capimonitor.nl/index.htm) very helpful in this regard.
Once you find it, you can assess it (how/why that particular rule ended up being there) and determine what you need to do from there - remove it, modify it to block, or create specific block rules as Jack suggested. If you choose to make global block rules, keep in mind your setup and whether any specific allows may be needed prior to the block rules. Make sure the firewall is set high.
You might also find this site (http://www.gpick.com/agnisrules/index.html) useful for rules in NIS.
Regards,
CrazyM
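Added example (not part of any post in this thread, and not NIS's or any other product's own rule format): a small model of the rule audit JacK and CrazyM describe above, finding which allow rule lets an outside address reach local ports 135, 137, 139 or 445, and showing why the LAN allow rule has to sit above the block rule. It assumes rules are evaluated top-down with the first match deciding and that unmatched inbound traffic is blocked; the rule names, addresses and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Local ports named in the thread for the Messenger/NetBIOS/RPC block rule.
WATCHED_PORTS = (135, 137, 139, 445)

@dataclass(frozen=True)
class Rule:                      # hypothetical rule model, not a real product's
    name: str
    action: str                  # "allow" or "block"
    protocol: str                # "TCP", "UDP" or "TCP/UDP"
    local_ports: tuple           # () means any local port
    remote: str = "ANY"          # "ANY" or a CIDR such as "192.168.1.0/24"

    def matches(self, protocol, local_port, remote_ip):
        if protocol not in self.protocol.split("/"):
            return False
        if self.local_ports and local_port not in self.local_ports:
            return False
        if self.remote == "ANY":
            return True
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)

def decide(rules, protocol, local_port, remote_ip, default="block"):
    """Inbound decision: first matching rule wins (assumed); returns (action, rule name)."""
    for rule in rules:
        if rule.matches(protocol, local_port, remote_ip):
            return rule.action, rule.name
    return default, "(default)"

def exposing_rules(rules, outside_ip="203.0.113.7"):
    """Names of the rules that let an outside address reach a watched port."""
    found = []
    for port in WATCHED_PORTS:
        for proto in ("TCP", "UDP"):
            action, name = decide(rules, proto, port, outside_ip)
            if action == "allow" and name not in found:
                found.append(name)
    return found

# Constructed rule sets.
BLOCK = Rule("Block Messenger ports", "block", "TCP/UDP", WATCHED_PORTS)
LAN_ALLOW = Rule("Allow LAN file sharing", "allow", "TCP/UDP", WATCHED_PORTS, "192.168.1.0/24")
BROAD_ALLOW = Rule("Allow NetBIOS (any remote)", "allow", "UDP", (137, 138))

WEAK = [BROAD_ALLOW, LAN_ALLOW, BLOCK]   # leftover allow rule sits above the block
FIXED = [LAN_ALLOW, BLOCK]               # LAN allow first, then block everyone else
MISORDERED = [BLOCK, LAN_ALLOW]          # block first: the LAN is cut off too

if __name__ == "__main__":
    print("weak rule set exposed by:", exposing_rules(WEAK))
    print("fixed rule set exposed by:", exposing_rules(FIXED))
    print("LAN host, fixed:", decide(FIXED, "TCP", 139, "192.168.1.20"))
    print("LAN host, misordered:", decide(MISORDERED, "TCP", 139, "192.168.1.20"))
```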
Patrice
April 25th, 2003, 04:00 PM
Hi Mcville80,
-{ Quote from Mcville80: "...I have Norton Internet Security, have done online port scan checks with Symantec which said all were OK..." }-
To be honest with you, uninstall NIS and install a new firewall. This firewall isn't protecting you at all!!! I was once myself running NIS and I thought I was secure... There's nothing worse than a firewall which doesn't protect you at all! I did some online tests with this firewall and the results were horrible. Let's call it like this: Doors wide open... :o
Last but not least you don't need just outside-inside protection, but also inside-outside protection and that's where NIS is the worst firewall I ever had! Nothing is blocked at all!! >:(
If you wanna know more about software and so called Leak Tests go to this website and check the results:
http://www.pcflank.com/
Read carefully those two articles:
-Personal firewalls vs Leak Tests
-Personal firewalls vs. Stealth Test, part II
After reading those articles I suppose you will uninstall NIS and install Look'n'Stop! ;D
If you have further questions, don't hesitate to ask!
Best regards!
Patrice
P.S. I almost forgot, there are some nice online tests on the PC Flank Homepage!
InsaneJester
April 30th, 2003, 01:20 PM
Telnet is in services, but I don't know about you, but my Telnet is disabled by default.
Elaine Manna
August 22nd, 2003, 11:06 AM
-{ Quote from InsaneJester: "
Telnet is in services, but I don't know about you, but my Telnet is disabled by default.
" }- ::)
Pieter_Arntz
August 22nd, 2003, 11:12 AM
Hi Elaine Manna,
Are you trying to tell us something? ???
Pieter
Uguel707
August 22nd, 2003, 11:51 AM
from Pieter
-{ Quote: "For Windows 2000 and XP this is a way to disable it:
* Go to start and click Run
* Type services.msc
* Double-click on Messenger.
* In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
* Click OK.
" }-
Hi Pieter!
I've just followed your instructions a while ago, although I can see many services in that list, I don't see "messenger". So I'm wondering how could I get to that feature? My Os is Windows XP NT.
Thankx!
Uguel
Phant0m
August 22nd, 2003, 11:57 AM
-{ Quote from Uguel707: "
from Pieter
-{ Quote: "For Windows 2000 and XP this is a way to disable it:
* Go to start and click Run
* Type services.msc
* Double-click on Messenger.
* In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
* Click OK.
" }-
Hi Pieter!
I've just followed your instructions a while ago, although I can see many services in that list, I don't see "messenger". So I'm wondering how could I get to that feature? My Os is Windows XP NT.
Thankx!
Uguel
" }-
Hey Uguel707
If you're running Windows XP Pro it should be there, unless you used some Anti- utilities which removed that service completely…
Uguel707
August 22nd, 2003, 12:10 PM
Hi Phantom!
No, my OS is windows XP Home Edition Nt.
--that's the way it was set by the tech in case I want to add a new pc connected to it--
But, if I can't see that feature or service from there,
I'm wondering if I can disable it with Look'n' Stop...?
I've only had Look'n' Stop for a week and, as a new user, I set it to default; when I get more familiar working with it, I may apply more security rules.
Thankx,
Uguel
Dan Perez
August 22nd, 2003, 12:13 PM
Hi Uguel,
As long as LnS is blocking all netbios ports, TCP & UDP 135-139 + 445, you will not have any problems with the messenger spam that uses this service.
You should see the service listed in the services applet but if you have these ports blocked you are just as safe.
:)
Uguel707
August 22nd, 2003, 12:25 PM
Thankx a lot to both of you for your quick input!
Well, yes, they are listed there. But I can see them from the "log file" I guess that means they have a clear field?
Don't they?
Uguel
Dan Perez
August 22nd, 2003, 12:29 PM
Hey ;)
As long as they are listed to block you are fine. If they appear in the log that is just background noise from the net hitting your firewall but not going through. Many of the viruses and worms going about the net at present rely on these ports so it is normal to see a lot of corresponding entries in your log.
HTH,
Dan
Phant0m
August 22nd, 2003, 12:30 PM
-{ Quote from Uguel707: "
Thankx a lot to both of you for your quick input!
Well, yes, they are listed there. But I can see them from the "log file" I guess that means they have a clear field?
Don't they?
Uguel
" }-
Using Unmodified EnhancedRulesSet.rls, it should by default block those no problems…
Tassie_Devils
August 23rd, 2003, 02:49 AM
Hi:
Regarding Messenger, etc., one of the things you should download is XPAntispy; this cures a lot of XP "leaks" etc., including Messenger and Auto Windows Media Player updates. See screen shot..
http://www.xp-antispy.org/
It's a German site, but just look for the words "download" and english in it. You will be able to figure it out. v3.72 is latest.
hth .... ;D
Cheers, TAS
msingle
August 24th, 2003, 04:27 AM
The bottom line priority shouldn't necessarily be on getting rid of something that is irritating like these ads but the fact that if someone is getting them their system isn't secure.
The messenger service isn't a hole. It isn't a bug. It is a perfectly legitimate and useful tool that is being used by scum (my opinion) for illegitimate purposes.
In this Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en-us;330904 they say:
"Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to a uninterruptible power supply (UPS). Your antivirus program may use the Messenger service to send you notifications."
"If the Messenger service is stopped, messages from the Alerter service (notifications from your antivirus software, for example) are not transmitted. If the Messenger service is turned off, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log. For this reason, Microsoft recommends that you install a firewall and configure it to block NetBIOS and RPC traffic instead of turning off the Messenger service."
"To resolve this issue, install or turn on a firewall that blocks inbound NetBIOS and UDP broadcast traffic."
While disabling the service will work, why take chances that this messes up functionality elsewhere?
Disabling the service gives a false sense of security. If a person is going to attack your machine he's not going to pop up a message and say "hey do you mind if I read or delete all your important files?". These messages provide sort of a wake up call that you need to secure your computer.
By disabling the messenger service a person may think they are protected and they aren't - they won't get the messages but that doesn't mean they are protected from far worse problems that a properly configured firewall would solve.
When people take the advice to "just disable the messenger service" I think they are winning a minor battle and losing the war if that's all they do and are happy they aren't getting irritated anymore.
Use a firewall. It resolves this issue and many more important ones that can quickly grow to much more than mere irritation.
Mark
LEONARD BAGAROZZO
August 26th, 2003, 10:02 AM
STOP POP UP MESSAGES
Pieter_Arntz
August 26th, 2003, 10:10 AM
Hi LEONARD BAGAROZZO,
If you are getting pop-ups at this site, you have a problem.
Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.
Most of what it lists will be harmless, so do not fix anything yet.
Regards,
Pieter
JOANN COLEMAN
August 29th, 2003, 01:17 AM
:-\ 8) >:( :D
Primrose
August 29th, 2003, 03:22 AM
-{ Quote from Pieter_Arntz: "
Hi Mcville80,
The messenger service runs on 95, 98, Me, win2k and XP.
Using the Messenger Service, anyone in the world can send pop-up messages to your computer. You can disable the Messenger service; it's easy to reverse at a later time.
For Windows 2000 and XP this is a way to disable it:
* Go to start and click Run
* Type services.msc
* Double-click on Messenger.
* In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
* Click OK.
This service is indeed being used to spam IP ranges.
No malware needs to be on your computer.
Regards,
Pieter
" }-
Small clarification here...for 95, 98, Me there is a net send application but you would have to have clicked on the application...have the window for it sitting on your desktop for it to even work to send or receive..and it is not being exploited in any case...the problem exploit exists only with Win 2000 and XP...
********************
How to Stop Pop-up Spam in Windows Systems
A number of Windows NT, 2000 and XP (but not W9X or ME, at least not so far) users have recently been noticing unsolicited pop-up windows displaying a spam message such as an advertisement concerning how to obtain a university diploma. If this happens to you, there is no particular need to worry — your system has not been attacked. What has happened is that someone has sent a message to your system via the messenger service that runs on your system. Turning off the messenger service will help prevent this kind of thing from happening. Here is how to disable the messenger service:
In Windows NT, go to the Control Panel, then to Services. Highlight "Messenger" and click on "Stop."
In Windows 2000 Professional and XP, go to the Control Panel, then to Administrative Tools, and then to Services. Highlight "Messenger" and click on "Stop." You must also set the "Startup Type" to "Disabled." If you do not have enough privileges to disable services or are unsure of exactly how to do this, contact your system administrator.
**********
And if you really want to secure Win XP not only from Popups but rather all the way try this site.
Checklist for Securing Windows XP Systems
http://www.lbl.gov/ICSD/Security/systems/wxp-security-checklist.html#two
Copyright ©2002 - 2012, Wilders Security Forums