Anyone get messages displayed on screen?
PhiloVance
June 5th, 2003, 10:21 PM
This has really got me bugged; I've gotten about 4 of these (that I've been able to save) and I have no idea what's happening.
Running eTrust AV, up to date; Kerio Firewall 2.1.5, which tests out OK at GRC (LeakTest and Shields Up); Win XP Home on a Dell 450 Pentium II, 384 MB RAM.
View at http://members.cox.net/~philosopher_king/weird_msg3.jpg
spy1
June 6th, 2003, 01:38 AM
Philo - Turning off your Windows Messenger Service will probably solve the problem.
Do you need/use it for anything? Pete
CrazyM
June 6th, 2003, 01:55 AM
Hi PhiloVance
You might want to review your firewall rule set as that should not be getting in unless you have allowed it.
Regards,
CrazyM
Jooske
June 6th, 2003, 02:05 AM
Some time ago Pieter posted in several places this instruction:
Unfortunately, what you're experiencing is no regular pop-up that any popup stopper so far can take care of. It's a service from Microsoft that is installed and started by default as a service for all their customers (even if they don't need it, or want it). This is how to disable it:
Windows 2000
Click Start-> Programs-> Administrative Tools->Services
Scroll down and highlight "Messenger"
Right-click the highlighted line and choose Properties.
Click the STOP button.
Select Disable or Manual in the Startup Type scroll bar
Click OK
Windows XP
Click Start->Settings->Control Panel
Click Administrative Tools
Double click Services
Scroll down and highlight "Messenger"
Right-click the highlighted line and choose Properties.
Click the STOP button/link.
Hope it helps!
CrazyM
June 6th, 2003, 02:21 AM
A convenient test site for this specific issue can be found here (http://www.mynetwatchman.com/winpopuptester.asp), along with other prevention info after the test.
Regards,
CrazyM
PhiloVance
June 6th, 2003, 12:25 PM
OK, I went to the site mentioned by CrazyM and tested; it tested OK, in other words I got no message. Also I turned off Messenger Service long ago when I first got XP, so that's not it. As I mentioned I use Kerio and I checked it against Steve Gibson's LeakTest and Shields Up programs. No apparent holes.
http://discussions.virtualdr.com/showthread.php?s=&threadid=138063&highlight=messenger+service
The above link at VDr sort of describes my situation especially what Ridgerunr has to say. I honestly don't think this is Windows Messenger, I think it's a well hidden Trojan. Can anyone recommend a Trojan checker?
Thanks.
spy1
June 6th, 2003, 01:44 PM
Philo - And you just now checked to see if it was still turned off?
With the recent spate of M$ updates we've had lately, one never knows if they decided to turn it back on for some reason.....
Other than that, I'm fresh out of ideas, sorry - but it really doesn't sound like malware. Pete
Pieter_Arntz
June 6th, 2003, 02:25 PM
Hi PhiloVance,
Use either Adaware 6 (http://www.lavasoftusa.com) or Spybot S&D (http://security.kolla.de/) (or both) to check your computer for spyware. Make sure to get the latest updates for both before scanning.
Regards,
Pieter
PhiloVance
June 6th, 2003, 03:08 PM
spy1 and Pieter
Thanks for your concern. Will check out a few more things.
I'll keep this link updated as to any progress I've made. :(
Just recently found this: I don't usually use IE, but I do have it installed. Scary, isn't it?
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
Pieter_Arntz
June 6th, 2003, 03:24 PM
> Quoting PhiloVance:
> spy1 and Pieter
> Thanks for your concern. Will check out a few more things.
> I'll keep this link updated as to any progress I've made. :(
Hi PhiloVance,
Please do keep us posted. We'll work our way up the malware ladder to find the culprit. From experience I'd say, if it isn't an open port, chances are big it's spyware.
And if it is we´ll find it. ;)
Regards,
Pieter
PhiloVance
June 6th, 2003, 10:12 PM
Ok, it's been a week, so I ran Ad-Aware and Spybot after downloading the latest updates. Found a variety of things as follows:
Here's the link to a screen dump of the Spybot stuff:
http://members.cox.net/~philosopher_king/Spybot_dso_exploit.jpg
This looks like it may refer to the link I mentioned earlier about the IE security hole.
Here's a text file of the Adaware Log (bugs are listed at the bottom of the report):
http://members.cox.net/~philosopher_king/Adaware_log_20030606.TXT
I am running Win XP Home and I am the administrator (pat). I noticed that all the cookies, exploits, etc. are under the limited users: joseph, kids, francis and diana. I have SpywareBlaster installed but perhaps I don't have it set right. Appreciate some direction on this.
Note: I have not, repeat not, removed these items in case there's more you want to know. Let me know if I should remove these or not. Thanks.
Pieter_Arntz
June 7th, 2003, 05:43 AM
Hi PhiloVance,
About user profiles and SpywareBlaster: http://www.wilderssecurity.com/showthread.php?t=9874
One of joseph´s cookies led me to a very dubious site:
hxxp://www.clickslink.com/programs/popupsponsor.html
(I changed http to hxxp to avoid unwanted visits)
Everything AdAware and Spybot found can be removed.
Regards,
Pieter
JayK
June 7th, 2003, 08:27 AM
> Quoting PhiloVance:
> Ok, it's been a week, so I ran Ad-Aware and Spybot after downloading the latest updates. Found a variety of things as follows:
> Here's the link to a screen dump of the Spybot stuff:
> http://members.cox.net/~philosopher_king/Spybot_dso_exploit.jpg
> This looks like it may refer to the link I mentioned earlier about the IE security hole.
> Here's a text file of the Adaware Log (bugs are listed at the bottom of the report):
> http://members.cox.net/~philosopher_king/Adaware_log_20030606.TXT
> I am running Win XP Home and I am the administrator (pat). I noticed that all the cookies, exploits, etc. are under the limited users: joseph, kids, francis and diana. I have SpywareBlaster installed but perhaps I don't have it set right. Appreciate some direction on this.
> Note: I have not, repeat not, removed these items in case there's more you want to know. Let me know if I should remove these or not. Thanks.
There doesn't seem to be anything major (mainly tracking cookies), not to the extent of causing the popup.
I'm still betting it's Messenger spam. Are you sure you got UDP 135 and TCP 139,445 covered?
PhiloVance
June 8th, 2003, 05:38 PM
The latest: last night I ran Ad-Aware again and removed all 14 of the trackers; ran Spybot S&D also, but surprisingly I got no hits, so clean on that. I went to the MS site and downloaded 3 security patches, one for the browser IE6 which I occasionally use, one for XP itself and another one of what I'm not sure. Anyway I downloaded and installed all of them. Today on another forum I found out Ad-Aware had a new sig file released today, so downloaded that and ran again and got a clean bill of health. Have had no 'messenger messages' since I installed the security patches (which was about 7pm last night - local time). Here's keeping my fingers crossed.
spy1
June 9th, 2003, 11:46 AM
Philo - Did the message look something like this screenshot?
If so, are you using AIM or Kazaa? Pete
Pieter_Arntz
June 9th, 2003, 11:51 AM
Hi Pete,
PhiloVance added a screenshot in his first post. I took the liberty of taking out the relevant part and will attach it to this post.
I'm interested in what you got there though.
Do you get these with KaZaa (or derivatives) running?
Regards,
Pieter
PhiloVance
June 9th, 2003, 11:55 AM
Very similar, see: http://members.cox.net/~philosopher_king/weird_msg3.jpg
But, no, I don't use Kazaa. I don't use AIM at least that I know of, or Yahoo, or ICQ or any of those things.
Since I installed the MS security patches on Saturday night, I haven't had any messages. Will see how it goes. Thanks for everyone's concern.
PV 8)
spy1
June 9th, 2003, 12:57 PM
Okay, his (Philo's) was definitely Messenger spam, then. (The updates should take care of them, I hope).
Yes, K and KL both have an IM feature - if you elect to use it.
You can either use an "Ignore" list function to block specific individuals ("Options/Messages" tab) , or, there's a box there that you can checkmark that says "Ignore all incoming messages" (which is the way anyone should have that setting set). Pete
Detox
June 9th, 2003, 01:52 PM
I got Win2000 not too long ago and I heard about this stuff on this board before... But I've never looked for the feature; figured I would do it when I got the first "pop up" as you might call it... the message... But it's never happened and my IP is pretty static on cable (unless I reboot modem) so I guess Sygate Personal Firewall must be blocking it? I couldn't have just been lucky for months, right?
spy1
June 9th, 2003, 02:01 PM
I was! <g> Pete
PhiloVance
June 10th, 2003, 11:20 PM
Well, some good news and some bad news:
Bad news first:
So much for MS 'security patches'. I got another one of those messages, it can be viewed at the links below. At the same time I got a screen dump of the processes running (suggested by someone on alt.comp.freeware). It's a total of 3 pictures as one would not cover it all.
Pic on apps running: http://members.cox.net/~philosopher_king/msgr_plus_app.jpg
Pic 1 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc1.jpg
Pic 2 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc2.jpg
Excuse me, but I'm not real good at picture links. ;)
Good news:
I got to checking around and one of the persons replying in the alt.comp.freeware thread suggested this: http://grc.com/stm/ShootTheMessenger.htm . It's from Steve Gibson, and I've installed it. In case you're interested the discussion started on 6/9/03 and is titled "A spyware in my pc if anyone else had the same issue ..."
Other info:
I actually got to see one display the other day and just before it displayed I observed a little box on the screen doing something. A very small box somewhat like you get for a download meter. Then the little box disappeared and I got the message. Another item I've noticed is I never used to get these on Win 98, so it's an XP thing, I think. I don't know how much closer I'm getting to the solution, but I am doing something. ;)
Perhaps you've noticed, but the message seems to stay on top no matter what you do (except click OK, then it goes away).
JayK
June 11th, 2003, 10:22 AM
Well it makes switching off the Messenger service a one-click affair, otherwise I don't see any advantage versus doing it manually.
Regardless, if you are using a firewall and still get Messenger spam, I would be very concerned; clearly you are doing something wrong with your firewall rules.
PhiloVance
June 11th, 2003, 06:56 PM
JayK..You're probably right, but the catcher is I thought I had the messenger shut off (from doing it manually) but with GRC's shoot the messenger program it noted I had it on. I'm using yosponge's Kerio Rules, as I don't have the knowledge to set them up myself...plus of course, some I've added.
Hey, at this point I'll try anything. :P
spy1
June 12th, 2003, 12:37 AM
You know, during the course of this discussion, I noticed the same thing myself.
Even though I had the WindowsMessenger service turned off, SG's utility said it was still on - so I nailed it again with "ShoottheMessenger". (Hey, it couldn't hurt, right?).
Very puzzling. Pete
JayK
June 12th, 2003, 09:19 AM
> Quoting spy1:
> You know, during the course of this discussion, I noticed the same thing myself.
> Even though I had the WindowsMessenger service turned off, SG's utility said it was still on - so I nailed it again with "ShoottheMessenger". (Hey, it couldn't hurt, right?).
> Very puzzling. Pete
Could be ShootTheMessenger misfiring. Anyway it's simple to test if Messenger is on..
It's possible that you might even accidentally turn on the Messenger service with that tool if it just toggles the service off and on.
I recommend you do this to test.
Open a DOS box, type net send 127.0.0.1 test and see if you get a popup.
If you get some error message about lacking some component or whatnot, the Messenger service is not running.
HossMonkey
June 17th, 2003, 11:04 AM
This explains it & helps to fix it! Worked for me! I use ICQ; it has more features & loads when I want it to load!
http://www.blkviper.com/AskBV/tech8.htm
spy1
June 17th, 2003, 11:19 AM
Glad to see that you've got it figured out and taken care of, HM. Pete
HossMonkey
June 17th, 2003, 11:50 AM
Well I was looking for a suggestion thread & stumbled across this thread. I actually turned it off a while back & then while looking for info on turning off unnecessary XP apps I found http://www.blkviper.com/AskBV/tech8.htm. I just hope the folks read it as it's pretty informative.
The main test is just like JayK's but with a little more detail:
To test for this security vulnerability, at the command prompt, (run: cmd.exe) type:
net send 127.0.0.1 hi
If you get a popup “hi” message, you should disable the Messenger service.
Read this link: http://www.blkviper.com/AskBV/tech8.htm
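An added PowerShell check, not from the thread or any of its posters, that scripts the disable-and-verify procedure described above (the Services console steps to stop and disable "Messenger", then the net send 127.0.0.1 loopback test) and lists the ports JayK named. It assumes a Windows 2000/XP host where the Messenger service still exists and PowerShell 2.0 is installed.

```powershell
# Added example (not from the thread): check, disable and verify the Windows
# Messenger service, the vector behind "net send" pop-up spam.
# Assumes Windows 2000/XP with PowerShell 2.0; Vista and later removed the service.

$svc = Get-Service -Name 'Messenger' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'No Messenger service on this host (Vista and later removed it).'
    return
}

# Startup type is not on the Get-Service object in PS 2.0, so read it via WMI.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
Write-Output ('Before: status={0} startmode={1}' -f $svc.Status, $wmi.StartMode)

# Same effect as the Services console steps: Stop, then Startup Type = Disabled.
if ($svc.Status -eq 'Running') { Stop-Service -Name 'Messenger' -Force }
Set-Service -Name 'Messenger' -StartupType Disabled

# Loopback test from the thread. With the service stopped, net send reports an
# error (non-zero exit code) instead of showing a "test" pop-up.
$null = cmd /c 'net send 127.0.0.1 test 2>&1'
if ($LASTEXITCODE -ne 0) {
    Write-Output 'net send to 127.0.0.1 failed: Messenger is not accepting messages.'
} else {
    Write-Output 'net send succeeded: a pop-up appeared, so the service is still running.'
}

# The ports JayK lists (UDP 135, TCP 139/445) plus NetBIOS UDP 137/138 are
# normally open on the host itself; the firewall must block them from outside the LAN.
$watch = @{ 'UDP' = @(135, 137, 138); 'TCP' = @(139, 445) }
netstat -an | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(LISTENING)?') {
        $proto = $matches[1]; $port = [int]$matches[2]
        if ($watch[$proto] -contains $port -and
            ($proto -eq 'UDP' -or $matches[3] -eq 'LISTENING')) {
            Write-Output ('Locally open: {0} {1} - confirm the firewall blocks it inbound from the Internet' -f $proto, $port)
        }
    }
}
```

Run it from an administrator PowerShell prompt; the final section only reports what the host is listening on, so an entry there means "check the firewall rule", not "the port is reachable from outside".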
JayK
June 17th, 2003, 12:41 PM
> Quoting PhiloVance:
> JayK..You're probably right, but the catcher is I thought I had the messenger shut off (from doing it manually) but with GRC's shoot the messenger program it noted I had it on. I'm using yosponge's Kerio Rules, as I don't have the knowledge to set them up myself...plus of course, some I've added.
> Hey, at this point I'll try anything. :P
In theory Kerio or most firewalls out of the box will protect you from Messenger spam. If your firewall is set up correctly, you have no need to close the Messenger service, since sometimes it might be required by certain AV proggies or whatnot.
HossMonkey
June 17th, 2003, 03:44 PM
I'm not sure that's correct, because the spam is coming through a hole/bug in Messenger & if you have your firewall set up to allow Messenger to transmit & receive, you are then allowing the spam message to be received through the hole/bug in Messenger.
Pieter_Arntz
June 17th, 2003, 03:56 PM
Hi HossMonkey,
I'm afraid you're mixing two things up. Very understandably by the way.
The Windows Messenger service and Windows Messenger (the chat client) work completely independently.
You can disable the service without any effect on the chat client. Also closing the ports for the service will not affect your ability to chat.
Regards,
Pieter
HossMonkey
June 17th, 2003, 05:01 PM
Thanks for the INFO!
PhiloVance
June 17th, 2003, 08:58 PM
Ok, I'm the one that started this thread and it's almost been a week since I applied Steve Gibson's shootthemessenger patch and I haven't gotten any more. So, not saying the patch is the solution, but so far it appears to be.
Anyway, thought I'd check back and let you people know what's happened.
8)
Dan Perez
June 17th, 2003, 09:06 PM
Cool! Thanks for the follow-up.
JayK
June 18th, 2003, 07:33 AM
> Quoting Pieter_Arntz:
> Hi HossMonkey,
> I'm afraid you're mixing two things up. Very understandably by the way.
> The Windows Messenger service and Windows Messenger (the chat client) work completely independently.
> You can disable the service without any effect on the chat client. Also closing the ports for the service will not affect your ability to chat.
> Regards,
> Pieter
Well, you still need to open the ports for the chat client of course.
To add on.
The Windows Messenger service I think was designed a long time ago to allow computers on a LAN to communicate with one another. E.g. an admin could send a popup message to other desktops warning that the network was going down for maintenance.
From what I have seen it's very primitive, used primarily to make announcements and not for chatting unlike ICQ, AOL chat and whatnot.
Unfortunately, some genius came up with the idea of using it to send spam over the internet.
It's on by default even on standalone PCs.
I've read that some antivirus programs occasionally use it to send messages on rare occasions. Even with a firewall up, the antiproggie can freely use the Messenger service because it's all internal (I think).
I'm on a home LAN; my firewall is set up such that it allows the Messenger service to operate within the LAN (handy to communicate short messages without going outside the LAN) but of course users outside the LAN trying to get in through the Messenger service will face a brick wall.
Tinribs
June 18th, 2003, 03:12 PM
Unfortunately I highlighted this issue some time ago: supposedly ethical and legitimate software taking advantage of this loophole.
http://www.wilderssecurity.com/showthread.php?t=9970
JayK
June 19th, 2003, 09:34 AM
> Quoting Tinribs:
> Unfortunately I highlighted this issue some time ago: supposedly ethical and legitimate software taking advantage of this loophole.
> http://www.wilderssecurity.com/showthread.php?t=9970
Huh? The post appears to have been sent in June 2003. The first Messenger spam was sighted around Oct/Nov 2002 I think. It's hardly a new thing.
The spam software makes it somewhat easier to send spam, but you can do it easily with your default Messenger service on every Windows computer.
CrazyM
June 20th, 2003, 09:51 PM
Hi PhiloVance
> Quoting PhiloVance:
> Ok, I'm the one that started this thread and it's almost been a week since I applied Steve Gibson's shootthemessenger patch and I haven't gotten any more. So, not saying the patch is the solution, but so far it appears to be.
> Anyway, thought I'd check back and let you people know what's happened.
While you are no longer getting the messages, you should still review your firewall rules as they should not have been getting through in the first place. If you need some help in that regard, we can discuss/review your rules in the Other Firewalls (http://www.wilderssecurity.com/index.php?board=23) forum.
Regards,
CrazyM
Copyright ©2002 - 2009, Wilders Security Forums