#1
This has really got me bugged; I've gotten about 4 of these (that I've been able to save) and I have no idea what's happening.
Running eTrust AV, up to date; Kerio Firewall 2.1.5, which tests out OK at GRC (LeakTest and Shields Up); Win XP Home on a Dell 450 Pentium II, 384 MB RAM. View at http://members.cox.net/~philosopher_king/weird_msg3.jpg
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#2
Philo - Turning off your Windows Messenger Service will probably solve the problem.
Do you need/use it for anything? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#3
Hi PhiloVance
You might want to review your firewall rule set as that should not be getting in unless you have allowed it. Regards, CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#4
Some time ago Pieter posted in several places this instruction:
Unfortunately, what you're experiencing is no regular pop-up that any Popup stopper so far can take care of. It's a service from Microsoft that is installed and started by default as a service for all their customers (even if they don't need it, or want it).

This is how to disable it:

Windows 2000
1. Click Start-> Programs-> Administrative Tools->Services
2. Scroll down and highlight "Messenger"
3. Right-click the highlighted line and choose Properties.
4. Click the STOP button.
5. Select Disable or Manual in the Startup Type scroll bar
6. Click OK

Windows XP
1. Click Start->Settings->Control Panel
2. Click Administrative Tools
3. Double click Services
4. Scroll down and highlight "Messenger"
5. Right-click the highlighted line and choose Properties.
6. Click the STOP button/link.

Hope it helps!
__________________
Jooske "o_o"

#5
A convenient test site for this specific issue can be found here. Along with other prevention info after the test.
Regards, CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#6
OK, I went to the site mentioned by CrazyM and tested; it tested ok, iow I got no message. Also I turned off Messenger Service long ago when I first got XP, so that's not it. As I mentioned I use Kerio and I checked it against Steve Gibson's Leaktest and Shields Up programs. No apparent holes.
http://discussions.virtualdr.com/sho...senger+service The above link at VDr sort of describes my situation especially what Ridgerunr has to say. I honestly don't think this is Windows Messenger, I think it's a well hidden Trojan. Can anyone recommend a Trojan checker? Thanks.
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#7
Philo - And you just now checked to see if it was still turned off?
With the recent spate of M$ updates we've had lately, one never knows if they decided to turn it back on for some reason..... Other than that, I'm fresh out of ideas, sorry - but it really doesn't sound like malware. Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#8
Hi PhiloVance,
Use either Adaware 6 or Spybot S&D (or both) to check your computer for spyware. Make sure to get the latest updates for both before scanning. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.

#9
spy1 and Pieter
Thanks for your concern. Will check out a few more things. I'll keep this link updated as to any progress I've made. Just recently found this: I don't usually use IE, but I do have it installed. Scary, isn't it. http://www.microsoft.com/security/security_bulletins/ms03-020.asp
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#10
Quote:
Hi PhiloVance, Please do keep us posted. We'll work our way up the malware ladder to find the culprit. From experience I'd say, if it isn't an open port, chances are big it's spyware. And if it is we'll find it. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.

#11
Ok, it's been a week, so I ran Ad-aware and Spybot after d/l the latest updates. Found a variety of things as follows:
Here's the link to a screen dump of the Spybot stuff: http://members.cox.net/~philosopher_king/Spybot_dso_exploit.jpg This looks like it may refer to the link I mentioned earlier about the IE security hole.
Here's a text file of the Adaware Log (bugs are listed at the bottom of the report): http://members.cox.net/~philosopher_king/Adaware_log_20030606.TXT
I am running Win XP Home and I am the administrator (pat). I noticed that all the cookies, exploits, etc. are under the limited users: joseph, kids, francis and diana. I have SpywareBlaster installed but perhaps I don't have it set right. Appreciate some direction on this.
Note: I have not, repeat not, removed these items in case there's more you want to know. Let me know if I should remove these or not. Thanks.
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#12
Hi PhiloVance,
About user profiles and SpywareBlaster: http://www.wilderssecurity.com/showthread.php?t=9874
One of joseph's cookies led me to a very dubious site: hxxp://www.clickslink.com/programs/popupsponsor.html (I changed http to hxxp to avoid unwanted visits)
Everything AdAware and Spybot found can be removed. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.

#13
Quote:
There doesn't seem to be anything major (mainly tracking cookies), not to the extent of causing the popup. I'm still betting it's messenger spam. Are you sure you got UDP 135 and TCP 139,445 covered?

#14
The latest; last night I ran Ad-aware again and removed all 14 of the trackers; ran Spybot S&D also, but surprisingly I got no hits, so clean on that. I went to the MS site and d/l 3 security patches, one for the browser IE6 which I occasionally use, one for XP itself and another one of what I'm not sure. Anyway I d/l and install all of them. Today on another forum I found out Ad-Aware had a new sig file released today, so d/l that and ran again and got a clean bill of health. Have had no 'messenger messages' since I installed the security patches (which was about 7pm last night - local time). Here's keeping my fingers crossed.
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#15
Philo - Did the message look something like this screenshot?
If so, are you using AIM or Kazaa? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#16
Hi Pete,
PhiloVance added a screenshot in his first post. I took the liberty of taking out the relevant part and will attach it to this post. I'm interested in what you got there though. Do you get these with KaZaa (or derivatives) running? Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.

#17
Very similar, see: http://members.cox.net/~philosopher_king/weird_msg3.jpg
But, no, I don't use Kazaa. I don't use AIM at least that I know of, or Yahoo, or ICQ or any of those things. Since I installed the MS security patches on Saturday night, I haven't had any messages. Will see how it goes. Thanks for everyone's concern. PV
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#18
Okay, his (Philo's) was definitely Messenger spam, then. (The updates should take care of them, I hope).
Yes, K and KL both have an IM feature - if you elect to use it. You can either use an "Ignore" list function to block specific individuals ("Options/Messages" tab), or there's a box there that you can checkmark that says "Ignore all incoming messages" (which is the way anyone should have that setting set). Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#19
I got Win2000 not too long ago and I heard about this stuff on this board before... But I've never looked for the feature; figured I would do it when I got the first "pop up" as you might call it... the message... But it's never happened and my IP is pretty static on cable (unless I reboot modem) so I guess Sygate Personal Firewall must be blocking it? I couldn't have just been lucky for months, right?
__________________
"The price of freedom is eternal vigilance." - Thomas Jefferson

#20
I was! <g> Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#21
Well, some good news and some bad news:
Bad news first: So much for MS 'security patches'. I got another one of those messages, it can be viewed at the links below. At the same time I got a screen dump of the processes running (suggested by someone on alt.comp.freeware). It's a total of 3 pictures as one would not cover it all.
Pic on apps running: http://members.cox.net/~philosopher_king/msgr_plus_app.jpg
Pic 1 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc1.jpg
Pic 2 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc2.jpg
Excuse me, but I'm not real good at picture links.
Good news: I got to checking around and one of the persons replying in the alt.comp.freeware thread suggested this: http://grc.com/stm/ShootTheMessenger.htm . It's from Steve Gibson, and I've installed it. In case you're interested the discussion started on 6/9/03 and is titled "A spyware in my pc if anyone else had the same issue ..."
Other info: I actually got to see one display the other day and just before it displayed I observed a little box on the screen doing something. A very small box somewhat like you get for a download meter. Then the little box disappeared and I got the message. Another item I've noticed is I never used to get these on Win 98, so it's an XP thing, I think. I don't know how much closer I'm getting to the solution, but I am doing something. Perhaps you've noticed, but the message seems to stay on top no matter what you do (except click OK, then it goes away).
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#22
Well it makes switching off the messenger service a one-click affair, otherwise I don't see any advantage versus doing it manually.
Regardless, if you are using a firewall and still get messenger spam, I would be very concerned; clearly you are doing something wrong with your firewall rules.

#23
JayK..You're probably right, but the catcher is I thought I had the messenger shut off (from doing it manually) but with GRC's shoot the messenger program it noted I had it on. I'm using yosponge's Kerio Rules, as I don't have the knowledge to set them up myself...plus of course, some I've added.
Hey, at this point I'll try anything.
__________________
Security -Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes. -Win XP machine: Windows Firewall, Microsoft Security Essentials, Malwarebytes and Spywareblaster.

#24
You know, during the course of this discussion, I noticed the same thing myself.
Even though I had the Windows Messenger service turned off, SG's utility said it was still on - so I nailed it again with "ShoottheMessenger". (Hey, it couldn't hurt, right?). Very puzzling. Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis

#25
Quote:
Could be ShootTheMessenger misfiring. Anyway it's simple to test if messenger is on. It's possible that you might even accidentally turn on the messenger service with that tool if it just toggles the service off and on. I recommend you do this to test: open a DOS box, type net send 127.0.0.1 test and see if you get a popup. If you get some error message about lacking some component or whatnot, the messenger service is not running.
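
Added example, not part of any post in this thread: the checks discussed above (the service steps in #4, the ports in #13, the "turned off but still reported on" confusion in #23 and #24, and the local test in #25) as one command-prompt script. It assumes Windows XP, an administrator command prompt, and the service name "Messenger" used in the thread.

```bat
@echo off
rem Added example (not from the thread): audit and disable the Messenger
rem service from an administrator command prompt on Windows XP.
setlocal

echo === Before ===
rem Run state: RUNNING or STOPPED.
sc query Messenger | findstr /i "STATE"
rem Start type. A service that is only stopped, with start type AUTO_START
rem or DEMAND_START (Manual), can be started again after a reboot or by
rem another component. Only DISABLED keeps it off. This is the usual reason
rem a service believed to be "off" is later reported as on.
sc qc Messenger | findstr /i "START_TYPE"

echo === Stop and disable ===
rem Stop the running instance (an error here just means it was not running).
net stop Messenger 2>nul
rem The space after "start=" is required by sc.
sc config Messenger start= disabled

echo === After ===
sc query Messenger | findstr /i "STATE"
sc qc Messenger | findstr /i "START_TYPE"

echo === Local test from post #25 ===
rem With the service stopped this returns an error instead of a popup.
net send 127.0.0.1 test

echo === Ports named in post #13 ===
rem Lists local sockets on 135, 139 and 445 (may also match longer port
rem numbers beginning with those digits). A LISTENING entry only shows the
rem port is open locally; whether it is reachable from the Internet is
rem decided by the firewall rules.
netstat -an | findstr ":135 :139 :445"

endlocal
```

The values to look for after the change are STATE STOPPED and START_TYPE DISABLED.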