Anyone get messages displayed on screen?

Discussion in 'privacy problems' started by PhiloVance, Jun 5, 2003.

Thread Status:
Not open for further replies.
  1. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    This has really got me bugged; I've gotten about 4 of these (that I've been able to save) and I have no idea what's happening.

    Running eTrust AV up to date; Kerio Firewall 2.1.5 which tests out ok at GRC (LeakTest and Shields Up); Win XP Home on a Dell 450 Pentium II, 384 MB RAM.

    view at http://members.cox.net/~philosopher_king/weird_msg3.jpg
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Philo - Turning off your Windows Messenger Service will probably solve the problem.

    Do you need/use it for anything? Pete
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi PhiloVance

    You might want to review your firewall rule set as that should not be getting in unless you have allowed it.

    Regards,

    CrazyM
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Some time ago Pieter posted in several places this instruction:
    Unfortunately, what you're experiencing is no regular pop-up that any popup stopper so far can take care of. It's a service from Microsoft that is installed and started by default as a service for all their customers (even if they don't need it, or want it). This is how to disable it:

    Windows 2000
    Click Start-> Programs-> Administrative Tools->Services
    Scroll down and highlight "Messenger"
    Right-click the highlighted line and choose Properties.
    Click the STOP button.
    Select Disable or Manual in the Startup Type scroll bar
    Click OK


    Windows XP
    Click Start->Settings->Control Panel
    Click Administrative Tools
    Double click Services
    Scroll down and highlight "Messenger"
    Right-click the highlighted line and choose Properties.
    Click the STOP button/link.

    Hope it helps!
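The GUI steps above, scripted as an added example for this thread (not part of Pieter's instructions): a Windows batch file that stops the Messenger service, sets its startup type to Disabled, and then verifies the result with sc, which is the check the GUI alone does not give you. It assumes an Administrator account and that the service's short name is Messenger.

```batch
@echo off
rem Added example, not from the thread: script the "disable Messenger"
rem procedure for Windows 2000 / XP and verify that it stuck.
rem Assumes: run from an Administrator account; service short name "Messenger".

rem 1. Show the current run state and startup type before touching anything.
echo --- before ---
sc query Messenger | findstr /C:"STATE"
sc qc Messenger | findstr /C:"START_TYPE"

rem 2. Stop the running service (same as the STOP button in Services).
net stop Messenger

rem 3. Set the startup type to Disabled so it does not return after a
rem    reboot or a hotfix. The space after "start=" is required by sc.
sc config Messenger start= disabled

rem 4. Verify: STATE should now read STOPPED and START_TYPE DISABLED.
rem    Re-run this block after applying Windows updates to confirm nothing
rem    turned the service back on.
echo --- after ---
sc query Messenger | findstr /C:"STATE"
sc qc Messenger | findstr /C:"START_TYPE"
```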
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    A convenient test site for this specific issue can be found here, along with other prevention info after the test.

    Regards,

    CrazyM
     
  6. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    OK, I went to the site mentioned by CrazyM and tested; it tested ok, iow I got no message. Also I turned off Messenger Service long ago when I first got XP, so that's not it. As I mentioned I use Kerio and I checked it against Steve Gibson's Leaktest and Shields Up programs. No apparent holes.

    http://discussions.virtualdr.com/showthread.php?s=&threadid=138063&highlight=messenger+service

    The above link at VDr sort of describes my situation especially what Ridgerunr has to say. I honestly don't think this is Windows Messenger, I think it's a well hidden Trojan. Can anyone recommend a Trojan checker?

    Thanks.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Philo - And you just now checked to see if it was still turned off?

    With the recent spate of M$ updates we've had lately, one never knows if they decided to turn it back on for some reason.....

    Other than that, I'm fresh out of ideas, sorry - but it really doesn't sound like malware. Pete
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi PhiloVance,

    Use either Adaware 6 or Spybot S&D (or both) to check your computer for spyware. Make sure to get the latest updates for both before scanning.

    Regards,

    Pieter
     
  9. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    spy1 and Pieter

    Thanks for your concern. Will check out a few more things.

    I'll keep this link updated as to any progress I've made. :(

    Just recently found this: I don't usually use IE, but I do have it installed. Scary, isn't it.
    http://www.microsoft.com/security/security_bulletins/ms03-020.asp
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi PhiloVance,

    Please do keep us posted. We'll work our way up the malware ladder to find the culprit. From experience I'd say, if it isn't an open port, chances are big it's spyware.
    And if it is we'll find it. ;)

    Regards,

    Pieter
     
  11. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Ok, it's been a week, so I ran Ad-aware and Spybot after d/l the latest updates. Found a variety of things as follows:

    Here's the link to a screen dump of the Spybot stuff:
    http://members.cox.net/~philosopher_king/Spybot_dso_exploit.jpg

    This looks like it may refer to the link I mentioned earlier about the IE security hole.

    Here's a text file of the Adaware Log (bugs are listed at the bottom of the report):
    http://members.cox.net/~philosopher_king/Adaware_log_20030606.TXT

    I am running Win XP Home and I am the administrator (pat). I noticed that all the cookies, exploits, etc. are under the limited users: joseph, kids, francis and diana. I have SpywareBlaster installed but perhaps I don't have it set right. Appreciate some direction on this.

    Note: I have not, repeat not, removed these items in case there's more you want to know. Let me know if I should remove these or not. Thanks.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi PhiloVance,

    About user profiles and SpywareBlaster: http://www.wilderssecurity.com/showthread.php?t=9874

    One of joseph's cookies led me to a very dubious site:
    hxxp://www.clickslink.com/programs/popupsponsor.html
    (I changed http to hxxp to avoid unwanted visits)

    Everything AdAware and Spybot found can be removed.

    Regards,

    Pieter
     
  13. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    There doesn't seem to be anything major (mainly tracking cookies), not to the extent of causing the popup.

    I'm still betting it's Messenger spam. Are you sure you got UDP 135 and TCP 139,445 covered?
     
  14. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    The latest; last night I ran Ad-aware again and removed all 14 of the trackers; ran Spybot S&D also, but surprisingly I got no hits, so clean on that. I went to the MS site and d/l 3 security patches, one for the browser IE6 which I occasionally use, one for XP itself and another one of what I'm not sure. Anyway I d/l and installed all of them. Today on another forum I found out Ad-Aware had a new sig file released today, so d/l that and ran again and got a clean bill of health. Have had no 'messenger messages' since I installed the security patches (which was about 7pm last night - local time). Here's keeping my fingers crossed.
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Philo - Did the message look something like this screenshot?

    If so, are you using AIM or Kazaa? Pete
     

  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Pete,

    PhiloVance added a screenshot in his first post. I took the liberty of taking out the relevant part and will attach it to this post.
    I'm interested in what you got there though.
    Do you get these with KaZaa (or derivatives) running?

    Regards,

    Pieter
     

  17. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Very similar, see: http://members.cox.net/~philosopher_king/weird_msg3.jpg

    But, no, I don't use Kazaa. I don't use AIM at least that I know of, or Yahoo, or ICQ or any of those things.

    Since I installed the MS security patches on Saturday night, I haven't had any messages. Will see how it goes. Thanks for everyone's concern.

    PV :cool:
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, his (Philo's) was definitely Messenger spam, then. (The updates should take care of them, I hope).

    Yes, K and KL both have an IM feature - if you elect to use it.

    You can either use an "Ignore" list function to block specific individuals ("Options/Messages" tab) , or, there's a box there that you can checkmark that says "Ignore all incoming messages" (which is the way anyone should have that setting set). Pete
     
  19. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I got Win2000 not too long ago and I heard about this stuff on this board before... But I've never looked for the feature; figured I would do it when I got the first "pop up" as you might call it... the message... But it's never happened and my IP is pretty static on cable (unless I reboot modem) so I guess Sygate Personal Firewall must be blocking it? I couldn't have just been lucky for months, right?
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I was! <g> Pete
     
  21. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    A bit of an update

    Well, some good news and some bad news:

    Bad news first:

    So much for MS 'security patches'. I got another one of those messages, it can be viewed at the links below. At the same time I got a screen dump of the processes running (suggested by someone on alt.comp.freeware). It's a total of 3 pictures as one would not cover it all.

    Pic on apps running: http://members.cox.net/~philosopher_king/msgr_plus_app.jpg

    Pic 1 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc1.jpg
    Pic 2 on processes running: http://members.cox.net/~philosopher_king/msgr_plus_proc2.jpg

    Excuse me, but I'm not real good at picture links. ;)

    Good news:

    I got to checking around and one of the persons replying in the alt.comp.freeware thread suggested this: http://grc.com/stm/ShootTheMessenger.htm . It's from Steve Gibson, and I've installed it. In case you're interested the discussion started on 6/9/03 and is titled "A spyware in my pc if anyone else had the same issue ..."

    Other info:

    I actually got to see one display the other day and just before it displayed I observed a little box on the screen doing something. A very small box somewhat like you get for a download meter. Then the little box disappeared and I got the message. Another item I've noticed is I never used to get these on Win 98, so it's an XP thing, I think. I don't know how much closer I'm getting to the solution, but I am doing something. ;)

    Perhaps you've noticed, but the message seems to stay on top no matter what you do (except click OK, then it goes away).
     
  22. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Well, it makes switching off the Messenger service a one-click affair; otherwise I don't see any advantage versus doing it manually.

    Regardless, if you are using a firewall and still get Messenger spam, I would be very concerned; clearly you are doing something wrong with your firewall rules.
     
  23. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    JayK.. You're probably right, but the catcher is I thought I had the Messenger shut off (from doing it manually) but with GRC's Shoot The Messenger program it noted I had it on. I'm using yosponge's Kerio rules, as I don't have the knowledge to set them up myself... plus of course, some I've added.

    Hey, at this point I'll try anything. :p
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You know, during the course of this discussion, I noticed the same thing myself.

    Even though I had the Windows Messenger service turned off, SG's utility said it was still on - so I nailed it again with "ShootTheMessenger". (Hey, it couldn't hurt, right?).

    Very puzzling. Pete
     
  25. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Could be ShootTheMessenger misfiring. Anyway, it's simple to test if Messenger is on..

    It's possible that you might even accidentally turn on the Messenger service with that tool if it just toggles the service off and on.

    I recommend you do this to test.

    Open a DOS box, type net send 127.0.0.1 test and see if you get a popup.

    If you get some error message about lacking some component or whatnot, the Messenger service is not running.
     