URGENT HELP! - pop up messages!

Discussion in 'other software & services' started by Mcville80, Apr 25, 2003.

Thread Status:
Not open for further replies.
  1. Mcville80

    Mcville80 Guest

    I am having pop up messages come up as follows:

    "Message from ALERT SERVICE to Windows User on 24/04/03 00.16

    WARNING - YOUR COMPUTER IS AT RISK!
    You have just received this message through an open port on your computer. This means that anyone can send a message like this, or even use the open port to their advantage to invade your privacy.

    Please visit www.BYEBYEADS.com to secure this port and never receive messages like this again.
    MAKE SURE YOU WRITE THIS ADDRESS DOWN BEFORE YOU PRESS OK. PRESSING OK WILL NOT AUTOMATICALLY TAKE YOU TO THE WEBSITE.

    Go to www.BYEBYEADS.com to stop pop-ups now!"

    (I never click on OK but just close them.)

    I have Norton Internet Security, have done online port scan checks with Symantec which said all were OK, have checked my Start up programs (only 4 legit ones + 4 desktop.ini ) At the moment I have a trial of TDS but not yet the full version.
    Should I have anything to worry about with these messages (a similar one came up in French today) or could it be I still have a buried program somewhere? They are a pain in the ass and I have had at least 4 come up in 2 hrs. I am on Win XP and Broadband.
    Thanks for any advice / help!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Mcville80,

    The messenger service runs on 95, 98, Me, Win2k and XP.

    Using the Messenger Service, anyone in the world can send pop-up messages to your computer. You can disable the Messenger service; it's easy to reverse at a later time.

    For Windows 2000 and XP this is a way to disable it:

    * Go to start and click Run
    * Type services.msc
    * Double-click on Messenger.
    * In the messenger Properties window, select Stop, then choose Disable as the Startup Type.
    * Click OK.

    This service is indeed being used to spam IP ranges.
    No malware needs to be on your computer.

    Regards,

    Pieter
     
  3. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Have you been hit with unwanted advertising or Spam? The message you received is the newest form of internet spam. You don't have to have an email account or even a web browser. You received this message due to a built-in feature that Microsoft included in Windows XP, 2000, and NT.

    That's the way they start their page on byebyeads...
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Mcville80,
    Pieter is correct in his reply but please do not confuse the Messenger Service with MS Instant Messenger. :D
    The messenger service is an Admin service, NOT the Instant Messenger service used to chat to your friends. This has confused many people.
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Mcville80

    You should also check your NIS firewall configuration. It should be blocking these. Unless you have a rule allowing it/them.

    Regards,

    CrazyM
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Mcville80!

    If you already start deactivating the Messenger Service, also deactivate the Telnet service as described above by Pieter. You don't need this service... If it's enabled it is a great danger for your security, many hackers try to breach the system by attacking this vulnerable service! ;)

    Best regards!

    Patrice
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    There are a lot of ways to prevent those messages ;)

    on Win2k/XP :

    Local Security Strategy : User rights Attribution : Contact this PC from the Network - Select Anybody and delete it. Reboot
    (sorry, I translate from French GUI, the terms might differ)

    If you need the service on your LAN:
    with your FW, block incoming traffic for non-trusted IPs:

    135, 137 UDP and 139 TCP

    Rgds,
     
  8. mcville80

    mcville80 Guest

    Thanks folks - I've disabled Messenger, and thanks for clarifying it's not Windows Messenger!!
    I'll have a look at the firewall, but any help with that will be appreciated!
    Could JacK clarify the process of his advice? Thanks. Or is disabling Messenger enough?

    At least it's eased any worries about trojans....
    Forums like this are a blessing!
    :)
     
  9. mcville80

    mcville80 Guest

    PS - Sorry!
    Re: Patrice's advice - deactivating Telnet also - is this also in services.msc? I couldn't find it listed there.
    Thanks.
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Hi mcville,

    >> Re: Patrice's advice - deactivating Telnet also - is this also in services.msc? I couldn't find it listed there.

    The Telnet service is not on Windows XP Home Edition, if that is what you are running. It is on WinXP Pro.

    HTH,
    LowWaterMark
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I was wondering if you can do something nice here with the firewall (blocking the ports 137-139 of course) and your TDS.
    It's working little different, but you can broadcast and TCP connect with friends of course; see for that part the thread Pierre posted in the TDS forum.

    The winpopup service as it's called on win9* systems seems need to be active to receive messages at all and port 139 not blocked, as far as my own testing went till now. (thanks to Pieter's explanation recently in the other thread!) Will do some more testing with that in due time.
     
  12. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Yo mcville80,

    If you are running a rules based firewall, just create rules
    any App
    local port 135, 137, 139, 445
    Direction IN
    Protocol TCP/UDP
    Remote address ANY
    Remote Port ANY

    If you are on a LAN, you might want to make rules allowing traffic for the PCs on your LAN above this rule.

    Disabling the Messenger service is enough for those messages, but not enough for your security : ) Enabling ICF is enough, or a rules-based firewall, even without disabling the service if needed.

    Rgds,
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You will have to check your System Wide, Application and Trojan rules for anything that may be allowing inbound to local service/port 135, 137, 139 or 445 from any remote address. If these messenger pop ups are getting through, you likely have a rule somewhere allowing it. You will have to determine what rule is allowing them and where it is first.

    If you are running a version of NIS prior to v4.5, you will find a utility called NIS Rules very helpful in this regard.

    Once you find it, you can assess it (how/why that particular rule ended being there) and determine what you need to do from there - remove, modify it to block or create specific block rules as Jack suggested. If you choose to make global block rules, keep in mind your set up and if any specific allows may be needed prior to the block rules. Make sure the firewall is set high.

    You might also find this site useful for rules in NIS.

    Regards,

    CrazyM
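
The check CrazyM and JacK describe above, finding which rule admits inbound traffic to ports 135-139 and 445 when rules are evaluated in order, as an added example that is not part of the thread or any firewall's own code. The rule format, the rule names and the first-match evaluation are assumptions for illustration, and the sample rules are constructed.

```python
import ipaddress

# Ports named in the thread for Messenger pop-up spam / Windows networking.
WATCHED_PORTS = (135, 137, 138, 139, 445)

# Constructed sample rule set (hypothetical format, not exported from NIS or
# Look'n'Stop). Rules are evaluated top to bottom; the first match decides.
RULES = [
    {"name": "LAN file sharing", "action": "allow", "proto": "any",
     "ports": (135, 445), "remote": "192.168.1.0/24"},
    {"name": "Default inbound NetBIOS name", "action": "allow", "proto": "udp",
     "ports": (137, 137), "remote": "0.0.0.0/0"},
    {"name": "Block Windows networking", "action": "block", "proto": "any",
     "ports": (135, 445), "remote": "0.0.0.0/0"},
]

def matches(rule, proto, port, remote_ip):
    """True if the rule covers this protocol, local port and remote address."""
    lo, hi = rule["ports"]
    return (rule["proto"] in ("any", proto)
            and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["remote"]))

def first_match(rules, proto, port, remote_ip):
    """Return the first rule that decides this inbound packet, or None."""
    for rule in rules:
        if matches(rule, proto, port, remote_ip):
            return rule
    return None

def audit(rules, remote_ip, default_action="block"):
    """List (proto, port, rule name) for each watched port remote_ip can reach."""
    exposed = []
    for proto in ("tcp", "udp"):
        for port in WATCHED_PORTS:
            rule = first_match(rules, proto, port, remote_ip)
            action = rule["action"] if rule else default_action
            if action == "allow":
                exposed.append((proto, port, rule["name"] if rule else "default policy"))
    return exposed

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an Internet host.
    for finding in audit(RULES, "203.0.113.7"):
        print("reachable from untrusted address:", finding)
```

Here the global block rule is present, but an allow rule placed above it still lets UDP 137 through from any address, while the LAN allow above the block works as intended for trusted hosts only.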
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Mcville80,
    To be honest with you, deinstall NIS and install a new firewall. This firewall isn't protecting you at all!!! I was once myself running NIS and I thought I was secure... There's nothing worse than a firewall which doesn't protect you at all! I did some online test with this firewall and the results were horrible. Let's call it like this: Doors wide open... :eek:

    Last but not least you don't need just outside-inside protection, but also inside-outside protection and that's where NIS is the worst firewall I ever had! Nothing is blocked at all!! :mad:

    If you wanna know more about software and so called Leak Tests go to this website and check the results:

    http://www.pcflank.com/

    Read carefully those two articles:

    -Personal firewalls vs Leak Tests
    -Personal firewalls vs. Stealth Test, part II

    After reading of those articles I suppose you deinstall NIS and install Look'n'Stop! :D

    If you have further questions, don't hesitate to ask!

    Best regards!

    Patrice

    P.S. I almost forgot, there are some nice online tests on the PC Flank Homepage!
     
  15. InsaneJester

    InsaneJester Registered Member

    Joined:
    Apr 28, 2003
    Posts:
    27
    Telnet is in services, but I don't know about you, but my Telnet is disabled by default.
     
  16. Elaine Manna

    Elaine Manna Guest

    :rolleyes:
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Elaine Manna,

    Are you trying to tell us something? o_O

    Pieter
     
  18. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    from Pieter
    Hi Pieter!

    I've just followed your instructions a while ago. Although I can see many services in that list, I don't see "messenger". So I'm wondering how I could get to that feature? My OS is Windows XP NT.

    Thankx!

    Uguel
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Uguel707

    If you are running Windows XP Pro it should be there, unless you used some Anti- utilities which removed that service completely…
     
  20. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Hi Phantom!

    No, my OS is windows XP Home Edition Nt.

    --that's the way it was set by the tech in case I want to add a new pc connected to it--

    But, if I can't see that feature or service from there,
    I'm wondering if I can disable it with Look'n' Stop...?
    I've just got Look'n' Stop from a week and as a new user, I set it by default, when I'll get more familiar working with it, I may apply more security rules.

    Thankx,

    Uguel
     
  21. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Uguel,

    As long as LnS is blocking all NetBIOS ports, TCP & UDP 135-139 + 445, you will not have any problems with the messenger spam that uses this service.

    You should see the service listed in the services applet but if you have these ports blocked you are just as safe.

    :)
     
  22. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Thankx a lot to both of you for your quick input!

    Well, yes, they are listed there. But I can see them from the "log file" I guess that means they have a clear field?
    Don't they?

    Uguel
     
  23. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey ;)

    As long as they are listed to block you are fine. If they appear in the log that is just background noise from the net hitting your firewall but not going through. Many of the viruses and worms going about the net at present rely on these ports so it is normal to see a lot of corresponding entries in your log.

    HTH,

    Dan
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Using Unmodified EnhancedRulesSet.rls, it should by default block those no problems…
     
  25. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi:

    Regards Messenger, etc. one of the things you should download is XPAntispy, this cures a lot of XP "leaks" etc. including Messenger, Auto Windows Media Player updates. see screen shot..

    http://www.xp-antispy.org/

    It's a German site, but just look for the words "download" and English in it. You will be able to figure it out. v3.72 is latest.

    hth .... :D

    Cheers, TAS
     
