Guest dontsleeponit@gmail.com Posted September 24, 2007

Hi everyone. I've been having some issues with the Windows firewall, and had to disable it. I do run Sygate Pro 5.5. After disabling the Windows firewall I am getting the classic spam through the Windows Messenger service. I have set up Sygate to block ports 135, 137, 138, 139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the port tests. What can be causing the spam from the Messenger service now? Is it a worm that is on my computer? I don't understand how this can happen with all of the ports blocked. I do NOT want to simply disable the Messenger service; that would be like closing my eyes to the real problem.

I have also updated and run both Spybot S&D and Ad-Aware, found a few minor things, but the problem persists. Anyone have some advice for me? Thanks.
Guest dontsleeponit@gmail.com Posted September 24, 2007
Re: Messenger Service spam problems again

I will also add that I have done the "spam yourself" function on the Shields Up website, and the Messenger service does not pop up. I guess this must mean something ON my computer is causing the Messenger service spam. I can't seem to find any info out there about this; it's all about port blocking, etc. Also, the spam I am getting is all for "registrycleanerXP" or something along those lines.
Guest Malke Posted September 24, 2007
Re: Messenger Service spam problems again

dontsleeponit@gmail.com wrote:
> Hi everyone. I've been having some issues with the Windows firewall,
> and had to disable it. I do run Sygate Pro 5.5. After disabling the
> Windows firewall I am getting the classic spam through Windows
> Messenger service. I have set up Sygate to block ports 135, 137, 138,
> 139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up
> site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the
> port tests. What can be causing the spam from the Messenger service
> now? Is it a worm that is on my computer, because I don't understand
> how this can happen with all of the ports blocked. I do NOT want to
> simply disable the Messenger service, that would be like closing my
> eyes to the real problem.
>
> I have also updated and run both Spybot S&D and Ad-Aware, found a few
> minor things, but the problem persists.

When you say "spam from the messenger service" do you really mean that you are getting messages from Registry Cleaner that your computer is infected? Because 1) if your messenger service is not disabled this means that you don't have XP Service Pack 2 installed and you should; 2) your computer is infected with some variant of the Smitfraud trojan. So what version of XP are you using and what Service Pack level?

You can disable the messenger service by going to: Start>Run>services.msc [enter] Scroll down to the messenger service, stop it, and disable it.
To remove variants of the Smitfraud trojan:

Do the preparatory steps here: http://www.elephantboycomputers.com/page2.html#Removing_Malware

Then do the specific removal steps here: http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan - Smitfraud, Spyaxe, Spyfalcon

You can also check to see if there are targeted removal steps for your malware here: Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please). Not all tools used will work in Vista and you will need to run them elevated. Since Vista is so new, it will be a while before removal techniques and tools are developed. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a professional computer repair shop (not your local version of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. Have all your data backed up before you take the machine into a shop.

Malke
--
Elephant Boy Computers
http://www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Guest Daave Posted September 24, 2007
Re: Messenger Service spam problems again

<dontsleeponit@gmail.com> wrote in message news:1190617775.279170.67630@n39g2000hsh.googlegroups.com...
> Hi everyone. I've been having some issues with the Windows firewall,
> and had to disable it. I do run Sygate Pro 5.5. After disabling the
> Windows firewall I am getting the classic spam through Windows
> Messenger service. I have set up Sygate to block ports 135, 137, 138,
> 139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up
> site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the
> port tests. What can be causing the spam from the Messenger service
> now? Is it a worm that is on my computer, because I don't understand
> how this can happen with all of the ports blocked. I do NOT want to
> simply disable the Messenger service, that would be like closing my
> eyes to the real problem.
>
> I have also updated and run both Spybot S&D and Ad-Aware, found a few
> minor things, but the problem persists.
>
> Anyone have some advice for me?

As Malke pointed out, you may have been infected with Smitfraud or one of its variants. That is, even though it appears you have Messenger Service spam, you very well may have malicious software already running on your PC that produces windows that look like Messenger spam.

Even though you stated you didn't want to disable the Messenger service, do it anyway. :-) (temporarily, as a diagnostic tool). This way, if the windows keep popping up, you'll know it's not Messenger spam. Then follow her instructions/links and you should be fine.

If it is Messenger spam, make sure you also block incoming traffic to UDP 1026-1029. Also make sure you block TCP 593, 4444 and UDP 69 and keep your system patched with the latest security updates. Hopefully that'll do it.

Good luck!
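The thread gives two concrete things to check: whether the firewall block list actually covers every port Messenger/RPC spam arrives on (the OP's Sygate list plus the ports Daave adds), and whether anything on the box is listening on those ports. The script below is an added example written for this page, not code from any poster; it encodes the OP's rule set and Daave's additions as inbound-block rules, reports the gaps, and runs the same coverage check over `netstat -ano` output (the netstat text here is constructed for the example). The function names and the rule representation are my own.

```python
"""Firewall-coverage check for Messenger Service (MSRPC) spam.

Added example for this thread, not any poster's code. Rules are
(protocol, low_port, high_port) inbound blocks. The sample netstat
output is constructed; on a real XP box feed in `netstat -ano`.
"""
import re

# The OP's Sygate configuration, as stated in the first post.
OP_RULES = [
    ("TCP", 135, 135), ("UDP", 135, 135),
    ("TCP", 137, 139), ("UDP", 137, 139),
    ("TCP", 445, 445), ("UDP", 445, 445),
    ("TCP", 1025, 1025), ("UDP", 1025, 1025),
]

# Daave's additions: UDP 1026-1029 (the dynamic RPC ports Messenger spam
# commonly targets), TCP 593 (RPC over HTTP endpoint mapper), and the
# Blaster-era TCP 4444 backdoor shell / UDP 69 TFTP pair.
DAAVE_ADDITIONS = [
    ("UDP", 1026, 1029), ("TCP", 593, 593),
    ("TCP", 4444, 4444), ("UDP", 69, 69),
]

RECOMMENDED = OP_RULES + DAAVE_ADDITIONS


def covered(rules, proto, port):
    """True if at least one rule blocks `port` on `proto`."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)


def missing_blocks(rules, recommended=RECOMMENDED):
    """Ports in `recommended` that `rules` leave unblocked, sorted."""
    gaps = set()
    for proto, lo, hi in recommended:
        for port in range(lo, hi + 1):
            if not covered(rules, proto, port):
                gaps.add((proto, port))
    return sorted(gaps)


# Matches `netstat -ano` rows: proto, local addr:port, foreign addr,
# optional state (TCP only), PID. Works for IPv4 and bracketed IPv6.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Return (proto, port, state, pid) for network-reachable sockets.

    Keeps TCP sockets in LISTENING state and all UDP sockets (UDP rows
    carry no state); established/closing TCP connections are dropped.
    """
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        sockets.append((proto, int(port), state or "", int(pid)))
    return sockets


def exposed_listeners(sockets, rules, recommended=RECOMMENDED):
    """Listening sockets on a recommended-block port that `rules` miss."""
    return [
        s for s in sockets
        if covered(recommended, s[0], s[1]) and not covered(rules, s[0], s[1])
    ]


# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1049       198.51.100.7:80        ESTABLISHED     1604
  UDP    0.0.0.0:135            *:*                                    988
  UDP    0.0.0.0:1026           *:*                                    1088
  UDP    0.0.0.0:1027           *:*                                    1088
"""

if __name__ == "__main__":
    print("Ports the OP's rules leave unblocked:", missing_blocks(OP_RULES))
    for proto, port, _state, pid in exposed_listeners(parse_netstat(SAMPLE_NETSTAT), OP_RULES):
        print(f"exposed listener: {proto} {port} (pid {pid})")
```

Against the OP's rules the gap list is exactly the ports Daave names (TCP 593 and 4444, UDP 69 and 1026-1029), and the constructed netstat shows the RPC service (pid 1088) listening on UDP 1026 and 1027, which the OP's rules do not cover. Note what this check cannot settle: the "spam yourself" test passing while popups continue, as the OP reports, is consistent with Daave's and Malke's point that the windows are generated locally. Running the diagnostic they suggest (stop the Messenger service with `sc stop messenger`, or via services.msc, and see whether the popups persist) is what separates network spam from a local Smitfraud-style infection.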