
Author Topic: some serious spyware... or not. :-P  (Read 1151 times)


crashwg

some serious spyware... or not. :-P
« on: November 13, 2005, 07:55:03 pm »
Ok, so my GF's family's computer has been acting up.  They keep having this popup (shown below) that claims to be reporting critical system errors and wants me to download a program that is most likely more spyware...

I formatted the computer and installed winxp pro (the same OS it had before I formatted) and installed Firefox, limewire and AIM and I'm now getting the same friggin popups.

I've tried AdAware and Spybot S&D with no results other than "found something, quarantined or delete it."

Any ideas?  I just don't understand what it could be from...  I have Firefox, limewire and AIM on my own computer...  All downloaded from the same places too and I don't have a single problem.  :-\
« Last Edit: November 13, 2005, 08:56:42 pm by crashwg »
If there's bees in the trap I'm catching em
By the thorax and abdomen
And sanding the stingers down to a rough quill
Then I dip em in ink, and I scribble a bit
But if it they wriggle then I tickle em until they hold still
Lemme say it again
In my land of pretend
I use bees as a mf'n pen

sc1103

Re: some serious spyware...
« Reply #1 on: November 13, 2005, 07:59:46 pm »
I used to have the same exact thing, I reformatted and all, that might have done it but try HijackThis.  Also it may have been embedded in the registry (not sure how) so try cleaning that.  I'm not exactly sure what it was or anything but I did all that and it ended up being cleaned off.

grueinthebox

Re: some serious spyware...
« Reply #2 on: November 13, 2005, 08:34:55 pm »
Messenger Service is part of Windows 2000 & XP.  It's a service you can turn off.  It has legitimate uses (say a sysadmin wanted to broadcast a message about an upcoming maintenance or something), but for home use you should probably turn it off.  Some clever jackass discovered a way to use it over the internet to broadcast spam.  It's not really spyware...

Start > Control Panel > Administrative Tools > Services, turn off the Messenger service.

Edit: spelling.
« Last Edit: November 13, 2005, 08:39:28 pm by grueinthebox »
"All right. It's Saturday night. I've got no date, a two liter bottle of Shasta, and my all Rush mix tape. Let's rock!"

crashwg

Re: some serious spyware... or not. :-P
« Reply #3 on: November 13, 2005, 08:58:01 pm »
Sounds like an easy fix!

Thanks grueinthebox

sc1103

Re: some serious spyware... or not. :-P
« Reply #4 on: November 13, 2005, 09:21:15 pm »
Messenger Service is part of Windows 2000 & XP. It's a service you can turn off. It has legitimate uses (say a sysadmin wanted to broadcast a message about an upcoming maintenance or something), but for home use you should probably turn it off. Some clever jackass discovered a way to use it over the internet to broadcast spam. It's not really spyware...

Start > Control Panel > Administrative Tools > Services, turn off the Messenger service.

Edit: spelling.

I feel stupid

SOAPboy

Re: some serious spyware... or not. :-P
« Reply #5 on: November 13, 2005, 09:28:10 pm »
Messenger Service is part of Windows 2000 & XP. It's a service you can turn off. It has legitimate uses (say a sysadmin wanted to broadcast a message about an upcoming maintenance or something), but for home use you should probably turn it off. Some clever jackass discovered a way to use it over the internet to broadcast spam. It's not really spyware...

Start > Control Panel > Administrative Tools > Services, turn off the Messenger service.

Edit: spelling.

I feel stupid


Most Linux guys do with easy Windows fixes :) *hugs

And it's been possible to do this for a while, since NT actually.. it just started getting exploited in xp which is the weird part.. O_o

saint

Re: some serious spyware... or not. :-P
« Reply #6 on: November 13, 2005, 10:35:25 pm »
The fact that they are able to send you popups means you *DON'T HAVE A FIREWALL RUNNING!* (or it's not configured right)... (Caps are to be scary, not yelling)

Highly recommend you go get Zonealarm, at least the free version if not the pro version.  If nothing else download service pack 2 and turn on the XP firewall.
--- John St.Clair
     Build Your Own Arcade Controls FAQ
     http://www.arcadecontrols.com/
     Project Arcade 2!
     http://www.projectarcade2.com/
     saint@arcadecontrols.com

sc1103

Re: some serious spyware... or not. :-P
« Reply #7 on: November 13, 2005, 10:39:26 pm »
The fact that they are able to send you popups means you *DON'T HAVE A FIREWALL RUNNING!* (or it's not configured right)... (Caps are to be scary, not yelling)

Highly recommend you go get Zonealarm, at least the free version if not the pro version. If nothing else download service pack 2 and turn on the XP firewall.

Ahh that explains it...I no longer have the cabinet networked   :-[

SOAPboy

Re: some serious spyware... or not. :-P
« Reply #8 on: November 13, 2005, 10:49:24 pm »
The fact that they are able to send you popups means you *DON'T HAVE A FIREWALL RUNNING!* (or it's not configured right)... (Caps are to be scary, not yelling)

Highly recommend you go get Zonealarm, at least the free version if not the pro version.
« Last Edit: November 13, 2005, 10:51:29 pm by SOAPboy »

saint

Re: some serious spyware... or not. :-P
« Reply #9 on: November 13, 2005, 11:27:15 pm »
It means he has port 135 exposed to the Internet, which has no business being exposed to the Internet on an arcade cabinet (or, IMHO, on any machine). This isn't network admin messages being sent, he's at home. If port 135 is open, then I'm assuming all his ports are open, meaning no firewall. Operating a Microsoft system on the Internet without a firewall is asking to be hosed. The fact that he's being spammed isn't harmful - it's the deeper implications of the fact that the spam is possible that should alarm him.

Average lifespan of a Microsoft system on the net without adequate firewall/virus protection is... 10 minutes at best?

Quote
NET SEND on Windows

There has been a recent (2002-10-11) upsurge in NET SEND spam. This will pop up a window on a Windows machine, using the Messenger Service (note this is different from Windows or MSN Messenger, it's a low-level service built-in to the Windows operating system).

The NET SEND messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution). That tells what high-numbered port the Messenger Service is listening on. The best way to stop this is to permanently disable the Messenger Service. You may also want to block port 135. I have also included information about Microsoft Distributed COM (DCOM), which uses port 135.

You may also want to block port 1026, based on Windows Messenger Popup Spam on UDP Port 1026.

(http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html)


Another take on it:

Quote
Cure the cause
If you are a home user...

Beware! The problem is much bigger than just receiving annoying messages.
It means your PC is very vulnerable to all sorts of attacks.

Quoting Microsoft's KnowledgeBase article on the subject,

"In addition to transmitting net send messages to your computer over the Internet, a malicious user may also be able to use the NetBIOS connection to your computer to perform the following tasks:

    * Access your private information
    * Initiate denial of service (DoS) attacks against a high profile Web site
    * Distribute software illegally by appropriating space on your hard disk

For this reason, Microsoft recommends that you install a firewall and configure it to block NetBIOS traffic instead of merely just turning off the Messenger service. "

We have prepared a list of good software firewalls....

So in short.... don't operate without a firewall -- whether that's ZoneAlarm, or just built in SP2 firewall :)





The fact that they are able to send you popups means you *DON'T HAVE A FIREWALL RUNNING!* (or it's not configured right)... (Caps are to be scary, not yelling)

Highly recommend you go get Zonealarm, at least the free version if not the pro version.  If nothing else download service pack 2 and turn on the XP firewall.

Has nothing to do with it.. it's a net send command that talks directly to the OS beyond a simple firewall.

It's not an 'attack', it's a remote admin command that has had a loophole forever..

Which is funny, because XP's Net Send command is a lot more secure than the older versions in NT and 2k.. ><

BTW sp2 only turns off the messenger service by default.. that's MS's "Fix" for it.. It's a really useful tool as a network admin, thus it's still in the O/S

SOAPboy

Re: some serious spyware... or not. :-P
« Reply #10 on: November 13, 2005, 11:31:37 pm »
It means he has port 135 exposed to the Internet, which has no business being exposed to the Internet on an arcade cabinet (or, IMHO, on any machine). This isn't network admin messages being sent, he's at home. If port 135 is open, then I'm assuming all his ports are open, meaning no firewall. Operating a Microsoft system on the Internet without a firewall is asking to be hosed. The fact that he's being spammed isn't harmful - it's the deeper implications of the fact that the spam is possible that should alarm him.

Average lifespan of a Microsoft system on the net without adequate firewall/virus protection is... 10 minutes at best?

Quote
NET SEND on Windows

There has been a recent (2002-10-11) upsurge in NET SEND spam. This will pop up a window on a Windows machine, using the Messenger Service (note this is different from Windows or MSN Messenger, it's a low-level service built-in to the Windows operating system).

The NET SEND messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution). That tells what high-numbered port the Messenger Service is listening on. The best way to stop this is to permanently disable the Messenger Service. You may also want to block port 135. I have also included information about Microsoft Distributed COM (DCOM), which uses port 135.

You may also want to block port 1026, based on Windows Messenger Popup Spam on UDP Port 1026.

(http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html)


Another take on it:

Quote
Cure the cause
If you are a home user...

Beware! The problem is much bigger than just receiving annoying messages.
It means your PC is very vulnerable to all sorts of attacks.

Quoting Microsoft's KnowledgeBase article on the subject,

"In addition to transmitting net send messages to your computer over the Internet, a malicious user may also be able to use the NetBIOS connection to your computer to perform the following tasks:

« Last Edit: November 13, 2005, 11:34:13 pm by SOAPboy »