Spyware message


Sean Bartleet

Hi,

Every hour or so when using my computer I get a dialog that pops up, looking
like an old DOS window. The dialog is titled "Messenger service". The
message is to the tune of my computer may be infected with spyware and that
I should go to www.spw2.com and buy their software.

I have searched for "SPW" and "Spyware" in filenames, file contents and the
registry to no avail. I have searched the registry for "run" and "runonce"
and cannot seem to find a reference to spyware or anything that looks
similar.

Does anyone have any ideas how I can find what is causing this to appear on
my computer and how to make it stop?

Any assistance will be appreciated.

Sean Bartleet
 
Disable "Messenger" in Services. This is not Windows Messenger (the chat
program). Go to Start>Control Panel>Administrative Tools>Services>(scroll
down to)Messenger. Right click, and a box will pop up. Under the General
Tab, select "disabled" for Startup Type. In Service Status select "Stop".
That will keep the advertiser from using Messenger to send you popups.
You can also do a Google search for "shoot the messenger"...it's a free
program that will stop the service for you if you aren't comfortable doing
the above.
 
I left out a step:
After you right click and the box pops up, select "Properties", another box
will come up...continue with rest of first post.

Fitz
 
Sean said:
Hi,

Every hour or so when using my computer I get a dialog that pops up,
looking like an old DOS window. The dialog is titled "Messenger
service". The message is to the tune of my computer may be infected
with spyware and that I should go to www.spw2.com and buy their
software.

I have searched for "SPW" and "Spyware" in filenames, file contents
and the registry to no avail. I have searched the registry for "run"
and "runonce" and cannot seem to find a reference to spyware or
anything that looks similar.

Does anyone have any ideas how I can find what is causing this to
appear on my computer and how to make it stop?


Start|Control Panel|Network connections|R-click|Properties|Advanced
tab|Check the ICF box|OK
Install an anti-virus application. Scan your PC. Also get any critical
updates from Windows Update.
 
Greetings --

It's a scam, trying to get you to buy an update that Microsoft
provides free of charge. It's also a very clear warning that your PC
is wide open to anyone on the Internet who wants to hack it.

This type of spam has become quite common over the past several
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats, such as the Blaster Worm that
recently swept across the Internet. Install and use a decent,
properly configured firewall. (Merely disabling the messenger
service, as some people recommend, only hides the symptom, and does
little or nothing to truly secure your machine.) And ignoring or just
"putting up with" the security gap represented by these messages is
particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure
UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445 are _all_
blocked. You may also disable Inbound NetBIOS (NetBIOS over TCP/IP).
You'll have to follow the instructions from the firewall's manufacturer
for the specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Greetings --

Please stop posting potentially harmful advice.

Disabling the messenger service, as you advise, is a "head in the
sand" approach to computer security that leaves the PC vulnerable to
threats such as the W32.Blaster.Worm.

The real problem is _not_ the messenger service pop-ups; they're
actually providing a useful service by acting as a security alert. The
true problem is the unsecured computer, and your only
advice, however well-intended, was to turn off the warnings. How is
this helpful?

Equivalent Scenario: You over-exert your shoulder at work or
play, causing bursitis. After weeks of annoying and sometimes
excruciating pain whenever you try to reach over your head, you go to
a doctor and say, while demonstrating the motion, "Doc, it hurts when
I do this." The doctor, being as helpful as you are, replies, "Well,
don't do that."

The only true way to secure the PC, short of disconnecting it from
the Internet, is to install and *properly* configure a firewall; just
installing one and letting its default settings handle things is no
good. Unfortunately, this does require one to learn a little bit more
about using a computer than used to be necessary.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
From the Microsoft Website:

Disabling Messenger Service in Windows XP



Posted: January 09, 2004




If advertisements are opening on your computer in a window titled
Messenger Service, it may indicate that your system is not secure. You
should enable the Internet Connection Firewall and disable the Messenger
Service in Windows XP to help protect your computer from unwanted spam and
other potential threats.

End of cut and paste.....

The harmful advice you ask me not to post is readily available from
Microsoft on its website. If the advice is incorrect then some
clarification is needed from MS. Until then, Messenger Service stays
terminated on my computer.

Thanks

Fitz
 
Greetings --

The fact that Microsoft posts this information makes it no less
harmful. I've also asked Microsoft to remove that particularly stupid
piece of advice. Or do you assume that "If Microsoft says it, it must
be right?"

As for disabling the messenger service, that's your choice. Just
don't imagine that by doing so you've done anything to secure your
computer. All you've done is "pulled the battery out of that
annoyingly noisy smoke detector." You haven't eliminated the source
of the smoke that set it off.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
No, I certainly don't believe MS is an all-knowing entity- the number of
patches and updates released is proof of that.
I use a router w/NAT and packet filtering - and AdWatch, which can be
configured to block unauthorized modifications to the registry, along with
pop up blocking, etc. That is in addition to an anti-virus program.
Just turning off Messenger Service may not remove the security problem, but
it would seem to stop one way of exploiting it.
 
Greetings --

It's true that there is currently one known security exploit that
could possibly provide access to a PC by causing an intentional buffer
overrun in the Messenger Service. And turning off the Messenger
Service can prevent this single exploit, which, by the way and as far
as I know, has yet to be found "in the wild."

Your response to the OP addressed no security issues at all, but
merely advised turning off the Messenger Service to eliminate
Messenger Service spam, which is annoying but harmless, in and of
itself. This is the sort of advice that I find particularly
dangerous. The problem is that turning off the Messenger Service does
_not_ block the wide open TCP and UDP ports that the spammers used to
deliver the spam to the Messenger Service for display. With the
Messenger Service disabled, those spam deliveries are still
continuing, but they're simply not being displayed. As I've said,
it's like pulling the battery out of a noisy smoke detector to silence
it, rather than looking for and eliminating the source of the smoke.

The danger of this "treat the symptoms" approach has been more
than aptly demonstrated by the advent of the W32.Blaster.Worm, the
W32.Welchia.Worm, and their variants. These worms attack PCs via some
of the very same open ports that the Messenger Service uses. Need I
mention how many hundreds of thousands of PCs have been infected by
these worms since last August? To date, according to my records, I
have personally responded to 567 Usenet posts concerning
Blaster/Welchia infections since last August, and I can't possibly
have seen and replied to every one that's been posted in this
period.

Now, how many of those infected with Blaster/Welchia had turned
off the Messenger Service to hide spam? I can't say, and I don't
think anyone can. What I can say with absolute certainty is that if
they'd all had a properly configured firewall in place, they would
have blocked the annoying spam _and_ been safe from a great many other
dangers, particularly Blaster/Welchia.

Of course, like the Messenger Service Buffer Overrun threat, there
is also a patch available to fix a PC's vulnerability to
Blaster/Welchia, which was available to the general public a full
month before the first instances of Blaster/Welchia "in the wild." If
people learned to stay aware of computer security issues and updated
their systems as needed, a whole lot of grief could have been avoided.
The problem with relying upon patches, however, is that they're
sometimes not available until _after_ the exploit has become
wide-spread. Antivirus software suffers from this same weakness; it's
simply not always possible to provide protection from threats that
have not yet been developed and/or discovered. Both approaches, while
important, are re-active in nature.

There are several essential components to computer security: a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.
The weak link in this "equation" is, of course, the computer user.
All too many people have bought into the various PC/software
manufacturers' marketing claims of easy computing. They believe that
their computer should be no harder to use than a toaster oven; they
have neither the inclination nor desire to learn how to safely use
their computer. All too few people keep their antivirus software
current, install patches in a timely manner, or stop to really think
about that cutesy link they're about to click. Therefore, I (and
anyone who's thought about the matter) always recommend the use of a
firewall. Naturally, properly configuring a firewall requires an
investment of time and effort that most people won't give, but even
the default settings of the firewall will offer more automatic
protection than is currently present.

Now, as for the Messenger Service itself, it generally doesn't
hurt any thing to turn it off, although I never recommend doing so.
Granted, the service is of little or no use to most home PC users
(although I've had uses for it on my home LAN), and turning off
unnecessary services is part of any standard computer security
protocol. However, I feel that the potential benefits of leaving the
Messenger Service enabled out-weigh any as-yet-theoretical risks that
it presents. It will indirectly let the computer user know that
his/her firewall has failed by displaying the Messenger Service spam.
Think of it as the canary that miners used to take down into the
mineshafts with them. There are others, of course, who disagree with
me on this point and advise turning off the service because it isn't
needed; you'll have to make up your own mind here.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Thanks- that is a well thought out and diplomatic response. Although I,
personally, won't be turning messenger back on, I see the validity of
addressing the underlying security risk first.

Thanks-
Fitz
 
Hi,

Thanks to all for this info,

In the meantime I have discovered as you point out that my computer is wide
open and this is bad. I have downloaded a free copy of ZoneAlarm and am
spending more time reading the alerts than I am reading internet content.
Yikes.

Any recommendations on good firewall software (remember that this is a home
computer on a budget).

Any recommendations on where I can learn how to properly configure a
firewall?

Thanks again.

Sean Bartleet
 
Greetings --

ZoneAlarm, even the free version, is well-regarded. The frequent
alerts do get to be a bit of a nuisance, given today's hostile
Internet environment, so I usually recommend turning off any alerts
concerning thwarted in-coming attempts.

For your comfort, you can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

WinXP's built-in firewall is fine at stopping incoming attacks, and
hiding your ports from probes. It doesn't give you any alarms to tell
you that it is working, though. What WinXP also does not do, is
protect you from any Trojans or spyware that you might download and
install inadvertently. It doesn't monitor out-going traffic at all,
much less block (or at least ask you about) the bad or the
questionable out-going packets.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even Symantec's Norton
Personal Firewall is superior by far, although it does take a heavier
toll of performance than do ZoneAlarm, Kerio, or Sygate. It's been
several years since I've been tempted to try McAfee products. Their
quality seemed to take a steep nose-dive after they were acquired by
Network Associates.

When my subscription to Symantec's updates for Norton Internet
Security 2002 came up for renewal (at a cost substantially higher than
last year's subscription), I decided to try less expensive solutions.
I downloaded and installed the free version of GriSoft's AVG (
http://www.grisoft.com/us/us_dwnl_free.php ) and the free version of
Sygate's Personal Firewall ( http://smb.sygate.com/free/default.php ).
Both have proven to be easily installed, easy to use, and quite
effective. Additionally, I was pleasantly surprised to see a small
but very noticeable improvement in my PC's performance, once I'd
replaced the Symantec product.



Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Hi,

Thank you for your reply and the detailed information. I certainly
appreciate your time and effort.

Sean
 
Greetings --

You're welcome.

Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 