#21
40th Level Warrior
Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Guys, guys, guys.... it is NOT spyware. It is NOT malware. It is something that Microsoft added in to later editions of Windows called the Messenger Service. I believe it only affects Win2k and higher. 95, 98, and ME are free of it. I'm not sure if NT is or not...
What's it used for? For the network administrator to be able to send messages to all computers on the network. Think "System going down in five minutes" and that sort.
How is it being used against me? It's just a broadcast call to any computer that's open and available. You probably don't have a firewall up, do you? *tsk tsk* Time to get one... and remember rule #1: Don't click on it! There will be nothing good waiting on the other side, guaranteed.
Does anyone use it? Well, in the many companies I work with (over 300, from small to Fortune 500) and IT professionals I deal with (thousands), I have yet to find someone who uses it. That should tell you something...
How do I get rid of it? You can use Net Stop (a way I hadn't considered), but I prefer to simply disable the Messenger service entirely.
Fine. How do I DO that? Go to Control Panel, Administrative Options, Services. Find Messenger in the service list. Right-click on it and set it to disabled. Stop it if it's currently alive. And that's it. Forever (or at least until you load a service pack).
__________________
*B* Save Early, Save Often Save Before, Save After Two-Star General, Spelling Soldiers -+-+-+ Give 'em a hug one more time. It might be the last.
#22
20th Level Warrior
Join Date: December 28, 2003
Location: Kentucky
Age: 39
Posts: 2,820
....I hate to add my illustrious tech advice...as I don't consider myself an expert at anything involving computers, but Bungleau is right.
Of course, I do wonder how they managed to get your IP address...but heck, they probably save those things...you haven't had your IP blocking software forever, have you? Sure, you probably have spyware...but this is unrelated...this is just a major pain in the arse that Microshaft built into its OS...nothing more. I say that you probably have spyware because it's incredibly difficult to NOT have spyware...if your scan doesn't show up anything at all, it's probably just because your programs for scanning aren't updated...
__________________
Is that what you really want to say?
#23
40th Level Warrior
Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Thanks for the vote of confidence :)
As for how they get your IP address... it's easy. Start at 0.0.0.0 and kick off a program that cycles each number from 0 through 255. Stop when you get to 255.255.255.255, see how many nibbles you got (like emails asking if it's legit :) ), and start over. It's nothing personal. It's an open port / IP address thing. And I agree -- there's probably spyware in there as well. But that's unrelated to the Messenger stuff (unless the Messenger link was clicked on).
__________________
*B* Save Early, Save Often Save Before, Save After Two-Star General, Spelling Soldiers -+-+-+ Give 'em a hug one more time. It might be the last.
#24
Jack Burton
Join Date: August 24, 2002
Location: Aussie now in the US of A!
Age: 38
Posts: 5,403
Ok, as I have said earlier, I have run 3 scans for spyware with both fully updated Adaware SE and Spybot S&D. I also have a fully updated ZoneAlarm Pro, which has been there since the beginning.
So this doesn't make any sense. Both scans came up with maybe 5 Alexa registry finds but that's it.
#25
Jack Burton
Join Date: August 24, 2002
Location: Aussie now in the US of A!
Age: 38
Posts: 5,403
Hmmm, ok it seems that I have fixed the problem.....
I went into a command prompt and typed "net stop messenger", and it worked. I guess I misspelled it when I tried that last time. Bungleau, I have used IP scanners before, but still don't see how my IP was found, considering I have ZoneAlarm Pro, which would not allow an IP scanner to ping me, or do anything else to know I am currently active.
#26
Symbol of Cyric
Join Date: March 28, 2003
Location: Australia
Age: 38
Posts: 1,124
Quote:
I told you! I argued with lennon about it, I said that would fix the problem, and yeah! Good, I'm now happy I was right. Now just add that to autoexec.bat or to a bat file in your startup directory and it'll remove the problem. You could possibly also find it in msconfig, under the services tab, but I haven't tried; I guess it could work also.
#27
40th Level Warrior
Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Net stop will work, but you're susceptible to a net start command being issued. Disabling the messenger service in the control panel will prevent it from ever being started. IOW, do you lock the door so no one can come through, or do you wall it up so there's no door any more?
And if you were getting the message with ZAPro in place, HiveTyrant, then perhaps someone in your trusted zone is infected. If you've got a router that does logging, you could see where that traffic was coming from (what IP address) and see if you know who that is... In any case, it appears to be dead now, so good riddance...
__________________
*B* Save Early, Save Often Save Before, Save After Two-Star General, Spelling Soldiers -+-+-+ Give 'em a hug one more time. It might be the last.
#28
Symbol of Cyric
Join Date: March 28, 2003
Location: Australia
Age: 38
Posts: 1,124
How do you issue net start again other than being at the computer itself?
And that computer is at home so there is no trusted zone connected to it.
#29
40th Level Warrior
Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
All you need is a batch file that contains "net start messenger". If that gets run, the messenger service will be started back up. If someone manages to place some malware on your system, they could create such a file, run it, and have access again.
As for the trusted zone, see what zones have been defined. There *is* a trusted zone, but you may not have anyone in it. Without seeing your actual machine, there's only so much I can remotely diagnose :) My suggestion is to poke around in ZAPro, see who's being allowed to do what, and see if you agree.
__________________
*B* Save Early, Save Often Save Before, Save After Two-Star General, Spelling Soldiers -+-+-+ Give 'em a hug one more time. It might be the last.
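The difference between stopping and disabling the service discussed in posts #27 and #29, as an added example that is not part of the original thread. It assumes Windows PowerShell 2.0 or later and an elevated prompt; the function names are hypothetical, and `Messenger` is the service name used in the thread.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell prompt.
# Function names are hypothetical; 'Messenger' is the service short name from the thread.

function Get-ServiceExposure {
    param([string]$Name = 'Messenger')

    # Win32_Service exposes both the current state and the configured start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return "${Name}: not installed, nothing to start"
    }

    if ($svc.State -ne 'Stopped') {
        return "${Name}: $($svc.State), start mode $($svc.StartMode) - still running"
    }
    if ($svc.StartMode -eq 'Disabled') {
        # The "walled up" case: a later 'net start' fails until the start mode is changed.
        return "${Name}: stopped and disabled"
    }
    # The "locked door" case: stopped for now, but 'net start' (or a reboot, if Auto) revives it.
    return "${Name}: stopped, but start mode is $($svc.StartMode) - 'net start $Name' will revive it"
}

function Disable-ServicePermanently {
    param([string]$Name = 'Messenger')

    if (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue)) {
        return "${Name}: not installed, nothing to disable"
    }
    # Disable first so nothing can restart the service between the two steps.
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -Force
    Get-ServiceExposure -Name $Name
}

Get-ServiceExposure            # report only
# Disable-ServicePermanently   # uncomment to apply the change
```

A result of "stopped, but start mode is Manual" is the state left behind by `net stop messenger` alone.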