
Messenger Service


13 replies to this topic

#1 myissues

Posted 11 April 2007 - 01:08 AM

Hello,

I have had a problem arise on my computer: a grey box pops up saying Messenger Service, and the box that repeatedly comes up has several .com sites that it wants me to visit to clear the registry. The most popular is key32.com. I have gone through all the steps and downloads that were required/recommended in order to use this post for my log. I should add that the pop-up only seems to be a problem when the computer is connected to the internet. I ran all the anti-malware tools, Spybot, ewido, adware, Panda, ATF, etc., and the box still comes up. Here is the log. I thank you for all of your help. Also, I would like to know, after everything is cleared up, how many of the downloaded tools have to stay on the computer? It seems like I put A LOT into it today. Will it affect the performance?



Logfile of HijackThis v1.99.1
Scan saved at 1:49:21 AM, on 4/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176279010797
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{101C11F2-7D86-4F72-ABEB-BB1F2F13AA89}: NameServer = 69.72.104.3 69.72.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{101C11F2-7D86-4F72-ABEB-BB1F2F13AA89}: NameServer = 69.72.104.3 69.72.0.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 -David-

Posted 11 April 2007 - 02:24 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

We can help you, but first you need to help us.
Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit this page and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.

When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

The Windows "Messenger Service" is being exploited to spray the Internet with unsolicited commercial eMail. The receipt of a single UDP packet can cause a "Messenger Service" dialog to pop-up on the user's screen. It is possible for the sender to "spoof" (falsify) the packet's "Source IP", making these packets impossible to trace back to their origin................

The first thing to understand is that the Windows Messenger Service is completely different from, and not in any way related to, "MSN Messenger", "Windows Messenger", or any other well-known instant messaging system. Therefore, disabling the Windows Messenger service will have no effect upon your use of any other instant messaging applications. They will continue to work without trouble.

The way to block the spam is to turn off the Messenger Service.
Click Start>>Settings>>Control Panel

--Double click Administrative Tools
--Double click Services
--Double click Messenger
--Under Service Status, click Stop
--In the box next to Startup Type, select Disabled
--Click Apply>>OK

Alternatively, you can download a small program that will disable the Messenger Service for you, called Shoot The Messenger.
It's available at: http://www.grc.com/stm/shootthemessenger.htm

After completing all of the above, let me know if the messenger popups have stopped.
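How the missing service pack noted in the reply above can be read off a HijackThis log, as an added example that is not part of the original thread: a small Python parser run over a constructed excerpt of the log from post #1. The function names are hypothetical, and the "SPn" tag that the parser looks for on the Platform line of a patched system is an assumption about HijackThis's output format.

```python
import re
from collections import defaultdict

# Constructed sample: header lines and a few entries taken from the log in post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:49:21 AM, on 4/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{101C11F2-7D86-4F72-ABEB-BB1F2F13AA89}: NameServer = 69.72.104.3 69.72.0.2
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

HEADER_RE = re.compile(r"^(Platform|MSIE):\s*(.*)$")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."


def parse_hijackthis(text):
    """Return (header fields, running processes, entries grouped by section code)."""
    header, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif (m := ENTRY_RE.match(line)):
            entries[m.group(1)].append(m.group(2))
    return header, processes, dict(entries)


def service_pack(header):
    """Service pack number on the Platform line; 0 when none is named (assumed 'SPn' tag)."""
    m = re.search(r"\bSP(\d+)\b", header.get("Platform", ""))
    return int(m.group(1)) if m else 0


def triage(text):
    """Summarise the points a helper reads off first: patch level, autoruns, DNS, IM client."""
    header, processes, entries = parse_hijackthis(text)
    autoruns = [m.group(1) for e in entries.get("O4", [])
                if (m := re.search(r"\[([^\]]+)\]", e))]
    dns = sorted({ip for e in entries.get("O17", []) if "NameServer =" in e
                  for ip in e.split("NameServer =", 1)[1].split()})
    return {
        "service_pack": service_pack(header),
        "autoruns": autoruns,
        "dns_servers": dns,
        # msmsgs.exe is the Windows Messenger IM client, not the Messenger service
        "windows_messenger_client": any(p.lower().endswith("\\msmsgs.exe") for p in processes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
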

#3 myissues

Posted 11 April 2007 - 11:03 AM

David,
I used the link for Windows Update that was in the list of things to do before I posted the log. I assumed when I went there that everything was updated... my bad. I will use your link now and try again. I thank you for your help. I will also try the next steps you provided and post back. Another question I have is will the firewall affect anything on my normal emails or web surfing? Will it prevent emails? I just do not want to lose anything.

Thanks Again

Will

#4 myissues

Posted 11 April 2007 - 11:16 AM

Okay,
I pulled up the list on the Microsoft site and I see a bunch of security updates, but none are labeled SP1, nor any for Service Pack 2?

#5 myissues

Posted 11 April 2007 - 11:18 AM

P.S.

The security updates are under the high-priority update page

#6 myissues

Posted 11 April 2007 - 01:48 PM

Okay, I downloaded and installed the updates, and stopped and disabled the messenger. The Zone Alarm firewall keeps popping up asking me to accept or deny several things, and I continue to say deny mainly because I do not know what these are. One common one is it says Toshiba Pinger trying to access internet. It is frustrating to see these pop up every 20 mins on the Zone Alarm, especially if I can filter some of them so they do not pop up any more.

#7 -David-

Posted 11 April 2007 - 04:39 PM

Hiya Will, glad to hear that you finally got the update installed on the PC.
Quite a few users have a problem installing service packs; I don't think the process is that user friendly, to be honest.

In regards to Zone Alarm, it is well known for its alerts; when I installed it on my own PC it threw loads of alerts about normal system activity. Have a read of this quote I found on the net whilst researching, it's quite interesting and shows you aren't alone:

ZoneAlarm is famous about creating panic among novice users because it creates alerts about "normal" network activity. It's a good idea to just turn off these alerts, since you can and you should check them anyway from the ZA logs afterwards. And if you manage to get a trojan into your computer, it's very likely that it will attempt to connect to internet which will alert ZA and notify you. And, if a trojan is trying to contact to your computer, you don't have anything to worry about as long as you have ZA running (and have not given permissions in ZA for trojans/backdoors on your computer to setup servers, etc.) so you really don't need to panic with getting dozens of "alerts" per hour.

http://www.markusjansson.net/eza.html

Here is another:

The most common complaint that I get about Zone Alarm and similar products is that it alerts too often, and for benign and valid access of the internet. That's unfortunate, because when it alerts too often for all these "false positives", people start ignoring the alerts, or turn off the feature completely. When a real problem happens they're unable to distinguish it from the noise, and frequently ignore that as well.

http://ask-leo.com/zone_alarm_firewall_do_...nat_router.html

I've been looking on the net, and I can't find any information on how to disable these alerts manually.
Can you look in the Zone Alarm settings and see if you can work out how it can be disabled?
If not I will look into it more and try and find exactly how you can do it.
Perhaps more importantly, have the messenger service popups stopped?
Let me know how you get on, David.

#8 myissues

Posted 11 April 2007 - 07:07 PM

David,

Once again I want to thank you for your help with this matter. I would like to let you know what each of the bubbles say from the firewall.

At start up the first reads Windows Explorer is trying to act as a server. I click deny.

The next one pops up immediately and says Fax Service is trying to access the trusted zone. I also click deny.

I then connect to the internet and immediately at connect it says Toshiba Pinger is trying to access the internet. I also click deny.

I also have a bubble that pops up and says this version of Windows XP is no longer secure. Upgrade to SP2. (This is not a firewall bubble; this is like an update bubble.)

Now this time when the firewall bubbles came up I clicked remember this setting before I clicked deny. And restarted the computer and reconnected and never got a bubble other than the XP update bubble.

My question/concern is do I need any of the things that I denied in the firewall bubbles ?

Oh yeah no more Messenger bubbles either.

And can I remove any of the things that I downloaded yesterday, or do I need to leave them all? It just seems like I put a lot on here.

Thanks Again

Will

#9 myissues

Posted 11 April 2007 - 09:05 PM

I have noticed another issue. When web browsing I get a "page cannot be displayed" message repeatedly. Is this due to the firewall being set at max? Where should the firewall be set? Can I lower it to medium?

#10 -David-

Posted 12 April 2007 - 04:42 AM

Ok, I think you are missing the point of what your firewall is doing. All the things that are asking for permission to do certain things are legitimate. Basically, when a program needs to use the internet, zone alarm can detect this and will ask you if you want to allow this program to use the internet. If you click deny each time, zone alarm will not allow this program access to the internet and will most likely mean that the program cannot do its task. You need to allow all these programs access to the internet so they can function normally.

This is probably the reason why you are getting "page cannot be displayed" messages.
The firewall is blocking internet access to major programs hence rendering them useless.
You need to set up Zone Alarm manually to achieve the best results.
I recommend you follow this guide here:
http://www.gnc-web-creations.com/computer-tech-tips.htm

You can remove any applications that we downloaded, but it's important that you keep any Microsoft updates.
If you have any further problems, I recommend that you post your question in the following forum, as you will receive better help there. Let them know you have had your HijackThis log checked, and it isn't a serious security issue.
AntiVirus, Firewall and Privacy Products and Protection Methods

Let me know how you get on, thanks for the detailed replies - makes my job that bit easier. :thumbsup:
David

#11 myissues

Posted 12 April 2007 - 10:20 AM

David,

I will do those suggested ideas. I didn't notice the "page not displayed" until after the Windows SP1 update.

I wanted to keep at least one of the anti-malware/spyware downloads. Is there one that is better than the others? I just did not want to delete them all. I would keep those that are important. I just thought that having 4 of the same type of tools was a lot?

Will

#12 -David-

Posted 12 April 2007 - 12:29 PM

Ok, I thought you were referring to programs that I had asked you to download; I thought you meant the Shoot-the-Messenger program I offered as a possibility to kill the messenger service that was causing the popups. You should keep Spybot as your antispyware, Norton as your antivirus and Zone Alarm as your firewall. If you keep them updated you should stay secure.
Let me know how you get on...

#13 myissues

Posted 12 April 2007 - 01:25 PM

David,
Sounds good. An update for you. I called my Internet provider and told them about the page problem; they had me remove my internet connection and then we reinstalled it. And PRESTO, I haven't had the page come up yet, and that was 2 and a half hours ago....YIIIIPPPEEEE !!! I also went through the manual setup on the Firewall, from the link you gave me. I do believe we are fixed up now. You have been great... And I am thankful for everything.

Thank You !!!

Will

#14 -David-

Posted 12 April 2007 - 01:27 PM

Glad I could help! :flowers:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.
:thumbsup: If you wish to learn how to use HijackThis to remove malware, you might like to join the Malware Removal Training Program!

If you have any additional questions just ask...
David



