Messenger Service spam problems again

dontsleeponit

Hi everyone. I've been having some issues with the Windows Firewall,
and had to disable it. I do run Sygate Pro 5.5. After disabling the
Windows Firewall I am getting the classic spam through the Windows
Messenger service. I have set up Sygate to block ports 135, 137, 138,
139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up
site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the
port tests. What can be causing the spam from the Messenger service
now? Is it a worm on my computer? I don't understand how this can
happen with all of the ports blocked. I do NOT want to simply disable
the Messenger service; that would be like closing my eyes to the real
problem.

I have also updated and run both spybot S&D and Ad-Aware, found a few
minor things, but the problem persists.

Anyone have some advice for me?

Thanks.
 
dontsleeponit

I will also add that I have done the "spam yourself" function on the
Shields Up website, and the Messenger service does not pop up. I guess
this must mean something ON my computer is causing the Messenger
service spam. I can't seem to find any info out there about this; it's
all about port blocking, etc.

Also the spam I am getting is all for "registrycleanerXP" or something
along those lines.
 
Malke

> Hi everyone. I've been having some issues with the Windows Firewall,
> and had to disable it. I do run Sygate Pro 5.5. After disabling the
> Windows Firewall I am getting the classic spam through the Windows
> Messenger service. I have set up Sygate to block ports 135, 137, 138,
> 139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up
> site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the
> port tests. What can be causing the spam from the Messenger service
> now? Is it a worm on my computer? I don't understand how this can
> happen with all of the ports blocked. I do NOT want to simply disable
> the Messenger service; that would be like closing my eyes to the real
> problem.
>
> I have also updated and run both Spybot S&D and Ad-Aware, found a few
> minor things, but the problem persists.

When you say "spam from the messenger service" do you really mean that
you are getting messages from Registry Cleaner that your computer is
infected? Because 1) if your messenger service is not disabled this
means that you don't have XP Service Pack 2 installed and you should; 2)
your computer is infected with some variant of the Smitfraud trojan.

So what version of XP are you using and what Service Pack level? You can
disable the messenger service by going to:

Start>Run>services.msc [enter]

Scroll down to the messenger service, stop it, and disable it.

To remove variants of the Smitfraud trojan:

Do the preparatory steps here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Then do the specific removal steps here:
http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan -
Smitfraud, Spyaxe, Spyfalcon

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
 
Daave

> Hi everyone. I've been having some issues with the Windows Firewall,
> and had to disable it. I do run Sygate Pro 5.5. After disabling the
> Windows Firewall I am getting the classic spam through the Windows
> Messenger service. I have set up Sygate to block ports 135, 137, 138,
> 139, 445, and 1025 for both TCP and UDP. I have gone to the Shields Up
> site https://www.grc.com/x/ne.dll?bh0bkyd2 , and I pass all of the
> port tests. What can be causing the spam from the Messenger service
> now? Is it a worm on my computer? I don't understand how this can
> happen with all of the ports blocked. I do NOT want to simply disable
> the Messenger service; that would be like closing my eyes to the real
> problem.
>
> I have also updated and run both Spybot S&D and Ad-Aware, found a few
> minor things, but the problem persists.
>
> Anyone have some advice for me?

As Malke pointed out, you may have been infected with Smitfraud or one
of its variants. That is, even though it appears you have Messenger
Service spam, you very well may have malicious software already running
on your PC that produces windows that look like Messenger spam.

Even though you stated you didn't want to disable the Messenger service,
do it anyway. :) (temporarily, as a diagnostic tool). This way if the
windows keep popping up, you'll know it's not Messenger spam. Then
follow her instructions/links and you should be fine.

If it is Messenger spam, make sure you also block incoming traffic to
UDP 1026-1029. Also make sure you block TCP 593, 4444 and UDP 69,
and keep your system patched with the latest security updates. Hopefully
that'll do it.

Good luck!
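As an added example that is not part of the thread, the triage Daave and Malke describe can be written down as a small Python helper: parse the output of `sc query Messenger` and `netstat -ano`, check which processes are bound on the ports the thread lists (the poster's 135/137/138/139/445/1025 plus Daave's UDP 1026-1029), and decide whether popups that survive stopping the Messenger service point at a local program rather than real net send traffic. Both command outputs below are constructed samples, not captures from the poster's machine.

```python
import re

# Ports named in this thread as the inbound path for Messenger (net send) spam.
MESSENGER_PATH_PORTS = {135, 137, 138, 139, 445, 1025, 1026, 1027, 1028, 1029}

# Constructed `sc query Messenger` output: the service has been stopped.
SC_QUERY_SAMPLE = """\
SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""

# Constructed `netstat -ano` output; PIDs are made up for the example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1884
  UDP    0.0.0.0:1026           *:*                                    1012
  UDP    0.0.0.0:1029           *:*                                    1884
"""


def messenger_running(sc_output):
    """True when the STATE line of `sc query Messenger` reports RUNNING."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_output)
    return bool(m) and m.group(1) == "RUNNING"


def exposed_listeners(netstat_output):
    """Return (proto, port, pid) for sockets bound on the thread's port list.

    TCP entries must be LISTENING; UDP has no state column, so any bound
    UDP socket on those ports is reported. Header and blank lines are skipped.
    """
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if port not in MESSENGER_PATH_PORTS:
            continue
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        hits.append((proto, port, int(parts[-1])))
    return hits


def triage(popups_persist, sc_output):
    """Daave's test: stop Messenger, then see whether the popups continue."""
    if messenger_running(sc_output):
        return "inconclusive"      # service still up; stop it before judging
    if popups_persist:
        return "local-malware"     # fake alerts drawn by a program on the PC
    return "messenger-spam"        # stopping the service stopped them: block ports
```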