How to stop Messenger Service popups?

[Ken Williams]

I keep getting Messenger Service popups. But the catch is I installed a
firewall and blocked 135, 137-139, 445, 500, etc. and tested it, they are
blocked completely. But some how I still get popups from messenger. Does
anyone know how? my firewall is kerio 2.1.4.

Heres a log snippet that sorta shows that the connections are coming into port
1026 or so on my machine. But nothing answers there. I try to telnet to port
1026 and I get connection refused.

The spammers IP is 210.5.22.10 in this example.

2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP,
210.5.22.10:32797->localhost:1026, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1026->210.5.22.10:32797, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1028->domain.net [209.51.110.150:53], Owner:
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP, domain.net
[209.51.110.150:53]->localhost:1028, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE


No matter what I still get these popups, I have no idea how.

 

[Annie E.]

Hi:
I have exact same two computers, manufactured by hp with
exact programs running in both machines. The second one
is a sort for 'Back Up' purpose.
Strangely say, ... one computer completely stopped this
annoying 'Pop Up' Messenger Service just after
put 'firewall' in XP, but the other one still keeps
popping up this messenger service even though I did
several times 'Service' Messenger Service Disabled and
Firewall for sure.
Only thing I can think of is that the one without popping
up this messenger service is I use every day and fairly
active throughout day, literally, day and night.
However, the other/second machine is I rarely open and
use, ... maybe just few times a week.
However, the number/days of 'usage' is something to do
with this, ... I honestly don't know.
Either way, it seems to me VERY tough for anyone to get
rid of this, annoying pop-up, messenger service.
Everyday when I open NG, there are two or three messages
regarding Messenger Pop-Up like yours.

Hopefully, some GOOD solution would arrive soon.
Annie E.

-----Original Message-----
I keep getting Messenger Service popups. But the catch is I installed a
firewall and blocked 135, 137-139, 445, 500, etc. and tested it, they are
blocked completely. But some how I still get popups from messenger. Does
anyone know how? my firewall is kerio 2.1.4.

Heres a log snippet that sorta shows that the

connections are coming into port

1026 or so on my machine. But nothing answers there. I try to telnet to port
1026 and I get connection refused.

The spammers IP is 210.5.22.10 in this example.

2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP,
210.5.22.10:32797->localhost:1026, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1026->210.5.22.10:32797, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1028->domain.net [209.51.110.150:53], Owner:
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP, domain.net
[209.51.110.150:53]->localhost:1028, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE


No matter what I still get these popups, I have no idea how.
.

 

[Ken Williams]

Ken,

Just right-click on My Computer and go to Manage, which brings
up Computer Mangament. Expand the Services and Applications option and
click on Services. Scroll down the list on the right and double click the
Messenger Service item. Change the Startup type to Disabled, click Stop,
hit apply and say OK.

I'm trying to avoid disabling the service. I think its needed by some stuff I
do. I shouldn't have to disable it at all.

 

[Jon]

I had the same experience so I (rightly or wrongly) also blocked incoming
traffic to UDP 1026 and haven't had another pop-up since.
Jon

 

[Bruce Chambers]

Greetings --

This particular "sales method" is strikingly similar to the
"protection" rackets offered to small businesses by organized
criminals. Yes, it's a scam; no reputable business would need to
resort to extortion. Particularly since they're trying to sell you a
type of protection that is already available to you free of charge.

This type of spam has become quite common over the past few
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats. Install and use a decent,
properly configured firewall. (Disabling the messenger service, as
some people recommend, only hides the symptom, and does nothing to
secure your machine.) And ignoring or just "putting up with" these
messages and the problem they represent is particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service is a "head in the sand" approach to computer security.

The real problem is _not_ the messenger service pop-ups; they're
actually providing a useful service by acting as a security alert. The
true problem is the unsecured computer, and you've been
advised to merely turn off the warnings. How is this helpful?

Equivalent Scenario 1: Somewhere in a house, a small fire starts,
and sets off the smoke alarm. You, not immediately seeing any
fire/smoke, complain about the noise of the smoke detector, and are
advised to remove the smoke detector's battery and go back to sleep.

Equivalent Scenario 2: You over-exert your shoulder at work or
play, causing bursitis. After weeks of annoying and sometimes
excruciating pain whenever you try to reach over your head, you go to
a doctor and say, while demonstrating the motion, "Doc, it hurts when
I do this." The doctor, being as helpful as some of your respondents,
replies, "Well, don't do that."

I'm beginning to think that the people deliberately posting such
bad advice are hacker-wannabes who have no true interest in helping
you secure your system, but would rather give you a false sense of
security while ensuring that your computer is still open to
exploitation.


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

I keep getting Messenger Service popups. But the catch is I installed a
firewall and blocked 135, 137-139, 445, 500, etc. and tested it, they are
blocked completely. But some how I still get popups from messenger. Does
anyone know how? my firewall is kerio 2.1.4.

Heres a log snippet that sorta shows that the connections are coming into port
1026 or so on my machine. But nothing answers there. I try to telnet to port
1026 and I get connection refused.

The spammers IP is 210.5.22.10 in this example.

2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP,
210.5.22.10:32797->localhost:1026, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1026->210.5.22.10:32797, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: Out UDP,
localhost:1028->domain.net [209.51.110.150:53], Owner:
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2,[17/Aug/2003 13:34:57] Rule 'Log All': Permitted: In UDP, domain.net
[209.51.110.150:53]->localhost:1028, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE


No matter what I still get these popups, I have no idea how.