Messenger Service Popups

[Steevo]

Is there any way to remove the constant pop-up dialogs titled "Messenger
Service" which randomly appear on my screen for no reason. The constant
"visit my webcam site" offers are really beginning to annoy me.

Many thanks

Andrew

 

[scott harrison]

Stop the messenger service in control panel. and set it
not to start automaticlly

 

[Phil \(a.k.a. purplehaz\)]

Secure your hacker prone computer:

If they say messenger service in the title bar, these pop ups have nothing
to do with MSN messenger or Windows messenger. What this is a new way for
spammers to attack your computer and send you pop-up ads. If you receive
these ads it means that your computers netbios ports are wide open to the
internet and this could be a real security problem. What you should do is
install a good firewall that will block the ports the spammers use and stop
the ads. A good place to start is Zone Alarm ( www.zonelabs.com ) for an
inbound/outbound blocking firewall or use the inbound blocking only firewall
built in to XP. If needed configure the firewall to block ports 135, 137-139
and 445. Zone Alarm will block these ports by default.

Use this site to test some of your ports security:
https://grc.com/x/ne.dll?bh0bkyd2

You can/should also disable the messenger service, which is the service the
spammers exploit, but it isn't needed to stop the ads and disabling the
service will not block the open netbios ports.

Note: If the Messenger service is stopped, messages from the Alerter
service (notifications from your antivirus software, for example) are
not transmitted. If the Messenger service is turned off, any services
that explicitly depend on the Messenger service do not start, and an
error message is logged in the System event log. For this reason,
Microsoft recommends that you install a firewall and configure it to
block NetBIOS and RPC traffic instead of turning off the Messenger
service. To turn off the service goto, control panel, administrative tools,
services, find messenger, right click, properties, hit the stop button, set
startup type to manual or disabled. (be sure to stay patched at windows
update as well)

If the pop-ups appear while surfing web pages then download and install one
of the many pop-up blocker programs. Search www.download.com for popup
blocker, you'll find many free ones.

Also get a good spyware cleaner:

Spybot - http://www.safer-networking.org/

Ad-aware - http://www.lavasoft.com

 

[Phil \(a.k.a. purplehaz\)]

Although that can be a good thing to do, it is the wrong answer. Please do
not tell someone to disable the messenger service without first telling them
to install and enable a firewall. A firewall will block/hide the open ports
that the spammers use to exploit the messenger service. The correct answer
is to install and enable a firewall and then if you want disable the service
as well. But disabling alone is bad advice.

 

[Cerridwen]

Stop the messenger service in control panel. and set it
not to start automaticlly

It's a good thing you don't have the first idea what you're on about or he'd
be in serious trouble!

The below is the correct (and *ONLY*) way to cure the problem (courtesy of
Bruce Chambers MVP)

If the Messenger service is stopped, messages from the Alerter service
(notifications from your antivirus software, for example) are not
transmitted. If the Messenger service is turned off, any services that
explicitly depend on the Messenger service do not start, and an error
message is logged in the System event log. For this reason,
Microsoft strongly recommends that you install a firewall and configure it
to block NetBIOS and RPC traffic instead of turning off the Messenger
service.

This particular "sales method" is strikingly similar to the
"protection" rackets offered to small businesses by organized
criminals. Yes, it's a scam; no reputable business would need to
resort to extortion. Particularly since they're trying to sell you a
type of protection that is already available to you free of charge.

This type of spam has become quite common over the past few
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats. Install and use a decent,
properly configured firewall. (Disabling the messenger service, as
some people recommend, only hides the symptom, and does nothing to
secure your machine.) And ignoring or just "putting up with" these
messages and the problem they represent is particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service is a "head in the sand" approach to computer security.

The real problem is not the messenger service pop-ups; they're
actually providing a useful service by acting as a security alert. The
true problem is the unsecured computer, and you've been
advised to merely turn off the warnings. How is this helpful?

Equivalent Scenario 1: Somewhere in a house, a small fire starts,
and sets off the smoke alarm. You, not immediately seeing any
fire/smoke, complain about the noise of the smoke detector, and are
advised to remove the smoke detector's battery and go back to sleep.

Equivalent Scenario 2: You over-exert your shoulder at work or
play, causing bursitis. After weeks of annoying and sometimes
excruciating pain whenever you try to reach over your head, you go to
a doctor and say, while demonstrating the motion, "Doc, it hurts when
I do this." The doctor, being as helpful as some of your respondents,
replies, "Well, don't do that."

I'm beginning to think that the people deliberately posting such
bad advice are hacker-wannabes who have no true interest in helping
you secure your system, but would rather give you a false sense of
security while ensuring that your computer is still open to
exploitation.

 

[Steevo]

Secure your hacker prone computer:

If they say messenger service in the title bar, these pop ups have nothing
to do with MSN messenger or Windows messenger. What this is a new way for
spammers to attack your computer and send you pop-up ads. If you receive
these ads it means that your computers netbios ports are wide open to the
internet and this could be a real security problem. What you should do is
install a good firewall that will block the ports the spammers use and stop
the ads. A good place to start is Zone Alarm ( www.zonelabs.com ) for an
inbound/outbound blocking firewall or use the inbound blocking only firewall
built in to XP. If needed configure the firewall to block ports 135, 137-139
and 445. Zone Alarm will block these ports by default.

Use this site to test some of your ports security:
https://grc.com/x/ne.dll?bh0bkyd2

You can/should also disable the messenger service, which is the service the
spammers exploit, but it isn't needed to stop the ads and disabling the
service will not block the open netbios ports.

Note: If the Messenger service is stopped, messages from the Alerter
service (notifications from your antivirus software, for example) are
not transmitted. If the Messenger service is turned off, any services
that explicitly depend on the Messenger service do not start, and an
error message is logged in the System event log. For this reason,
Microsoft recommends that you install a firewall and configure it to
block NetBIOS and RPC traffic instead of turning off the Messenger
service. To turn off the service goto, control panel, administrative tools,
services, find messenger, right click, properties, hit the stop button, set
startup type to manual or disabled. (be sure to stay patched at windows
update as well)

If the pop-ups appear while surfing web pages then download and install one
of the many pop-up blocker programs. Search www.download.com for popup
blocker, you'll find many free ones.

Also get a good spyware cleaner:

Spybot - http://www.safer-networking.org/

Ad-aware - http://www.lavasoft.com



Many thanks for your advice, the messages do have "Messenger Service" in the
title bar, and are not website popups.
I had disabled the messenger service although since seeing your first post I
have re-enabled it.
I am currently using Norton Internet Security with the firewall installed
and, as far as I was aware working. I have just checked the general rules
section on the firewall and the "Default Inbound NetBIOS Name" and "Default
Inbound NetBIOS" are both blocked. Despite this I am still recieving the
messages. Do you know if there are any other settings I need to check/alter?
In addition to this I already have both adaware and spybot installed and I
regularly perform scans with both. As yet I have not found any items of
concern.


Many thanks

 

[Jim Byrd]

Hi Steevo - If you get popups even when your browser is not connected to the
Internet with a title bar reading "Messenger Service", then these are most
likely due to open NetBios TCP ports 135, 139 and 445 and UDP ports 135,
137-138 and a UDP port in the range of 1026-1029.. You really need to block
these with a firewall as a general protection measure. You can stop the
popups by turning off Messenger Service; however, this still leaves you
vulnerable. If you have an NT-based OS such as XP or Win2k, you should
probably also specifically block TCP 593, 4444 and UDP 69, 139, 445, and
install the very important 823980 patch from MS03-026, here:
http://support.microsoft.com/?kbid=823980 to block the Blaster worm..


See: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do.

You can test your system and follow the 'Prevention' link to get additional
information here:
http://www.mynetwatchman.com/winpopuptester.asp Unless you have very good
reasons to keep this active, it should be turned off in Win2k and XP. Go
here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.

(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
necessary ports to prevent this use of Messenger Service. I don't know the
situation with regard to other firewalls.)

Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowdays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now frequently
is) used to introduce spam via this open NetBios channel.
For a single user home computer, it normally isn't needed and can be turned
off which will eliminate the spam popups. This DOESN'T, however, remove the
vulnerability of having these ports open, when in fact they aren't needed,
since they can be perverted in other ways as well, some of which can be much
more damaging than just a spam popup.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

 

[Phil \(a.k.a. purplehaz\)]

Secure your hacker prone computer:

If they say messenger service in the title bar, these pop ups have
nothing to do with MSN messenger or Windows messenger. What this is a
new way for spammers to attack your computer and send you pop-up ads.
If you receive these ads it means that your computers netbios ports
are wide open to the internet and this could be a real security
problem. What you should do is install a good firewall that will
block the ports the spammers use and stop the ads. A good place to
start is Zone Alarm ( www.zonelabs.com ) for an inbound/outbound
blocking firewall or use the inbound blocking only firewall built in
to XP. If needed configure the firewall to block ports 135, 137-139
and 445. Zone Alarm will block these ports by default.

Use this site to test some of your ports security:
https://grc.com/x/ne.dll?bh0bkyd2

You can/should also disable the messenger service, which is the
service the spammers exploit, but it isn't needed to stop the ads and
disabling the service will not block the open netbios ports.

Note: If the Messenger service is stopped, messages from the Alerter
service (notifications from your antivirus software, for example) are
not transmitted. If the Messenger service is turned off, any services
that explicitly depend on the Messenger service do not start, and an
error message is logged in the System event log. For this reason,
Microsoft recommends that you install a firewall and configure it to
block NetBIOS and RPC traffic instead of turning off the Messenger
service. To turn off the service goto, control panel, administrative
tools, services, find messenger, right click, properties, hit the
stop button, set startup type to manual or disabled. (be sure to stay
patched at windows update as well)

If the pop-ups appear while surfing web pages then download and
install one of the many pop-up blocker programs. Search
www.download.com for popup blocker, you'll find many free ones.

Also get a good spyware cleaner:

Spybot - http://www.safer-networking.org/

Ad-aware - http://www.lavasoft.com



Many thanks for your advice, the messages do have "Messenger Service"
in the title bar, and are not website popups.
I had disabled the messenger service although since seeing your first
post I have re-enabled it.
I am currently using Norton Internet Security with the firewall
installed and, as far as I was aware working. I have just checked the
general rules section on the firewall and the "Default Inbound
NetBIOS Name" and "Default Inbound NetBIOS" are both blocked. Despite
this I am still recieving the messages. Do you know if there are any
other settings I need to check/alter? In addition to this I already
have both adaware and spybot installed and I regularly perform scans
with both. As yet I have not found any items of concern.


Many thanks

You can disable the service, that's up to you, just as long as you have a
firewall up and running and blocking the correct ports. I have no experience
with nortons firewall so I have no clue as to why it does not block the
netbios ports by default. Every firewall should and if yours isn't then I'd
try another firewall. Zone alarm and the built in firewall in xp will block
these ports by default with no configuring necessary.
Try the port scan at https://grc.com/x/ne.dll?bh0bkyd2
and see if your netbios ports are open. If so, then either setup nortons
correctly or try another firewall.

 

[Bruce Chambers]

Greetings --

Does the title bar of these pop-ups read "Messenger Service?"

This type of spam has become quite common over the past year or
so, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you most definitely open to other threats, such as the Blaster Worm
that still haunts the Internet. Install and use a decent, properly
configured firewall. (Merely disabling the messenger service, as some
people recommend, only hides the symptom, and does little or nothing
to truly secure your machine.) And ignoring or just "putting up with"
the security gap represented by these messages is particularly
foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure UDP ports
135, 137, and 138 and TCP ports 135, 139, and 445 are _all_ blocked.
You may also disable Inbound NetBIOS (NetBIOS over TCP/IP). You'll
have to follow the instructions from firewall's manufacturer for the
specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[Ian Merrithew]

I had disabled the messenger service although since seeing your first post I
have re-enabled it.

Neither the Messenger nor Alerter services are of any practical use for a
typical home user. Unless you have a piece of software that specifically
requires them, leave them off (in addition to having a firewall on,
natch). If you're not sure if you need them or not, set them to "Manual"
for a few days and see if they ever start up (i.e. before you turn your
computer off, go into Service Manager and see if they started). If they
don't, you're pretty safe to disable them.

You can get a full run-down of WindowsXP's services and a guide on whether
it's safe to disable them or not here:

http://www.blackviper.com/WinXP/service411.htm

 

[Don]

Don't listen to Cerridwen! Cerridwen has it all wrong on
the messenger service info! It's all lies. That's not
what Bruce Chambers says at all.

 

[Gary Tsang]

Install or enable a firewall.
The one built in with Windows the Internet Connection Firewall will block
those pop-ups

 

[Kevin Davis³]

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?

Don't forget that the Messenger Service would also provide a useful
service to hackers if it is not patched:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-043.asp

Setup a firewall first, but if you don't need the Messenger Service,
turn it off. If you need it, patch it. You would also be well
advised to spend $50 and buy a home router.

Be especially wary of people who would insist on having you keep the
Messenger Service on as a "helpful feature" and conveniently
forgetting to inform you that it has a very serious vulnerability that
needs to be patched immediately.

And of particular interest is that Microsoft itself and security
experts are seriously reconsidering the role of the Messenger service:

http://www.infoworld.com/article/03/10/28/HNmessengeroff_1.html

http://www.pcworld.com/news/article/0,aid,113321,tk,dn110703X,00.asp

http://news.com.com/2100-7355_3-5095935.html

http://www.cnn.com/2003/TECH/internet/11/07/microsoft.popup.reut/index.html


Here's a link where Microsoft actually outright advises the user to
turn off the Messenger Service:

http://www.microsoft.com/WindowsXP/pro/using/howto/communicate/stopspam.asp


Those who would advise not to turn off the Messenger Service for the
less than trivial unintended side benefit of being a warning is
dispensing advice which contradicts the advice of many real security
professionals.

The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert.

If you were protecting your house and you had one door that nobody
ever used and that door was really loud and squeaky, would you:

A: Keep the door unlocked all the time and actually depend on the
loud squeak of the door to be an integral part of your house alarm
system to alert you of an intruder?

or

B. Since no legitimate people would ever use the door, bar the door
shut so that there was no chance no-one could enter through it?

 

[Kevin Davis³]

Don't listen to Cerridwen! Cerridwen has it all wrong on
the messenger service info! It's all lies. That's not
what Bruce Chambers says at all.

Bruce Chamber advises to leave the Messenger Service on as an
intrusion detection system. That is bad security advice.

 

[Cerridwen]

Install or enable a firewall.
The one built in with Windows the Internet Connection Firewall will
block those pop-ups

Unless they're running AOHELL or Compuserve or any other ISP that insists on
using a proprietary front end. Don't forget they override the default port
settings, thus rendering the ICS about as useful as a paper wetsuit.