# More PC/Internet Advice Needed (sorry)

## Roger (May 17, 2003)

I'm in trouble again!

Despite having a commercial (quite expensive) Firewall and anti-virus software...in the last few days, I have been plagued with adverts appearing at random...fortunately clean so far.

Despite downloading and running Spybot, AdAware etc...I can't seem to shift it or find where it's hiding.

Any ideas folks?

Thanks

Roger


----------



## Stan (Aug 7, 2003)

What Windows/service pack are you on, Rog?

If on XP prior to SP2, it might be coming in through the Windows Messenger port.

If so, go to: http://grc.com/default.htm

Download "shoot the messenger" and that will kill it.

If on XP SP2, Messenger is disabled, so we will need to look elsewhere.

Might be an idea to put Zone Alarm on just to find out what is trying to call out?


----------



## rhaythorne (Jan 12, 2004)

Note that "Shoot the Messenger" actually disables the Messenger service which may not be a good idea depending on your particular environment, although it's probably perfectly fine if you're just on a stand-alone home machine.

If you're running a firewall, it's a better idea to check its configuration and make sure that you're not exposing TCP/UDP Ports 135-139 to the Internet. This has the same result as "Shoot the Messenger" whilst allowing internal messaging to continue uninterrupted.

If that doesn't fix it you could also try running "hijackthis" which may reveal the culprit. There are loads of places from which you can download this utility so best to Google for it and take your pick. If you do run this you can send me the resulting log file if you like and I'll have a look through it.


----------



## Roger (May 17, 2003)

Thanks again Guys...

Stan

I have XP Pro with SP2 and loads of updates.

Ray,

I downloaded "shoot the messenger" and, so far, all seems to be quiet.

Do you only need to run it once? Or perhaps, how do you disable Messenger completely?

If I get any more, I will send you a log from "HijackThis".

Roger


----------



## rhaythorne (Jan 12, 2004)

If you go to Start > Programs > Administrative Tools > Services, you will see that a service called Messenger is now disabled. That's what "Shoot the Messenger" does when you run it. You can do the same thing yourself by right-clicking the Messenger service, selecting Properties and then choosing Stop and adjusting the Startup Type to Disabled.

However, if the pop-up ads you were receiving were indeed being delivered via the Messenger service it suggests that your firewall is not configured properly because you have a TCP or UDP Port between 135 and 139 open to the Internet. Ideally you need to close them off.
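As an added example (not code from anyone in this thread, and not how McAfee or any other product actually stores its rules), here is the check rhaythorne describes modelled in Python: a small inbound rule set is evaluated for each TCP and UDP port from 135 to 139, once from a constructed public address and once from a constructed LAN peer, so you can see a rule set that exposes the Messenger range to the Internet beside one that keeps it LAN-only. First-match-wins ordering, a default of block when nothing matches, the rule names and the address ranges are all assumptions made for the illustration.

```python
"""Audit a host firewall rule set for ports 135-139 reachable from the Internet.

Added example: the rule model, first-match semantics and default-block behaviour
are assumptions for illustration, not any firewall product's real rule format.
"""
from dataclasses import dataclass
import ipaddress

# Constructed probe source from the 203.0.113.0/24 documentation range; any public
# address would do, it simply has to fall outside the private ranges.
INTERNET_PROBE_SOURCE = ipaddress.ip_address("203.0.113.10")
LAN_HOST = ipaddress.ip_address("192.168.0.5")      # constructed LAN peer
MESSENGER_PORTS = range(135, 140)                    # 135-139 inclusive


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str       # "tcp", "udp" or "any"
    ports: tuple        # (low, high), inclusive
    remote: str         # CIDR the remote peer must fall within for the rule to match
    action: str         # "allow" or "block"

    def matches(self, protocol, port, source):
        if self.protocol not in ("any", protocol):
            return False
        low, high = self.ports
        if not low <= port <= high:
            return False
        return source in ipaddress.ip_network(self.remote)


def evaluate(rules, protocol, port, source):
    """Inbound decision for one probe: first matching rule wins, no match means block."""
    for rule in rules:
        if rule.matches(protocol, port, source):
            return rule.action, rule.name
    return "block", "<default>"


def exposed_messenger_ports(rules, source=INTERNET_PROBE_SOURCE):
    """Every (protocol, port, rule name) in 135-139 that an Internet host may reach."""
    exposed = []
    for protocol in ("tcp", "udp"):
        for port in MESSENGER_PORTS:
            action, name = evaluate(rules, protocol, port, source)
            if action == "allow":
                exposed.append((protocol, port, name))
    return exposed


def lan_messaging_allowed(rules, peer=LAN_HOST):
    """True when a LAN peer can still reach all of 135-139, i.e. internal messaging works."""
    return all(evaluate(rules, proto, port, peer)[0] == "allow"
               for proto in ("tcp", "udp") for port in MESSENGER_PORTS)


# Constructed "before": a sharing rule meant for the LAN but scoped to any remote address.
WEAK_RULES = [
    Rule("File and Printer Sharing", "any", (135, 139), "0.0.0.0/0", "allow"),
    Rule("Replies to outbound connections", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
]

# Constructed "after": the same service limited to the home LAN, plus an explicit block of
# 135-139 from everywhere else, so internal messaging continues while the Internet is shut out.
HARDENED_RULES = [
    Rule("File and Printer Sharing (LAN only)", "any", (135, 139), "192.168.0.0/24", "allow"),
    Rule("Block Messenger/NetBIOS from Internet", "any", (135, 139), "0.0.0.0/0", "block"),
    Rule("Replies to outbound connections", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "exposed:", exposed_messenger_ports(rules),
              "LAN messaging:", lan_messaging_allowed(rules))
```

The weak set reports all ten protocol/port pairs as exposed, the hardened set reports none, and both still let the LAN peer through; that is the distinction between "Shoot the Messenger" (service gone everywhere) and a firewall fix (service reachable only where it should be).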


----------



## Stan (Aug 7, 2003)

Maybe a trip to Shields Up! https://www.grc.com/x/ne.dll?bh0bkyd2 would be a good idea Rich? Just in case there are other ports visible?

Is there any problem with running a software firewall alongside a hardware one?


----------



## rhaythorne (Jan 12, 2004)

Stan said:

> Maybe a trip to Shields Up! https://www.grc.com/x/ne.dll?bh0bkyd2 would be a good idea Rich? Just in case there are other ports visible?


Definitely a good idea.

> Is there any problem with running a software firewall alongside a hardware one?


A host based firewall (i.e. a software firewall on a PC for example) running behind a hardware firewall is entirely feasible; in fact that's what I do myself. It can sometimes start to get a bit tricky though when you want to do more complicated stuff like setting up VPNs perhaps, or running FTP in PORT mode, using NAT, or running the host based firewall on something like a Domain Controller for example. When doing these sorts of things you occasionally find that they fail because it can be complicated to get _both_ firewalls to understand what's going on and allow legitimate traffic to pass whilst still blocking everything else. But generally speaking, yes, it's perfectly OK.


----------



## Roger (May 17, 2003)

> However, if the pop-up ads you were receiving were indeed being delivered via the Messenger service it suggests that your firewall is not configured properly because you have a TCP or UDP Port between 135 and 139 open to the Internet. Ideally you need to close them off.


Er um, Ray, not sure what that means!

I am using McAfee Security.

Roger


----------



## rhaythorne (Jan 12, 2004)

I'll attempt a fly-by tour of Ports.

The various applications and services running on computers talk to each other on different "Ports". For example, when you open your web browser and connect to RLT's website or this forum, a Port >1023 is opened up on your PC and it connects to RLT's web server on Port 80. Ports <1024 are used for particular services. So, for example, Port 80 is for web servers, 20 and 21 are for FTP, 23 is for Telnet, 25 is for SMTP (email), 53 is DNS, and so on. Ports 1024 and above are known as "ephemeral" ports - temporary ports opened up to allow a machine to connect to a particular service. There are 65535 ports for TCP and 65535 ports for UDP.

The purpose of your firewall is to close or hide all unnecessary ports on your PC from the Internet so that intruders can't see and connect to them. It just so happens that the Messenger Service (which you've now disabled) can be connected to and receive "net send" messages on Ports between 135 and 139. Whilst "Shoot the Messenger" is a neat utility, it's potentially just hiding the symptoms and not actually fixing the real problem. If the pop-up ads you were receiving were coming via the Messenger service from an external source, it implies that you have Ports 135-139 open to the Internet allowing someone to send you ads via the "net send" command.

I'm afraid I don't know anything about the McAfee firewall so I don't know how to configure it, but somewhere you should be able to add a rule to block these Ports or possibly remove a rule which is allowing them.

Follow Stan's advice and try the Shields Up Port Scan and see what the results are. Ideally Ports you're not actively using should be shown to be "Stealthed", which means that your firewall is blocking connection attempts and not replying at all, effectively making your PC invisible to the outside world. "Closed" Ports are ones where your machine is actively responding to the connection attempt with a "go away, I'm not listening" response. This prevents connection but reveals the presence of the machine on the Internet. An "Open" Port is one where your PC is saying "Hello, I'm listening" and will accept a connection.
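Added example, not code from the thread: a small Python classifier that applies the Stealthed/Closed/Open distinctions above to a constructed set of probe outcomes and produces the kind of summary a Shields Up grid gives you. It goes slightly beyond the post by covering UDP as well, where silence is ambiguous: a firewall that drops the probe and a listening service that simply never answers look identical, so the code marks that case as unconfirmed rather than calling it stealthed outright. The response names, the probe list and the service labels are all constructed for the illustration.

```python
"""Interpret port-probe outcomes in the Stealthed / Closed / Open vocabulary.

Added example with constructed input; the response labels are this script's own.
"""
from collections import Counter

# Well-known service ports named in the thread, used only to label findings.
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
              135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}


def classify(protocol, response):
    """Map one probe's response to a status.

    TCP: "syn-ack" = the host accepted the handshake (Open), "rst" = it replied
    "go away" (Closed), "none" = no reply at all (Stealthed).
    UDP: "udp-reply" = the application answered (Open), "icmp-unreachable" = the
    host said nothing is listening (Closed), "none" = ambiguous, see below.
    """
    if protocol == "tcp":
        table = {"syn-ack": "Open", "rst": "Closed", "none": "Stealthed"}
    elif protocol == "udp":
        # A dropped UDP probe and a listening service that ignores junk both produce
        # silence, so UDP silence can only be reported as stealthed-but-unconfirmed.
        table = {"udp-reply": "Open", "icmp-unreachable": "Closed",
                 "none": "Stealthed (unconfirmed)"}
    else:
        raise ValueError(f"unknown protocol {protocol!r}")
    if response not in table:
        raise ValueError(f"{response!r} is not a possible {protocol} outcome here")
    return table[response]


def is_ephemeral(port):
    """Ports 1024 and above are the temporary client-side ports the post describes."""
    return port >= 1024


def report(probes):
    """probes: iterable of (protocol, port, response).

    Returns (Counter of statuses, list of (protocol, port, service, status) for every
    probe that was not stealthed), i.e. the squares that would not be green.
    """
    summary = Counter()
    findings = []
    for protocol, port, response in probes:
        status = classify(protocol, response)
        summary[status] += 1
        if not status.startswith("Stealthed"):
            service = WELL_KNOWN.get(port, "ephemeral" if is_ephemeral(port) else "unassigned")
            findings.append((protocol, port, service, status))
    return summary, findings


def all_green(probes):
    """True when nothing answered at all, the result Roger reported from Shields Up."""
    _, findings = report(probes)
    return not findings


# Constructed probe results for a host with a leaky rule set.
SAMPLE_PROBES = [
    ("tcp", 21, "none"), ("tcp", 23, "none"), ("tcp", 25, "rst"),
    ("tcp", 80, "none"), ("tcp", 135, "syn-ack"), ("tcp", 139, "rst"),
    ("udp", 137, "udp-reply"), ("udp", 138, "none"), ("tcp", 3389, "none"),
]

if __name__ == "__main__":
    summary, findings = report(SAMPLE_PROBES)
    print(dict(summary))
    for finding in findings:
        print("not green:", finding)
    print("all green:", all_green(SAMPLE_PROBES))
```

On the constructed input the two Closed ports (25 and 139) reveal that a machine is there, and the Open ports (TCP 135 and UDP 137) are exactly the Messenger range the earlier posts say should never face the Internet; an all-silent list, like Roger's result, comes back green.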


----------



## Stan (Aug 7, 2003)

Roger,

As a first step to making sure you have no visible ports I would go to Shields Up and check all service ports.

It will bring up a grid of red, blue or green squares after the test. If you have any that are not green then you may have a problem.

I'm no computer security whiz but I've used Steve Gibson's site for a few years and I reckon the bloke is about as anti-hacker as you can get. He taught Micro$oft a few lessons.

If Shields Up says there is a vulnerability, you'd better believe it.

When you have identified any non-stealthed ports you can take advice (from Rich) on shutting them down.

I reckon Rich knows a lot more about security than I ever could and I would always call upon him for help if needed.

Hope you get it sorted soon Rog.


----------



## Roger (May 17, 2003)

Hi Guys,

Just visited "Shields Up" and all the port tests show as Stealthy and the matrix is all green.

Bit stuck now


----------



## rhaythorne (Jan 12, 2004)

> Just visited "Shields Up" and all the port tests show as Stealthy and the matrix is all green.


That's a good thing. Just wait and see what happens. If the pop-up ads come back, we can look for another cause.


----------



## rhaythorne (Jan 12, 2004)

By the way, if your annoying pop-up ads were using the Messenger Service, they'd look something like this:

*Messenger Service and use of the net send command to generate a pop-up message*

There are automated tools available to send large quantities of such messages to a range of IP addresses.


----------



## Roger (May 17, 2003)

Thanks for all your efforts Stan and Rich..

Let's hope they leave me in peace........in a previous bout of this stuff, one of the ads was nastily pornographic...and I had a tough time explaining to the missus what these ads were....when she first saw it...she thought that I had downloaded it.

I just wish the B**tards who did this would realise the possible consequences.

Thanks again Guys, I'm grateful.

PS, Ray...the ads were not of the type that you showed...they were full page colour types.

Roger


----------



## rhaythorne (Jan 12, 2004)

> PS, Ray...the ads were not of the type that you showed...they were full page colour types.


Hmmm, not Messenger Service spam at all then. I had my doubts when you said that all your Ports were properly stealthed as they should be. Sounds more like a conventional spyware/adware infiltration of some kind. No worries; if the ads come back, make sure you update SpyBot S&D and AdAware and try running them again. If they still don't detect anything, run HijackThis, send me the log file and I'll see if I can spot the culprit.

By the way, just to be on the safe side, if you're using a dial-up connection to the Internet, make sure that the number you're connecting to is still the correct number.


----------



## Roger (May 17, 2003)

Thanks Ray,

Will do...no, it's not dial-up...it's 1mB broadband.

Cheers,

Roger


----------



## Stan (Aug 7, 2003)

Best of luck Roger.


----------

