
Thread: Messenger Service Infection Compromised My Port Security (Help Please)

  1. #1
    mrclean Guest

    Messenger Service Infection Compromised My Port Security (Help Please)

    WARNING: I wrote a lot of **bleep**, but I wanted to be as specific as possible... so you might want to get a drink, have a smoke, and take a bathroom break before continuing.

    I'm running XP Pro SP1 (can't upgrade to SP2, brother's computer, won't allow it), ZoneAlarm Security Suite version 7.0.337.000, Firefox 2

    Most people have probably heard of the "from SYSTEM to ALERT" virus/exploit/whatever that advertisers are using to spam users with pop-ups. I never had a problem with it until last week. Out of the blue, the infection popped up and I've been going crazy ever since. So, I disabled "Messenger Service" with GRC's "Shoot The Messenger" program (instead of manually). Before I found that tool I ran all my software to destroy whatever infected me, with all the latest updates, and in safe mode: Zone Labs, Ewido AVG, and XoftSpySE (all the pay versions, and none of them found anything suspicious).

    I wrote down the full message from the first pop-up I got; it happened as soon as I logged onto my ISP. As follows:

    Message from SYSTEM to ALERT on 9/13/07 1:48:41 AM

    STOP! IMMEDIATE ATTENTION REQUIRED

    Windows has found CRITICAL SYSTEM ERRORS.

    Download Registry Cleaner from: www.key32.com

    FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!


    Other messages varied but had the same general message of "go to this site and download this or your computer will explode". The other sites it tried to goad me into checking out were:

    www.registrycleanerxp.com
    www.xpreg32.com
    www.scanpcpro.com
    www.win32fix.com
    regupdating.com

    The Shoot The Messenger tool from GRC seems to have taken care of that (though upon restart this morning it reverted back to enabled, so I had to re-use the tool and shut it down again).

    But my biggest concern right now is that doing the GRC ShieldsUP scan revealed that I had ports open and unstealthed, which has never happened to me before when using ShieldsUP in the past. Because of how great Zone is, all my common ports have always been stealthed, so I know that I have some infection that is keeping my ports open.

    I've been trying some solutions, mostly through GRC and a little from ZASS's help file. The ports that were open for me were blackjack 1025 and UPnP 5000. I was able to close 5000 with a different GRC freeware tool, but it spooked me that it opened up after never having a problem with it before... As far as that **bleep** port 1025, I have no idea how to close it... I used the ZASS help documentation to try and familiarize myself with doing custom configuration on the firewall (something I don't know much about, and am just learning on). I went to the firewall main section and hit the custom button to manually try and close port 1025, and tried blocking incoming UDP and TCP ports, punching in the number 1025, tried blocking from Internet and Trusted Zone, tried blocking all incoming fancy-named incoming **bleep**, and still... port 1025 just wouldn't die.

    So I'm really hoping someone can help me nip this in the bud, because I'm just about at meltdown... I'm sure everyone's been there. One other thing I did with help from GRC was disable DCOM. I really want to disable "Client for Microsoft Networks" and "File and Printer Sharing", but the instructions from GRC don't work for me, probably because I'm on a modem, so I'm afraid to touch anything for fear of killing my computer.

    If disabling Messenger Service made everything go back to normal (as in stealth) then I wouldn't be thinking there was still something lurking on my rig (not as much anyway)... but because there are still problems, it looks pretty obvious to me that there is an infestation, probably just too new to detect, or maybe it tweaked my computer's configuration, or worse, my SS's configuration. Thanks to anyone who took the time to read my 10 mouthfuls... you know, on second look, it actually doesn't look like that much.

    Operating System:Windows XP Pro
    Software Version:5.x
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Messenger Service Infection Compromised My Port Security (Help Please)

    Try the SuperantiSpyware (freeware version), just in case there is some variation of SmitFraud or SpywareQuake installed on the PC.

    As for the open/unstealthed ports, make sure there are no applications listed in the Zone Alarm Program list with server rights for the Internet Zone.

    Open the Run and type in command and Ok. In the Command type in netstat -ano and hit the enter key. Cross reference the PID of the application/in use with the PID of the Task Manager. This will show you what is running and what and where it is going to.
    A nice application that does the same is the Process Explorer, but it has to be fully explored to see its capabilities.

    If this applies to XP SP1, then follow this advice...

    Open the DCOM Config under the Component Services tree in the Console Root of the Component Services (found in the Administrative Tools of the Control Panel) and disable any messenger. Or open the Run and type in dcomcnfg and OK and then disable the messenger or any NetBIOS.

    Open the Properties of the NetWork Connections and disable the NetBIOS over TCP/IP in the WINS found in the Advanced button of the Properties of the Internet Protocol (TCP/IP). Also disable the LMHosts.

    Disable any File and Printer Sharing or Microsoft Networks in the General tab of the Properties of the network connections. This will close the BIOS ports and a few others.

    Open the Run and type in regedit.exe and OK
    In the regedit do the following changes (or create as needed) (this will tighten the security of the PC, permanently close some ports and help prevent the PC from allowing itself to act as a server):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM (REG_SZ)
    Set to: N


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
    Value: DCOM Protocols
    Remove ncacn_ip_tcp

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
    Value: MaxCachedSockets (REG_DWORD)
    Set to: 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    SmbDeviceEnabled (REG_DWORD)
    Set to: 0

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
    REG_DWORD
    AutoShareServer
    Set to: 0
    AutoShareWks
    Set to: 0

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes\
    NullSessionPipes
    (Delete all value data INSIDE this key)
    NullSessionShares
    (Delete all value data INSIDE this key)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
    Machine
    (Delete all value data INSIDE this key)

    There are some details here about ports and services and applications. Also see Implementing Basic TCP/IP Security
    Open the Properties of My Computer and under the Remote, disable the Remote Assistance. This will stop the Remote entry from internet servers or PCs.

    Check the services listing at blackviper for disabling extra services that are a security risk.

    Oldsod

    Message Edited by Oldsod on 09-15-2007 10:20 PM
    Best regards.
    oldsod
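One way to verify that the registry values listed in this post are actually in place (and still in place after a reboot) is to export the keys with regedit (File > Export, or `regedit /e file.reg <key>`) and audit the .reg text offline. The script below is an added example, not a ZoneAlarm tool or Oldsod's own procedure; the export it reads is constructed for illustration, and it reads NullSessionPipes, NullSessionShares and Machine as values under their parent key, which is how a regedit export records them.

```python
"""Audit an exported .reg fragment against the hardening values in this thread.

Added example, not from ZoneAlarm or any poster. Assumes the keys were
exported with regedit and the resulting text is read offline.
"""
import re

# Constructed export: most settings are in place, but DCOM Protocols still
# lists ncacn_ip_tcp, SmbDeviceEnabled has gone back to 1, and AutoShareWks
# is missing altogether, the kind of reversion a reboot can produce.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"MaxCachedSockets"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SmbDeviceEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"NullSessionPipes"=hex(7):00,00
"NullSessionShares"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths]
"Machine"=hex(7):00,00
"""

LM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# (key, value name, check on the decoded value, description). A value that is
# absent decodes to None; for the "delete the data" entries absent is fine.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", lambda v: v == "N", "EnableDCOM = N"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc", "DCOM Protocols",
     lambda v: v is None or "ncacn_ip_tcp" not in v, "ncacn_ip_tcp removed"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters",
     "MaxCachedSockets", lambda v: v == 0, "= 0"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters",
     "SmbDeviceEnabled", lambda v: v == 0, "= 0"),
    (LM, "AutoShareServer", lambda v: v == 0, "= 0"),
    (LM, "AutoShareWks", lambda v: v == 0, "= 0"),
    (LM, "NullSessionPipes", lambda v: not v, "empty"),
    (LM, "NullSessionShares", lambda v: not v, "empty"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths",
     "Machine", lambda v: not v, "empty"),
]


def _decode(value):
    """Turn the right-hand side of a .reg line into a Python value."""
    if value.startswith('"') and value.endswith('"'):          # REG_SZ
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("dword:"):                             # REG_DWORD
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":   # REG_MULTI_SZ: UTF-16LE strings, NUL separated
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw
    return value


def parse_reg_export(text):
    """Return {key (lower-case): {value name (lower-case): decoded value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending:
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1].lower()
                keys.setdefault(current, {})
                continue
            if not line or line.startswith(";") or current is None:
                continue
        pending += line
        if pending.endswith("\\"):        # hex data continues on the next line
            pending = pending[:-1]
            continue
        name, _, value = pending.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name.lower()] = _decode(value)
        pending = ""
    return keys


def audit(keys):
    """Check every expected value; returns one result dict per entry."""
    results = []
    for key, name, check, want in EXPECTED:
        value = keys.get(key.lower(), {}).get(name.lower())
        results.append({"key": key, "value": name, "present": value is not None,
                        "ok": check(value), "want": want})
    return results


if __name__ == "__main__":
    for r in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("OK  " if r["ok"] else "FAIL", r["value"], "wanted", r["want"],
              "" if r["present"] else "(value not present)")
```

Run it against an export taken right after applying the settings, keep that export, and run it again after the next reboot; any entry that flips to FAIL is one that something on the machine is rewriting.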

  3. #3
    mrclean Guest

    Re: Messenger Service Infection Compromised My Port Security (Help Please)

    I downloaded SuperAntiSpyware, updated and ran it in safe mode... it found only a few tracker cookies:
    adware.tracking cookie
    atdmt
    ads.addynamix

    And I've had those on my computer forever; no anti-virus program I've ever tried has permanently removed them, unless I just pick them up every time I surf... not sure. I did install the program with my anti-virus protection running, which is something I normally don't do, but I wanted to save some time with a restart to grab the updates ASAP... and that "don't install with protection on" rule is bendable sometimes, I've noticed. In retrospect it was a mistake, but dammit, eh.

    I went through all my programs, and most were question-marked or X'd out already, but I did find these:

    COM
    generic host process (svchost.exe) - could cause crashes, zone recommends leaving it alone
    microsoft distributed transaction coordinator
    ntvdm
    run a dll as an app (rundll32.exe) could cause crashes, zone recommends leaving it alone
    set16.tmp through setB.tmp (no policy update or path shown, all had server access half email)
    software updater (Mozilla updater.exe)
    spybot search and destroy
    spybot teatimer
    updater for spybot
    windows installer (msiexec.exe)

    I X'd them all except for the two that Zone warned me not to touch. I didn't X all the question-marked ones yet, but I will.

    I ran command / netstat -ano (very cool tool, by the way):
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-2001.

    C:\DOCUME~1\ADMINI~1>netstat -ano

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 796
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 832
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 1308
    TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING 2328
    TCP 0.0.0.0:1045 0.0.0.0:0 LISTENING 2328
    TCP 0.0.0.0:1100 0.0.0.0:0 LISTENING 2328
    TCP 0.0.0.0:1157 0.0.0.0:0 LISTENING 2328
    TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING 1260
    TCP 0.0.0.0:3261 0.0.0.0:0 LISTENING 1260
    TCP 67.150.254.119:139 0.0.0.0:0 LISTENING 832
    TCP 67.150.254.119:1100 4.79.142.192:80 ESTABLISHED 2328
    TCP 67.150.254.119:1157 216.143.70.73:443 ESTABLISHED 2328
    TCP 127.0.0.1:1042 127.0.0.1:1043 ESTABLISHED 2328
    TCP 127.0.0.1:1043 127.0.0.1:1042 ESTABLISHED 2328
    TCP 127.0.0.1:1044 127.0.0.1:1045 ESTABLISHED 2328
    TCP 127.0.0.1:1045 127.0.0.1:1044 ESTABLISHED 2328
    UDP 0.0.0.0:445 *:* 4
    UDP 0.0.0.0:500 *:* 632
    UDP 0.0.0.0:1032 *:* 960
    UDP 0.0.0.0:1038 *:* 960
    UDP 0.0.0.0:1097 *:* 960
    UDP 0.0.0.0:1098 *:* 960
    UDP 67.150.254.119:123 *:* 832
    UDP 67.150.254.119:137 *:* 832
    UDP 67.150.254.119:138 *:* 832
    UDP 127.0.0.1:123 *:* 832

    C:\DOCUME~1\ADMINI~1>

    I wasn't exactly sure what you meant by cross-reference the PID with Task Manager, but I think I got it right. I checked the Processes tab while the netstat was still active and I'm pretty sure it's lxcecoms.exe, my evil printer driver... it was third down both times when I ran netstat. I ran it once before I installed the anti-spyware program because I was excited to check it out; the first time I ran it, the PID was number 836 but now it's 832. I don't have any experience with PID checking or netstat so I thought it would be best to post the log. PID means program ID, right?

    I opened up the DCOM config and found a component called "messenger private object". Under the Location tab, I unchecked "run application on this computer". Under the Security tab the launch, access, & configuration permissions were set to allow; instead of fidgeting with them I left them as they were and went to the Endpoints tab and clicked "disable protocol sequence" TCP/IP. I'm not sure if I did this step right, hopefully I did. When I went to double-check it and make sure everything took, it had gone back to default; then when I redid it the name "connection-oriented TCP/IP" disappeared, and then there were two, but fidgeting around a bit, I got it to go back to having a name, and redid the disable... looks like it stuck this time.

    Before I did this step, I checked to see if there was a NetBIOS component, and there was... but after successfully completing the messenger disable (I think), the NetBIOS wasn't visible in the components tree.

    I have dial-up, dunno if that changes anything. But the next step was easy to follow: I disabled NetBIOS over TCP/IP and LMHosts. I did that for my main connection and 1394 adapter (whatever the **bleep** that is).

    The next step I didn't see in the General tab, but I did see it in the Networking tab. File and Printer Sharing was already disabled, but I disabled Client for Microsoft Networks (and left QoS Packet Scheduler checked 'cause I'm not sure if I need it).

    The registry entries:
    the first one was already in place
    the second one was already removed
    the third one: added DWORD value, made value name MaxCachedSockets, was by default set to 0
    the fourth one: added DWORD value, made value name SmbDeviceEnabled, was by default set to 0
    the fifth one: added DWORD value, made value name AutoShareServer, was by default set to 0
    second entry for the fifth one: added DWORD value, made value name AutoShareWks, default 0
    the sixth entry: deleted all value data inside NullSessionPipes, NullSessionShares
    the seventh entry: deleted all value data inside Machine

    Those links you gave me look great; I'm going to spend a few days/weeks going over them. Remote Assistance disabled.

    This was my first time doing such an intricate style of procedures. I'm pretty sure I did it right, took my time... and several cig breaks. Wouldn't have known where to start if it weren't for you... I really appreciate it, you Oldsod you. REALLY appreciate it, thanks. You were great.

    PS: Out of curiosity, I was wondering: if I had just done a system revert when I found out that my stealth was compromised... would the revert have removed/disabled what screwed up my stealth in the first place?

    Update: bad news. Upon restart I decided to check some of the procedures and make sure that they stuck. Messenger did, but Client for Microsoft Networks didn't... it reverted back to its on state, and WINS also re-enabled NetBIOS over TCP/IP but didn't re-enable LMHosts. I did another ShieldsUP scan, and port 1025 is still open. The 1394 and LAN C2 are still fully disabled, but they aren't connected to the internet since I don't have high-speed... so another component has to be respawning the Microsoft network, right? I hope it didn't overwrite those registry entries too, but I'm too tired to check right now, it's 3am. I still really appreciate your help; hopefully we can hammer away at it some more tomorrow and nip it in the bud.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Messenger Service Infection Compromised My Port Security (Help Please)

    I am assuming you use no Internet Messengers. Open the Services and disable anything with the Computer Browser, Messenger, NetMeeting, Routing and Remote Access, TCP/IP over NetBIOS, UPnP and SSDP. That may help quiet things down. The QoS service can be disabled since this is for larger LAN networks with many PCs behind a large server or router.
    1394 is actually FireWire and can be disabled in the network connections (unless you have some hardware or other PC to connect to your PC).

    There are good details at BlackViper and The Elder Geek.
    I use both as guides.

    But the "bible" or the Microsoft information concerning ports related to applications and services is called Service overview and network port requirements for the Windows Server system. This does include the Windows XP operating system and covers both the ports and the protocol per service/application or usage. It is a very detailed listing.

    The system restore should not make any changes to the stealth, but I could be wrong about that.

    Any IP in the netstat that shows 127.0.0.1 (localhost or "internal IP") or 0.0.0.0 (non-routable "internal IP") does not really go out and is only listening internally.

    Ports 80 and 443 are the http and https ports, so I assume you have the browser opened and active at the time of the netstat.

    Ports 135, 137, 138, 139 and 445 are the BIOS ports used in conjunction with printers and such. These are still active, so I can see it has not been disabled yet. See if disabling the services in the beginning of this post helps (after a reboot) and makes any further reductions.

    Again, please try the Process Explorer - it has lots of details and information. In the settings for it can be found the ports used by the process, and lots of details about each process running.

    Oldsod

    Message Edited by Oldsod on 09-17-2007 04:07 PM
    Best regards.
    oldsod
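The cross-referencing Oldsod describes (netstat PIDs against Task Manager) and the reading of the listing mrclean posted can be done mechanically, which helps when a PID changes between reboots as it did here (836, then 832). The script below is an added example, not a ZoneAlarm, GRC or poster tool: it parses a captured `netstat -ano` listing (the one from this thread, abridged), classifies each listening socket by the address it is bound to, and groups the externally reachable ones by process. The PID_NAMES map is constructed for illustration; on a real check it is filled from Task Manager (View > Select Columns > PID) at the moment the listing is taken. One caveat the classification encodes: a socket bound to 0.0.0.0 accepts connections on every adapter, so only the firewall stands between it and the dial-up link, which is why the script treats just 127.x as internal.

```python
"""Map a captured `netstat -ano` listing to processes and exposure.

Added example for this thread, not a ZoneAlarm/GRC/poster tool.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# Listing as posted in the thread (abridged). UDP rows carry no State column.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1308
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING       2328
  TCP    0.0.0.0:3260           0.0.0.0:0              LISTENING       1260
  TCP    67.150.254.119:139     0.0.0.0:0              LISTENING       832
  TCP    67.150.254.119:1100    4.79.142.192:80        ESTABLISHED     2328
  TCP    67.150.254.119:1157    216.143.70.73:443      ESTABLISHED     2328
  TCP    127.0.0.1:1042         127.0.0.1:1043         ESTABLISHED     2328
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    632
  UDP    67.150.254.119:123     *:*                                    832
  UDP    67.150.254.119:137     *:*                                    832
  UDP    67.150.254.119:138     *:*                                    832
  UDP    127.0.0.1:123          *:*                                    832
"""

# Constructed map. 832 follows mrclean's own identification in the thread;
# the others are placeholders for what Task Manager's PID column would show.
PID_NAMES = {4: "System", 796: "svchost.exe", 832: "lxcecoms.exe",
             2328: "firefox.exe (assumed)"}

# The ports Oldsod singles out as the NetBIOS/SMB/RPC group on Windows XP.
WELL_KNOWN = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
              138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB"}


def parse_netstat(text):
    """Parse `netstat -ano` rows; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        ip, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, ip, int(port), remote, state, int(pid)))
    return sockets


def exposure(ip):
    """Where a socket bound to this local address can be reached from."""
    if ip.startswith("127."):
        return "loopback"            # only programs on this PC
    if ip == "0.0.0.0":
        return "all-interfaces"      # every adapter, including the dial-up one
    return "interface-bound"         # the single adapter holding that address


def externally_reachable(sockets, pid_names):
    """Listening sockets that are not loopback-only, with process and role."""
    findings = []
    for s in sockets:
        listening = s.proto == "UDP" or s.state == "LISTENING"
        if not listening or exposure(s.local_ip) == "loopback":
            continue
        findings.append({"proto": s.proto, "port": s.local_port, "local_ip": s.local_ip,
                         "exposure": exposure(s.local_ip), "pid": s.pid,
                         "process": pid_names.get(s.pid, "unknown: look up PID in Task Manager"),
                         "role": WELL_KNOWN.get(s.local_port, "")})
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


def by_pid(findings):
    """Group reachable (proto, port) pairs by owning PID."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["pid"], []).append((f["proto"], f["port"]))
    return {pid: sorted(v) for pid, v in grouped.items()}


if __name__ == "__main__":
    found = externally_reachable(parse_netstat(NETSTAT_OUTPUT), PID_NAMES)
    for f in found:
        print(f"{f['proto']:<4}{f['port']:>6}  {f['exposure']:<16}{f['pid']:>5}  "
              f"{f['process']:<36}{f['role']}")
    print(by_pid(found))
```

Reading the grouped output for PID 832 shows the point of the exercise: one process owns 139, 137, 138 and 1025, so closing 1025 is a question about that process (or the service it runs under), not about a firewall rule for the port.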

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Messenger Service Infection Compromised My Port Security (Help Please)

    See MS KB for stopping the windows messenger.

    Oldsod
    Best regards.
    oldsod
