WARNING: I wrote a lot of **bleep**, but I wanted to be as specific as possible... so you might want to get a drink, have a smoke, and take a bathroom break before continuing.
I'm running XP Pro SP1 (can't upgrade to SP2, brother's computer, won't allow it), ZoneAlarm Security Suite version 7.0.337.000, Firefox 2.
Most people have probably heard of the "from SYSTEM to ALERT" virus/exploit/whatever that advertisers are using to spam users with pop-ups. I never had a problem with it until last week. Out of the blue, the infection popped up and I've been going crazy ever since. So, I disabled "Messenger Service" with GRC's "Shoot the Messenger" program (instead of manually). Before I found that tool I ran all my software to destroy whatever infected me, with all the latest updates, and in Safe Mode: Zone Labs, Ewido AVG, and XoftspySE (all the pay versions, and none of them found anything suspicious).
I wrote down the full message from the first pop-up I got; it happened as soon as I logged onto my ISP. As follows:
Message from SYSTEM to ALERT on 9/13/07 1:48:41 AM
STOP! IMMEDIATE ATTENTION REQUIRED
Windows has found CRITICAL SYSTEM ERRORS.
Download Registry Cleaner from: www.key32.com
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!
Other messages varied but had the same general message of "go to this site and download this or your computer will explode". The other sites it tried to goad me into checking out were:
The Shoot the Messenger tool from GRC seems to have taken care of that (though upon restart this morning it reverted back to enabled, so I had to re-use the tool and shut it down again).
But my biggest concern right now is that doing the GRC Shields Up scan revealed that I had ports open and unstealthed, which has never happened to me before when using Shields Up in the past. Because of how great Zone is, all my common ports have always been stealthed, so I know that I have some infection that is keeping my ports open.
I've been trying some solutions, mostly through GRC and a little from ZASS's help file. The ports that were open for me were blackjack 1025 and upnp 5000. I was able to close 5000 with a different GRC freeware tool, but it spooked me that it opened up after never having a problem with it before... As far as that **bleep** port 1025, I have no idea how to close it... I used the ZASS help documentation to try and familiarize myself with doing custom configuration on the firewall (something I don't know much about, and am just learning on). I went to the firewall main section and hit the Custom button to manually try and close port 1025, and tried blocking incoming UDP and TCP ports, punching in the number 1025; tried blocking from Internet and Trusted zone; tried blocking all incoming fancy-named incoming **bleep**, and still... port 1025 just wouldn't die.
So I'm really hoping someone can help me nip this in the bud, because I'm just about at meltdown... I'm sure everyone's been there. One other thing I did with help from GRC was disable DCOM. I really want to disable "Client for Microsoft Networks" and "File and Printer Sharing", but the instructions from GRC don't work for me, probably because I'm on a modem, so I'm afraid to touch anything for fear of killing my computer.
If disabling Messenger Service had made everything go back to normal (as in stealth), then I wouldn't be thinking there was still something lurking on my rig (not as much, anyway)... but because there are still problems, it looks pretty obvious to me that there is an infestation, probably just too new to detect, or maybe it tweaked my computer's configuration, or worse, my SS's configuration. Thanks to anyone who took the time to read my 10 mouthfuls... you know, on second look, it actually doesn't look like that much.
Operating System: Windows XP Pro
Product Name: ZoneAlarm Internet Security Suite
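As an added example that is not part of the original post: a cmd.exe batch script (PowerShell is not available on XP SP1, so it uses only the stock sc, netstat, tasklist and findstr tools, run from an Administrator account) that sets the Messenger service to Disabled so it stays off across reboots, and then shows which process and hosted services own any listener on ports 1025 and 5000, so the port can be traced to its owner instead of being blocked blind in the firewall.

```batch
@echo off
REM Added example, not from the original post. Assumes Windows XP cmd.exe run as an
REM Administrator, with the stock tools sc.exe, netstat.exe, tasklist.exe and findstr.exe.

echo === Messenger service: current state and start type ===
sc query Messenger | findstr /i "STATE"
sc qc Messenger | findstr /i "START_TYPE"

echo.
echo === Set Messenger to Disabled (survives a reboot) and stop it now ===
REM sc.exe needs the space after "start=". "sc stop" just reports an error if it is already stopped.
sc config Messenger start= disabled
sc stop Messenger

echo.
echo === TCP listeners on 1025 / 5000 and the process that owns them ===
REM netstat -ano prints the owning PID as the 5th column on TCP lines;
REM tasklist /svc lists the services running inside that process (useful when it is svchost.exe).
for /f "tokens=1,2,5" %%a in ('netstat -ano -p tcp ^| findstr /i "LISTENING" ^| findstr /c:":1025 " /c:":5000 "') do (
    echo %%a %%b  PID=%%c
    tasklist /svc /fi "PID eq %%c"
)

echo.
echo === UDP sockets on 1025 / 5000 and their owners ===
REM UDP lines have no State column, so the PID is the 4th column.
for /f "tokens=1,2,4" %%a in ('netstat -ano -p udp ^| findstr /c:":1025 " /c:":5000 "') do (
    echo %%a %%b  PID=%%c
    tasklist /svc /fi "PID eq %%c"
)

echo.
echo Reboot, then re-run the GRC Shields Up scan to confirm the ports now report as stealthed.
```

If the owner turns out to be svchost.exe, the service names printed by tasklist /svc are what to look up before deciding whether the listener is a normal Windows component or something that needs removing.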