"Messenger Service" popups...


ukb008
12th June 2006, 23:54
Hi, PROs.

I run Windows XP (genuine copy) and AVG-Free antivirus. Recently I have been noticing that as soon as I go onto the net, a pop-up window arrives saying:

Message from WINDOWS to ERROR on 6/13/2006 2:11:35 AM

WARNING! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found CRITICAL SYSTEM ERRORS

To fix the errors please do the following:
1. Download Registry Repair from http://www.criticalregistryfix.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

OK

Clicking OK will immediately close this one and produce another similar window and so on. The website in the message varies but none of them exist.

I realize that this could be a virus. What do I do?

Regards.

squid_80
13th June 2006, 00:30
Get a firewall, block incoming port 139. Or disable the windows messaging service.

mod
13th June 2006, 00:53
disable the windows messaging service.
THE first thing to do with XP :goodpost:

CWR03
13th June 2006, 00:56
The fact that the "popup" links directly to a site other than Microsoft should clue you in that you're receiving an ad, not a warning message generated by Windows. You should probably get a spyware/adware cleaning and blocking program. Never click "Ok" or the linked site on any kind of pop-up if it looks at all like it may not be an actual Windows error.

ukb008
13th June 2006, 03:33
Thanks, everybody. Following your clues, I searched in Windows Help, and I found this:

Stop receiving pop-up ads that have the title Messenger Service

If advertisements open on your computer in a window titled Messenger Service, your system might not be secure. Although the name is similar, these messages—which are sometimes called "messenger spam"—are not related to Windows Messenger, MSN Messenger, or other instant messaging programs.

Disabling instant messaging programs is not necessary and will not prevent Messenger service spam. To help protect your computer, you should enable Windows Firewall (or a firewall of your choice) and also make sure that the Messenger service feature in Windows XP is disabled.

And squid_80 advised to block incoming port 139. How does one do that and what are the other consequences?

Regards.

mike1061
13th June 2006, 03:48
May I ask why port 139?
Thanks Mike

check
13th June 2006, 03:54
You should download spybot from safer-networking.org and the update, install both and run the spybot check. It's just a free tool that will check for any spyware on your computer, a very useful one too.

foxyshadis
13th June 2006, 05:07
Ouch! If you're directly connected to the internet, you're probably owned by now and sending out spam without realizing it, and it might be a good idea to reinstall. But, on the chance that it's not (or removable), get Tiny Personal Firewall (http://www.pcworld.com/downloads/file_description/0,fid,8051,00.asp) (no free versions since bought by CA, but the last is still good), look up and get Windows Defender, spybot, and adaware, and make sure AVG is up-to-date. (I'd run them in that order.)

Tiny will keep your system from being open to anyone, and the others can hopefully clean up anyone who already got on.

If you are owned, a rootkit remover (http://www.pcsupportadvisor.com/rootkits.htm) may be necessary.

ammck55
13th June 2006, 05:29
Most commonly you'll find a poorly protected Windows file/print sharing service on ports 139 and 445.

If you're on a Windows-based network that's running NetBios, it's pretty normal to have port 139 open in order to facilitate the NetBios protocol. If you're not on a network using NetBios, there's no reason to have that port open. Most networks that use NetBios and connect to the Internet also have a firewall that blocks incoming traffic on port 139, that way, you're sure that all NetBios traffic originates from within your own network. Blocking port 139 gets into denial of file sharing and remote procedure issues, but I doubt that either of these is important to you unless you're doing some heavy lifting.

Other than digging into your event logs to see what's specifically happening on your system, you probably don't need to panic. Follow the guys' advice on spyware identifier/removers and make sure you're behind a software firewall, for sure. XP has an embedded firewall that's "off" by default (I know, it's not the best, but a quick fix for the short-term); if you don't have it enabled, find it and do so. Pull up your XP help files and key in "firewall", it'll tell you how to do this. Most spyware is merely inconvenient, some is malicious; you've got to constantly be on the lookout for this junk.

ammck55

Eretria-chan
13th June 2006, 09:37
From the sound that the messenger service isn't disabled by default, I'm guessing service pack 2 isn't installed. The firewall of pre-SP2 is utter crap. There are many free, good firewalls out there, though. Some like ZoneAlarm...

If you have service pack 2, though, XP's firewall is much better than before and can be used as your default firewall, but I'd not recommend it as it really isn't that safe. A good 3rd party firewall is the best bet to go.

squid_80
13th June 2006, 09:37
Oops, I meant port 135. But blocking both is recommended anyway (plus like foxyshadis said your box is probably 0wned by now if port 135 is open).

Lenny_Nero
13th June 2006, 21:49
I hear so much about getting and keeping your antivirus up to date but I would always say a good firewall setup is far more important in this interconnected world.

There are just so many 0wn3d computers sending out spam and zombied or acting as a proxy, all without the user knowing and thinking they are safe because they have 'antivirus'.

Also the Win XP firewall does not count; this is just an M$ trick to fool you into thinking you're covered. Out of the box an XP setup can phone all of your info, software and habits back to M$ in 12 different ways, and this is without any so-called hacker (I despise this term as I am a proud hacker and there would be no home computers or internet without them) getting into the act.

GRC.com has a good firewall port checker to see if you have any problems, as well as a tool to stop the message problems, but just turning its service is all you need to do.

check
14th June 2006, 03:11
I think I believe the opposite to you Lenny, good antivirus/spybot software is far more important than a firewall. Every now and again I start up my copy of TPF, but usually I'm happy with my NOD32 + Spybot/Windows Defender setup.

Lenny_Nero
15th June 2006, 23:44
I think I believe the opposite to you Lenny, good antivirus/spybot software is far more important than a firewall.
I get worried when I hear that, because it's very hard for you to get infected without your help, i.e. you clicking something, opening an e-mail from someone you don't know/spam, whereas every IP block on the Internet is being scanned every minute of the day.
In a PC Answers test a few months ago they took a Win XP SP2 box, all fully patched and up to date, and put it onto a BB connection without any sort of firewalling protection (via the free modem), and it took on average 22 minutes for the box to get scanned and then 0wn3d. In one case it took 3 minutes! And one over 7 hours, but in effect 100% of the time.

As I say again, with a bit of common sense it's very hard to get infected with a virus or trojan. For my computers it's less than 3 times in 30 years, including being online for over 20 of them, but it's only the last 10 that this has really become a real problem, and every time I did get infected it was always because of a third party wanting to run something they have with them or checking their e-mail via my network. It's not often I have an AV scanner installed on all of my computers/boots, but I scan everything on the network once a month just in case something is inside of an archive.

ukb008
16th June 2006, 03:19
What's 0wn3d ?

Regards.

ammck55
16th June 2006, 04:04
What's 0wn3d ?
It's generally acknowledged to be urban slang that came out of the gaming genre; here's one definition:
To over take another user/lamer/network/AP/PC with hacking and attack methods
It's becoming more and more common for vulnerable pc's to be taken over, "owned", and used as spamboxes

As far as the firewall versus antivirus/spyware debate, if I had to choose one, I'd pick.....uh, why choose only one? Why not use a combination of all the tools at our disposal? I've been having good luck with a combination of hardware firewalls (routers), software firewalls (ZoneAlarm), then throw in whatever your favorite antivirus app happens to be. Once you realize that you, and only you, are responsible for the security of either your home network or single PC, you've got 90% of the problem whupped. Everything from that point on is just tinkering, and time.

[Edit] Oops, I forgot to mention that I regularly run my spyware software, too.

ammck55

feedback
16th June 2006, 09:18
I use ZoneAlarm Pro myself but it is payware. They do offer a free version of ZoneAlarm for firewall purposes which is better than the firewall in the XP version of Windows IMO.

Get it Here. (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

Lenny_Nero
16th June 2006, 22:23
It's generally acknowledged to be urban slang that came out of the gaming genre; here's one definition:
To over take another user/lamer/network/AP/PC with hacking and attack methods
It's becoming more and more common for vulnerable pc's to be taken over, "owned", and used as spamboxes
ammck55

Thanks for doing that ammck55, yep, 0wn3d is silly l33t (elite) speak, or an easy way to say that your box (computer) has come under the control of another, usually for something not good.

I have moved to an ISP that actively disconnects you from their network if you have been found to be used in this way, and the sooner all ISPs and network providers do this the better; there is also talk of you becoming liable for the costs of the cleanup if your box is used in this way.
In that same PC Answers security review it said that more than 50% of home computers in the UK have at some time been used as open relay, spam sending, or kiddy pr0n distributing boxes.

I know it's not nice, but if people did not read the spam they get or run firewalls there would not be the spam/malware problem that we have today, i.e. >60% of all e-mail traffic is spam, and then we have the fools that think it's a good idea to bounce the spam or a notification back to the return addy, which is *always* false, thereby only making the problem much worse.

I have set up 'honey pots' in the past to check networks, and for fun, and it can be within seconds you're scanned. Put it this way: even my slowest home box can scan over 1000 IP numbers per second for open ports and vulnerabilities.

I thought Zone Alarm just finally admitted to their tracking (spyware) of all the ZA firewall users?

You can do much better for free.

mike1061
17th June 2006, 01:34
Lenny_Nero
You say "even my slowest home box can scan over 1000 IP numbers per second for open ports and vulnerabilities."
Does that mean any port? or just the ones listed above?
I ask as I have a CATV ISP, with a modem, then a router.
I have one port, forwarded to one computer, to use a BitTorrent program. Can the other computers connected to the network get infected like this?
Thanks Mike

mike1061
17th June 2006, 01:36
Most commonly you'll find a poorly protected Windows file/print sharing service on ports 139 and 445.


ammck55
I thought I posted a thank you for this comment, but I don't see one. So thanks.
Mike

Lenny_Nero
17th June 2006, 19:01
Lenny_Nero
You say "even my slowest home box can scan over 1000 IP numbers per second for open ports and vulnerabilities."
Does that mean any port? or just the ones listed above?
I ask as I have a CATV ISP, with a modem, then a router.
I have one port, forwarded to one computer, to use a BitTorrent program. Can the other computers connected to the network get infected like this?
Thanks Mike

It is a bit slower if I search on all 65k ports, but there are port numbers more used to being open than closed, i.e. the default port of whatever you are using. If you want to learn, search on "port scanning" or FXP and check out the http://www.astalavista.com/index.php?section=home and astalavista site as a whole.


This IMO is a good reason to change the port often if you are going to have it open.
But if you use a basic NAT-able router it makes life a bit harder, and then you set up a software firewall rule to only allow the program you want thru and then after that (if processed in order) a rule stopping everything, so effectively blocking all but what you want to allow thru. And never use the DMZ until you really understand what it means; I come across far too many people using this when they need ports open.
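
The rule ordering described in the post above, as an added example that is not part of the original thread: a minimal first-match evaluator showing why the allow rule for the one program has to sit before the catch-all block, and what a DMZ-style "allow everything" does to ports 135, 139 and 445. Port 51413, the program names and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None means "match anything"
    port: Optional[int] = None
    program: Optional[str] = None

    def is_catch_all(self) -> bool:
        return self.proto is None and self.port is None and self.program is None

    def matches(self, proto: str, port: int, program: str) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port)
                and (self.program is None or self.program == program))

def decide(rules, proto, port, program, default="deny"):
    """Inbound decision: the first matching rule wins, later rules are ignored."""
    for rule in rules:
        if rule.matches(proto, port, program):
            return rule.action
    return default

def shadowed(rules):
    """Indexes of rules that can never fire because a catch-all precedes them."""
    for i, rule in enumerate(rules):
        if rule.is_catch_all():
            return list(range(i + 1, len(rules)))
    return []

# Constructed values: 51413 is a stand-in for the custom forwarded port and
# torrent.exe for the one program meant to receive on it.
ALLOW_APP = Rule("allow", "tcp", 51413, "torrent.exe")
GOOD_ORDER = [ALLOW_APP, Rule("deny")]    # allow the program, then stop everything
BAD_ORDER = [Rule("deny"), ALLOW_APP]     # catch-all first: the allow rule is dead
DMZ_LIKE = [Rule("allow")]                # everything let through, as with a DMZ host

# Constructed inbound probes; 135, 139 and 445 are the ports named in the thread.
PROBES = [("tcp", 135, "svchost.exe"), ("tcp", 139, "System"),
          ("tcp", 445, "System"), ("tcp", 51413, "torrent.exe"),
          ("tcp", 51413, "other.exe")]

def report(rules):
    """Map each probe to the action the rule list gives it."""
    return {probe: decide(rules, *probe) for probe in PROBES}

if __name__ == "__main__":
    for name, rules in [("good", GOOD_ORDER), ("bad", BAD_ORDER), ("dmz", DMZ_LIKE)]:
        print(name, "shadowed rules:", shadowed(rules))
        for probe, action in report(rules).items():
            print("  ", probe, "->", action)
```
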

ukb008
17th June 2006, 23:21
This is probably related to and a consequence of my problem described in my first post in this thread (post No. #1).

The essence of the first post was: My Genuine WinXP machine, protected with AVGfree antivirus (updated regularly manually), hitherto never connected to the net before, started giving "Messenger Service" popups after being connected.

Simultaneously with that, I noticed one new problem: my good old NERO throwing off this sort of error message while verifying data written after writing a disc "successfully":

Data verification failed. Sector 7946 - 334720 on disc has different content to source.

The written disc, however, reads/plays without any problem. Could this be a hoaxy message NERO is being forced to display by some malicious program?

Uninstalling NERO and reinstalling had no effect. Changing writing software to Roxio Suite 8 had no effect. It gave off similar message that a part of the written data was different than the original.

Any comments, PROs?

Regards.

Eretria-chan
17th June 2006, 23:38
I doubt your statement of spyware causing this. First, usually spyware does not interact with problems in this way and second, you did verify that it was indeed not so when switching to roxio.
Unless, of course, it had somehow corrupted system files used by both burning systems, and this is unlikely. This problem is likely a) a windows problem or b) a drive problem.

mike1061
18th June 2006, 04:59
It is a bit slower if I search on all 65k ports, but there are port numbers more used to being open than closed, i.e. the default port of whatever you are using. If you want to learn, search on "port scanning" or FXP and check out the http://www.astalavista.com/index.php?section=home and astalavista site as a whole.


This IMO is a good reason to change the port often if you are going to have it open.
But if you use a basic NAT-able router it makes life a bit harder, and then you set up a software firewall rule to only allow the program you want thru and then after that (if processed in order) a rule stopping everything, so effectively blocking all but what you want to allow thru. And never use the DMZ until you really understand what it means; I come across far too many people using this when they need ports open.

Thanks. I already had a custom port opened, not the default one. I will look over the site too.
Mike

ukb008
18th June 2006, 22:44
Unless, of course, it had somehow corrupted system files used by both burning systems, and this is unlikely. This problem is likely a) a windows problem or b) a drive problem.

Thanks for addressing this issue. What sort of Windows problem do you have in mind and what can I do about it (remember, I wrote well before venturing into the net with that machine)? If it's a drive problem, then why should the written disc read well?

Regards.

Lenny_Nero
18th June 2006, 23:11
What you have to remember is that the message popup is just a bluff to get you to go the web site where you will then get infected with something.

I have burnt many perfect disks that Nero's check calls no good in the verification. I always make my own hash, often md5, but I have been looking into others. It can't see if a file has been marked 'dirty' (changed) and even though it has changed it by setting the archive bit, they have yet to sort this with Nero v6.

SeeMoreDigital
18th June 2006, 23:36
Hmmm...

For some reason "Messenger" always wants to appear in all my "Hotmail/MSN" accounts: -

http://img201.imageshack.us/img201/4160/hotmail1ay.png

And this is despite the fact I have never, ever installed "Messenger" and have removed it via "Add/Remove Windows Components" :eek:


Cheers

Eretria-chan
19th June 2006, 13:50
Thanks for addressing this issue. What sort of Windows problem do you have in mind and what can I do about it (remember, I wrote well before venturing into the net with that machine)? If it's a drive problem, then why should the written disc read well?

Regards.
If the "drive" is faulty, then I'd expect maybe it would do something wrong as in unable to verify the disc, but read it. Makes sense.
To figure that out, I'd try to put it in another computer and see if it acts the same. It could be bugs in the software, too, though, I guess... a firmware update may also shed light on the problem. If there is one.

Lenny_Nero
19th June 2006, 23:44
Hmmm...

For some reason "Messenger" always wants to appear in all my "Hotmail/MSN" accounts: -
Cheers
This is not the same "Messenger" as the popups the OP had problems with; in the usual M$ world they are two things that are 'sort' of the same but not.
It is a way for people working on the same LAN to get in touch with another user on the subnet/work group.

The "Messenger" you see in the Hotmail window is its ability to integrate the "Messenger" IRC client so you can see if any 'buddies', I think they are called, are online in the interweeb, and then ping them or whatever.

It's not a problem because it is just part of the page and not really any ref to your not-installed "Messenger".