Messenger Service problem!

helpme

I'm running a Windows XP Professional without SP2 (I know I should update it)
and I got this message from the messenger service once every minute:

Message from "a computer name" to "my computer name" on "date"
My god! Some one killed ChineseHacker-2 Monitor

I searched the net for solutions and I found out that it should be the
PE_CHIR.B worm. I also downloaded Trend Micro's special tool against this
worm, but that didn't find any malware on my computer (just like my AVG
antivirus and anti-spyware)... Trend Micro also says that I should have a
file named runouce.exe in my registry, but I haven't found it where it should
be.

So what should I try? I'm not a computer expert, so if it's possible give
simple (but good) solutions. :) Big thanks!
 
Tom [Pepper] Willett

You need to update to SP2 which disables the service. You apparently also
don't have a proper firewall running to block the incoming traffic.

"helpme" <helpme@discussions.microsoft.com> wrote in message
news:62BBEE0B-8F5D-4B2E-BC4B-2A540F712FCE@microsoft.com...
: I'm running a Windows XP Professional without SP2 (i know i should update it)
: and i got this message from the messenger service once every minute:
:
: Message from "a computer name" to "my computer name" on "date"
: My god! Some one killed ChineseHacker-2 Monitor
:
: I searched the net for solutions and i found out that it should be the
: PE_CHIR.B worm. I also downloaded trend micro's special tool against this
: worm, but that didn't find any malware on my computer (just like my AVG
: antivirus and anti-spyware )...trend micro also says that i should have a
: file named runouce.exe in my registry, but i haven't found it where it should
: be.
:
: So what should i try? I'm not a computer expert, so if it's possible give
: simple (but good) solutions. :) Big thanks!
:
:
:
 
helpme

I have ZoneAlarm firewall which worked fine until now.
About disabling the service... I already read about how to do it, but I would
like to resolve the situation. Disabling the messenger service would not
remove the worm from my PC. Am I right?

"Tom [Pepper] Willett" wrote:

> You need to update to SP2 which disables the service. You apparently also
> don't have a proper firewall running to block the incoming traffic.
>
> "helpme" <helpme@discussions.microsoft.com> wrote in message
> news:62BBEE0B-8F5D-4B2E-BC4B-2A540F712FCE@microsoft.com...
> : I'm running a Windows XP Professional without SP2 (i know i should update it)
> : and i got this message from the messenger service once every minute:
> :
> : Message from "a computer name" to "my computer name" on "date"
> : My god! Some one killed ChineseHacker-2 Monitor
> :
> : I searched the net for solutions and i found out that it should be the
> : PE_CHIR.B worm. I also downloaded trend micro's special tool against this
> : worm, but that didn't find any malware on my computer (just like my AVG
> : antivirus and anti-spyware )...trend micro also says that i should have a
> : file named runouce.exe in my registry, but i haven't found it where it should
> : be.
> :
> : So what should i try? I'm not a computer expert, so if it's possible give
> : simple (but good) solutions. :) Big thanks!
> :
> :
> :
>
>
>
 
David H. Lipman

From: "helpme" <helpme@discussions.microsoft.com>

| I have ZoneAlarm firewall which worked fine until now.
| About disabling the service...i already read about how to do it, but i would
| like to resolve the situation. Disabling the messenger service would not
| remove the worm from my PC. Am I right?
|


Totally insufficient and Messenger Service spam/scams are generated EXTERNAL to your PC
and are not caused by worms that may/may not be resident on your PC. The assumption of a
worm as the culprit is a faux conclusion.

You *NEED* to install WinXP SP2 and all post SP2 updates ASAP!


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
PA Bear

Get the machine fully patched at Windows Update ASAP!
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

helpme wrote:
> I'm running a Windows XP Professional without SP2 (i know i should update
> it) and i got this message from the messenger service once every minute:
>
> Message from "a computer name" to "my computer name" on "date"
> My god! Some one killed ChineseHacker-2 Monitor
>
> I searched the net for solutions and i found out that it should be the
> PE_CHIR.B worm. I also downloaded trend micro's special tool against this
> worm, but that didn't find any malware on my computer (just like my AVG
> antivirus and anti-spyware )...trend micro also says that i should have a
> file named runouce.exe in my registry, but i haven't found it where it
> should be.
>
> So what should i try? I'm not a computer expert, so if it's possible give
> simple (but good) solutions. :) Big thanks!
 
John McGaw

helpme wrote:
> I'm running a Windows XP Professional without SP2 (i know i should update it)
> and i got this message from the messenger service once every minute:
>
> Message from "a computer name" to "my computer name" on "date"
> My god! Some one killed ChineseHacker-2 Monitor
>
> I searched the net for solutions and i found out that it should be the
> PE_CHIR.B worm. I also downloaded trend micro's special tool against this
> worm, but that didn't find any malware on my computer (just like my AVG
> antivirus and anti-spyware )...trend micro also says that i should have a
> file named runouce.exe in my registry, but i haven't found it where it should
> be.
>
> So what should i try? I'm not a computer expert, so if it's possible give
> simple (but good) solutions. :) Big thanks!
>
>
>


Are you on a LAN? If so, you need to find the computer called "a
computer name" and scan it for malware immediately -- messenger popup
messages are communication _between_ networked computers so looking for
it on _your_ computer is almost certainly a waste of time. Oh, and
install all service packs and patches on all the computers while you are
at it.
 
helpme

No, I didn't even know who could be that person... but the worm I was talking
about should do this messenger trick. It has a nice, detailed description on
trendmicro.com
(http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)... I just can't find it on my PC.

"John McGaw" wrote:

> helpme wrote:
> > I'm running a Windows XP Professional without SP2 (i know i should update it)
> > and i got this message from the messenger service once every minute:
> >
> > Message from "a computer name" to "my computer name" on "date"
> > My god! Some one killed ChineseHacker-2 Monitor
> >
> > I searched the net for solutions and i found out that it should be the
> > PE_CHIR.B worm. I also downloaded trend micro's special tool against this
> > worm, but that didn't find any malware on my computer (just like my AVG
> > antivirus and anti-spyware )...trend micro also says that i should have a
> > file named runouce.exe in my registry, but i haven't found it where it should
> > be.
> >
> > So what should i try? I'm not a computer expert, so if it's possible give
> > simple (but good) solutions. :) Big thanks!
> >
> >
> >

>
> Are you on a LAN? If so, you need to find the computer called "a
> computer name" and scan it for malware immediately -- messenger popup
> messages are communication _between_ networked computers so looking for
> it on _your_ computer is almost certainly a waste of time. Oh, and
> install all service packs and patches on all the computers while you are
> at it.
>
 
PA Bear [MS MVP]

Right pew, wrong church. As you're running WinXP SP1 with IE6, the machine
is not vulnerable to PE_CHIR.B, which can only exploit machines running
IE5.01 and IE5.5.

Again, get SP2 and all post-SP2 critical updates installed and you won't
have to worry about Messenger Service.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


helpme wrote:
> No, i didn't even know who could be that person...but the worm i was
> talking
> about should do this messenger trick. It has a nice, detailed description
> on
> trendmicro.com
> (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)...i
> just can't find it on my PC.
>
> "John McGaw" wrote:
>
>> helpme wrote:
>>> I'm running a Windows XP Professional without SP2 (i know i should
>>> update
>>> it) and i got this message from the messenger service once every minute:
>>>
>>> Message from "a computer name" to "my computer name" on "date"
>>> My god! Some one killed ChineseHacker-2 Monitor
>>>
>>> I searched the net for solutions and i found out that it should be the
>>> PE_CHIR.B worm. I also downloaded trend micro's special tool against
>>> this
>>> worm, but that didn't find any malware on my computer (just like my AVG
>>> antivirus and anti-spyware )...trend micro also says that i should have
>>> a
>>> file named runouce.exe in my registry, but i haven't found it where it
>>> should be.
>>>
>>> So what should i try? I'm not a computer expert, so if it's possible
>>> give
>>> simple (but good) solutions. :) Big thanks!
>>>
>>>
>>>

>>
>> Are you on a LAN? If so, you need to find the computer called "a
>> computer name" and scan it for malware immediately -- messenger popup
>> messages are communication _between_ networked computers so looking for
>> it on _your_ computer is almost certainly a waste of time. Oh, and
>> install all service packs and patches on all the computers while you are
>> at it.
 
helpme

Actually I had IE5 in the past, so I could be infected!
I understand that I should update, you are all right, but that would not
remove the worm from my computer...

"PA Bear [MS MVP]" wrote:

> Right pew, wrong church. As you're running WinXP SP1 with IE6, the machine
> is not vulnerable to PE_CHIR.B, which can only exploit machines running
> IE5.01 and IE5.5.
>
> Again, get SP2 and all post-SP2 critical updates installed and you won't
> have to worry about Messenger Service.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE, OE, Security, Shell/User)
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> helpme wrote:
> > No, i didn't even know who could be that person...but the worm i was
> > talking
> > about should do this messenger trick. It has a nice, detailed description
> > on
> > trendmicro.com
> > (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)...i
> > just can't find it on my PC.
> >
> > "John McGaw" wrote:
> >
> >> helpme wrote:
> >>> I'm running a Windows XP Professional without SP2 (i know i should
> >>> update
> >>> it) and i got this message from the messenger service once every minute:
> >>>
> >>> Message from "a computer name" to "my computer name" on "date"
> >>> My god! Some one killed ChineseHacker-2 Monitor
> >>>
> >>> I searched the net for solutions and i found out that it should be the
> >>> PE_CHIR.B worm. I also downloaded trend micro's special tool against
> >>> this
> >>> worm, but that didn't find any malware on my computer (just like my AVG
> >>> antivirus and anti-spyware )...trend micro also says that i should have
> >>> a
> >>> file named runouce.exe in my registry, but i haven't found it where it
> >>> should be.
> >>>
> >>> So what should i try? I'm not a computer expert, so if it's possible
> >>> give
> >>> simple (but good) solutions. :) Big thanks!
> >>>
> >>>
> >>>
> >>
> >> Are you on a LAN? If so, you need to find the computer called "a
> >> computer name" and scan it for malware immediately -- messenger popup
> >> messages are communication _between_ networked computers so looking for
> >> it on _your_ computer is almost certainly a waste of time. Oh, and
> >> install all service packs and patches on all the computers while you are
> >> at it.

>
>
 
PA Bear [MS MVP]

Even if you'd upgraded to WinXP from an earlier Windows version and had
never installed IE6 SP1, the machine could not be infected.

Just get fully patched and move on, please.
--
~PA Bear


helpme wrote:
> Actually i had IE5 in the past, so i could be infected!
> I understand that i should update, you are all right, but that would not
> remove the worm from my computer...
>
> "PA Bear [MS MVP]" wrote:
>> Right pew, wrong church. As you're running WinXP SP1 with IE6, the
>> machine
>> is not vulnerable to PE_CHIR.B, which can only exploit machines running
>> IE5.01 and IE5.5.
>>
>> Again, get SP2 and all post-SP2 critical updates installed and you won't
>> have to worry about Messenger Service.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-Windows (IE, OE, Security, Shell/User)
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>>
>> helpme wrote:
>>> No, i didn't even know who could be that person...but the worm i was
>>> talking
>>> about should do this messenger trick. It has a nice, detailed
>>> description
>>> on
>>> trendmicro.com
>>> (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)...i
>>> just can't find it on my PC.
>>>
>>> "John McGaw" wrote:
>>>
>>>> helpme wrote:
>>>>> I'm running a Windows XP Professional without SP2 (i know i should
>>>>> update
>>>>> it) and i got this message from the messenger service once every
>>>>> minute:
>>>>>
>>>>> Message from "a computer name" to "my computer name" on "date"
>>>>> My god! Some one killed ChineseHacker-2 Monitor
>>>>>
>>>>> I searched the net for solutions and i found out that it should be the
>>>>> PE_CHIR.B worm. I also downloaded trend micro's special tool against
>>>>> this
>>>>> worm, but that didn't find any malware on my computer (just like my
>>>>> AVG
>>>>> antivirus and anti-spyware )...trend micro also says that i should
>>>>> have
>>>>> a
>>>>> file named runouce.exe in my registry, but i haven't found it where it
>>>>> should be.
>>>>>
>>>>> So what should i try? I'm not a computer expert, so if it's possible
>>>>> give
>>>>> simple (but good) solutions. :) Big thanks!
>>>>>
>>>>>
>>>>>
>>>>
>>>> Are you on a LAN? If so, you need to find the computer called "a
>>>> computer name" and scan it for malware immediately -- messenger popup
>>>> messages are communication _between_ networked computers so looking for
>>>> it on _your_ computer is almost certainly a waste of time. Oh, and
>>>> install all service packs and patches on all the computers while you
>>>> are
>>>> at it.
 
David H. Lipman

From: "helpme" <helpme@discussions.microsoft.com>

| No, i didn't even know who could be that person...but the worm i was talking
| about should do this messenger trick. It has a nice, detailed description on
| trendmicro.com
| (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)...i
| just can't find it on my PC.
|

You are making faux conclusions!

The write-up is for an email worm. This mass-mailing email worm does NOT generate NetBIOS
over IP Pop-Ups via the Messenger Service.

I already also told you this is NOT generated from your PC. It is generated outside of your
PC from the POV of the Internet.

It is indicative of the lack of a FireWall. Even the simplistic FireWall construct in a
hardware DSL/Cable Router's NAT translation would block such NetBIOS over IP Pop-Ups
(displayed in a Messenger Service window).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
helpme

Just one more thing. If the message comes through the internet then how can I
still see it even if I'm disconnected?

"David H. Lipman" wrote:

> From: "helpme" <helpme@discussions.microsoft.com>
>
> | No, i didn't even know who could be that person...but the worm i was talking
> | about should do this messenger trick. It has a nice, detailed description on
> | trendmicro.com
> | (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIR.B&VSect=T)...i
> | just can't find it on my PC.
> |
>
> You are making faux conclusions!
>
> The write-up is for an email worm. This mass-mailing email worm does NOT generate NetBIOS
> over IP Pop-Ups via the Messenger Service.
>
> I already also told you this is NOT generated from your PC. It is generated outside of your
> PC from the POV of the Internet.
>
> It is indicative of the lack of a FireWall. Even the simplistic FireWall construct in a
> hardware DSL/Cable Router's NAT translation would block such NetBIOS over IP Pop-Ups
> (displayed in a Messenger Service window).
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 
David H. Lipman

From: "helpme" <helpme@discussions.microsoft.com>

| Just one more thing. If the message comes through the internet then how can i
| still see it even if i'm disconnected?
|


Good question...

If you were using a News Client such as Outlook Express I'd ask you to post a JPEG of the
actual Pop-Up.

However, you are using the Microsoft web front-end to the News Group and so you can NOT post
attachments.

You can email me the JPEG of the Pop-Up as an attachment.
To send me email, just remove ~nospam~ from my posting email address.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
John McGaw

helpme wrote:
> Just one more thing. If the message comes through the internet then how can i
> still see it even if i'm disconnected?
>

snip...

Depends on what you mean by "disconnected". Do you mean that "I'm not
browsing the web" or do you mean that "I have completely disconnected my
computer from all external sources"? My original reply suggested that
you might have a problem within your own trusted network but you failed
to address that so I'll try asking a couple of direct questions which
you might want to answer this time around: 1) how do you connect to
the internet? (direct dialup, or over a home network, "borrow" my
neighbor's wi-fi, or by some other means) and 2) what is the mysterious
"a computer name" that you referred to in your original post and is it a
computer on your own network (assuming you have a network)?

If you are unwilling to share enough information with those who are
trying to help you and if you are unwilling to dismiss your own original
guess as to the cause of the popup it seems unlikely that you will get
any further.

John McGaw
http://johnmcgaw.com
 
helpme

Disconnected = I disconnect my system using the "disconnect" option of the
connection icon from my desktop. Then the message still pops up from time to
time. But I found out that if I unplug my network cable (physical
disconnection) then the message stops. So I also think now that you were
right and the whole thing comes from the internet not from my PC (however
this should also mean that despite I'm disconnected the worm or whatever it
is still finds a way to my computer).

1. I'm using broadband internet.
2. I don't see why it is important for you to know what is that "computer
name". But I don't have an own network and I don't know who could be that
person/computer.

I think I already told you everything what I know... I don't know what else
should you know in order to help me...
I was very very busy this week, but if I (or we) can't do anything else then
I will install the updates (or maybe format my hard disk/reinstall Windows
too).

Thanks for the help given so far.

"John McGaw" wrote:

> Depends on what you mean by "disconnected". Do you mean that "I'm not
> browsing the web" or do you mean that "I have completely disconnected my
> computer from all external sources"? My original reply suggested that
> you might have a problem within your own trusted network but you failed
> to address that so I'll try asking a couple of direct questions which
> you might want to answer this time around: 1) how do you connect to
> the internet? (direct dialup, or over a home network, "borrow" my
> neighbor's wi-fi, or by some other means) and 2) what is the mysterious
> "a computer name" that you referred to in your original post and is it a
> computer on your own network (assuming you have a network)?
>
> If you are unwilling to share enough information with those who are
> trying to help you and if you are unwilling to dismiss your own original
> guess as to the cause of the popup it seems unlikely that you will get
> any further.
>
> John McGaw
> http://johnmcgaw.com
>
 
David H. Lipman

From: "helpme" <helpme@discussions.microsoft.com>

| Disconnected = i disconnect my system using the "disconnect" option of the
| connection icon from my desktop. Then the message still pops up from time to
| time. But i found out that if i unplug my network cable (physical
| disconnection) then the message stops. So i also think now that you were
| right and the whole thing comes from the internet not from my PC (however
| this should also mean that despite i'm disconnected the worm or whatever it
| is still finds a way to my computer).
|
| 1. I'm using broadband internet.
| 2. I don't see why it is important for you to know what is that "computer
| name". But i don't have an own network and i don't know who could be that
| person/computer.
|
| I think i already told you everything what i know...i don't know what else
| should you know in order to help me...
| I was very very busy this week, but if i (or we) can't do anything else then
| i will install the updates (or maybe format my hard disk/reinstall windows
| too).
|
| Thanks for the help given so far.
|

My replies still stand. You are receiving NetBIOS Pop-Ups, using the Messenger Service
emanating from the Internet.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
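
Added example, not part of the original thread: a Python check that supports the diagnosis given in the replies above by counting inbound Messenger Service/NetBIOS packets in a firewall log, grouped by source address and by whether the firewall dropped them. The log lines are constructed (documentation-range addresses), and the watched ports (UDP 135/137/138, TCP 139) are an assumption; the thread itself names no ports.

```python
from collections import Counter

# Assumption (not stated in the thread): ports commonly used to deliver
# Messenger Service / NetBIOS-over-IP messages.
WATCHED = {("UDP", 135), ("UDP", 137), ("UDP", 138), ("TCP", 139)}

# Constructed sample in a W3C-style firewall log layout; the field order is
# read from the #Fields header, and all addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-03-01 10:00:01 DROP UDP 198.51.100.7 203.0.113.20 31337 135 412 - - - - - - -
2006-03-01 10:01:02 DROP UDP 198.51.100.7 203.0.113.20 31338 135 412 - - - - - - -
2006-03-01 10:01:30 OPEN-INBOUND TCP 198.51.100.9 203.0.113.20 4021 139 - - - - - - - -
2006-03-01 10:02:00 OPEN TCP 203.0.113.20 192.0.2.80 1040 80 - - - - - - - -
2006-03-01 10:02:05 DROP ICMP 198.51.100.7 203.0.113.20 - - 60 - - - - 8 0 -
"""


def parse_log(text):
    """Turn log text into a list of dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # ignore truncated lines
                rows.append(dict(zip(fields, values)))
    return rows


def messenger_hits(text, local_ip):
    """Return rows addressed to local_ip on one of the watched ports."""
    hits = []
    for row in parse_log(text):
        try:
            port = int(row["dst-port"])
        except ValueError:
            continue  # ICMP rows carry "-" instead of a port number
        if row["dst-ip"] == local_ip and (row["protocol"], port) in WATCHED:
            hits.append(row)
    return hits


def summarize(hits):
    """Count hits per source, split by whether the firewall dropped them."""
    blocked, passed = Counter(), Counter()
    for row in hits:
        (blocked if row["action"] == "DROP" else passed)[row["src-ip"]] += 1
    return {"blocked": dict(blocked), "passed": dict(passed)}


if __name__ == "__main__":
    print(summarize(messenger_hits(SAMPLE_LOG, "203.0.113.20")))
```

Any source listed under `passed` reached the machine and could have produced a popup; sources listed only under `blocked` were stopped at the firewall.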
 