Welcome to Bo's Security Page Index
Updated 02/18/06
Security issues and warning messages directing you to download a fix.
The short answer...DON'T!!!
For the long answer, please read on.
Reader Joey writes:
Every time I'm on the Internet, the same warnings pop up constantly: "Critical System Error - Windows Registry appears to be infected. Go to regfixes.com and download RegistryCleaner" or "Stop! Windows requires immediate attention. Windows has found critical system errors. Run Registry Repair from fixwin32.com."
I'm confused. What should I do?
It sounds like you are being bombarded through an old abuse of the Messenger service that is built into Windows and turned on by default (look for the words "Messenger Service" in the blue title bar above the actual error message).
The Messenger service was originally intended as a communication tool for network administrators to broadcast a single message to all users (e.g., "Please log off the network in 15 minutes for maintenance").
This saves the IT staff from physically having to visit every user on the network to alert them, or from hoping that users saw an e-mail and remembered to log off.
The pop-up is a great way to get a user's attention, and some deviously clever folks on the Internet figured out how to abuse this tool to send you an advertisement disguised as a Windows error message.
Microsoft does not have anything built into the operating system that would direct you to a Web site to download a repair tool, especially tools not written by Microsoft.
The reason these devious pitchmen can reach across the Internet and repeatedly send you ads is that your computer is wide open to the entire Internet: because of the way you connect, it was essentially sitting there waiting to be contacted by outsiders.
There are a number of things that you can do to eliminate this problem from ever occurring again.
The first is to disable the built-in Messenger Service in Windows that is turned on by default.
For Windows 2000 users, go to Start | Control Panel | Admin tools | and select "Services." Once in Services, locate the "Messenger" service. Right-click it and select STOP.
For Windows XP users, go to Start | Control Panel | (for those in Category View) select Performance and Maintenance | Admin tools | Services. Locate "Messenger," then right-click it and select STOP. (For those in the "classic" view, use the Win2k instructions above.)
Another reason that you are getting these messages is that you are not
protecting yourself behind a firewall. If you have a high-speed (or broadband)
Internet connection, you should strongly consider purchasing a broadband router
that essentially makes your computer invisible on the Internet. By cloaking your
system, these intruders don't have a way of knowing that you are connected.
While most of these ads are just a ploy to get you to spend your hard-earned
money, some will also try to direct you to rogue Web sites that will attempt to
get you to give up your personal information.
Identity theft is a big target of international organized crime syndicates, so
always be wary of repair or quick fix utilities. Before you download anything
into your computer, make sure you get it from a trusted source or don't download
it.
Q: Does my antivirus app protect me from new viruses?
A: If it's a variant of an existing virus, the answer is yes. Most
antivirus vendors send out generic signature file entries designed to detect the
latest variants of known virus families. If it's an unknown virus, it's hit or
miss. In addition to static signature files, antivirus apps also contain heuristics,
a set of behavior rules that identify and flag suspicious file activity, such as
a subroutine that sends copies of the file to everyone in your Outlook address
book. Heuristics vary from vendor to vendor, and some are better able to stop
unknown viruses than others.
What is svchost.exe, and why does it want permission to go onto the internet?
I wish to know what the program svchost.exe wants to do if I give it permission to access the Internet. My firewall tells me that svchost.exe wants to access the Internet. This is not related to my specific request for anything, and my inclination is to say no. But I am not certain that is the right thing to do. I have searched the Internet for svchost and svchost.exe and gotten lots of hits. The Microsoft knowledge base explains svchost but doesn't convince me I want to let it access the Internet. But it also suggests I might be wrong (note: W32Time, Dnscache…).
I could tell the firewall to never let svchost.exe have Internet access, or I could tell it to always let svchost.exe have Internet access. But I don't understand enough to know which would be best. Please help me out with this sticky security issue.
The Microsoft page describing this process is at http://support.Microsoft.com/default.aspx?scid=kb;en-us;314056
and I've wondered this myself in the past. svchost.exe runs at the request of DLLs (Dynamic Link Libraries). This can be a legitimate request from your computer's system processes or from any other DLL. More often than not it is a Microsoft process making the request, but other programs can use it too. Most of these requests are not needed for basic computer operation, but they may be needed for things such as updates to programs and the operating system.
This process (program) can be used by any other program or DLL on your computer, so it may from time to time be used with not-so-good intentions; but most of the time, traffic to the Internet from svchost.exe can be allowed safely. The good news is that you have a good firewall, one that by design does not give service utilities like this one default access. Many people do (I'm a beta tester of these things). I have firewall filters in place for this process to allow outgoing traffic only, and only to some sites. When you go to the Microsoft update site, svchost.exe must be allowed, or you cannot update your system. My firewall blocks all traffic in and out for svchost to any site except Microsoft.com for updates.
I, too, was at first concerned about this service, but after putting a few firewall filters in place, it no longer worries me, and I'd say you will feel comfortable after a few well-placed firewall rules (filters). You can do this yourself by blocking all requests to or from svchost.exe on your firewall that do not interfere with your own Internet requests. It may be needed for some other programs, though, such as antivirus updates, but normally not. I say, when in doubt, block it and see what happens.
I hope this helps you understand it a little more. This generic process in Windows could be used for bad things, but by keeping your firewall in place and well managed, you should be safe with your privacy intact. At least from this service.
Is it OK to run more than one antivirus utility?
Reader Jon writes: I am running--and paying for--Norton AntiVirus on my PC at home; the computer is about a year old. I've heard some good things about free antivirus software that is equal to if not better than Norton. I'd like to try some out while I still have Norton. Is it OK to run more than one antivirus application at the same time? Which are the best of the free applications and where can I get them? Thanks in advance.
Answer: You've asked two questions here, Jon. Let's answer them in turn.
1] Is it OK to run more than one antivirus application at the same time?
It is generally not recommended to run more than one antivirus program on a PC.
To understand why, you must understand how they work. Antivirus software runs in
the background from the moment you start your computer or from the moment
Windows loads, depending on the software. Every time you run a program or open a
file, it is scanned by the antivirus app before it is loaded into the memory.
You may have noticed that after you installed Norton on your computer, it
started to run slower. This is because the antivirus software uses large amounts
of memory and resources.
If you run more than one antivirus program, the following may result:
a) The two (or more) antivirus programs will consume tremendous resources, slowing your computer down to a snail's pace and maybe causing it to hang/freeze frequently, sometimes even at startup itself.
b) The two antivirus programs may detect each other's activity and consider that behavior virus-like. This may result in one or both of them trying to neutralize one another (maybe by quarantining or deleting each other's core files). This may corrupt the software or render it useless, and probably even cause a computer crash to boot (pun intended).
For example, we use the freeware version of AntiVir Personal Edition (more on this program is listed below). When we tested it over two years ago, we had Norton AntiVirus Corporate Edition. We installed AntiVir Personal Edition along with Norton, which Norton did protest, and as soon as we got the system rebooted, it was like a replay of "Groundhog Day", or as if we were caught in a diabolical loop with one antivirus program detecting the other and attempting to halt it. The end result was a lesson well learned. However, during the testing we did note that both Norton and AntiVir Personal Edition were detecting the same types of behavior. Our further tests showed that AntiVir Personal Edition, which is free, was every bit as good as our old standby, Norton. After the license ran out for Norton, we started running AntiVir Personal Edition and have never looked back.
It is important to note that AVG Anti-Virus by Grisoft seems to live quite
nicely with AntiVir Personal Edition. Perhaps it is due, in a large part, to the
fact that they tend to examine the same files very differently.
c) If two antivirus programs try to scan a file at the same time, there may be a conflict that will corrupt the file or prevent it from opening/running normally.
That should be reason enough for you to think twice before installing more than one antivirus program.
However, there are certain instances where it might be okay to install multiple antivirus programs. This may not be relevant to your particular case as a home PC user, but it's an interesting point. If you ran a computer network, you might want extra protection for the main servers, such as the e-mail gateway server, a port of entry for many viruses. Here you might be willing to sacrifice some computer resources for added security on the server. Some commercial network protection products like GFI MailSecurity actually install multiple antivirus engines on the mail server. The reasoning is that one antivirus vendor may create an update for a virus before its competitor does, so you get the update from whoever is first, reducing your exposure time to a new virus. Also, antivirus products seem to have their specialties, e.g., Kaspersky is better at object scanning and neutralizing new viruses while McAfee is good at detecting non-virus attacks like ActiveX ones. So a well-thought-out combination would produce all-round protection.
Keep in mind that this level of security (and paranoia) is not required for a home PC user like you. If, however, you prefer that argument and insist on running two antivirus programs, you need to do it correctly and in an informed manner. During installation, some antivirus programs will not install unless you uninstall the one that's already on your system. In that case, install the second one first and the first one second. Secondly, make sure only one of them runs at a time. The other must be totally disabled. Only use the other if you want to scan a file or folder with both. Do not keep both running in the background at the same time, for reasons a), b), and c) above.
A utility that will help you manage two antivirus programs together is HandyBits VirusScan Integrator, which is available as freeware from http://www.handybits.com/vsi.htm
2] Which are the best of the free (antivirus) applications and where can I get them?
One of my favorites is AVG Anti-Virus by Grisoft. Their website is www.grisoft.com.
As a noncommercial home user, you can download the free version, which can be found in AVG Products | AVG Free Edition. The following link should take you directly to the website of the free version: Free grisoft
I have used AVG numerous times since it was released about 6 yrs ago and it
works great. It's detected and prevented (or fixed) a number of virus and Trojan
infections on my computer.
Another one I like is Avast antivirus. The site is www.avast.com.
Once again there is a free noncommercial version, known as the Home Edition. I have used this software some in the past and was fully protected by it. The latest version comes with P2P and IM shields, which are important if you file share (usually illegal) and/or chat on instant messengers. Should be illegal!
I would also recommend AntiVir Personal Edition, which again is free. You should find it at Free AntiVir. I've used this one twice too over the last 4 years and it worked great.
You might find other newer free ones by running a search on Yahoo or Google, but the 3 I've named above have been around for 4-5 years and have done great in all of our tests.
A good way to test whether an antivirus program is working is to do the EICAR test. Go to http://www.eicar.org/anti_virus_test_file.htm to learn more. Read the instructions before trying it.
Good luck with your antivirus quest. You might want to look into personal
firewalls as well as spyware protection while you're at it. Check out Bo's
Featured Freeware for more security programs.
Reader Sun writes:
I'm using WinXP. When I'm working on the computer I always get a popup with "sixty six"; it's like a web page and shows "can't display required web page". I think it is spyware. I downloaded Microsoft AntiSpyware but it could not remove it, and also my antivirus software expired. How can I remove this?
- Sun
First, identify any odd-ball applications listed in Control Panel | Add/Remove Programs. You will need to be online to remove certain spyware applications, because they require you to go to their website's uninstall interface.
Next, make sure the detection definitions for Ad-Aware, Spybot Search & Destroy, and Microsoft AntiSpyware are up-to-date. Each of these tools has its own web update utility built in. If the spyware infestation is really bad, go ahead and skip this step for now, but make sure you eventually go back to perform the updates and rescan the computer with all three removal tools. Another option is to download the updates, then boot into Safe Mode to perform the spyware scans.
After the first set of spyware scans, be sure to clear the browser cache, history, AutoComplete forms, and temp files. Then reboot and run the spyware removal utilities again.
Next, run the HijackThis utility. If you are still unsure about what may or may not be legitimate and what should be removed, many computer forums across the Internet have experienced techs who are willing to help users identify pests that appear in HijackThis logs. Simply copy and paste the log's contents into a new thread and courteously request assistance. Also be sure to clearly state which operating system and service pack you are running.
Rootkits are a special kind of software tool used to hide trojans, viruses and other malware from your anti-virus scanner and other security products. Unfortunately they are extremely effective, which means that some of you reading this will be infected even though you believe your PC to be totally clean. Thankfully there is a new class of security product now available, called rootkit detectors, that uses specialized techniques to detect these dangerous intruders. Most of these detectors require quite a bit of technical skill to interpret the results, but one of the simplest to use and most effective is also free. It's called BlackLight and is currently available as a free beta from F-Secure until the 1st of October 2005. I suggest everyone download this product and scan their PC. The chances of you being infected are small, but for five minutes' work it's not worth taking the risk.
www.f-secure.com/blacklight/cure.shtml
Be aware of potential threats from port knocking
Some of the newest and most complex Trojans utilize the "port knocking" method, which involves establishing a connection to a networked computer that has no open ports. Mike Mullins has the details of where these Trojans come from, how attackers activate them, and what you can do to keep them off your network.
Some of the newest and most complex Trojans utilize the "port knocking" method. This technique involves establishing a connection to a networked computer that has no open ports.
A normal scan of the computer might show that it's not listening on any ports. But that doesn't mean that the system is clean of rogue daemons.
Check out: Microsoft Baseline Security Analyzer 2.0. It's Free!
Where these Trojans come from
The two most common delivery methods for Trojans are e-mail attachments and bad freeware or shareware.
Most security-minded users and administrators would never open an e-mail attachment, much less run a program they receive from some unknown source. However, there are millions of uneducated, unprotected home users with fast connections that are altogether too willing to see what someone e-mailed them.
For those who won't open unknown attachments, there's the lure of freeware and shareware. Everyone loves freeware, but it's not without risks.
For example, say you're looking for a utility program to do something. You'd rather not pay for it, and you find a cool little freeware program that says it does the job. You download the utility, which records your IP address, and you scan the software with your antivirus tool before running it.
Don't bet your network on this tool. While not all freeware authors inject Trojans into their code, the possibility does exist for a Trojan to lie dormant on your machine until the author is ready to unleash its payload.
How these Trojans are activated
If you do have such a back door loaded on your system, typical port scans from the Internet will reveal no new listening ports. The Trojan will lie dormant, and it won't appear to be operating or listening on any ports—until the attacker uses a specific series of events to wake it up.
Activating a Trojan is rather simple. The attacker uses port knock sequences to activate the back door.
More specifically, a series of connection attempts in a specific order to a series of closed ports (for example, three connection attempts to ports 500, 501, and 502) activates the back door and opens a TCP port to listen for further instructions. Now, the attacker can use your machine for a massive distributed denial of service (DDoS) attack on his or her choice of targets.
Port-knocking back doors are cutting-edge virus technology. Computers can receive them without immediate side effects, and they allow attackers to retain control of their distribution network.
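A defender-side check for the knock pattern just described, added here as an example and not part of Mike Mullins' article: it reads Windows Firewall drop-log lines (constructed sample lines laid out like the pfirewall.log fields, which is an assumption) and flags any source that hits the closed ports 500, 501 and 502 in order within a short window. The sequence and the window are parameters, so the same check can be pointed at any knock pattern you suspect.

```python
# Added example (not from the page): scan firewall drop-log lines for a
# port-knock sequence such as the "500, 501, 502" pattern in the article.
from datetime import datetime, timedelta

# Constructed sample lines in the pfirewall.log field layout (assumption):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2006-02-18 10:15:01 DROP TCP 203.0.113.5 192.168.1.10 40211 500 48 S
2006-02-18 10:15:01 DROP TCP 203.0.113.5 192.168.1.10 40212 501 48 S
2006-02-18 10:15:02 DROP TCP 203.0.113.5 192.168.1.10 40213 502 48 S
2006-02-18 10:15:03 DROP TCP 198.51.100.7 192.168.1.10 51000 500 48 S
2006-02-18 10:20:44 DROP TCP 198.51.100.7 192.168.1.10 51001 501 48 S
2006-02-18 10:20:45 DROP TCP 198.51.100.7 192.168.1.10 51002 502 48 S
2006-02-18 10:21:00 DROP UDP 192.0.2.9 192.168.1.10 1026 1026 40 -
"""

KNOCK = (500, 501, 502)          # the sequence the article uses as its example
WINDOW = timedelta(seconds=5)    # max gap between consecutive knocks (assumption)


def parse_drops(text):
    """Yield (timestamp, src_ip, dst_port) for every DROP line, skipping headers."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[2] != "DROP":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[4], int(f[7])


def find_knocks(text, knock=KNOCK, window=WINDOW):
    """Return [(src_ip, completion_time)] for each source that hits the knock
    ports in order, each hit within `window` of the previous one."""
    events = sorted(parse_drops(text))
    progress = {}   # src_ip -> (index of next expected knock, time of last match)
    hits = []
    for ts, src, port in events:
        idx, last = progress.get(src, (0, None))
        if last is not None and ts - last > window:
            idx, last = 0, None            # too slow: the sequence starts over
        if port == knock[idx]:
            idx += 1
            if idx == len(knock):
                hits.append((src, ts))     # full sequence seen from this source
                idx, last = 0, None
            else:
                last = ts
        elif port == knock[0]:
            idx, last = 1, ts              # wrong port, but it could be a fresh start
        else:
            idx, last = 0, None            # unrelated drop (e.g. the UDP line above)
        progress[src] = (idx, last)
    return hits


if __name__ == "__main__":
    for src, when in find_knocks(SAMPLE_LOG):
        print(f"knock sequence {KNOCK} completed from {src} at {when}")
```

The second source in the sample hits the same three ports but minutes apart, so it is not reported; tighten or loosen WINDOW to match how fast you expect a real knocker to be.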
Final thoughts
I do get them once in a while, but it hurts.
Continue to educate your users—and anyone else who will listen—about e-mail attachment security. Antivirus programs are great, but education is the key to eliminating viruses and back doors on your network.
On a final note, I'm not against freeware and shareware programs. I use them and then delete them after they've served their purpose, or I replace them with a program I've paid for.
However, don't bet your network or your reputation on a program from someone you don't know. With today's technology, you get what you pay for.
Stop a VBS (Visual Basic Script) attack in its tracks with this tip
Microsoft & Other Software Problems
Computer Breakins
If your computer has been compromised.
Reader Jane writes: A few months ago an employee left his job at my company. I have found evidence that he has compromised my home computer. I have no idea how he did it, nor do I know how to get rid of the items he may have loaded on my computer. Though I do not believe that there is anything on my computer that is terribly important, I would like to remove anything that he may have loaded so he cannot connect to my machine. He is really very good with computers and very smart too. Is there anything I can do?
There's a school of thought that says if your computer has been compromised, you have really only one option: reformat. That's a drastic step, but if your intruder is as adept as you indicate, it may be the best approach. If they're really good, they could leave hooks that you could never find.
In your shoes, I'd do the following:
For additional related links, see How do I clean up after someone's broken into my computer? at Ask Leo!
Running Processes Windows XP FYI
Some Windows XP processes are downright dangerous, while others need to run and some don't. See:
ProcessLibrary.com: Free Process Information
Find the latest information about spywares, adwares, trojans, viruses, system
processes and common applications.
NOTE: Sure, they are trying to sell you a product, but the information listed here is invaluable.
Why is ZoneAlarm Eating My ZIP Files?
A Reader Asks:
Q: I just installed ZoneAlarm with Antivirus, and now I can't open ZIP files sent by clients. What happened? The ZIP files are all renamed with ZM9 extensions and have little locks over their file icons. Help!
A: In addition to blocking file extensions recognized by Microsoft as
possibly containing hostile code, ZoneAlarm's MailSafe feature now also
quarantines ZIP files by default. The solution is to open ZoneAlarm, choose
MailSafe, then Attachments, and allow the ZIP extension. You can then rename the
ZM9 file extension to ZIP and open the files normally.