Security Fix Blogger
Friday, March 9, 2007 11:00 AM
A transcript follows.
Brian Krebs: Greetings, and Happy Friday dear Security Fix readers. I'm going to dive right in, but as always, please try to include as much detail about your system and software setup (OS version, whether you're using anti-virus/firewall software and what kind, any error messages, etc.) if your question is problem-related.
Washington, D.C.: I'm wondering if I've gotten some sort of spyware or virus on my PC (XP SP2). A couple weeks ago, my Internet Options icon changed by itself (on a limited user account). The icon on the admin account didn't change. I'm wondering if a recent error message had something to do with it. It said something about the display and to restart to get back to normal. Everything on the screen was really large, a different color and hard to read. I restarted and everything seemed ok. Sometime after that I noticed the icon changed. I ran ZA antivirus and some antispyware (ZA, Spyware Doc, Defender, Adaware) and nothing was found. Am I paranoid or is my computer infected?
Brian Krebs: Hi D.C. Just because you're paranoid doesn't mean everybody isn't out to get you. But seriously, you should be a little paranoid on a Windows machine: it helps keep you on your toes ;)
To your question: many pieces of malicious software today will disable security software on your machine as their first move. Sometimes, the only way to know whether your machine is clean is to run a third-party, online scan.
This is your lucky day, Washington: It so happens that we just minutes ago published a blog post about this very topic. Check out this post for more details and advice on this subject.
Buffalo Grove, Ill.: I have Windows XP Home Edition and Computer Associates anti-virus through att.yahoo DSL. My computer crashed and I had to re-install everything but now I cannot re-install Zone Alarm Firewall (free edition). I get an error message that Zone Alarm can't be installed because of my Computer Associates AV. I had both before, why not now?
Brian Krebs: Hi Debbie. I'm not sure what's going on here, but it seems to be a documented problem (see Zonelabs' User forum threads on this).
Personally, I'm not a huge fan of CA, and it pretty consistently earns low marks in anti-virus comparative tests.
There are plenty of other, better, free options that may play nicer with ZA, such as, and in no particular order or preference: AVG 7.5 Free, ClamWin, F-Prot, Avast, Bitdefender and AntiVir. Good luck.
St Paul, Minn.: Are there any other ways to enhance firewall security besides just having a software/hardware firewall? I use Windows 2000 Pro, and under Advanced TCP/IP settings, IP security, I see you can allow/disallow port access. Will this help harden the system more? If it does, why hasn't anyone made more mention of this?
Brian Krebs: Sure, you can do this if you want. I don't see how it could hurt, and if you start experiencing network problems you can simply re-enable them if needed. But I don't really see it as necessary. Some commercial firewall software lets you pick and choose which ports should be open and closed in much the same way, or which programs should be allowed to use which ports.
As far as other options, it's probably overkill for most people, but I'm putting together a Smoothwall installation at the moment (Smoothwall is a barebones Linux installation that acts as a hardware firewall that sits in front of all of the rest of your network equipment and firewalls). If you have an older PC lying around and a couple of extra network cards and some ethernet cabling, and like learning networking and maybe a bit about Linux, this is a pretty cool option.
Another idea is to check out a program like MyNetWatchman, which uses your firewall logs to alert you if it looks like someone has compromised your machine. MyNetWatchman uses a very interesting and innovative approach, and it's free. Learn more at this link here.
Stormville, N.Y.: Good morning! Dell Dimension 4700, Win XP home, Norton AV 2007. I have experienced the "blue screen death" twice. The offending driver was A5AGU.SYS. This driver belongs to my D-Link DWL-G132 Wireless USB adapter. I read that it causes "a critical overflow that can lead to kernel-mode code execution". My understanding is that this is a security problem. My question is : is my system infected? How do I find out if it is?
P.S. Since I found out the above, I connected my PC to the modem direct (i.e., no wireless). I just found out there is a patch for the software flaw.
Brian Krebs: Good for you, Stormville. Yes, a patch was issued for this problem/vulnerability back in November 2006. You can find out more about it and obtain the latest fix at this link here.
Silver Spring, Md.: Brian - if I reinstall my hard drive on another computer with a new motherboard, will Windows XP load and function properly? Will I be able to get security updates from Microsoft Update without incurring the wrath of the Genuine Advantage tool? My current motherboard appears to have died on me. I've backed up most of my data. But I'd rather keep on using my current XP-loaded hard drive on a new machine, if possible, than switch to a new Vista machine. Also, could I reinstall my OEM copy of XP on a new hard drive and motherboard, or would that be prohibited by Microsoft?
Thanks for your help.
Brian Krebs: Are you going to be using the same processor on the new motherboard? You may encounter trouble in activating your copy of Windows after swapping out major pieces of hardware like a motherboard. If you get this error, you can usually clear it up with a call to Microsoft's activation center, and it should walk you through how to contact them at that point.
Depending on a lot of variables, you may experience inability to boot or you may have no problems moving to a new motherboard. Some people say the only way to make sure you get a proper install when moving serious hardware around is to re-install the operating system, but that pretty much wipes all the programs and settings you had and is a very painful process. You might consider other approaches, such as Sysprep or another such utility.
At a bare minimum, I would make sure to back up all of the data you want to keep from that hard drive. You might consider downloading or purchasing software to help you make an image of your entire hard drive and store that to removable media. You may also want to back up your system drivers (great advice for anyone, really). See this link here for some tips and tools for that task.
To your final question, you purchased a copy of Windows XP with your computer, correct? That entitles you to use the license key on one machine. Provided you are using it on one machine and one only, you are not doing anything wrong.
Pittsburgh, Pa.: Hello Brian. What anti-virus software do you recommend and can you give a URL that has instructions for uninstalling Norton Internet Security? David C.
Brian Krebs: My personal favorite, as I've noted in the past, is ESET's NOD32.
Symantec has uninstall utilities downloadable from their site for most versions of NIS. You didn't say what version you are using, but just Google it along with "uninstall utility" and you should be all set.
Merrifield, Va.: Brian, thanks for posting the link to the Windows DST updates. I used the guided updater, and when I double clicked to run the patch I'd downloaded, I immediately got a dialog box stating that it couldn't install because I already had a newer patch installed on my system (Windows XP Pro, SP2). Great, that's what I wanted to know - but isn't there an easier way for those of us who allow automatic updates to check to ensure that the DST patch was downloaded and installed?
Brian Krebs: You're welcome. Merrifield is referring to yesterday's blog post about the lack of security updates on next week's usual Patch Tuesday.
I'm sure there are more elegant ways to figure out if you have this DST update installed, but on my Windows XP SP2 system, the one that worked for me very quickly was to check for the presence of a file called "tzchange.exe" in the C:\Windows\System32 directory. Mine was installed on Jan. 29, 2007, and is a 59 KB file.
Minneapolis, Minn.: If memory (of the error messages) serves, the other day when I clicked on an infoworld.com article, I got a Windows warning asking if I wanted to allow a script to run (no), followed by a stack overflow error message. I only got the first error message once, but every time I tried to read the article I got the second error message. What is going on here? Is the site infected, or poorly written, or incompatible with IE7, or...?
Brian Krebs: Does it only happen when you visit that particular Infoworld article, or does the same message pop up when you visit other sites? Sounds like some kind of script on that page is too clunky for the browser to handle or may be poorly written.
As this sounds like a scripting problem, you may also want to check to make sure you're running the latest version of Sun Java Runtime Environment (I believe J2SE Runtime Environment 5.0 Update 11 is the latest).
Do me a favor and drop another question in the hopper with a link to the problem article. You may also want to send a note to the Infoworld webmaster.
Cody, Wyo.: Hi Brian, I do a full system backup to an external hard drive 3 times weekly. (I use Drive Image 7, an older program, but I've had no problems at all with it.)
My question: If my computer should crash and die, could I just restore the backup without having to reinstall all my programs? That would be a daunting task, as I have probably 3 dozen or more software packages running. I've heard some folks say that is exactly what I'd have to do after restoring a full backup.
Fortunately, I've never had a computer crash on me in the many, many years I've been using one -- since 1975. But all this time I've been assuming a full system backup included not only the data files, but the programs themselves. And that's exactly what the Drive Image manual says. What's your opinion? Thanks! John
Brian Krebs: Cody, a drive imaging program like DriveImage or Acronis TrueImage (what I use) is most useful for its whole-drive imaging function: i.e., it will make a (sometimes compressed) copy of your entire hard drive, allowing you to move an exact copy of your system the way you have it now over to a new drive should your current hard drive fail. It's important to keep the images on a separate partition or hard drive (external) so that if you do run into problems you're not potentially dealing with a corrupt or otherwise inaccessible or unusable duplicate image. Most programs allow you to back up to multiple DVDs as well, but I've found DVDs to be less reliable and more of a hassle than, say...an external USB hard drive.
Hope that answers your question.
Alexandria, Va.: Brian, I'm running Xp and it seems like there have been urgent upgrades to download every day. Is this fallout from Vista?
P.S. I uninstalled Norton AV and switched to AVG and ZoneAlarm on your recommendation and am loving it.
Brian Krebs: Hrm, well, welcome to Windows. Haha, seriously...you shouldn't be prompted for updates "every day." Microsoft releases patches on the second Tuesday of each month (except not this one), and they haven't issued an interim patch that breaks that monthly cycle for a while. If you're putting off installing patches, then yes, it will bug you non-stop to install them, as it should.
Am I missing something in your question? Vista will have its own service pack (massive bundle of security and other fixes) out later this year, but XP's patch woes owe little to Vista.
Glad to hear you're happy with my advice, thanks!
Greenbelt, Md.: Here's a way you can check to tell if you have the DST patch installed or not. I am not sure how well it works though. http://dst.cdes.umn.edu/ Good luck.
Cody, Wyo.: Thanks, Brian, for your thorough answer. I do use a USB external hard drive. So it sounds like I'm in good shape. Thanks for your great columns -- they've been a lifesaver for me! John
Brian Krebs: Glad to hear it, John, thanks!
Brian Krebs: That's all the time I have today. Thanks to everyone who dropped by and helped make this a fun chat. Security Fix Live will be back again two weeks from today. In the meantime, please make a habit of dropping by the Security Fix blog and join in the discussion there. Until next time...
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.