Another soppy query about computer viruses

I got spooked after an unusual pop-up appeared on my computer several times: 'Message from Alert Service - you have just received a message through an open port in your computer. Please visit www.byebybeads.com to secure this port and never receive messages like this again!' I decided to do a security test, run by my Symantec firewall. The test result said the following port was OPEN:

'UPnP (Universal Plug and Play). This service is used to communicate with any UPnP devices attached to your network.'

So what now.. anyone got any advice?

James Avon, Tuesday, 22 April 2003 13:27 (twenty-two years ago)

Go here (maybe).

Bryan (Bryan), Tuesday, 22 April 2003 13:34 (twenty-two years ago)

This sounds like a nasty little piece of spy/adware. Get adaware from http://adaware.com. If you don't use a network printer or suchlike by all means close this port on your firewall. The security issue here is the pernicious little piece of software that you unwittingly installed. Be very careful what you download or open from your emails.

Ed (dali), Tuesday, 22 April 2003 14:06 (twenty-two years ago)

Also, you might want to check out ZoneAlarm.

slutsky (slutsky), Tuesday, 22 April 2003 14:10 (twenty-two years ago)

Thanks Ed. And yet I already have the Norton Internet Security 2003 installed, and the ad-blocking is on. I thought this would be able to cope. Moreover, would an Adaware download be of use where Norton has apparently failed?

Bryan, sorry to pin you down, but how confident are you that downloading this Microsoft update, tailored to deal with 'Unchecked Buffer in Universal Plug and Play can Lead to System Compromise', would help with the situation I've described?

Cheers.

James Avon, Tuesday, 22 April 2003 14:27 (twenty-two years ago)

Sorry, it was the only UPnP security update I could think of. What OS are you running?

Bryan (Bryan), Tuesday, 22 April 2003 14:34 (twenty-two years ago)

AdAware will root out bits of spy/adware. Norton Internet Security will not block this kind of software which you have legitimately, but unwittingly installed.

Ed (dali), Tuesday, 22 April 2003 14:38 (twenty-two years ago)

Ah! I once again didn't read the original post carefully enough. This was some shitty pop up meant to scare you. Listen to Ed. DON'T INSTALL ANYTHING if it asks you to.

Bryan (Bryan), Tuesday, 22 April 2003 14:43 (twenty-two years ago)

As it goes, Ed, I've just now opted to download that update you linked to from Microsoft, reasoning that it couldn't hurt. But where the pop-up is concerned, I think you're right - it's trying to get me to visit some scummy website, where I'm sure there would be a penalty to pay if I yielded to the scare-mongering.

The port keeps opening up, making my system vulnerable. What a bugger.

James Avon, Tuesday, 22 April 2003 14:53 (twenty-two years ago)

I think with that patch you're ok. Unless you need UPnP you can always disable it through the Control Panel.

Bryan (Bryan), Tuesday, 22 April 2003 14:56 (twenty-two years ago)

i'd recommend always keeping yr windows installation up to date. it's not the first time i've heard that UPnP is not smart, though - check out this guy's website (but i think the seriousness of this has been downgraded since that time, with the fixes and all)

http://grc.com/unpnp/unpnp.htm

ron (ron), Tuesday, 22 April 2003 15:01 (twenty-two years ago)

This is where my astonishing naivety really begins to get embarrassing: whereabouts on the Control Panel? And I don't know if I need it - the UPnP, what it's for, actually (what would the consequences be of disabling it)?

I'll check that website out now, ron, cheers.

James Avon, Tuesday, 22 April 2003 15:04 (twenty-two years ago)

Go here to learn about disabling it.

Bryan (Bryan), Tuesday, 22 April 2003 15:06 (twenty-two years ago)

Curious -- I disabled it, following those instructions, but a subsequent Symantec Security Check still puts a big red cross next to that particular port, saying it's open and I am vulnerable.

James Avon, Tuesday, 22 April 2003 15:32 (twenty-two years ago)

Maybe Windows is reopening it. It may think it's more crucial that you do. Windows uses this port to detect things like printers on the network that work using MS Plug and Play. If it's a home PC you may as well tell your firewall to block that port.

Ed (dali), Tuesday, 22 April 2003 15:39 (twenty-two years ago)

That sounds cogent. Um, how do I tell my firewall to block that port?

One more thing (Sorry, I bet you're beginning to regret responding to my post now!), if I download the free adaware software, will it screw up my current Norton protection defaults etc?

James Avon, Tuesday, 22 April 2003 15:48 (twenty-two years ago)

It shouldn't.

Bryan (Bryan), Tuesday, 22 April 2003 15:50 (twenty-two years ago)

i use the sygate personal firewall. you don't have to know anything about ports etc. to use it, it just pops up a dialog whenever any program or process attempts to broadcast to/from the computer. all you have to do is say yes or no. the programs you want to be able to have the run of the place (browser, etc.) just set to 'always allow'. it's interesting, actually, to see just how often stupid softwares are trying to send messages all over the net.

ron (ron), Tuesday, 22 April 2003 21:40 (twenty-two years ago)

XP-AntiSpy (see http://www.xp-antispy.de/ ) is supposed to disable that UPnP thing, the messenger system which was probably what was actually used to send you spam, and a load of other XP security concerns and annoyances besides. That, Lavasoft AdAware, and a personal firewall like Sygate or Zone Alarm (maybe the Norton Protection software you already have is one too, I'm not sure) are pretty much invaluable if you run XP and use the internet much.

Adaware should leave your Norton settings well alone. A firewall should also leave the settings alone but may block traffic to those apps, so if internet software seems strange after installing one then try disabling the firewall temporarily to see if that is the problem. XP AntiSpy may override some settings you've changed elsewhere but you can choose which ones to set in it and put them back if they don't work.

Frazer, Tuesday, 22 April 2003 22:00 (twenty-two years ago)

I should learn to read.

1. You didn't say that you were using XP but it sounds very much like you are. If so, try XP-Antispy. If not, well, don't.

(Don't be too scared of leaving some things without the green tick next to them. There are a lot of things on there which aren't actually malicious but just potentially annoying. However, there are a few items like the messaging service which are well worth disabling, and it's a handy piece of software, though some of the translated descriptions are hard to understand.)

2. I haven't used Norton Internet Security but the name suggests it must be a personal firewall, so maybe downloading another will be pointless. Then again, if it's leaving ports open and letting junk through and the settings won't let you stop either then maybe you could run another on top. They shouldn't interfere with each other that I can see. Take a look at Norton's settings; maybe you missed the ones which deal with these problems.

3. Norton's ad-blocking probably just stops pop-up webpages - this message was via the Windows messaging system, which is completely separate from webpage adverts. I can think of no good reason not to disable it. Sometimes it gets used on private local networks to send urgent messages about the network status, but even if that applies to you then they should really get sent by email too (and if you are then you should shout at your sysadmin for allowing external traffic to use it as well).

Frazer, Tuesday, 22 April 2003 22:15 (twenty-two years ago)

Thanks, cheers a lot, Frazer, and thanks too everyone else for offering your kind help. I downloaded Ad-aware, did a few scans, but the pop-up kept doing what comes natural to all its species. So I decided to go onto the Ad-aware forum, where it seems other people are having a very similar problem (Adaware failing to rid systems of recidivist pop-ups).

I'm not sure if it's solved my problems yet, but perhaps it's worth stating here what advice the Ad-aware forum's moderator gave, in case any other green ilxors ever find themselves in a similar pickle: it was suggested that I also download Hijack_this, scan my system once more, then send this software's logfile to the moderator. He looked it over and I, very trustingly, deleted the things he felt looked dodgy (like my default start-up page and related gubbins). I'll report back whether it works or not.

James Avon, Wednesday, 23 April 2003 06:55 (twenty-two years ago)

When I say 'like my default start-up page and related gubbins', I mean the page where my computer takes me automatically once I've logged onto the internet. It was Freeola's page - I don't know why, just was, so I didn't miss it. Sorry this is getting so prosaic.

James Avon, Wednesday, 23 April 2003 06:59 (twenty-two years ago)

I have been told by someone who is unfamiliar with Norton Internet Security (the brand of firewall protecting my XP PC) that all I need to do to sort this problem out (i.e.: to Stop Vendor Pop-ups) is to block Port 135. However, they can't tell me how I get Norton to do this. Does anyone know? Very sorry to be a drip.

James Avon, Wednesday, 23 April 2003 19:26 (twenty-two years ago)

have you considered using a browser that blocks popups? opera7 has the option to 'allow only requested popups' but unfortunately the prog has a few bugs left (though with the 7.1 release, i'm quite happy with it overall) opera6 is probably a bit more stable, but can only block popups outright. it also doesn't have the nifty mail client or the almost-completely-customizable toolbars

i'm sure other browsers can do this (?) - there are softwares made specifically for blocking popups, but i don't know how they work. as plug-ins for the browser??

ron (ron), Wednesday, 23 April 2003 23:28 (twenty-two years ago)

Cheers ron, But I hopefully might have solved the problem now. According to several people I've recently consulted, this phenomenon (where sleazy ad. vendors penetrate computers through ports 135, 137 and 139) is relatively new, and mushrooming. Port 135 is targeted in particular, I understand, and since home computers don't usually need it, it's apparently OK to block it if necessary. It's possible that this problem might happen to someone else on this board in the future; and in case anyone has reached this thread through having searched ile for associated keywords, here are the steps I used to troubleshoot (If Norton Internet Security is your installed firewall):

1. Open Norton Internet Security (NIS) window.
2. Click on Personal Firewall.
3. Click on Configure.
4. Click on Advanced Tab.
5. Click on General Rules.
6. Click on Add Button. The Add Rule dialog box appears.
7. Select Block and then click Next. A new dialog box appears.
8. Select Connections to and from other computers and click Next. A new dialog box appears.
9. Select "Any Computer"
10. Click OK to close this dialog box and then click Next. A new dialog box appears.
11. Select TCP and UDP, select "Only the types of communication...", and then click Add. The Specify Ports dialog box appears.
12. Select "Known ports from list", select "Local", scroll down and check port 135.
13. Click OK. The Tracking dialog box appears.
14. You can select tracking options if you choose and then click Next. A new dialog box appears.
15. Give your new rule a name and click Next.
16. Click Finish.
17. Scroll to the bottom of the rules list.
18. Select your new rule and click the MoveUp button so that the new rule is moved to the top of the list.
19. Click OK.

Basically, whatever your firewall, I've been told that the required measure is to block port 135.

James Avon, Friday, 25 April 2003 09:57 (twenty-two years ago)
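
A local check to go with the firewall rule in the post above, as an added example that is not part of the original thread: it parses Windows `netstat -an` text and lists which of the ports discussed here (135, 137-139, plus UPnP) still have a listener and on which address. The sample output is constructed, and the UPnP port numbers 1900 and 5000 are assumed Windows XP defaults that the thread itself does not state.

```python
# Added example: list listeners on the ports this thread discusses,
# from Windows `netstat -an` text. SAMPLE is constructed, not captured.
WATCHED = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    1900: "SSDP/UPnP discovery (assumed XP default)",
    5000: "UPnP (assumed XP default)",
}

SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    192.168.1.10:1900      *:*
"""

def watched_listeners(netstat_text):
    """Return sorted (port, proto, address, scope) for watched ports."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or other noise
        proto, local = parts[0], parts[1]
        # TCP rows carry a state; UDP rows do not, a bound socket is open.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED:
            continue
        scope = "loopback only" if addr.startswith("127.") else "network-facing"
        findings.append((int(port), proto, addr, scope))
    return sorted(findings)

def report(findings):
    return [f"{proto}/{port} on {addr}: {WATCHED[port]} [{scope}]"
            for port, proto, addr, scope in findings]

if __name__ == "__main__":
    print("\n".join(report(watched_listeners(SAMPLE))))
```

A firewall block rule filters traffic but does not unbind the socket, so a service can still appear here after the rule is in place; only stopping the service removes the listener.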

http://www.nacs.uci.edu/security/netbios.html

illustrative link

James Avon, Friday, 25 April 2003 11:23 (twenty-two years ago)

three weeks pass...
Well, blocking those Netbios ports (135-139) seems to have solved that specific 'www.byebybeads.com' problem; but general signs tell me I still have ad/spyware on my system: shortly after disconnecting from the net, my computer flashes a message saying 'you, or a programme, has requested information from www.optimasoft.com - would I like to re-connect'. So I downloaded adaware, I've used hijackthis, but still this message, so what now?

My latest question is I've been thinking about clearing the Prefetch on my XP, 'cos it seems to be littered with exe. files from unknown applications. http://www.pcmag.com/article2/0,4149,601413,00.asp says fine -- but can anyone confirm whether it's safe to clear the Prefetch? And might there be spyware among the files in this location?

James Avon, Thursday, 22 May 2003 14:45 (twenty-two years ago)

