Terry's Computer Tips - Newsletter
January 8, 2006
http://www.terryscomputertips.com
A computer tips newsletter for users of PCs.
Volume 1, Number 30 — Sunday, January 8, 2006
IN THE EMAIL ISSUE:
0. JUST FOR SUBSCRIBERS — EMAIL ONLY
0.1 Welcome to New Subscribers
0.2 Gmail for Free Web and POP3 Email
0.3 My Recommendations for Computer Security Software
0.4 Recommend Terry's Computer Tips to Your Friends
IN THIS ON-LINE ISSUE:
1. Why is svchost.exe running so many copies?
2. Updates Last Week
3. How Bad Was/Is the Windows WMF Problem?
4. Backing Up Your Mozilla, Firefox, Thunderbird and Netscape Profiles
5. My Computer Security Software Recommendations
6. Cyber-Security Webcast Presentation Archive
7. Recommend my Terry's Computer Tips Newsletter to Your Friends
8. Send me some email!
Welcome to the online version of my Terry's Computer Tips newsletter.
My free, emailed newsletter includes a special "Just for Subscribers" article, an announcement that the new issue of Terry's Computer Tips has been published online, and the table of contents for the issue.
The emailed newsletter is sent weekly to individuals who have subscribed to the newsletter, have received an email confirmation notice that required them to confirm their subscription request, and who confirmed their request.
1. Why is svchost.exe running so many copies?
Someone asked me recently about the program svchost.exe, which they found on the Processes tab in Windows XP Task Manager (Control-Alt-Delete to open the Task Manager). They had a number of copies of the program running and wanted to understand more about it.
Here's a look at some of my currently running processes, sorted alphabetically. As you can see, six copies of svchost.exe are running on my system right now.

The file svchost.exe is a Windows XP system process that acts as a conduit (a host) for many other programs, the Windows services, to perform their functions. Those services are collections of code in DLL (dynamic link library) files.
In other words, it is a tool that is being used -- a conduit -- not the actual working program. It's like the rundll.exe function from Windows 98.
After looking at the illustration above, here's a view of the running processes using the free program WinPatrol, which I discussed in the Slow Windows XP Boot Times article in my October 31st issue.

WinPatrol's Services tab shows the many services that are running and is one of the few tools which shows the DLLs that are actually running via svchost.exe, rather than just telling you that you have multiple copies of svchost.exe running (which is what the Windows XP Task Manager does).
Once you know the DLL's name, you can Google search for what each DLL does, in case you need to take action on it.
Of course, if you purchase WinPatrol Plus, you get access to their online database which you can access from within WinPatrol. I recommend this inexpensive purchase if you are interested at all in optimizing your PC. WinPatrol and WinPatrol Plus (the same program + a license code) are available via www.winpatrol.com.
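An added example, not part of the original newsletter and not WinPatrol's code: on Windows versions that include the tasklist command, tasklist /svc /fo csv lists the services inside each svchost.exe, and each hosted service records its DLL in the registry value ServiceDll. The script below joins the two; the sample output is constructed, and the English column names and the dll_lookup parameter are assumptions of this example.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (English column names assumed).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","856","DcomLaunch,TermService"
"svchost.exe","1036","RpcSs"
"explorer.exe","1500","N/A"
"svchost.exe","2212","N/A"
'''

def svchost_services(tasklist_csv):
    """Map each svchost.exe PID to the list of service names it hosts."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        svcs = row["Services"].strip()
        hosts[int(row["PID"])] = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
    return hosts

def registry_service_dll(service):
    """Read a service's ServiceDll registry value (Windows only); None if unavailable."""
    try:
        import winreg
    except ImportError:          # not running on Windows
        return None
    path = r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % service
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, "ServiceDll")[0]
    except OSError:              # service has no Parameters key or no ServiceDll value
        return None

def report(tasklist_csv, dll_lookup=registry_service_dll):
    """Return (pid, service, dll) rows; an svchost.exe hosting nothing gives (pid, None, None)."""
    rows = []
    for pid, services in sorted(svchost_services(tasklist_csv).items()):
        if not services:
            rows.append((pid, None, None))   # svchost.exe by name, but no service inside
        for svc in services:
            rows.append((pid, svc, dll_lookup(svc)))
    return rows

if __name__ == "__main__":
    for pid, svc, dll in report(SAMPLE):
        print(pid, svc or "(no services listed)", dll or "")
```

On a real system, pass the captured output of tasklist /svc /fo csv instead of SAMPLE; a process named svchost.exe that lists no services is the row to look into first.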
2. Updates Last Week
Microsoft (operating systems, email, web browser, office suites): After much bad press because of delays and even reputable security sources recommending temporary installation of an unofficial patch written by a third party, Thursday afternoon January 5th, Microsoft released their patch to the Windows Meta File (.WMF) security problem.
If you installed the unofficial patch, be sure to go to Control Panel, Add/Remove Programs and uninstall the temporary patch before doing your Windows Updates. The patch is available directly from Microsoft at the MS06-001 patch page. Clicking on the patch triggers Windows Updates. For best performance at Microsoft's site, use Internet Explorer there even if you use Firefox or Opera everywhere else.
Firefox (web browser, www.mozilla.org, free): No updates this week. Current version 1.5.
Opera (web browser, www.opera.com, free): No updates this week. Current version 8.51.
Eudora (email, www.eudora.com, options: paid, sponsored or free/lite): No updates this week. Current version 7.0.1.0.
OpenOffice (office suite — spreadsheet, word processor, presentations, graphics, web design; www.openoffice.org; free): No updates this week. Current version 2.01.
3. How Bad Was/Is the Windows WMF Problem?
Those readers who subscribe to my email newsletter received a Special Edition on Tuesday about the Windows Meta File (WMF) program bug and the security problems. More importantly, I was sharing the news that there was an unofficial patch available. I had just installed the unofficial patch on three of my computers.
This patch was written by a third party (not Microsoft), had been reviewed in detail by several security firms to verify that it did only what it was supposed to do, and was being recommended by respected security firms. They were recommending that we install this unofficial patch because of the number of contaminated WMF image files being delivered by malicious web sites, instant messaging and spam. SANS.org's Internet Storm Center was hosting the patch, since Microsoft could not seem to issue the official patch.
After my Special Edition, reader and regular contributor Clif of the Clif Notes Newsletter wrote me. Although the malicious WMF files could do anything, including delivering spyware, downloaders and trojans, most of them were reported to be destructive. I think you'll be glad the bullet missed you on this one — I am!
Hi Terry,
It's been an interesting day. I saw your security issue and thought you might like to be aware of an alternative. Here's a post I made recently in a security forum I frequent called Temerc. Since I use mostly Win9x machines at home, I was forced to find an alternative patch for the WMF exploit.
*** From me at http://www.temerc.com ***
Hi all,
Today at work we saw our first casualty due to the WMF exploit. One of my co-workers was foolishly searching for and downloading screen savers. Fortunately our IS department noticed the infected machine probing our intranet. The machine was taken offline and given a complete wipe. My co-worker will now spend a good part of tomorrow re-loading all the special software they were running. It's a hard lesson, but not nearly as hard to take as the chuckles around the water cooler. LOL
I'm guessing it will be a while before they load any screen savers.
Based on what I saw today, I'm becoming more concerned about this exploit. I went out and loaded a temporary fix I found at NOD32. This one works on Win9x, ME, and the rest. It can also be uninstalled at any time through the add-remove panel.
Have fun!
Clif @ http://clifnotes.tk
WMF Patch by Paolo Monti @ http://www.nod32.ch/en/download/tools.php
QUOTE FROM NOD32.CH
Paolo Monti has released a temporary patch for the WMF vulnerability (see Microsoft Security Bulletin 912840). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required. This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.
Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.
Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it.
Download: WMFPATCH11.ZIP
The advanced detection methods used by ESET's NOD32 anti-virus stop hackers from using this exploit. Customers running an up-to-date version of NOD32 are protected without having to take any special actions.
*** END ***
As I wrote back to Clif, I think it's cool that NOD32 was providing this patch. I use the NOD32 antivirus program, which automatically protected against this problem. I realized this after getting Clif's email and checking the NOD32 web site. I didn't even need to install the interim patch. But, I'm glad Microsoft released the official patch on Thursday. This is another problem that was getting out of hand very quickly.
Continued in Part 2 and Part 3
Copyright © 2005 Terry A. Stockdale. All rights reserved.
