How do I identify the items on the "Exceptions" checklist in Windows XP firewall?
I have 40 items listed on the Windows XP Firewall "Exceptions" list. Out of those, there are 24 that can readily be identified as being for use with installed software programs and utilities. I have 14 items listed with a somewhat vague term called "Services". I've checked the listings for these TCP ports on the internet and I've found that 5 are named or classified as "Unassigned". The other ones have names which do not correlate to anything that I have installed on my computer, such as Dynamic and/or Private Party, Synapse Non-Blocking HTTPS, NUTS Bootp Server, Instantiated Zero-Control Messaging, CosmoCall Universe Communications Port 2, ATI Sharp Logic Engine, DVT System Port, and SecureSight Event Logging Server. The others are DCOM (135) and UPnP Framework, and they are often referred to as being obsolete, according to various online sources.

It should be our responsibility as computer users and/or administrators to utilize measures to protect our operating systems by using up-to-date antivirus and antispyware programs and ensuring that our operating systems and other software are updated regularly. One thing that many of us may overlook is how our firewall settings are configured, including what is checked off on our lists of Firewall "Exceptions". Sometimes you may need to delete a checklist item because the software it applies to is no longer installed or when a reliable online source verifies that a checklist item is obsolete and can be safely deleted. Unfortunately, there is not enough online information to properly identify some of those Firewall Exceptions as being secure, still in use, and for the legitimate transfer of information. There are several Exceptions for Services on my computer that will end up being rechecked when Windows is restarted by two programs (svchost.exe and another one that I have not identified as yet). How do we identify each function as being legitimate?

We have a lot to contend with when we are protecting our information. Spyware, viruses, worms, rootkits, and even our own programs and settings can jeopardize the security of our computers. It's getting to the point where we'll have to develop better software which will keep a log of every file that is added, altered, or removed from our operating systems while they are being meticulously scanned for signs of being used as a form of malware. Using antivirus and antispyware programs alone may not be enough protection. Our Firewall settings are just as important. We cannot just block all Firewall exceptions, because we need to have open ports for software programs, maintenance monitoring programs, email, and security programs. The big problem is identifying which one is which and what they are supposed to do when they are vaguely identified as "Services". How do we determine which one is which and which one can be safely deleted?
February 24th, 2010 3:11pm

Hi,

Forty programs is too many to have on Windows Firewall. I guess most of them could be programs that check for periodic updates. Still, it is always better to be on the safe side:

1. Download WinPatrol from winpatrol.com. It helps you monitor each and every activity on your computer. It even alerts you if any program changes your home page, so you can imagine its use.
2. Next, click on the Advanced tab and click Restore defaults. You'll be left with four to five exceptions.
3. Click the Exceptions tab, remove the ones you don't need and click on the "Notify when Windows Blocks any Program" option. Click OK and exit.
4. Though you get notified when any program is blocked, there is no option that informs you when Windows adds an exception on its own. However, Windows adds exceptions based on the signatures of the applications, so you can trust some like Outlook, Google Chrome, etc.
5. I recommend you check the firewall exceptions time and again. If you see programs are again being added like anything... it could be a malware problem. Use the MS online scan to identify and remove the malware and again restore defaults.

The main point is that Windows Firewall will not allow all programs to access Internet or external network unless it is signed by a trusted vendor. And DEFINITELY NOT for programs trying to access Internet for updates such as Adobe, Java etc.

Check this out and if you still face problems, get back to me.

--
Best Regards,
DreamsCentral
Twitter: @DreamsCentral
Signed: Wednesday, February 24, 2010, 6:25:21 PM IST
February 24th, 2010 3:55pm

Hello,

Yes, I agree that 40 exceptions are too many. Ten of them are for my HP printer's various .exe programs alone. Fourteen of them are identified as "Services", which have increased in number from nine in the past three weeks. I believe that these extra ports are being added and checked upon system reboot because I have been unchecking the one for DVT System Port (TCP 3246). I suspect a possible rootkit based on some online discussions. It seems that for the past few weeks I've been having problems with an uninvited guest using Remote Desktop to enter my system and forcibly download a user file called "HelpAssistant" which is too large for my system (5GB). I have to unplug from the internet during restart so that I can uncheck DVT or one of these alternating Services before I reconnect to prevent this from happening. I have a feeling that if I opt to restore defaults, these service ports will return when I restart my computer. It has already created five additional ports to alternate each time I restart, and according to IANA.org they are classified as "Unassigned". I don't know for sure what is going on here or if it is a function of Windows to do this or if it is a malware program doing this.

I will try what you suggest and see what happens. However, I suspect that my system is so badly compromised that I may have to start all over by reloading my operating system onto a new hard drive. I've run several scans with my updated Spysweeper antivirus and antispyware and the Microsoft Malicious Software Removal Tool with no detectable malware in both regular mode and safe mode, with the internet and without the internet connected. Some online forums are offering these elaborate, complicated and risky methods for removing some kind of suspected rootkit that is capable of disabling malware detectors. I already have Firewall set to alert me when it blocks a program. There have never been any alerts to indicate that it is blocking a program.

Webroot has offered a free email method for determining if it is a virus or rootkit; however, it is very complicated and may take several weeks of back and forth correspondence to find the cause and the cure. I'm currently unemployed so I'm trying to keep expenses at a minimum. Therefore, I can't afford to have a professional technician run diagnostics and make repairs.

Update: I've installed WinPatrol and reset the default on Windows firewall, and these Services exceptions ports are then regenerated and reactivated by one or more startup programs. WinPatrol lists over eighteen startup Microsoft type .dll programs located in an "undocumented system startup location" which are suspected along with suspected registry keys. These ports cannot be specifically linked to a startup program. I've decided to forgo the troubleshooting and repair method and do a clean install of Windows XP on a new hard drive instead. I have a feeling that the source of the problem is too complex for investing the time and expense involved in removing whatever is causing this problem. My hard drive is over five years old and it has too many junk files left over from programs which were uninstalled long ago. Everything has been backed up in preparation for this.
February 24th, 2010 10:43pm

The activations of these Windows Firewall "Exceptions" for Services were created by a Master Boot Record (MBR) infection caused by the Troj/Mbroot-H virus. It cannot be removed without rewriting the Master Boot Record. Unfortunately my operating system has a customized boot partition, which means that changing it could damage my Windows XP hard drive to the point of losing access to the operating system.

For those who have a standard boot partition, using FIXMBR and a good anti-rootkit program to identify and delete the infected files and registry files should eliminate this infection. In my situation, a clean reinstallation of the operating system on a new hard drive is the only solution. All of my personal files have been backed up manually to an external hard drive, which has been scanned for viruses and spyware and detached from the system.

This is directly related to the "HelpAssistant" virus discussed in another thread in this forum. I've identified Services port TCP 3246 and at least five other Services unassigned ports as the entry point for the hacker who is taking advantage of this situation. If you delete them, they are configured by the system's corrupted registry and files to be replaced and reopened each time the computer is restarted. One port is being used at a time and the system is being manipulated in a way where they are being replaced and reopened with alternates on restart.

I recommend that all users be aware of the items listed under the Exceptions tab for Windows Firewall. If you are not sure what each one is for, you'll need to find out so that you can protect the privacy and security of your personal information. The internet does not provide specific or in-depth information on the Services port. Iana.org lists them with either a title or as unassigned, with very little information about what they are for or how they relate to the care, updating, condition, and maintenance of your operating system. I believe there are a few of them which are being used for some kind of illegal hacker mischief.

Spacejunkie1
March 14th, 2010 1:00am

Well, if I were in your place, I would not have kept any programs except the default ones (not even Remote Connection or Sharing, as I don't use them). For others that it adds as exceptions, I would have checked them on Microsoft.com and msdn.microsoft.com. If the programs are related to MS, you will always get an answer. If there is no answer and/or if I am left in doubt, I will remove it from the exceptions list. Finally, if any program is affected by this and has problems connecting, I would have added it to exceptions. Other than these, I would NOT allow any in Exceptions.

THE RULE OF THUMB IS TO DENY ANY PROGRAM THAT YOU DO NOT KNOW AND IF YOU ARE IN DOUBT. IF YOU EXPERIENCE ANY PROGRAM CREATING PROBLEMS, YOU CAN ALWAYS ADD IT LATER.

--
Best Regards,
DreamsCentral
Twitter: @DreamsCentral
LinkedIn: Linkedin.com/in/DreamsCentral
Signed: Sunday, March 14, 2010, 2:46:38 PM IST
March 14th, 2010 12:26pm

Hello DreamsCentral;

I reset my Windows firewall to the default settings and the remaining listed Exceptions were as follows:

File and Printer Sharing (always unchecked)??? not used
Remote Assistance (this item received an additional checkmark where none existed before) unchecked and not used
Remote Desktop (unchecked except when HelpAssistant virus or Troj/Mbroot boot sector virus changes MBR for outside access) not used
UPnP Framework (always unchecked)???

After I restarted my computer there were four additional ports for Services (each one had a checkmark). They were for:

Services TCP 65533 Dynamic and/or Private Party
Services TCP 52334 Dynamic and/or Private Party
Services TCP 9034 Unassigned
Services TCP 2470 Secure Event Logging Server

Either one or all of them are a direct result of a boot sector virus. I suspect services port 9034 and six alternative ports as the entry points for activation of the HelpAssistant user account, the remote desktop activations, and the downloading of the HelpAssistant file folder in Documents and Settings. Since these ports are added and active when the system restarts, I've had to disconnect from the internet and delete them each time. Restoring defaults always adds a checkmark to Remote Assistance, so I have to uncheck it each time because that is boot sector virus related.

I can't afford the expense of reloading my operating system because of this virus. Because of my custom dual-boot partition I may risk losing access to my Windows XP operating system if the MBR is rewritten. Disabling or deleting the functions that this hacker uses may keep them from invading my system until I can afford to replace my computer. Webroot cannot remove the virus and has recommended servicing by a professional technician, which may include reinstallation of my operating system.

I have WinPatrol to notify me when someone is attempting access to the system in a specific way, and Webroot Antivirus with Spysweeper monitors incoming activity in another way (without a firewall). The virus has somehow disabled the Notification feature in Windows Firewall when the box is checked, so there are no warnings of intrusions. Sometimes the clues for system intrusion are symptoms, such as minor freezes or slowdowns. The only entity that has been blocked in the past was one of the ten .exe programs for my HP AIO printer that was part of the listed exceptions in Windows Firewall. I don't know if they are truly needed, but according to HP all ten of them should be open. I'll have to wait and see if they ask for entry into my system.
March 15th, 2010 4:18am
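An added example, not part of any post in this thread: one way to catch the reboot-time "Services" ports described above is to save `reg query` output of the XP firewall's port-exception key right after Restore Defaults and diff it against a dump taken after the next restart. The two dumps below are constructed from the port numbers quoted in the thread, the function names are hypothetical, and the parser assumes the `port:protocol:scope:Enabled|Disabled:name` value format with no colons in the scope field.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Port exceptions for the Standard (non-domain) profile on XP SP2 and later.
# Capture with:  reg query "<KEY>"  > dump.txt
KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
       r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")


class PortException(NamedTuple):
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


# A value line in reg query output: indented name, type, then the data string.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.+?)\s*$")


def parse_entry(data: str) -> PortException:
    """Parse one 'port:proto:scope:Enabled|Disabled:name' data string."""
    parts = data.split(":", 4)
    if len(parts) != 5 or parts[3] not in ("Enabled", "Disabled"):
        raise ValueError(f"unrecognised exception entry: {data!r}")
    port, proto, scope, mode, name = parts
    return PortException(int(port), proto.upper(), scope, mode == "Enabled", name)


def parse_dump(text: str) -> Dict[Tuple[int, str], PortException]:
    """Index every exception in a saved reg query dump by (port, protocol)."""
    entries = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:  # key-path and blank lines do not match and are skipped
            entry = parse_entry(match.group(2))
            entries[(entry.port, entry.proto)] = entry
    return entries


def newly_open(baseline, current) -> List[PortException]:
    """Exceptions enabled now that were absent or disabled in the baseline."""
    found = []
    for key, entry in current.items():
        before = baseline.get(key)
        if entry.enabled and (before is None or not before.enabled):
            found.append(entry)
    return sorted(found)


# Constructed sample: state right after "Restore Defaults".
BASELINE = KEY + """
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Disabled:File and Printer Sharing
    3389:TCP    REG_SZ    3389:TCP:*:Disabled:Remote Desktop
    2869:TCP    REG_SZ    2869:TCP:LocalSubNet:Disabled:UPnP Framework
"""

# Constructed sample: state after the next restart, using the thread's ports.
AFTER_REBOOT = KEY + """
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Disabled:File and Printer Sharing
    3389:TCP    REG_SZ    3389:TCP:*:Enabled:Remote Desktop
    2869:TCP    REG_SZ    2869:TCP:LocalSubNet:Disabled:UPnP Framework
    65533:TCP    REG_SZ    65533:TCP:*:Enabled:Services
    52334:TCP    REG_SZ    52334:TCP:*:Enabled:Services
    9034:TCP    REG_SZ    9034:TCP:*:Enabled:Services
    2470:TCP    REG_SZ    2470:TCP:*:Enabled:Services
"""

if __name__ == "__main__":
    for e in newly_open(parse_dump(BASELINE), parse_dump(AFTER_REBOOT)):
        print(f"NEW  {e.port}/{e.proto}  scope={e.scope}  name={e.name}")
```

The diff also reports an existing entry that flips from Disabled to Enabled, such as Remote Desktop here, which a check for new port numbers alone would miss.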

Hi SpaceJunkie1,

From what you have written, I can sense that you have a good knowledge of Windows OS. It sounds true that these extra four ports are the result of a virus. In my opinion, you should go ahead and reinstall the OS after a backup of important data (normally, I do not save anything to the system partition, not even use My Documents; it saves your time while clean reinstalling). No need to tell you: format the system partition before the reinstall.

If the other OS is Vista or Windows 7, chances of losing XP are less. Still, if you find that the Boot Loader is not showing XP, you can use the following commands to correct the problem:

    bcdedit /set {ntldr} device partition=C:
    bcdedit /set {ntldr} path \ntldr
    bcdedit /displayorder {ntldr} /addlast
    bcdedit /set {ntldr} description "XP"

Make sure you enter these commands from the Vista or Windows 7 command prompt. For additional details, you may check out my article on multi boot Windows 7.

Hope this clarifies the situation. I mean you are further risking your files by allowing the virus to remain while also being prone to some mal intentions of a hacker. Please think over it and let me know.

--
Best Regards,
DreamsCentral
Twitter: @DreamsCentral
LinkedIn: Linkedin.com/in/DreamsCentral
Signed: Monday, March 15, 2010, 1:36:26 PM IST
March 15th, 2010 11:06am

Hi,

Hmmm, first of all get a good router with a built-in hardware firewall, or a separate hardware firewall with maximum settings. If you can get a DSL line, it's safer and harder to break in.

Unless you provide details about what programs need to get a connection there is not much we can do. I advise you to contact Microsoft support. Why? They have tools that can analyse and see what is going on and are in a better position to help you (!!). Click the link 'Microsoft support' below in my signature and follow it to get a chat with the Microsoft support staff.

You can also see what ports etc. are needed and what uses them through this link: grc.com >> Shields Up, and do a port test.

Have a nice day.

Scan with OneCare + Support ENDING for windows Vista & XP ! + Plagued by the Privacy Center? REMOVE IT + Threat Research & Response Blog + Sysinternals Live tools + TRANSLATOR + Photosynth + Microsoft Security + Microsoft SUPPORT + PIVOT from Live Labs + Microsoft Live Labs + Get OFFICE 2010 FREE ! + Windows LIVE !
March 15th, 2010 7:55pm

Hello DreamsCentral,

I've been using the strategy of disconnecting from the internet during each system restart so that I can edit the Firewall Exception list before going back online. As long as these Exceptions are deleted, the effect of the virus has been temporarily halted. This should buy me some time to raise some money to buy a new computer.

I have to keep an eye on my POP and SMTP ports in Outlook and my Webroot antivirus and antispyware utilities for my email to ensure that these numbers aren't changed from those provided by my ISP (I've experienced two instances of that).

I've abandoned Windows Vista due to frequent hard drive failures (Seagate and Western Digital) and other issues. So, I'm going to use a single hard drive with externals for backup on my next computer. Because of this problem I think it would be better to simplify hard drive installation so that these intrusions can be dealt with more easily.

I believe that this virus was installed by one of those fake malware alerts that are common on Myspace and its associated links. My nieces and their friends were avid users of this site for their social activities. I've instructed them to never click on anything associated with a fake virus or malware popup. I've learned that just passing the mouse cursor over the popup's activation links causes several viruses to be downloaded and that they are rigged to pop up under the cursor unexpectedly. I have instructed them to disconnect from the internet and not to shut off the computer unless the system freezes, and to let me know so that I can run several scans without the internet connected in the normal mode and the safe mode and check all settings. If you shut down the computer with these viruses installed and intact they can infect the MBR during restart, and that is what the hacker anticipates that you will do. If the virus does cause the system to freeze up, then it may be too late; there is nothing you can do except shut down and look for viruses and an MBR infection. This strategy may not apply to all types of viruses. In this case it was because the system was frozen after the viruses were introduced, and that is why the MBR infection occurred after restart.

I really like Windows XP a lot, and the only problems I've had with it are security related and with Media Center issues. If I can afford it, I may give Windows 7 and its XP application a try by installing it on my next computer.

Thank you for the advice.

Best Regards,
Spacejunkie1
March 16th, 2010 1:57am

Hello Dabur972;

Getting a router with a built-in firewall or a separate hardware firewall would be a good idea, for future reference. The issues with my computer have already been identified and a course of action has already been determined. However, most of this stuff costs money that I don't have at this time.

For now Windows Firewall will have to be monitored for added Services Exceptions ports which are generated by the existing boot sector virus on each computer restart. Deleting them is the only way to minimize the hacker's mischief.

I'm going to contact my ISP (Comcast) and see if a router with firewall is compatible with their system. I've tried using the Webroot version of firewall, but there were too many recurring popups with too little information on them to allow a program entry into the system.

My operating system is toast; because of its custom boot partition the MBR cannot be rewritten without losing access to my current operating system.

Thanks for the advice,
Spacejunkie1
March 16th, 2010 2:27am

Hi,

A good router costs around 100 USD or euro. Check with your ISP; many will offer them for free in return for a year or longer subscription. Some you can rent or pay for every month. Is the cost worth it? Yes, every penny!

Yes, Comcast has a few routers. I don't recommend them, and with any decent router you will be able to get whatever ISP you choose (!!).

Windows Firewall with the right settings is good, as long as you keep Windows updated and check and recheck the settings!!

As for custom boot installs, contact support also. One tip: let Windows make it at reinstall; you don't need third party software for it.

Have a nice day.
March 16th, 2010 8:26am

PS: DSL with an IP that changes every 24 hours is the key. As long as the hackers did not get a program inside, with the right modem and changing IP through DSL one needs a mainframe to hack in!!
March 16th, 2010 8:28am

Hello Dabur972;

I'm not sure of how Comcast handles the security of their internet system in relation to periodically changing their IP. I'll have to do some research to understand and compare their features with those of others. I like their high speed internet service quality and the download speed they are providing (100mbps). I never thought that there was another provider that provided service at that speed and quality with the added benefit of better security for its users. AT&T has been visiting me regularly trying to get me to switch my services and they have nothing better to offer. I'm currently using an RCA Digital Broadband Modem for my service via a Comcast cable for phone and internet services. With bundled services for TV, internet, and telephone I save quite a bit of money.

I'm also installing all of the recommended updates for Microsoft and my antivirus and antispyware programs. It's not perfect, but I'm pretty much covered as far as reasonable system security. Windows Firewall, although imperfect, is the best one. MySpace.com and its links to other sites are the sources of this infection and a few others. It doesn't matter what kind of service you have; the threats from popular internet sites are the ones most likely to be used by hackers.

Sometimes you have to set evaluation priorities when choosing to use a service or a product. Cost and service quality are primary considerations. The features to consider are internet upload and download speeds and security. If you have to sacrifice one feature for another to get a good price and reasonable service quality then that is what you have to do.

I usually go to a reputable professional computer technician with parts and specifications to build my computers and install the operating system and software. This time I'm going to have one hard drive in a single boot configuration. The only reason that I went to dual-boot was to test out Windows Vista on this computer and one other one. I've had too many problems with the performance and reliability of the Windows Vista operating system so I switched back to using Windows XP. All of my Vista hard drives failed, so they had to be removed from these computers. If I can raise the money, I will go with the Windows 7 operating system. My current computer and its hardware are not compatible with Windows 7.

Thanks for the help and advice,
Spacejunkie1
March 16th, 2010 11:13am

This topic is archived. No further replies will be accepted.
