Comodo BOClean: Another False Positive?

March 5th, 2008

With this morning’s update (3/5/08), C:\Windows\System32\WUAUCLT.exe (the Windows Update agent) is being stopped by Comodo BOClean and reported as DRP-AGENT.SCK malware.

Is this another false positive like the USERINIT.Exe fiasco of a few weeks ago, or is this real?

I posted to Comodo’s BOClean forum and someone else promptly indicated the same thing happened to them. I have had quite a few clients receive this prompt, with at least one selecting “Yes” to BOClean’s offer to delete the file.

As of 24 hours later, Comodo has not chimed in, although my laptop, the first to experience the problem, updated the definition file again around 4pm and then no longer reported the problem.
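An added check, not from the original post and not BOClean code, that a technician could run before answering “Yes” to that delete prompt: it looks at the flagged file’s Authenticode status, compares its hash with the Windows File Protection copy in dllcache, and prints its version resource. The file path is the one named above; the dllcache location is standard on Windows XP and is the only assumption.

```powershell
# Added example: gather evidence on whether a system file an anti-malware tool
# has flagged is the genuine one, before agreeing to delete it.
param([string]$File = "$env:SystemRoot\System32\wuauclt.exe")

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Authenticode. Many XP-era system binaries are catalog-signed rather than
#    carrying an embedded signature, so "NotSigned" here is inconclusive, not
#    proof of tampering; "Valid" with a Microsoft signer is strong evidence.
$sig    = Get-AuthenticodeSignature -FilePath $File
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
"Signature: {0} ({1})" -f $sig.Status, $signer

# 2. Compare against the Windows File Protection copy in dllcache (XP keeps a
#    pristine copy of protected files there). A mismatch needs a closer look.
$live  = Get-Sha256Hex $File
$cache = Join-Path "$env:SystemRoot\System32\dllcache" (Split-Path $File -Leaf)
if (Test-Path $cache) {
    if ($live -eq (Get-Sha256Hex $cache)) { "SHA-256 $live matches the dllcache copy" }
    else { "WARNING: live file differs from the dllcache copy; do not trust it blindly" }
} else {
    "No dllcache copy; compare SHA-256 $live with the same file on a known-clean PC"
}

# 3. Version resource. The real agent is stamped with Microsoft's company name;
#    a dropped look-alike in System32 usually is not.
$ver = (Get-Item $File).VersionInfo
"CompanyName: {0}; FileVersion: {1}" -f $ver.CompanyName, $ver.FileVersion
```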

This is frustrating. Yes, Comodo gives away BOClean for free, but I have a number of clients who paid for it just a year or two ago.

Compound this with the ongoing “file corrupt” message that only goes away if you know the trick (I have a video), and the UserInit.exe false alarm just a short time ago that rendered many PCs unable to log in (and made me glad I typically install Windows Recovery Console on PCs), and I’m about to pull my support of the formerly fantastic product and uninstall it from all of my client computers.

Very sad. As another poster commented: “This never happened when Kevin (owner of NSClean who created it) was running the show”.

Software as a Service isn’t what you think it is

December 30th, 2007

Software as a service is a generally bad idea that I have written about before.

For those who don’t value my opinion, perhaps you will listen to security experts Bruce Schneier and Marcus Ranum. In Bruce’s most recent Crypt-O-Gram, he and Marcus describe how Software as a Service is really a trick that allows businesses to lock in their customers indefinitely.

He specifically mentions the phenomenally popular iPhone, which allows only certain companies to provide software for it. And on the other side of the PC - Mac gulf, Microsoft’s Trusted Computing initiative is really another lock-in measure, one touted as a security measure.

Nice to be in good company.

Annoying Emails With Bogus Virus Alerts - and UGLY!

December 1st, 2007

A couple of days ago my wife got one of those annoying emails warning about a “Life is Beautiful.pps” PowerPoint attachment which, the email claimed, would wipe out your entire C: drive if opened. And, this is the good part, they get your PASSWORD too!

Just so you don’t check it out yourself, at the bottom of the email it says “verified by Snopes.com”. Which, of course, it isn’t: Snopes exposes the hoax. So does TruthOrFiction.com. But people don’t check things out for themselves.

It’s a hoax that dates back to 2002.

Your first clue is the “it will wipe out your hard drive” claim. Very few viruses ever did that. Why would they? Virus writers want to profit from their work, and wiping out your hard drive just doesn’t pay. They want to turn your machine into a spam bot that they control; at least nowadays they do. There have been some malicious, destructive viruses, they just aren’t that prevalent.

My wife of course sent that family an email with a link to both snopes.com’s review of the hoax and truthorfiction’s with the suggestion that they send out a correction to everyone.

With one BIG difference.

We suggested they use BCC (Blind Carbon Copy) instead of the CC that they used on their email. Why? We sent this link also:

Why and How to use BCC.

Bottom line is that not using BCC exposes our email address to spam and gives our address to everyone they know. Sorry, but our email is kinda private - primarily because we don’t like spam.

Making that person look bad

We chose not to make that person look bad and sent our email to just them (she used “Reply” instead of “Reply to All”). But you know what? They never did send out a correction. Probably didn’t read about BCC either. That’s just rude, IMHO. If I ever send out faulty info, I send a correction as soon as I’m made aware of it. Everyone should.

The next day someone else did a “Reply to All”. Another reason to use BCC. This other person pointed out the hoax to everyone on the list, on the original sender’s behalf. Makes them look kinda stupid. Much more so than if they had sent the correction themselves.

But even this second person used CC instead of BCC, and the resulting email was such a disaster that I didn’t even look at it the first time. Only when I wanted to blog about how bad it was did I see, right at the bottom, the purpose of their correspondence.

Folks, I know it sounds like I’m just trying to generate sales, and yes, I do appreciate the sales, but take a look at my email etiquette ebook - I’m still selling it for less than 10 bucks.

Is it worth 10 bucks to not look so inept? Is it worth 10 bucks to have people read your email instead of deleting it on sight?

Check out my email etiquette ebook here.

Want to see what this disaster of an email looked like? Get your barf bag ready…

(intentionally blurred to protect the innocent)

Email Mess in need of email etiquette

Then, eventually...

here’s the original message: (Direct from Microsoft & Norton! - rrriiiiight!)

>
> Many of you may have already received this – but am passing it along.
>
>
>
> Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on.
>>>
>>> This information arrived this morning, Direct from both Microsoft
>>> and Norton.
>>>
>>> Please send it to everybody you know who has access to the Internet.
>>>
>>> You may receive an apparently harmless e-mail with a Power Point
>>> presentation ‘ Life is Beautiful’
>>> If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and
>>> delete it immediately.
>>>
>>> If you open this file, a message will appear on your screen saying:
>>> ‘It is too late now, your life is no longer beautiful.’
>>>
>>> Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who
>>> sent it to you will gain access to your name, e-mail and password.
>>>
>>> This is a new virus which started to circulate on Saturday afternoon.
>>> AOL has already confirmed the severity, and the anti virus
> software’s are
>>> not capable of destroying it.
>>>
>>> The virus has been created by a hacker who calls himself ‘life owner’.
>>>
>>> PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them
>>> to PASS IT ON IMMEDIATELY!
>>> THIS HAS BEEN CONFIRMED BY SNOPES
>
> ———————————————————————-
> –

Then a signature block here with a favorite quote (omitted)

>
>
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.16.6/1150 - Release Date:
> 11/24/2007 5:58 PM
>
>———————————————————————–
>-
>
>No virus found in this incoming message.
>Checked by AVG Free Edition.
>Version: 7.5.503 / Virus Database: 269.16.8/1154 - Release Date:
>11/27/2007 11:40 AM
>
>

Then FINALLY, we get to the message that the sender wanted us to know:

This email has been circulating for a long time. Click on the Snopes check below

Snopes.com <http://www.snopes.com/computer/virus/life.asp>

How many people will scroll that far down (past all of that GARBAGE) to read what you have to say?

Which is why I prefer to put my reply at the top, and if the person needs to read the history, they can keep reading.

But do you see what I mean?

Enough said.

Can Police Monitor Skype Calls?

November 22nd, 2007

Good news for privacy advocates and Skype users. In fact, this is likely applicable to most VoIP telephony solutions.

German police report that they cannot break the encryption Skype uses, and so cannot monitor calls. The problem is not just the encryption but also the way in which VoIP calls are conducted: Skype and other VoIP calls are broken into small data packets that are routed over many internet paths and routers to get from one end to the other.

This means that police really need access at the source, preferably before the encryption is applied, in order to monitor the call.

I’m sure they’ll be working on that. They will likely try to install Trojan Horse programs on the suspect’s originating PC. In the U.S., I think that would fall under the category of a clandestine entry of the property.

Read the full story here.

Comodo’s BOClean is quite adept at fighting Trojan Horse programs, and it’s free.

Hushmail Turns Over Email To Feds

November 15th, 2007

I had a discussion yesterday with a client about security and trusted third parties. The point I am always trying to make is that when you trust a company, you trust not only the company but every employee it has. Think about that before trusting.

Related in a different way is an article in Wired titled Encrypted E-Mail Company Hushmail Spills to Feds. Hushmail provides secure web-based email: normally the message is encrypted by a Java client on your PC and decrypted on the reader’s PC, so Hushmail’s servers only ever see encrypted data.

But that method is slightly inconvenient, so Hushmail offers another option, in which the encryption key is known to the Hushmail server for a short time. You really need to read the article to understand the full details, but the bottom line is this: convenience will cost you security.

Is anyone surprised by this?

I was at a conference recently where I was discussing secure communications with a person who has ties in high places. He assured me that no level of encryption is more than a slight inconvenience to the Feds. This article, to me, indicates otherwise.

But just sending encrypted data is a red flag that says “look here”. So weigh those options before encrypting anything. Unless of course you have a high volume of junk you can encrypt to act as red herrings.

Fake FTC Emails Fraud Dep at FTC.gov

October 31st, 2007

The real Federal Trade Commission is warning email users NOT to open emails that appear to be from frauddep (at) ftc.gov. These emails contain a virus that is designed to steal passwords and account numbers.

It isn’t hard to spoof, or fake, the return address of an email. This has been done before with the FBI, CIA and other .gov addresses.

As usual, don’t open suspicious emails of any kind. If the government wants to talk to you, they’ll be happy to break down your door in the middle of the night, not send you an email.

Further info is available at this government computer fraud website.

Windows Live OneCare Changes Windows Update Settings

October 25th, 2007

Windows Live OneCare is a $49.95/year security suite from Microsoft. And Performance Tune-ups. And Backup and Restore. And I think I’m gonna be sick.


I was reading an e-newsletter this morning detailing that Live OneCare was turning on Windows Update to download, install and, if necessary (isn’t it always?), reboot the PC at the default time of 3am, without telling the user. Some users had wisely turned off auto download and auto install.

Even if you had DISABLED the appropriate services, Live OneCare was setting them back to “Automatic”, which means they start up when the PC boots.
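An added example, not from the original post and not OneCare code, of how a technician could catch this kind of silent change: it snapshots the Automatic Updates service start modes and the AUOptions/ScheduledInstallTime registry values, then reports any drift on the next run. The registry keys are the standard Automatic Updates settings; the baseline file location and the BITS service in the list are assumptions.

```powershell
# Added example: record the Automatic Updates configuration and report anything
# that changed since the last run, so a tool that flips settings back on shows up.
$Baseline  = Join-Path $env:ALLUSERSPROFILE 'au-baseline.txt'   # assumed location
$AuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuState {
    $state = @{}
    # wuauserv = Automatic Updates, BITS = the download service it uses. The post
    # does not name the services it means, so adjust this list as needed.
    foreach ($svc in 'wuauserv', 'BITS') {
        $w = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        $state["service:$svc"] = if ($w) { "$($w.StartMode)/$($w.State)" } else { 'missing' }
    }
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then notify,
    # 4 = download and install unattended at ScheduledInstallTime (3 = 3am)
    foreach ($key in $AuKey, $PolicyKey) {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $state["$key AUOptions"]            = $p.AUOptions
            $state["$key ScheduledInstallTime"] = $p.ScheduledInstallTime
        }
    }
    return $state
}

function Compare-AuState($old, $new) {
    $diff = @()
    foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if ("$($old[$k])" -ne "$($new[$k])") {
            $diff += "{0}: was '{1}', now '{2}'" -f $k, $old[$k], $new[$k]
        }
    }
    return $diff
}

$current = Get-AuState
if (Test-Path $Baseline) {
    $saved = @{}
    Get-Content $Baseline | ForEach-Object { $k, $v = $_ -split '=', 2; $saved[$k] = $v }
    $changes = Compare-AuState $saved $current
    if ($changes) { "Automatic Updates settings changed since baseline:"; $changes }
    else { "No drift from baseline." }
} else {
    "No baseline yet; recording current settings in $Baseline"
}
# Save the current state as the baseline for the next run
$current.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } | Set-Content $Baseline
```

Run it once right after configuring the PC the way you want it, then again (or from a scheduled task) after installing anything that claims to manage updates for you.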

People who had been finding this out (the hard way: they wondered why their PCs were rebooting) seemed shocked.

The average user I will give a small break to; maybe they don’t read much - or watch any news. But any PC professional using Live OneCare instead of a competent security suite (no, not McAfee or Norton) like Trend Micro or ZoneAlarm needs to stand back and think for a moment.

Microsoft? Security Suite?
Microsoft? Performance?

Isn’t that an oxymoron of some type? Multi-Oxymoron?

Here is my email that I sent to the writer of the e-letter:

Why anyone would trust Microsoft for a security package is beyond me.
Microsoft cares about themselves only, and to find that they make changes to your PC that you don’t want made does not surprise me one bit. And their security reputation is so tainted, nay bludgeoned, that it just doesn’t make sense to pay them almost $50/year to screw up your PC.

Do you want me to tell you how I really feel?

Most people use Windows because it’s the de facto standard, or because they can’t afford a Mac.

More people are moving to Linux (like Ubuntu) every day. I don’t think that trend is going to change, and Vista is just speeding it up.

Can Virtual Machines be the answer to Safe Surfing?

October 9th, 2007

About 2 weeks ago I had to clean a client’s home PC. AOL 9 would not run at all (no loss in my mind, but…) and Internet Explorer would lock up.

This machine was protected by Norton 360; however, it appears that the malware was imitating Norton 360 pop-up boxes to coerce the user into installing more malware.

The user had decided not to install the WiFi router on his cable modem since he didn’t currently need wireless; he apparently forgot that sending out a wireless signal is not the only thing the router does!

I cleaned the PC up, installed Firefox, reinstalled AOL 9 and it appeared they were good to go.

Long story short, junior was home alone all day on Wednesday and by Thursday it was malfunctioning again - big time. Junior claims he spent the day only on Facebook. Hmm. (Like that’s a wise use of time.)

Maybe a solution is at hand.

Virtual Machine (VM) software has been around for quite a while. In a nutshell, Virtual Machine technology allows you to run a copy of Windows (like XP) inside another copy of Windows (XP or Vista). Anything that happens to the second copy is trashed as soon as you are done and exit.

So if junior surfs the web, I mean, spends all day on Facebook, using a Windows XP Virtual Machine and loads up all kinds of malware, all he needs to do is exit when he’s done and Dad’s PC is right back the way it was when he fired up the VM copy of Windows.

Sounds cool, but what does it cost and where do you get it? Well, Microsoft offers Virtual PC free to anyone. Then you download an appropriate “image” of the “guest” PC you want to run inside of your “host” PC and you’re ready to go.

You are safe while surfing because the Virtual Machine technology builds a barrier between the guest PC and the host PC platform it runs inside of. Changes to the guest do not affect the host.

If you want more robust Virtual Machine technology, including some really cool server options, VMware is the answer. VMware, however, is not free. But they do have a free player.

VMware can be considered superior to Microsoft’s Virtual PC due to its ability to run other operating systems. Want to try Kubuntu? Download here.

Virtual PC 2007 is now available from Microsoft. Get a VM Image of XP with SP2 and Internet Explorer here.

This is great technology and can save you time, money and headaches. Check it out.

Comodo BOClean database is corrupt - File BOC425XVU

October 3rd, 2007

For the last day or so, users have been calling and reporting that they get an error message (in a persistent dialog box) stating that BOC425.XVU is corrupt and to go to BOClean update to correct it. But doing so doesn’t fix it, and you can’t get the dialog box to go away.

First, right-click the BOClean icon in the task tray and select “Shutdown BOClean”. If it is not there, you will likely have BOC425.exe in Task Manager. That’s OK too.

Next, pull up Task Manager (CTRL-SHIFT-ESC) or right-click the taskbar and select “Task Manager”. Click on the column heading “Image Name” to sort alphabetically. Look for and click on BOCore.exe and choose “End Process”. Do the same with BOC425.exe if it’s there. If there is more than one of either of those, end them all.

Comodo BOClean BOCore.exe in Task Manager

When you have BOC425.exe or BOCore.exe highlighted and click “End Process”, you will have to acknowledge any warnings; then close Task Manager.

Now you can go to Start | All Programs | Comodo | Comodo BOClean | Updater, and the update should fix the problem. You will need to either reboot or run BOClean manually (from the Start Menu) to get it up and running and protecting you again.
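The same fix as an added script, not from the original post or from Comodo, for technicians who have to repeat it on several client PCs. The process names are the ones given above; the shortcut name “Updater.lnk” under the Start Menu folder named above is an assumption and should be checked on one PC first.

```powershell
# Added example: stop every BOClean process, confirm they are gone, then run the
# Updater shortcut from the Start Menu so the corrupt database is replaced.
$Processes = 'BOC425', 'BOCore'   # tray client and core engine, as named in the post

# Stop every instance (there may be more than one of each)
foreach ($name in $Processes) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        "Stopping $($_.Name) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }
}

# Do not touch the database until the processes are really gone
$deadline = (Get-Date).AddSeconds(15)
while ((Get-Process -Name $Processes -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Milliseconds 500
}
if (Get-Process -Name $Processes -ErrorAction SilentlyContinue) {
    throw 'BOClean processes still running; not safe to run the updater'
}

# Resolve the Start Menu shortcut (Start | All Programs | Comodo | Comodo BOClean |
# Updater) instead of guessing the updater's executable name. "Updater.lnk" and
# the All Users Programs folder are assumptions.
$shell = New-Object -ComObject WScript.Shell
$lnk   = Join-Path $shell.SpecialFolders.Item('AllUsersPrograms') 'Comodo\Comodo BOClean\Updater.lnk'
if (-not (Test-Path $lnk)) { throw "Updater shortcut not found at $lnk" }
$shortcut = $shell.CreateShortcut($lnk)
"Running $($shortcut.TargetPath)"
if ($shortcut.Arguments) {
    Start-Process -FilePath $shortcut.TargetPath -ArgumentList $shortcut.Arguments -Wait
} else {
    Start-Process -FilePath $shortcut.TargetPath -Wait
}
'Update finished. Reboot, or start BOClean from the Start Menu, to get protection back.'
```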

Laptop from he11 - Virus infection and then some

September 22nd, 2007

I wish I weren’t such a nice guy. A gal who works for one of my clients asked where she could take her laptop for cleaning.

There wasn’t anyone I really felt comfortable recommending and I figured “how bad can it be?”

“Bring it to me”, I foolishly said.

It’s an IBM Thinkpad, which is good, with a Celeron processor, which is bad.

Even though it has a Windows XP Pro license sticker on the bottom, XP Home is installed - Strike two.

And this thing is so polluted you can barely move the mouse pointer. There was no working antivirus software, although I finally found some program shortcuts for Norton 2003. No sign of the software though.

Internet Explorer is absolutely useless, well, more than usual, unless you like infinite exploding popup windows. So after cleaning out the registry and everything else that was easy to find, I loaded BOClean (anti-trojan, anti-malware) and Firefox. BOClean has found only 1 item so far (and killed it).

Firefox runs; go to Google and do a search, no problem. Try to navigate to http://housecall.trendmicro.com and the program closes.

Using a USB flash drive I copied over Ad-Aware 2007 (free version) and ran it twice. It found quite a bit and cleaned it. Now it refuses to run.

Using a USB flash drive I copied over SysClean from another PC, where I had downloaded it. It gave me fits too, but finally I was able to make it run.

Also from a USB flash drive I copied the free antivirus from Comodo. It found nothing, although much had already been cleaned.

Searching for rootkits I used F-Secure’s free (expires Oct 1st) BlackLight. It found nothing.

The persistent file I find loading from the registry is PRX.exe in C:\Windows\System32. Googling it brought up nothing of any use.

I keep threatening to blast the whole thing, format the drive and reinstall Windows XP Pro from scratch but:

  • I’m stubborn and see this as a challenge
  • The owner says there is nothing she wants on the machine, but I’ve heard that before
  • I can save C:\Windows\inf off to USB before I blast it, but I still fear the potential hassle of finding all of the drivers I will need for a laptop this old

Folks, surf wisely. Check out my User Behavior page on my website. Use SiteAdvisor. Run a competent antivirus program and BOClean for malware. Don’t open suspicious emails.

============

Update

============

  • McAfee’s rootkit tool found nothing
  • Trend Micro PC-cillin would not install; it reported a corrupt installation file. It installs fine on other, known-clean PCs
  • Navigating to Avast.com or AVG in Firefox caused the browser to immediately close
  • Even if left unattended, at some point IE windows would open at a furious rate trying to go to www.llehs.com

Final resolution: Wipe Drive and Reinstall Windows XP.