Spyware Sucks

Fake USB drives being sold in Brazil

Saw this on Sharkbait. Shonky street vendors are putting the chopped off end of a USB cable in an old Dlink wifi adapter case and selling them off as cheap USB flash drives.  Cheeky.

http://img474.imageshack.us/img474/9779/pendrivefg7.jpg

HOTFIX: Windows IE7 may crash when you vist a Web site

Windows Internet Explorer 7 may crash when you use it to visit a Web site. This problem occurs when the following registry subkey is enabled:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UseCoInstall

http://support.microsoft.com/default.aspx/kb/935544

Information: A Web age may not be displayed correctly when you use the zoom feature in IE7

When you use the zoom feature in Windows Internet Explorer 7 to zoom in or to zoom out on a specific Web page, the Web page may not be displayed correctly.

For example, you may experience one or more of the following symptoms:

• On the Web page, there is an image between text strings and an input object, such as a button or a text box. When you zoom in or zoom out on the Web page, the text strings may be truncated, or they may not be displayed. This problem occurs because the input object overlaps the text strings. 
• On the Web page that you are viewing, there is a text string or a table that has a border. When you zoom in or zoom out on the Web page, the border may not be displayed.
• The Web page contains content that uses the "DISPLAY:block;VERTICAL-ALIGN:bottom;" parameters. For example, the Web page contains the style for an "A" tag. When you zoom in or zoom out on the Web page, there may be an extra hyphen (-) that is displayed after the strings or after the images. To verify the decoration of an "A" tag, click View Source on the Tools menu.
• When you put the focus on a link object on the Web page, and then you move the focus to another link object, the focus position may not be on the display position of the link object.
• You cannot zoom in or zoom out on any part of the Web page that is drawn by an ActiveX control. 

http://support.microsoft.com/default.aspx/kb/933053

HOTFIX: Session cookies may be lost after you open a file that has a local file path or a UNC file path in IE7

When you use Windows Internet Explorer 7 to open a file that has a local file path or a UNC file path, session cookies may be lost after later operations. These later operations may include opening a new window or closing a new window.

http://support.microsoft.com/default.aspx/kb/935778

Norton screws things up for Chinese Windows XP SP2 users

Yay Norton.

For a period of time Norton was detecting two essential system files, netapi32.dll and lsasrv.dll as Backdoor.Haxdoor after the Chinese users installed the Microsoft security update MS06-070.  Norton was deleting the two files causing severe problems.  Affected systems bluescreen and then display the following Windows File Protection alert:

Screenshot of the Norton false positive:

Note: the false positive is fixed by definition 20070527 version 71.

Fix:

The files can be restored using the Windows Recovery Console, which is can be accessed by booting a PC from the Windows XP installation disk, or by booting using a PC manufacturer's Restore Disk.

Information about Recovery Console:

http://support.microsoft.com/kb/307654
http://support.microsoft.com/kb/314058

1. ValueClick and malware - the problem continues 2. The FTC investigates ValueClick

ValueClick seems to be facilitating more than the distribution of malware like Winfixer.  Check out Mike's latest entries on the subject of ValueClick/Mediaplex:

ValueClick involved with Trojan.Zlob.N
http://msmvps.com/blogs/hostsnews/archive/2007/05/18/valueclick-involved-with-trojan-zlob-n.aspx

ValueClick turns to the Dark Side
http://msmvps.com/blogs/hostsnews/archive/2007/05/18/valueclick-turns-to-the-dark-side.aspx

On 8 May I received an email from ValueClick advising me that ValueClick were still investigating the reports that I made to them on 25 April regarding the distribution of various Winfixer variants via Mediaplex.  As of today, I have received no word as to what they have done or plan to do, if anything, despite more than 3 weeks having passed.

On a related point, I've been reading up on the various acquisitions of advertising networks that have happened recently:

• Microsoft announced Friday it is buying online ad agency aQuantive in a $6 billion cash deal for $66.50 a share, an 85 percent premium over Thursday's close price;
• 24/7 Real Media is to be taken over by ad agency WPP Group (the world's #2 advertising firm, according to some) for $649 million;
• Google announced in early April that it was buying privately held DoubleClick for $3.1 billion;
• Yahoo! announced it was going to purchase the remaining 80 percent in Right Media that it didn’t already own for $680 million.

It makes me wonder who may want to buy ValueClick, and why hasn't it been snapped up yet.  Yes, it is possible that there may be hush hush talks going on in a boardroom somewhere that the world at large does not know about, but what company would want to buy ValueClick when it has problems like this and this and this?  Reality is that as ValueClick's reputation for facilitating the distribution of malware spreads (and, more importantly, as word spreads that the distribution via ValueClick has continued despite complaints and negative publicity), more and more people will simply block ValueClick content in it's entirety and that, gentle reader, will have a direct impact on income of legitimate advertisers and ValueClick itself.

Mike Burgess says:

"Way to go ValueClick! ... enjoy the Dark Side and your ill-gotten gains (for now)

Knock-knock ... who's there? (hopefully) The FTC"

Mike, in a way your wish has come true.  The FTC is investigating ValueClick (cite: http://www.nypost.com/seven/05192007/business/ftc_probing_valueclick_business_.htm, http://news.moneycentral.msn.com/provider/providerarticle.aspx?feed=AP&Date=20070518&ID=6924416 and http://www.fool.com/investing/high-growth/2007/05/18/win-a-free-ftc-inquiry.aspx)

Ok, so now that the FTC have got ValueClick in their sites because of potential violations of the Can-Spam Act, maybe the time is ripe for a publicity push regarding ValueClick's involvement in facilitating the distribution of Winfixer and other malware to encourage the FTC to have a close look at that as well.

WARNING: "Dell online store" trojan emails

Overnight many people were were slammed by Dell trojan spam and yes, I know of people who clicked on the link in the email.

Word is spreading about this latest attempt at social engineering, but I find it disconcerting that despite the email using an IP based URL, despite it having no graphics (even in HTML mode), and despite only cursory attempts being made to make the email appear legitimate, that people are still being fooled. 

Info about the incident can be found at these URLs:

Australian Computer Emergency Response Team
http://www.auscert.org.au/render.html?it=7595

Websense Security Labs .. "The site is encoding there code via Java Script which decodes to 8 different IFRAMES, all which attempt to load exploit code and download and install new malicious code. The site itself appears to be going up and down sporadically."
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=774

Dell's official blog and Dell Australia Web site
http://direct2dell.com/one2one/archive/2007/05/16/15050.aspx
http://www1.ap.dell.com/content/topics/topic.aspx/ap/topics/main/en/email_hoax?c=au&l=en&s=gen

Below is a screen shot of the dangerous email, and a snippet of just one page of a GFI console that shows just how heavy the flood of emails was on one site ...

Snap quiz..

Supported operating system = Windows Vista

System Requirements = IE6

We all know that there are sites and applications that don't work well with IE7 because of security improvements - is that the case here?  The fact that the question can be asked indicates that some clarification is in order.  Perhaps IE6 is the *minimum* browser version, not the only browser version, compatible with the MSAT.

PRESS RELEASE: Phony Email Sent from Attorney General Listserv Address

Consumer Alert:

A listserv account used by the Washington Attorney General’s Office to send news items was hijacked as part of a “phishing” scam. State agencies have resolved the problem to ensure further unauthorized e-mails are not sent.

Subscribers received a e-mail message that appears to come from “Military Bank Online” but includes the listserv address in the “from” line. The message aims to trick readers into clicking on a link that resembles a Bank of America Web site and asks for account login information.

Do not follow the link. Do not provide any identifying information. Delete the e-mail.

These emails did not originate from the Attorney General’s Office or a bank. The perpetrators of this scam aim to prey on unsuspecting members who follow the link and then enter their account user name and password. They could become victims of identity theft and fraud. Never reply to e-mails that ask for personal information and don’t click on links in e-mails or pop-ups. Legitimate financial institutions will never ask you to verify your identity online.

If you have responded to this fraudulent e-mail, your financial and personal information could be compromised.

·       Please contact your bank immediately to protect your account.

·       Carefully check credit card and bank statements for unauthorized charges each month.

·       You can contact the fraud departments of each of the three major credit reports to request a fraud alert be placed on your file.  For instructions on requesting a fraud alert, visit the Attorney General’s Office Web site at http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/SecurityFreeze.aspx#fraud

For more information how to protect your identity, visit the Attorney General’s Web site at http://www.atg.wa.gov/ConsumerIssues/ID-Privacy.aspx

HOTFIX: Windows IE7 does not download an ActiveX control that is referenced in a CODEBASE attribute when you open a Web page that contains the OBJECT element and the CLSID attribute is missing

Internet Explorer 7 requires the CLSID attribute when you use the OBJECT element together with the CODEBASE attribute to download controls.

http://support.microsoft.com/default.aspx/kb/934014

Error message when you try to use a dial-up connection in Windows IE7 on a Windows Vista based computer: "Cannot write to the telephone book"

On a Windows Vista-based computer, you try to connect to a network by using a dial-up connection in Windows Internet Explorer 7. However, you may receive an error message that resembles the following:

Cannot write to the telephone book.
Error 624 : Telephone book file cannot be updated.
The dial-up connection attempt is unsuccessful.

http://support.microsoft.com/default.aspx/kb/934588

FIX: After you install IE7, the inetinfo.exe process may stop responding on a computer that is running both Windows Server 2003 and IIS 6.0

After you install Windows Internet Explorer 7, the Inetinfo.exe process may stop responding (hang) on a computer that is running both Microsoft Windows Server 2003 and Internet Information Services (IIS) 6.0.

When this problem occurs, you may receive an error message in the System log in Event Viewer. The error message resembles the following:
Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Description:
The IIS Admin Service service terminated unexpectedly.

http://support.microsoft.com/default.aspx/kb/934819

The "File Download - Security Warning" dialog box opens when you try to open IE7

This problem may occur on a Windows Vista-based computer if the following conditions are true:

• The "Temporary Internet Files" folder is moved to a location outside the User folder hierarchy. For example, the "Temporary Internet Files" folder is moved to another volume. 
• The Phishing Filter is enabled. 
• Protected mode is enabled. 

In this case, the "Temporary Internet Files" folder has insufficient permissions in its new location. Therefore, the Phishing Filter cannot start. When this problem occurs, Internet Explorer 7 cannot start, and the File Download – Security Warning dialog box opens.

This problem may also occur on a Microsoft Windows XP Service Pack 2 (SP2)-based computer or on a Microsoft Windows Server 2003-based computer if one of the following conditions is true:

• The folder that contains the "Temporary Internet Files" folder has been deleted. 
• The permissions for the "Temporary Internet Files" folder have been changed. 

http://support.microsoft.com/default.aspx/kb/937409

Provocation.net says go away if you're using IE....

Webmaster says "You were landed on this page because you are using Microsoft Internet Explorer."

Umm... screenshot of Firefox 2.0.0.3, default settings.

Problems at www.ie-vista.com and inetexplorer.mvps.org

The servers are down for emergency maintenance

www.ie-vista.com is affected, inetexplorer.mvps.org is affected, as is email.  SpywareSucks is the only service unaffected.

No word on when things will be back up.

IE with Outlook - When typing a new email in Outlook, or replying to an email, in html format there is a significant delay from when the letters are typed to when they appear on the screen

This problem is caused by a "protective" protocol that I do not support or recommend, that is, loading down the registry by adding a slew of sites to IE's Restricted Sites zone - sometimes tens of thousands of URLs.  Products that "protect" you by loading down the registry in such a way include Spybot, IE-Spyad and Spyware Blaster.

IE7 has made changes to the way that the rendering engine interacts with the Restricted Sites zone - the end result is that if you are using Outlook (not 2007), have IE7 installed and use HTML as your email format, then when you type an email the IE rendering engine will check the registry for entries in IE's Restricted Sites zone **every time you type a character***. 

FIXES:

Remove all of those entries in the Restricted Sites Zone - simply use the programme that dumped all that data into the Restricted Site zone to remove the entries (or use the Reset Internet Explorer Settings Tool) (Tools, Internet Options, Advanced tab)

- or -

Stop using HTML (switch to Rich Text instead)

- or -

Use Word as Outlook's email editor.

***DO NOT*** set Outlook to run in the Internet Zone.

SOAPBOX:

I am reading commentaries in which some complainants demand that Microsoft "fix" IE7 so that they can continue to use the Restricted Sites zone as a "Protection", ignoring the fact that using a protection that depends on adding URLs to IE's Restricted Sites zone is doomed to eventual failure in the same way as adding spam senders to a blocked sender list is doomed to failure.

It is true that in Windows Server 2003 and in Windows XP the Registry Size Limit (RSL) functionality was removed for the most part, meaning that there are no longer any limits on the total amount of space that may be consumed by registry data in paged pool memory and disk space, but this does not mean we should bog the registry down with ever increasing data like Restricted Zone URL entries (Note: On Windows Server 2003, there is a limitation for the system hive of 12 MB when we use the /3GB switch).

There is no practical limit to the number of URLs that the bad guys can create to spread their wares and we simply cannot continue to add URL after URL after URL to IE's Restricted Sites zone as a way to fight back.  If Microsoft decides to change the behaviour behind the slowdown affecting Outlook, then they should do so for reasons other than people wanting to bog down their systems with tens of thousands of Restricted Zone registry entries - it will be better for us to move away from a "protective" protocol that is doomed to eventual failure.

I can understand the thinking behind using the Restricted Sites zone - it means you can view the sites with minimal risk, whereas using a HOSTS file completely blocks access to sites, but I recommend that iIf you really want to avoid advertisements and spyware domains, use Mike Burgess's HOSTS file, available here:
http://www.mvps.org/winhelp2002/hosts.htm

IE7 and security warning/download errors involving navcancl and ieframe.dll

You have installed the Internet Explorer cumulative update KB931768 and have previously moved your temporary internet file folder from it's default location.

You see an error like this one:

File Download - Security Warning
Do you want to save this file?
Name: navcancl
Type: Unknown File Type, 2.64KB
From: ieframe.dll
Save Cancel

FIX:

If your temporary internet files folder has been moved from its default location, move it back.

An alternative is to run IE as an Administrator (right click the IE icon, select "Run as Administrator", but I *strongly* advise against this.

***DO NOT*** uninstall the cumulative update.

While we're on the topic of the IE cache, I'll take the opportunity to remind everybody about two problems with the cache that I see far too often:

Do not use the "Automatic" cache setting - anything but that.  The way the "Automatic" setting works is IE monitors how often a web page is updated.  But, there is a bug in the feature in that IE will eventually decide, seemingly at random, that a page is never updated and stop checking.  The only fix is to stop using the Automatic setting and empty your cache.  Users of older operating systems sometimes have to delete the folders themselves using deltree to get rid of index.dat.  Users of XP and later can generally delete that file from within Windows Explorer by logging in using a different admin account to that which is affected.

Check your IE cache size.  Traditionally Internet Explorer has set the size of its cache as a percentage of total hard disk size.   That was fine years ago, but now that hard drives are getting so large Internet Explorer can set its cache to ridiculously large sizes (2 Gig and more).  This is simply too large for Internet Explorer to be able to handle.  IE7 does check, and adjust, the size of the cache **the first time you click on the Browsing History Settings button, and will reduce it to 1,024Mb if larger than that, but 1,024 is still too large.  Reduce the size of your IE cache to between 50 and 250 Meg.

Oops, it looks like our new electronic ticketing system doesn't work too well....

Ok, so I've had a *real* bad day (so what else is new, I hear some say) and I couldn't resist enjoying a moment when somebody else was having issues....

I couldn't resist taking a photo of this when travelling home tonight. It is of the screen of an add-value machine used to top up the credit balance of the smartcards used by the new electronic ticketing system used by our public transport infrastructure.

Too funny.  Too too funny.  Yay Windows!!!!

Oh, and great big raspberries at the vandals who scratched the console screen.

Oh, and as for the person who sent me this as a thank you ... (((HUGS)))  Seriously, the photo does not do the flowers justice.

Microsoft Access ODBC drivers for Vista x64

What *did* I get myself in for when I decided to do this answering support emails via blog thing   They say that variety is the spice of life but wow, talk about getting questions from all over the shop.

Here is today's question - sent to me via www.ie-vista.com and totally unrelated to Internet Explorer, but what the heck...

"I didn’t know if you could point me the right direction or not but I am trying to load Microsoft access ODBC drivers and not having any luck with the 64 bit version of vista.  The only option I get is for SQL Server and I am not having any luck finding anything on Microsoft’s site on how to get these drivers installed."

Ok, there are two copies of odbcad32.exe on Windows Vista x64, one is stored at c:\windows\system32\ and one is stored at c:\windows\syswow64\.  Our correspondent needs to run c:\windows\syswow64\odbcad32.exe

Here is a screenshot of c:\windows\system32\odbcad32.exe

Here is a screenshot of c:\wndows\syswow64\odbcad32.exe

FIX: IE is stuck at the Runonce page and weird squares and circles on taskbar buttons

Today's email says:

"I'm having trouble getting my home page (MSN.com) to open up when I hit my explorer start up button.  I get a strange "run once" reference up in my address bar.  I end up having to type in WWW.msn.com to get the home page to open.  Then, at the bottom of my screen where the websites that are open are typically indicated, I get only the blue explorer "e" icon followed by 9 or do [sic] little square boxes and three dots.  I just installed IE 7 on this Sony Vaio desktop from the MS download site a week or so ago."

Possible causes of the RunOnce problem are:

1. The Welcome page does not load completely for whatever reason.
2. Scripting has been disabled (note: blocking ActiveX does not cause this problem)

In such circumstances, the DWORD "RunOnceHasShown" may not be created in the following registry key, or it may not be set to a value of 1.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\RunOnceHasShown

If your system is stuck at the initial IE7 welcome page, shut down IE, check for the existence of the RunOnceHasShown DWORD and set it to a value of 1.

Also, ensure that the following key is set to 1:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\RunOnceComplete

and

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigrated

Also make sure you disable anything that may prevent IE from writing to the registry such as anti-malware applications before trying to install IE7:
http://blogs.msdn.com/ie/archive/2006/10/11/IE7-Installation-and-Anti_2D00_Malware-Applications.aspx

Now we shall look at the "9 or do [sic] little square boxes and three dots"

Shut down IE then go to Control Panel, Display Settings and reset your system to an default XP scheme/appearance.

If that doesn't work, try running IE7 in no add-ons mode - does the problem go away? If so, you need to look at what toolbars and other add-ons you have installed, disabling or uninstalling them one at a time until you find the culprit - one that has been reported as being problematic is Stopzilla, a pop-up blocker.

Still no luck?  Check these things:

1. Tools, Internet Options, Languages button.  Make sure that the correct language is installed.  Eg, if you are in the USA, you should be running "English (United States) [en-us]".
2. Check your computer's regional settings (Control Panel, Regional Settings)
3. Check your encoding options (Press the Alt key, then select "View", then "Encoding" on the Menu Bar that will appear).  My systems are set to Unicode (UTF-8) although Western European (Windows) or (ISO) are fine. I try to avoid Auto Select which has been problematic in the past.
4. Of course, for English speaking countries, "Left-to-right document" should be selected.
5. RIES sometimes helps with weird symptoms (Tools, Internet Options, Advanced tab - down the bottom).

Now *if* none of the above works, it is possible that there is a corrupt font on the computer in question, but if that is the case I would expect that more areas on the computer may be affected.