Copyright Notice

All articles are licensed under a Creative Commons License.
Every post is the opinion of the author. Contact Us for any issues.

XP Repair and Windows Update Issues

September 29th, 2007 by Corrine

As was reported in How Windows Update Keeps Itself Up-to-Date, Microsoft customers who use Windows Update received an update to the service. Unfortunately, this change has affected customers who repair their systems using a Windows XP CD. This method of repairing the system replaces all system files (including Windows Update) on the machine with older versions of those files and restores the registry.

The problem, as explained by Nate Clinton (Program Manager, Windows Update), is:

“the latest version of Windows Update includes wups2.dll that was not originally present in Windows XP. Therefore, after the repair install of the OS, wups2.dll remains on the system but its registry entries are missing. This mismatch causes updates to fail installation.”

If you are affected, contact Product Support Services. In the U.S. and Canada, help with security update issues or viruses can be obtained at no charge using the PC Safety line (1-866-PC-SAFETY). For locations outside the U.S. and Canada, go to http://support.microsoft.com/security for the number in your area.

See the blog post by the Windows Update Team and Microsoft Knowledge Base Articles:

  • KB 943144: Updates are not installed successfully from Windows Update, from Microsoft Update, or by using Automatic Updates after you repair a Windows XP installation
  • KB 916259: The Windows Update Web site and the Microsoft Update Web site do not scan for updates when you repair a failed installation of Windows XP Service Pack 2 or of Windows XP Service Pack 1

Care to discuss Windows Update, this issue or similar topics? Discuss it with us in the forum topic.



Remember - “A day without laughter is a day wasted.”
May the wind sing to you and the sun rise in your heart…

Filed under Microsoft | No Comments »

Threat Expert launches!

September 24th, 2007 by AndyAtHull

A new online malware encyclopedia has launched and it goes by the name of Threat Expert!

“Threat Expert marks a new era in malware detection as it produces reports with the level of technical detail that exceeds antivirus industry standards,” said Simon Clausen, chief executive at Threat Expert.

“Threat Expert can analyse and generate up to 1,000 highly detailed threat descriptions per server per day. This provides for virtually unlimited scalability to handle hundreds of thousands of threats a day.”

Read more about this at Personal Computer World! Or read and discuss this in our forum. Is this good or bad?

Link - Threat Expert

Filed under Security Related | No Comments »

Staff experienced using Wiki needed!

September 19th, 2007 by AndyAtHull

Security Cadets are looking for individuals who are experienced in using wiki software, specifically the MediaWiki type.

This is a new project for us and has not gone live. Before we go live we need to customise it, add articles and bring it up to the standard we work to.

Read more about this in our announcements forum.

Filed under Site News | No Comments »

Go read some of these …

September 16th, 2007 by AndyAtHull

… There are a few articles we’ve posted in our Security, Virus, Malware & Spam News Subforums. Some are a few days old others are new. It includes:

Plus more. It’s just an excuse to go and read good news and to bookmark the forum for future items! I would.

Filed under General, Security Related | No Comments »

The era of the Messenger add-ons and served adverts continues.

September 13th, 2007 by AndyAtHull

A little history here. We all know about the main add-on named MSNPlus. The one that comes bundled with all kinds of crap. Well, that simply isn’t the only one that comes with crap. There are more.

Add-ons certainly need a second look before installing them alongside IM programs. Make up your own mind about what I find and publish, but I will post my opinion towards the end and what I advise.

Messenger Discovery Live:-

You may recognise this add-on and you may not. This add-on has a few questionable areas.

Users have raised several issues about the program, reporting that their anti-virus programs detect the add-on as a trojan or under other malware-related names, and also complaining about the adverts it serves.

The general response that you get from a forum admin or mod is: it isn’t spyware. If you don’t like it, remove it! If you don’t like the adverts, don’t use it.

What is this program serving up? Well the following:

Starware Advert

The famous Starware Advert which leads to the Starware toolbar. It also comes with AzoogleAds, PartyPoker ads and plenty of those annoying smiley ads.

But why would I be posting to you about this just on the basis of those adverts? It’s not only that! I actually asked its creator about this. Asked if the program uses a sponsor. And if he tracked any sponsors (if it has one) or tracked the adverts.

Personal Message

Make your own mind up. Sadly my account no longer exists. I can’t say I’m all that bothered.

Just for the record, the program does get flagged by a few vendors as a BackDoor.Generic8.ECO (AVG), not-a-virus:AdWare.Win32.NewDotNet (Ikarus) and Generic.Malware (Prevx1). We got this from VirusTotal - VirusTotal Results (pdf).

Can these adverts be turned off? Luckily they can, but only after you have installed it, been hit by adverts whilst installing it and changed the setting inside the program, which half of the users will probably not know about.

The program itself allows several questionable features. One of them is getting alerted when someone has deleted you from their list.

Delete Alert

Look at the arrow. If checked, you get alerted when someone has deleted you. Doesn’t this break some kind of privacy law? Or is that only when someone has blocked you and you get to know via third party software? What about this then:

Contacts’ Info

Another funny feature whereby you can steal a display picture of whom you have on your contact list. Nice term to use, steal. Very nice in fact. So nice I need to laugh out loud. Because out of 100 users that may use this, how many will have asked if they can take a picture from the respective contact? A very low amount depending what the audience is, that’s for sure.

So not only are you spying on your contacts trying to determine if you have been deleted, you are also letting others steal your display picture. What if it’s a personal one?

Everything I have highlighted in this post is giving out the wrong signal. This add-on may not have WinFixer like MSNPlus has. But it did or still does have an adware-related toolbar. This when no adverts are getting tracked. Clearly new measures need to be brought in.

Want my recommendation? Be careful of any add-on. Research it fully before you install. In the long run they could give you a big headache and if you’re lucky serve you with adverts and other crap. Thus get a system full of crap!

What would be nice is to find an official party that officially approves IM based add-ons. Otherwise I can see this getting out of control.

This is an open debate and anyone can comment within reason. Join us on our forum about this. Let us know your stories. Should there be an official party that approves add-ons so that users get the best quality? Or do you have another opinion?

…On tomorrow’s show I’ll have another IM add-on that will be highlighted. I hope.

Several experts researched what has been mentioned in the article. Credit goes to everyone involved.

Update - Remember my Messenger Add-On rant? & VitalSecurity.Org.

Filed under General, Security Related | 1 Comment »

New Rogue - AntiVirGear!

September 13th, 2007 by AndyAtHull

Wow, it seems that the last time I reported a new rogue was forever! I’m now back in business after a period of time away with other matters!

And to break the ice gently, let’s welcome a new rogue into the database. AntiVirGear!

First reported by Nick Skrepetos (SUPERAntiSpyware.com), this rogue looks all too familiar, like older rogues such as VirusProtectPro, SpyLocked and others.

AntiVirGear

The details of who it belongs to haven’t changed either. It’s still an Estdomains Inc piece of junk, as the whois shows:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: hxxp://www.estdomains.com

Domain Name: ANTIVIRGEAR.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676

Creation Date: 14-Aug-2007
Expiration Date: 14-Aug-2008

Domain servers in listed order:
ns4.sigmacode.biz
ns3.sigmacode.biz
ns2.sigmacode.biz
ns1.sigmacode.biz

Its IP, 64.28.186.68, is blacklisted.

The interesting thing to point out is that the install file is named as avg_install.exe. Do not get confused with that install being anything from AVG Grisoft. As silly as it sounds, people do trip up on things like this.

This rogue needs to be avoided at all costs. Obviously in some cases it will be hard to avoid. But do not purchase it. It’s fake. Instead get help in our malware removal forum.

Simple steps will make sure this is removed and advice is given to avoid getting it again. You can also join the debate about this in our forum. Give us your opinion on this.

Update - 15th of Sept - Automated Removal Guide

Filed under Rogue Programs, Security Related | 2 Comments »

A measure of things to come!

September 6th, 2007 by AndyAtHull

Quote from a site/forum admin:

“The bloody advertisements are there to pay for hosting and our forums Software (How else are we going to pay for it). If you think -program in question- has a virus on it then don’t use it simple as that. As I’ve said before numerous times, we have thousands of users who use -program in question- everyday and only a select few report -program in question- as a Trojan. We don’t want your password or personal information, so there isn’t anything to worry about”

Note the nice language used. The quote is from a site admin in reply to a question asked many times by users. Each thread gets a response similar to the one above, then the topic is closed.

This is simply an unacceptable practice and there is more to come. The program in question is an add-on for a popular IM service. It will be revealed soon … Spread the word!

Update - 13th of Sept. - This is taking me a little longer than expected. They deleted my forum account and removed any topics about their ads. Good job I have everything as a screenshot. Owned!

Filed under General | No Comments »