Live OneCare and The Meaning of Life


rlohmann
March 20th, 2007, 07:05 PM
I got a rootkit.

I dunno how, unless it was from poking around the Hillary-for-President websites, but somehow I got a rootkit.

The first thing that happened was an error message from Live OneCare to the effect that it was aborting a scheduled backup because it couldn't write to my external USB drive. Shortly after that, my Internet access failed. (I can provide details of the progressive deterioration after that, if anyone's interested.)

I ran a lot of diagnostics, all of which failed.

I rebooted, and the boot process hung. I did it again. Same result. Three more times. The more things change, the more they stay the same.

So I took the machine to my sometimes reliable geek shop in West Ocean City (Maryland).

The place was empty; they'd gone out of business.

In despair, I took it to Best Buy in Salisbury and handed it over to the "Geek Squad," whose advertising always struck me as a little too cute to generate confidence.

They kept it for two weeks, failed to diagnose the problem (which I'd told them was in all likelihood a rootkit, because I have enough firewalls and spyware detectors to keep routine viruses out), and purported to wipe the hard drive.

They didn't.

When I reloaded XP, strange things happened, starting with the designation of the boot drive as F:\. Other strange things happened, also.

An acquaintance suggested another geek shop, so I took it there.

They fixed it.

When I tried to restore my carefully maintained Live OneCare backups, virtually all of the backed-up files, except for the image files (.jpg, mostly) were gone.

Yesterday, Live OneCare sent me a renewal notice.

Judy G. Russell
March 20th, 2007, 07:18 PM
> When I tried to restore my carefully maintained Live OneCare backups, virtually all of the backed-up files, except for the image files (.jpg, mostly) were gone. Yesterday, Live OneCare sent me a renewal notice.

I hate to say this but... Live OneCare is Windows, no? Microsoft, even, no? So this surprises you, how?

Having said that, however, make sure you ask your geek shop to see what they might be able to restore from your external drive. It may be some setting or something that's stopping you from being able to see / restore more.

Sigh... I think I'll run another backup tonight...

davidh
March 20th, 2007, 09:18 PM
I forget the name of the Microsoft security suite. I don't remember whether it had "OneCare" as part of its name or not. But, IIRC, it recently received the worst rating of any security suite in an independent evaluation, I think.

DH

davidh
March 20th, 2007, 09:53 PM
> (which I'd told them was in all likelihood a rootkit, because I have enough firewalls and spyware detectors to keep routine viruses out)


I'd hardly consider firewall plus anti-virus plus anti-spy to be adequate protection if one is browsing random or disreputable web sites. Most detection is based on signatures and AFAIK there is no security vendor who has really strong heuristic malware detection. Zero-day exploits and malware polymorphism (chameleon-isms) are just too widespread these days.

At a minimum, I'd set the default security level to high (disabling scripting) in the MS IE internet zone and use McAfee SiteAdvisor.com.

Or, use Firefox together with the NoScript extension plus SiteAdvisor.com.

Adobe Acrobat Reader, Quicktime, Adobe Macromedia Flash Player, other plug-ins, etc. must be kept up to date to the latest versions (or disabled in the browser).

I use FlashBlock extension in Firefox to block Flash movies or I disable Flash completely.

Some web sites FORCE scripting even tho' the site hardly uses it, so you end up seeing a blank main page. Internet Storm Center (techie guys) recommend using browser "view source" capability to dump HTML for main page to find out the name of the particular file to load in the URL in the address bar to allow one to get around the forced scripting. Too bad people have to go under the hood to work around the stupid glitz some web people put up. OTOH one might just conclude that if the web master is so pigheaded one might as well ignore the site completely.

Another thing to consider is that other Internet applications, e.g. RSS readers, IM apps, may use MS IE components as part of their interface to the Internet. As such they are inherently insecure. Since I do use such apps, I keep my MS IE "internet zone" security always set to HIGH, except for short periods of testing of MS IE on known safe sites.

DH

P.S. You might want to reset your broadband router back to factory configuration and then immediately change the password. Any suitably infected web site can have javascript that can reprogram your router to point a bunch of reputable domains to hacker, spy, criminal domains.
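The "view source" trick above, as an added example (not code from the thread or from the Internet Storm Center): a small script that reads the HTML of a site's main page and pulls out the URLs the page would have navigated to via frames, `<meta refresh>` or inline JavaScript, so the real content page can be typed into the address bar while scripting stays disabled. The sample page `SAMPLE_HTML`, the base URL `http://www.example.com/` and the function name `find_nav_targets` are constructed for this example.

```python
"""
Find the page a script-only front door would have loaded.

Added example, not from the original thread. Given the HTML of a site's
main page (what the browser's "view source" shows), it extracts the URLs
the page would have navigated to via frames, <meta refresh> or JavaScript,
so the real content page can be typed into the address bar while scripting
stays disabled. The sample HTML below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Inline-script navigation patterns: location = "...", location.href = "...",
# location.replace("..."), location.assign("..."), window.open("...").
_JS_NAV = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:replace|assign)\s*\(\s*|window\.open\s*\(\s*)
        ['"]([^'"]+)['"]""",
    re.IGNORECASE | re.VERBOSE,
)
# <meta http-equiv="refresh" content="0; url=..."> target.
_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class _NavTargets(HTMLParser):
    """Collect navigation targets in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._script = None  # buffer for the <script> body being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ("frame", "iframe") and a.get("src"):
            self.targets.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.targets.extend(_JS_NAV.findall("".join(self._script)))
            self._script = None


def find_nav_targets(html, base_url):
    """Return absolute URLs the page would load, in document order, de-duplicated."""
    p = _NavTargets()
    p.feed(html)
    p.close()
    seen, out = set(), []
    for t in p.targets:
        u = urljoin(base_url, t.strip())
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


# Constructed sample: a front page that is blank without JavaScript.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; URL=noscript/index.htm">
<script type="text/javascript">
  // glitz: bounce everyone into the Flash intro
  window.location.href = "flash/intro.html";
</script>
</head><body>
<noscript>This site requires JavaScript.</noscript>
<iframe src="frames/main.htm" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_nav_targets(SAMPLE_HTML, "http://www.example.com/"):
        print(url)
```

Paste the page source into `SAMPLE_HTML` (or read it from a file) and try the printed URLs one at a time; the first one that renders with NoScript still active is usually the real content page. Targets built up by string concatenation or obfuscated scripts will not be caught by the regular expression, which is the point at which ignoring the site, as the post suggests, becomes the sensible option.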

earler
March 21st, 2007, 04:51 AM
1. Avoid sites pimping for hillary.

2. Avoid one care. It is a mediocre program.

3. Get a router. It is the first line of defense. An excellent firewall in itself, it by itself can do a good job, though it is wise to have another firewall, an anti-virus program, and 2 spyware programs. Cost for a decent router is about $50. Even if you have only one computer you should use a router.
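The router is the first line of defense only while its settings are still yours. davidh's P.S. above warns that a booby-trapped page can reprogram a router's DNS so that reputable domains resolve to attacker hosts, which earler's advice to rely on the router does not cover. As an added example (not code from the thread), here is a check a practitioner would run after such an incident: compare the DNS servers the router hands out against the LAN and ISP addresses that should be there, and compare the router's answers for a set of well-known domains against an independent resolver. All addresses, domain names and answer sets are constructed for this example from documentation ranges; the private-range policy and the function names `suspicious_dns_servers` and `pharming_report` are assumptions of the example.

```python
"""
Check whether a router's DNS has been pointed somewhere it shouldn't be.

Added example, not from the thread. Two checks: (1) the DNS servers the
router hands out should be its own LAN address or the ISP's resolvers;
(2) answers from the router for well-known domains should agree with an
independent resolver you trust, and where they disagree, the tell-tale
sign of pharming is many unrelated domains collapsing onto the same few
addresses. All addresses and answer sets below are constructed for this
example (documentation ranges); in real use the answer sets would be
filled from queries to each resolver.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed policy: a home router hands out a private LAN address or the ISP's
# resolvers as DNS. Anything else deserves a question.
_PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def suspicious_dns_servers(configured, isp_servers):
    """Configured DNS servers that are neither on the LAN nor the ISP's."""
    isp = set(isp_servers)
    return [s for s in configured
            if s not in isp and not any(ip_address(s) in n for n in _PRIVATE)]


def pharming_report(router_answers, trusted_answers):
    """
    router_answers, trusted_answers: {domain: set of A-record IPs as strings}.
    Returns (mismatched, collapsed): mismatched is the sorted list of domains
    whose router answer differs from the trusted one; collapsed maps an IP
    that two or more mismatched domains resolve to -> sorted domains.
    A lone mismatch can be legitimate (CDNs answer by resolver location);
    unrelated domains sharing one address is the signal worth acting on.
    """
    mismatched = sorted(d for d, ips in router_answers.items()
                        if ips != trusted_answers.get(d, set()))
    by_ip = defaultdict(set)
    for d in mismatched:
        for ip in router_answers[d]:
            by_ip[ip].add(d)
    collapsed = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}
    return mismatched, collapsed


# Constructed sample data (TEST-NET ranges, not real hosts).
CONFIGURED_DNS = ["192.168.1.1", "203.0.113.53"]
ISP_DNS = ["198.51.100.1", "198.51.100.2"]
ROUTER_ANSWERS = {
    "www.bank.example": {"203.0.113.7"},
    "www.payments.example": {"203.0.113.7"},
    "www.cdn.example": {"198.51.100.30"},
    "www.news.example": {"192.0.2.44"},
}
TRUSTED_ANSWERS = {
    "www.bank.example": {"198.51.100.10"},
    "www.payments.example": {"198.51.100.11"},
    "www.cdn.example": {"198.51.100.31"},   # geo-DNS: a harmless mismatch
    "www.news.example": {"192.0.2.44"},
}

if __name__ == "__main__":
    print("odd DNS servers:", suspicious_dns_servers(CONFIGURED_DNS, ISP_DNS))
    mism, coll = pharming_report(ROUTER_ANSWERS, TRUSTED_ANSWERS)
    print("mismatched:", mism)
    for ip, domains in coll.items():
        print(f"{ip} answers for {len(domains)} unrelated domains: {domains}")
```

On an XP-era machine the configured servers come from `ipconfig /all`, and the two answer sets from `nslookup <domain> <router-ip>` and `nslookup <domain> <trusted-resolver-ip>` for each domain. The reason the report separates "mismatched" from "collapsed" is that content networks routinely return different addresses to different resolvers, so a mismatch alone proves nothing; a bank and a payment site both resolving to the same address that the trusted resolver has never heard of is the pattern the factory reset and password change are meant to cure.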

Jeff
March 21st, 2007, 12:07 PM
How did you determine it was a rootkit?

fhaber
March 23rd, 2007, 08:12 AM
Don Ladron of the blue shirt:

>virtually all of the backed-up files, except for the image files (.jpg, mostly) were gone

They probably didn't meet Windows Genuine Annoyance criteria. It's a weighted average of red guy in blue state, multiplied by the square root of the number of mattress tags you've torn off over the course of a life. You must be a thief. Hillary says so.

rlohmann
March 24th, 2007, 06:04 PM
> I hate to say this but... Live OneCare is Windows, no? Microsoft, even, no? So this surprises you, how?

Had I been relying exclusively on LOC, it would have been my own fault. However, in addition to LOC, I was running AdAware, Spyware Doctor, and Windows Defender.

In hindsight, I may actually have been a little unfair to LOC, because it was the only application that even noticed anything: About two weeks ago, it started telling me that it had identified an intruder named "FrameRefGen.htm" that it couldn't identify or do anything with.

That should have been my wakeup call, but wasn't. Whether it was a rootkit or an extraordinarily malicious worm I guess I'll never know. (I did google it several times but came up with nothing.)

> Having said that, however, make sure you ask your geek shop to see what they might be able to restore from your external drive. It may be some setting or something that's stopping you from being able to see / restore more.

The external (USB) drive wasn't damaged. The stuff I lost was primarily a bunch of isolated files and applications that I'd just never gotten around to copying to the USB drive. I didn't lose anything critical; I did lose a lot of things I'd rather not have lost.

Oddly enough, the defective LOC backups captured and restored all of my .jpg files flawlessly. It was the .doc and .xls files that got trashed.

> Sigh... I think I'll run another backup tonight...

And in the process, watch for that "FrameRefGen.htm" file. If you see it, call Peter Norton (not Symantec) immediately. :(

rlohmann
March 24th, 2007, 06:08 PM
> I forget the name of the Microsoft security suite. I don't remember whether it had "OneCare" as part of its name or not. But, IIRC, it recently received the worst rating of any security suite in an independent evaluation, I think.

It was indeed Windows Live OneCare. Both PC Mag and PC World trashed it. However--see my note to Judy--I was running other protection applications as well.

(For many years, I used the Norton products, but Symantec got so invasive, took so much control over my system and got so difficult to deal with that I gave up on it.)

rlohmann
March 24th, 2007, 06:13 PM
> 1. Avoid sites pimping for hillary.

Very well. I'll stop sending money to her campaign, too. ;)

> 2. Avoid one care. It is a mediocre program.

I know, but I was running several other protection programs as well. The fact that none of them blocked it, and only the much-maligned Live OneCare (see my note to Judy) even noticed that anything was amiss, suggests that I had a very serious invader.

> 3. Get a router. It is the first line of defense. An excellent firewall in itself, it by itself can do a good job, though it is wise to have another firewall, an anti-virus program, and 2 spyware programs. Cost for a decent router is about $50. Even if you have only one computer you should use a router.

I've had a router since we moved back to the States in 2004. Again, this was a more-than-routine attack.

rlohmann
March 24th, 2007, 06:18 PM
> How did you determine it was a rootkit?

Process of elimination. (See my notes to Judy and Earle.)

I'm still not 100% certain, but the other protective routines I was running, plus the identification by LOC of the cryptic and otherwise unidentified "FrameRefGen.htm," eliminate most of the other Usual Suspects from consideration for the prize.

rlohmann
March 24th, 2007, 06:27 PM
> Don Ladron of the blue shirt:

o/~ Facing the sun with the new shirt
that you embroidered in red yesterday,
death will find me, if it takes me,
and I won't see you again. o/~

> virtually all of the backed-up files, except for the image files (.jpg, mostly) were gone
> They probably didn't meet Windows Genuine Annoyance criteria. It's a weighted average of red guy in blue state, multiplied by the square root of the number of mattress tags you've torn off over the course of a life. You must be a thief. Hillary says so.

Did I tell you I'm gathering parts to build my own PC? There will be some components and software in it that may impact your group in ways that only the Vice-President knows about. :cool:

<sneering conservatively>

Judy G. Russell
March 24th, 2007, 11:25 PM
> Had I been relying exclusively on LOC, it would have been my own fault. However, in addition to LOC, I was running AdAware, Spyware Doctor, and Windows Defender.

And, I hope, both a hardware and software firewall? If not, install both at once (use a router for hardware).

> Oddly enough, the defective LOC backups captured and restored all of my .jpg files flawlessly. It was the .doc and .xls files that got trashed.

Obviously something targeted at MS files. But that doesn't help any...

Judy G. Russell
March 24th, 2007, 11:26 PM
> I've had a router since we moved back to the States in 2004. Again, this was a more-than-routine attack.

Yeah, but why you and why not a whole bunch of other people, and why with a file that nobody can identify? Methinks maybe you've annoyed the Admiral yourself!

rlohmann
March 26th, 2007, 06:08 PM
It's the Communists. They're everywhere.

Vigilance!

Judy G. Russell
March 26th, 2007, 10:33 PM
> It's the Communists. They're everywhere. Vigilance!

Vigilantes are everywhere too...