Fixing Windows Update on Windows XP

On the 4/19 the virus software we use falsely detected the system file wmiprvse.exe as a virus/malware threat.  The specific detection reported the file as Backdoor.Win32.Agent.afqs.  This happened on at least three of our workstations.  Some research on the web shows that more than one virus company had the same problem at around the same time which makes me wonder what happened.

While we were able to recover the file, some things just weren’t right.  The biggest problem ended up being with Windows Update.  When going to the site, it would simply hang on the part where it was checking your system for updates.

Investigation turned up mismatched versions of several of the wmi…. family of components.  Presumabl this was due to an incorrect file being restored by the system after the false positive event.  Trying to get it matched up correctly by had turned out to be problematic at best.

Finally I ran across an obscure post (sorry, I no longer have the link) where someone claimed that reinstalling a certain security patch from Microsoft fixed his problem.  After going through the re-installation of this patch on the first affected machine, it indeed worked!

The post referred to the MS09-12 securyt bulletin from Microsoft.  Most of the page refered to using Microsoft or Windows update to install the patch, which of course was not possible.  I was able to track down the direct download link for the file and I thought I would post it here for posterity.

Serious phone fraud you should warn your loved ones about

Most emails that I receive concerning some new scam turn out to be little more than a hoax.  It’s the sad state of our society that many find easy methods to waste time of those they do not know.

Today I received an email from a source I trust which sounded like an example of the above; however, I did my due diligence to make the determination for myself due to the regard I have for the person who sent it.  To my surprise it turned out to be the one in a thousand (or more) that is true.

If you have loved ones that may not be savvy to official sounding phone calls, who are perhaps not as skeptical as you are when someone asks for information, please, I implore you to make them aware of this and impart the seriousness. This is identity theft via social engineering at its worst.

According to, the scam first surfaced in 2001.  It has cropped back up several times in different states up to at least 2005 which probably means it is destined to show up again.

First the corroborating links, then the story:

Jury Duty Scam

From the Tinley Park Police Department,
This has been verified by the FBI (their link is also included below).
Please pass this on to everyone in your e-mail address book. It is
spreading fast so be prepared should you get this call. Most of us take
those summonses for jury duty seriously, but enough people skip out on
their civic duty, that a new and ominous kind of fraud has surfaced.

The caller claims to be a jury coordinator. If you protest that you never
received a summons for jury duty, the scammer asks you for your Social
Security number and date of birth so he or she can verify the information
and cancel the arrest warrant. Give out any of this information and
bingo; your identity was just stolen.

The fraud has been reported so far in 11 states, including Oklahoma ,
Illinois , and Colorado . This (swindle) is particularly insidious
because they use intimidation over the phone to try to bully people into
giving information by pretending they are with the court system. The FBI
and the federal court system have issued nationwide alerts on their web
sites, warning consumers about the fraud.

How to use Windows Mobile Sync Center on Vista with F-Secure Client Security

We’ve been using F-Secure as our virus/malware protection in our company for a little over a year now. I have been and continue to be impressed with the product and the company support.

Recently I purchased my new laptop with Windows Vista installed. More recently I purchased a new HTC P4300 smartphone with Windows Mobile 5. It’s been working great, and I love the phone. The only weird issue has been syncing with the USB cable. In order to make it work I had to temporarily turn off the firewall inside of F-Secure Client Security. Syncing via Bluetooth was working fine so I tended to lean on that.

Today I decided it was time to fix the issue. I gave a call to the business support line at F-Secure, explained the problem quickly to the technician. She told me right off the bat that this was an issue she had no experience with, so she asked if I minded giving her a little time to investigate. Of course I said that was fine.

Within 30 minutes I had an email from her outlining the solution. My total phone time was about 5 minutes and then another 5 to put the fix into place. Thank you!

The problem is simply that the Sync Center in Vista uses some ports over the USB connection that are new enough not to be included as a standard. After adding the ports and making sure that one of the applications was allowed, everything worked great. Since I do not believe they have a technical article yet, I thought I would outline the solution here in case anyone else needs it.

Please note that these steps only work if your security policy allows you to edit a few things. If you are running in a corporate environment you may need to give these instructions to your network administrator to include in the corporate policies for your virus protection.

Step 1

Windows Mobile Sync Center on Vista with F-Secure Step 1

The first thing to do is to get into the Client Security configuration screen where we’ll be doing most of the work. Right click on the F-Secure icon in your system tray and choose Open F-Secure Client Security. This will bring up the main window. You will want to choose the Internet Shield menu option on the left, then click on the Change link next to Application Control.

Step 2

Windows Mobile Sync Center on Vista with F-Secure Step 2Next you need to add the application that does the communication to the allowed list in Application Control. wmdHost.exe is the component that performs the actual communication requests. It is possible that this application may already be there, but if it is not, simply click Add it to include it in the list. If it is not in the list it should be found in C:\Windows\WindowsMobile\ If you do have to add the file, I’ve noticed that my Client Security software will default to the access level of prompt for a new application. The other bit that is odd is that it will not let me change it when I’m adding the file. I complete the addition to the list, then go back in to the details to modify it. At this point it will let me change the behavior to Allow.

Step 3

Windows Mobile Sync Center on Vista with F-Secure Step 3Finally you need to create a new service and add the necessary ports. There are 5 inbound and 1 outbound port necessary.

Start by switching to the Firewall configuration screen, then to the Services tab and add a new one. I simply called it Windows Mobile Sync Center. Make sure to choose the TCP protocol.

On the screen where you add, there are two areas for ports. They are termed Initiator ports and Responder ports. These map to inbound and outbound. Here are the correct settings:

Initiator (inbound) ports:

  • 990
  • 999
  • 5678
  • 5721
  • 26675

Responder (outbound) ports:

  • 5 679

Windows Mobile Sync Center on Vista with F-Secure Step 4Once you’ve made all of those configuration changes you are ready to give it a shot.  Grab your Windows Mobile device and your USB cable and hook them up.  You should get the Connected check box and see it synchronize as expected.

I hope that helps you out!

Happy Sysadmin Day!

Yes, it is the last Friday in July and that means the 8th Annual System Administrator Appreciation Day.  If you’re able to read this post, thank your sysadmin!  Let’s face it, they go mostly unappreciated and at times cursed for the efforts they take to keep you online and safe.

The official site has some good information about how the diligent sysadmin affects your daily online life.  Let’s give it up for him/her and help promote this international day of recognition!

NFS Server on Windows; What a pain!

We use a nice open source package called BackupPC.   It is a nice system with a powerful web interface that has many capabilities to interact with other nix and windows based hosts.

We had been using smb (Samba) to do most backups from windows hosts, however there was one problem with our Exchange Server.  The backup file was huge, roughly 16GB using ntbackup.  Samba has a limitation of 2GB files for transfer, so that was a killer.

Initially I took the “quick and dirty” route.  I created a batch file that ran the backup and use the split command to split the backup file into 500mb chunks.  It worked, but what a hack!  Recovery means restoring the files and using join to get them back together.  Not a fun prospect.

I recently ran across the the Windows Services For Unix (SFU) on a different server and found that it had the ability to add NFS server functionality to a Windows 2003 server.  Hallelujah!  No more 2GB limitations!

I looked up documentation on installing and configuring things.  I found that I had to implement User Mapping in order for Windows to translate UNIX users to Windows accounts.  No problem, it all seemed very straight forward.  I set up my shares, made sure my permissions were correct and that my users were mapped.   The drive mounted on my Linux box perfectly!  Then I tried to list the contents:

Permission Denied

Dang, so close!  I must have mucked up permissions, right?  Wrong.  I went through all of the standard troubleshooting, opened the share up to everyone including root access, mapped, remapped and changed other settings.  Still nothing.  Ugh!   Time to search Google.  I found many similar issues, but nothing that was what I really needed.  Many people had permission denied problems that turned out to be issues with user mapping or root access.  Not my problems, although I tried everything I found.

Finally I went directly to Google Groups and began searching.  After a few pages of things I’d seen before, I ran across a post that pointed me to this TechNet article.  I do not know why it was so hard to find this.  Searches at the MS Knowledge base did not yield these results.

Anyway, it turned out the only problem was a single initial setting all the way at the top of the SFU snap-in.  It is under the Settings tab and it simply says Server Name.  It was blank!  I would have thought that it would put the default name of the server in there, but it did not.  No biggie, I changed it and viola, everything worked!  I backed out of all my troubleshooting changes to give access only to Backup Operators and no root access to the share and things ran very smoothly.

Hopefully someone may find this pointer faster than I did, if so then my work here is done!  Until the next problem of course.  🙂

Phishing with Flash

In F-Secure : News from the Lab – January of 2007 describe sites that are popping up ising Flash to illicitly gain information about you.  This technique (the illicit information gathering, not that it is using Flash) is called Phishing, and while it’s been around a while I am still amazed at the number of people that do not understand what is going on.

The trick is for the Phisher to create a website that looks exactly like a site you would trust complete with a URL that is close enough to the real one to seem legitimate.  The website simulates something such as a PayPal login.  Some are sophisticated enough that they pass you off to the real site after you have attempted to login, but by then it is too late!  The Phisher has your account information and before you know it, your money is gone!

If you, as I, are among those that understand this threat then I encourage you to take the responsibility to educate your family, friends, and when the opportunity presents itself others that you meet or know.  If you are having a conversation that is related to computers or the Internet, actively guide it to bring out the facts about Phishing!  These Phishers are illegally stealing information from people, and who knows, the next person could be your mother.  Add to that the fact that they are becoming more sophisticated all the time and it is a scary thought.

According to the F-Secure article on why Phishers are moving to use flash;

Probably the main to reason to do this is to try to avoid phishing toolbars that analyze page content.

That makes sense.  They are immoral punks, but they are also smart punks.  Why do they do it you may ask?  Because it is big business!  They make a lot of money doing it.  It is hard for the authorities and the legal system to make a difference, it is just too easy for them to avoid prosecution.  A few do find their way into the courts, but it is obviously not much of a deterrent.  The best way to fight them, in my opinion, is to make the practice not profitable.  Let’s do that by educating people!  Tell the ones you know and love about the dangers and how to avoid them!  Make a difference!