Author Archive

A few weeks ago, I wrote about the troubles I have from all these false virus alerts generated by Antivirus programs.
So here are 2 more examples of serious troubles that McAfee false positives caused to other companies:

  1. McAfee false-positive glitch fells PCs worldwide When AV attacks:
    In this event, which occurred only 10 days ago, McAfee Antivirus “attacked” some system files that were falsely detected as a Trojan, and caused these computers to crash with a blue screen of death.
  2. Companies Struggle To Reverse McAfee’s False Positives On Yahoo Search:
    Around a year ago, Yahoo started a partnership with McAfee’s SiteAdvisor, causing some Web sites to be displayed with false red alerts on Yahoo search results.

…And finally, just a good word for McAfee SiteAdvisor: Although they have some false alert problems like those mentioned in the second article, at least they also show a good willingness to fix these kinds of problems. 3 years ago, their SiteAdvisor displayed a red alert on my Web site, but after I added my remark as the author of NirSoft, they checked my Web site and decided to turn it from red to green.
As opposed to SiteAdvisor, the Antivirus of McAfee is a troublemaker like all the others, and continues to detect my utilities as “potentially unwanted program” or “Generic PUP”.

After digging more into the MsnPass.Info scam that I reported in previous posts, I found out that this scam is only a part of a possibly larger scam that may involve collecting emails and passwords of French users.

msn-blocked.com is a Web site that offers French users a way to find out who blocked their MSN Messenger user. In order to use this “service”, the users are required to provide their MSN user name and password.
Currently, it has at least 3 active servers: http://s601.msn-blocked.com/, http://s502.msn-blocked.com, http://s12.msn-blocked.com
There are some other addresses that are already blocked by Firefox with a “Reported Web Forgery!” message (for example: http://s11.msn-blocked.com), probably after users reported that it’s a phishing site.
But every time that a Web address is blocked, the scam owner simply replaces it with a new server name.
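The server-name rotation described above is why an exact-host blocklist keeps falling behind. The following sketch is an added example, not part of the original post: it compares an exact-host list with a parent-domain rule matched on label boundaries, using the host names from the post and a constructed log.

```python
from urllib.parse import urlsplit

# Host and domain names are the ones named in the post; the log is constructed.
BLOCKED_HOSTS = {"s11.msn-blocked.com"}                # exact-host blocklist
BLOCKED_DOMAINS = {"msn-blocked.com", "msnpass.info"}  # parent-domain blocklist

CONSTRUCTED_LOG = [
    "http://s11.msn-blocked.com/",
    "http://s12.msn-blocked.com/",
    "http://s502.msn-blocked.com",
    "http://S601.MSN-Blocked.com./login",
    "http://2.msnpass.info/",
    "http://notmsn-blocked.com/",           # lookalike label, different domain
    "http://msn-blocked.com.example.org/",  # blocked name appears as a prefix only
]

def host_of(url):
    """Lowercase hostname without port, credentials or trailing dot."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".")

def blocked_by_host(url):
    """Exact match against the per-host list."""
    return host_of(url) in BLOCKED_HOSTS

def blocked_by_domain(url):
    """True if the host equals a blocked domain or is a subdomain of one."""
    labels = host_of(url).split(".")
    # Compare every suffix that starts on a label boundary, never a raw substring.
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def missed_by_host_list(urls):
    """URLs the parent-domain rule catches but the exact-host list lets through."""
    return [u for u in urls if blocked_by_domain(u) and not blocked_by_host(u)]

if __name__ == "__main__":
    for url in CONSTRUCTED_LOG:
        print(f"{url:40} host-list={blocked_by_host(url)!s:5} domain={blocked_by_domain(url)}")
```

Matching whole labels keeps the rule from flagging unrelated names that merely contain the blocked string.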

This Web site has terms and conditions in French, so I used the ‘Google Translate’ tool for translating them to English, and that’s what they say: “The site aims to provide you with tools to identify people who you are blocked and / or removed from their list of contacts on MSN or Windows Live Messenger. In return you grant this site (MSN-blocked.com) to include your email address in mailing lists marketing.”
In other words, the Web site owner says that he collects every email entered by the user for spamming purposes.

Just for a test, I tried to create a new MSN account (I wouldn’t give my real user name/password to criminals) and use it in the http://s12.msn-blocked.com/ Web site.
After I did it, the Web site showed that it was connecting to the MSN server, and then it redirected me to a page with a few French words that I don’t understand. A few seconds later, it redirected me again… to the msnpass.info Web site.
So after I gave my user name/password to the Web site owner, he simply offers me to buy my own utility through the SMS/phone system of allopass.com.
In the beginning, both msnpass.info and msn-blocked.com were hosted on the same server, but now each of these Web sites is hosted on 3 – 4 separate servers.

There are 2 other things of concern:
1. This Web site (msn-blocked.com) may also collect the passwords of each user that uses this service, and that’s really bad, especially when we already know that the owner is a thief that sells the software of others.

2. With the MSN user name/password, the Web site owner can collect the email addresses of all the contacts of the user – for spamming purposes.

But the most concerning thing in this scam is the large amount of traffic the scam owner managed to receive.
I have already seen many scam Web sites in my life, but the scale of this scam is really unusual.
Both Alexa and radarurl.com (a widget added by the scam owner to watch the number of online users) displayed an extreme amount of traffic in the last few days.
radarurl.com already removed the msnpass.info and msn-blocked.com sites (Maybe because the owner of radarurl.com found out about this scam), but before they were removed, it was displaying around 100-200 online users for each server (around 1000 online users for all servers together) in the peak hours.

In Alexa, the traffic rank of msn-blocked.com is around 8000 in the last few days, which is very high for a Web site that was established only 3 weeks ago.

Moreover, it seems that the scam owner has at least 8 dedicated servers (4 for msnpass.info and 4 for msn-blocked.com) which implies that it’s really a major scam. The scam owner wouldn’t pay for 8 dedicated servers unless there is something huge behind that.

As I already reported, I tried to contact both ovh.com hosting and the payment company (allopass.com) by email and from their Web site contact forms, but with no success.
They simply don’t answer – I don’t know if they simply don’t understand English or they don’t really care that their services are used for fraud activities.
Unfortunately, I don’t live in France and I don’t speak French, so I cannot do anything else to shut down this scam.

If you live in France and/or you can speak French, you may try to call this ovh.com company, get to the right department, and tell them about the scam of msn-blocked.com and msnpass.info.

If no one will do something about this scam, these criminals will continue to collect more and more msn emails/passwords and to make money from selling my software.
In the end, they’ll have a nice amount of money in the bank, and a large user/password database that will allow them to do many other terrible things.

Finally, here’s a small explanation about how these Web sites get all the traffic:
Each time that a user puts his user name and password into msn-blocked.com, this Web site sends a live message in French to all the contacts of the user.

The message is sent in the name of the user that gave his user name/password, and invites all contacts to check the Web sites of MsnPass.Info or msn-blocked.com.
The users that receive this message think that it came from their messenger friend, and thus many of them browse into this Web site, log in with their user/password, and cause this viral spreading to continue.

Since my last post about the MsnPass.Info Scam, the owner of this scam extended the Web site, and now there are 3 new dedicated servers – 2.msnpass.info, 3.msnpass.info, and 4.msnpass.info
These new servers are hosted by the same hosting company – http://www.ovh.com, although I already reported the scam to them. It seems that they don’t really care that their services are used for fraud activities.

The main server (www.msnpass.info) is used for randomly redirecting the user to one of the other 3 servers, probably to avoid server overload.
In the last few days, this Web site has extreme amount of traffic, as you can see from this Alexa report:

In fact, for some of these days, this Web site received more traffic than the entire NirSoft Web site, despite the fact that it contains only a single page in French. This amount of traffic for a one-page Web site cannot be “natural”. The scam owner probably uses spam messages and other bad techniques in order to get this volume of traffic.

msnpass.info displays a download counter inside the landing page, saying that more than 800,000 already downloaded it. I don’t believe that this download counter is really the truth.
It’s more likely that this number represents the number of page views.
Assuming that this number represents the number of page views, and even if only a low percentage of the users actually paid and downloaded my software, it’s possible that the scam owner and allopass.com (the payment company) already generated an income of more than 100,000 Euro from this scam.

One of my software users reported to me about a scam Web site in French that sells my MessenPass utility under another fake name.
This Web site displays a faked screenshot of the MessenPass utility. In this screenshot, the name of the utility is MsnPass.Info and my Web site address in the status bar was removed.
This Web site offers the users to “purchase” this utility for 2.00 EUR, which looks like a good and attractive price for a password-recovery utility, but without specifying that it’s a freeware tool that was taken from NirSoft.

This Web site uses the services of allopass.com to get the payments from users. I already sent them a message about this scam, but I don’t know if they are going to do something about that.

The Web site address is http://www.msnpass.info

In my previous post, I said that the largest available flash drive is 64 GB.
So I discovered that I was wrong, because just a week ago, Kingston announced the first 128 GB flash drive in the market.

If you are really a millionaire that wants to waste your money, you can purchase this flash drive at a special price of $1065 at Amazon.

If you are not a millionaire, wait 2 years, and then you’ll be able to purchase the same flash drive in less than 10% of the price that it’s sold today.
In that time, we’ll probably see the first 512 GB or even 1 TB flash drives in the market.

USBDeview has a new feature that allows you to test the read and write speed of your USB flash drive. But the more interesting feature is the ability to submit the speed test result to http://usbspeed.nirsoft.net, so you and other people will be able to easily compare the speed of many USB flash drives.

In the first 24 hours of this USBDeview release, I already received more than 50 speed test records, which is quite impressive.

However, in this growing speed tests list, there is a lack of 32 GB and 64 GB flash drives, probably because these flash drives are still quite rare and expensive, and most people simply don’t purchase them.
(I must admit that I also have only 16GB flash drive, and I won’t purchase the larger flash drives until their price will decrease…)
Just for example: The price of ‘Kingston DataTraveler 64 GB’ at Amazon is $148, and there are some other 64 GB flash drives that are even more expensive.

If you already have one of these expensive 32GB/64GB flash drives, I’ll be glad if you test them with USBDeview and submit the test result to http://usbspeed.nirsoft.net

Also, be aware of the difference between USB Flash Drives and USB external hard disk drives.
Flash Drives are memory devices that store the data in flash memory, while USB external hard disks are regular hard disks plugged into USB that store the data on magnetic surfaces, like the hard disk inside your computer.
Currently, the largest available flash drives can store up to 64 GB of data, while external hard disk drives are available in much larger sizes, and some of them can store more than 1 TB (1000 GB) of data.

WhatInStartup utility now allows you to add new applications into the list of programs that are executed at Windows startup. You can add your new startup item into the Registry or into the startup folder of Windows.

In order to use this feature, simply select “New Startup Item” from the File menu, or press Ctrl+N, and then choose the desired item type, fill the ‘Item Name’ and ‘Process Path’ fields, and click the ‘Ok’ button.

In addition to this feature, WhatInStartup now also has 3 new columns in the main window: ‘File Created Time’, ‘File Modified Time’, and ‘File Attributes’.

MACAddressView is a new utility that allows you to easily find the company details (company name, address, and country) according to the MAC address of a product.
It also allows you to find MAC address records according to the company name, company address, or country name.
MACAddressView doesn’t send any request to a remote server, it simply uses the internal MAC addresses database stored inside the .exe file.

You can read more about MACAddressView and download it from here.

The new version of WhoisThisDomain utility (v1.40) displays 3 new columns: ‘Expires On’, ‘Created On’, and ‘Last Updated On’. These columns are automatically filled for .com and .net domains registered with major registrars, like GoDaddy and Network Solutions.
Unfortunately, there is no standard for displaying the expire/created dates in the WHOIS response, and each WHOIS server sends these dates in a different format, so I cannot ensure that this feature will work for every WHOIS request.

Also, there are many WHOIS servers that don’t provide the expire/created dates at all, so in this case, WhoisThisDomain will never be able to display them.
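To illustrate the format problem described above, here is an added example (not WhoisThisDomain's code): a small extractor that tries several field labels and date layouts and returns None when a server supplies no date. The labels, layouts and sample responses are assumptions constructed for this sketch.

```python
import re
from datetime import datetime

# Field labels and date layouts below are assumptions covering a few styles only.
LABELS = {
    "created": r"(?:creation date|record created on|created on|created)",
    "expires": r"(?:registry expiry date|expiration date|record expires on|expires on|expires)",
}
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

# Constructed sample responses, one per style.
SAMPLE_ISO = ("Domain Name: EXAMPLE.COM\n"
              "Creation Date: 2009-04-12T10:15:00Z\n"
              "Registry Expiry Date: 2010-04-12T10:15:00Z\n")
SAMPLE_SENTENCE = "Record created on 12-Apr-2009.\nRecord expires on 12-apr-2010.\n"
SAMPLE_DOTTED = "created:   2009.04.12\nexpires:   2010.04.12\n"
SAMPLE_NO_DATES = "domain: example.org\nstatus: active\n"

def parse_date(text):
    """Try each known layout; return a date, or None if none of them fits."""
    text = text.strip().rstrip(".")
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None

def whois_dates(response):
    """Return {'created': date|None, 'expires': date|None} for one WHOIS response."""
    found = {"created": None, "expires": None}
    for line in response.splitlines():
        for field, label in LABELS.items():
            match = re.match(rf"\s*{label}\s*[:.]*\s*(\S+)", line, re.IGNORECASE)
            if match and found[field] is None:
                # An unparseable value leaves the field empty so a later line can fill it.
                found[field] = parse_date(match.group(1))
    return found

if __name__ == "__main__":
    for sample in (SAMPLE_ISO, SAMPLE_SENTENCE, SAMPLE_DOTTED, SAMPLE_NO_DATES):
        print(whois_dates(sample))
```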

I created a new Web site containing information about every DLL in the system32 directory of Windows 7 Release Candidate.

Each DLL page contains the following information:

  • Version information – product name, company, file description, and so on.
  • DLL popularity – Shows you how many DLLs are statically linked to this file.
  • List of files that are statically linked to the specified file. Displayed only when the number of files in the list is 10 or less.
  • Sections information – Shows you the code and data sections in the DLL.
  • Resources information – Displays a summary of resources stored in the DLL (icons, bitmaps, cursors, dialog-boxes, and so on)
  • Icons Thumbnail – A Thumbnail with all icons stored in the DLL.
  • Cursors Thumbnail – A Thumbnail with all cursors stored in the DLL.
  • Strings information – Displays a list of strings stored in this DLL (Currently the list is limited to 100 strings)
  • Dialog-box information – Displays a list of dialog-box captions in this DLL (Currently the list is limited to 100 dialog-boxes)
  • Static Linking – Displays the list of DLL files that are statically linked to the DLL. When a DLL is loaded, the DLLs in this Static Linking list are also loaded with it.
  • Exports/Imports List – A list of all imported and exported functions.

There are also some “Top DLL” statistics tables that show the DLL files with the largest number of icons, DLL files with the largest number of cursors, and so on.

DLL File Information for Windows 7