Posted on 8th June, 2014

Today’s PSA:

In case you live in a cave somewhere, #ransomware has become a very profitable enterprise for a group of criminals from the (predominantly) eastern bloc.

I am currently in the process of recovering the data from a laptop infected with Cryptowall – the latest very nasty iteration of this #extortionware. The “IT guy” at this woman’s office told her she would “lose everything” and they would have to reinstall her computer from scratch to fix the problem.

The ransom note ($500 in this case) says your computer has been locked until you pay, but your files are still on the disk under their original names and look much as they always did. What has changed is their contents: each file has been encrypted, so the application that created it can no longer open it. JPG files will not display, documents will not open and PDF files will not render.

There is a remote possibility that, after cleaning the infection off the computer, you can restore earlier versions of your files from the Volume Shadow Copies that Windows takes automatically (the same snapshots behind System Restore and the "Previous Versions" tab). It is a long shot: the people who wrote this malware thought of that too, and CryptoWall deletes the shadow copies as part of its run, so the snapshots are usually gone by the time the ransom note appears. Check before you give up, but do not count on it.
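The observation above, that the files are still there but will no longer open, is also the quickest way to measure the damage. An intact JPG, PDF or Office document starts with a known signature; an encrypted one does not, whatever its name says. The following script is an added example (not code from this blog): it classifies files by comparing their first bytes with the signature their extension promises, falls back to a byte-entropy test for extensions it does not know, and can walk a whole drive. The signature table, the 7.5 bits-per-byte threshold and the sample files are constructed for the example. Run it against the victim's disk mounted on a clean machine, never from inside the infected Windows.

```python
import math
import os

# First bytes an intact file of each type must start with. A short table of common
# types, an assumption for this example; extend it for whatever your users keep.
# Office .docx/.xlsx are zip containers, hence the "PK" signature.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
}
HEAD_BYTES = 4096          # how much of each file to read
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext sits near 8.0, text and documents well below


def entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(filename, head):
    """'intact' if the header matches the extension's signature, 'encrypted' if it does
    not, 'likely_encrypted' for unknown types whose bytes look like ciphertext (note that
    already-compressed media also scores high), otherwise 'unknown'."""
    signatures = MAGIC.get(os.path.splitext(filename)[1].lower())
    if signatures is not None:
        return "intact" if head.startswith(signatures) else "encrypted"
    if len(head) >= 1024 and entropy(head) > ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "unknown"


def triage(files):
    """files: mapping of path -> first bytes. Returns {verdict: [paths]} in a fixed order."""
    result = {"intact": [], "encrypted": [], "likely_encrypted": [], "unknown": []}
    for path, head in files.items():
        result[classify(path, head)].append(path)
    return result


def scan_directory(root):
    """Read the first HEAD_BYTES of every file under root and triage them."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(HEAD_BYTES)
            except OSError:
                continue          # unreadable file: skip rather than abort the scan
    return triage(files)


# Constructed sample: two intact headers, two ciphertext stand-ins, one plain text file.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 100,
    "taxes.pdf": b"%PDF-1.4\n" + b"%" * 50,
    "report.docx": bytes(range(256)) * 16,   # every byte value equally often: entropy 8.0
    "notes.txt": bytes(range(256)) * 16,
    "readme.txt": b"plain text " * 100,
}

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_FILES).items():
        print(f"{verdict:17s} {paths}")
```

The "encrypted" list is the set of files you will have to recover from backup or a surviving shadow copy; the "intact" list tells you how far the malware got before it was stopped.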

How did she get into this mess in the first place?

These infections mostly reach their victims in two ways:

1: Emails containing a bogus link that sends you to a compromised web server, which then attacks your browser or one of its plugins to install the malware.

2: "Malvertising": Internet ads that redirect you to those same servers. The site you are reading is not the attacker; the ad network it uses served the malicious ad. Lately the biggest risks have come from ads on Facebook, awkwardfamilyphotos.com, the guardian.co.uk and Disney. There are many others.

What can you do?

1: Never click a link in an email before verifying its destination: hover over it and compare the real address with the one displayed. If in doubt, contact the sender by another channel first and ask whether they meant to send it.

2: Do NOT click popup ads on any site. If an ad interests you, search for the company yourself and find the item that way.

You’re welcome!

Posted on 5th March, 2014

Watch out, FaceBrick users! I was checking my news feed and trying to type a suggestion on a friend’s page this morning when my keyboard was remapped and started typing gibberish.

At the same time I was trying to diagnose this nonsense, I noticed a download completed on my system. I immediately rebooted the computer. After it came back up, I killed all running apps and deleted the offending download (download.html).

Checking the history in all my browsers showed that this little infection came from FACEBOOK via Google Chrome (the browser I use for this).

This happened on an Apple Mac Pro running OS X 10.6.8, lest you think your Mac is completely immune to nasty infections. To quote from Inspector Clouseau:  “Not anymore!”

Posted on 4th November, 2013

Listed below are my notes from a recent virus infection on a Windows 7 computer.

Reason for service:
1: Computer is extremely sluggish.
2: Multiple instances of “COM Surrogate has stopped working” dialog boxes.

Observations:

1: All applications unresponsive.

2: Over 36 instances of dllhost.exe running in Services and repeated popups of COM Surrogate message.

3: ntdll.dll is the Fault Module involved.

4: CPU is running at 100% usage.

Manually killed all dllhost.exe processes to free up CPU cycles.

Ran System File Checker to scan for possibly corrupt files.

Note, during all scans it was necessary to keep manually killing dllhost processes.  If not, CPU usage would quickly reach 100%.

Result = None found.

Ran msconfig to disable all non-MS processes.

<reboot>

Result = no change

Re-enable processes

<reboot>

Ran a full AVG virus scan. One Win32/Heur was found mid-scan, but the file disappeared before AVG could quarantine it. I continuously stopped dllhost processes during the scan to free up CPU cycles.

Note:  AVG, like any other antivirus, must be properly configured for thorough protection and acceptable performance.  Do NOT use this product “out of the box” or you are likely to suffer a nasty infection.

No further infection found.

Disabled thumbnail view in System performance, as many instances of this problem had that as a solution.

Result = No change.

Set System Performance to Fastest.

Result = No change.

Ran a full Malwarebytes scan.

Result = No infection found.

I ran Process Explorer and located the folder dllhost.exe was running from. A folder with a name made up of random letters in the Temp directory is the culprit, indicating an infection.

Note: Almost no legitimate application runs from a Temp or Temporary Internet Files directory. Installers and updaters that unpack themselves there are the usual exception, and they disappear when they finish. A randomly named folder in Temp that keeps launching a copy of a Windows system binary such as dllhost.exe (whose genuine copy lives in C:\Windows\System32) is a reliable sign of infection.

I tried numerous mechanisms for taking ownership of this folder so that I could delete it, including:

1: Setting up a new Administrator account to access the folder from outside the user account.

Result = Unsuccessful.

2: Rebooting in Safe Mode + Command Prompt.

Result = Unable to make folder visible.

Additional information:

Once I determined it was definitely a virus and not a system error, I asked the client what she was doing on the computer at 3:42 pm the day before ( time stamp on the infected folder).  It seems she was browsing the MSN website and had clicked on Wonder Wall at the time.  Immediately after going to that site, the popup messages commenced.

Solution:

The only solution was to take the computer to the lab, remove the hard drive and connect it to my MacBook Pro. Since the Apple OS is not held captive by the Windows "security" I was able to kill the files and folders this way. I could have accomplished the same thing on one of my Linux machines.

Unfortunately, the computer did not operate correctly when taken out of Safe Mode.  More than 50 services were either set to Disabled or Manual and un-started.  Resetting each one by hand and manually starting them solved the problem nicely.

If you have another solution to this nasty bug, post it here.
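The two clues that settled this case, a system binary name running from a random folder under Temp and dozens of copies of it at once, can be checked mechanically. The script below is an added example, not part of these notes: it takes (pid, name, image path) tuples, such as the Id, Name and Path columns of Get-Process or Process Explorer's image path, and reports processes that run from temp locations, system binary names outside System32/SysWOW64, and any name with more instances than a threshold. The temp markers, the binary list, the threshold of 10 and the sample process list are constructed for the example; installers unpacking to Temp are the expected benign hit.

```python
import os
from collections import Counter

# Genuine copies of these Windows binaries live only in the system directories below.
# SystemRoot is read from the environment so the check works on a non-C: install;
# the fallback is an assumption for running this off-box.
SYSTEM_ROOT = os.environ.get("SystemRoot", "C:\\Windows").lower()
SYSTEM_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "services.exe"}
# Path fragments that mark the temp locations the note above warns about (assumed list).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "\\inetcache\\")


def suspicious_processes(processes, max_instances=10):
    """processes: iterable of (pid, name, image_path); image_path may be None when the
    reader lacked rights to see it. Returns (pid, name, reason) tuples; a pid of None
    marks a per-name finding (too many instances) rather than a single process."""
    processes = list(processes)
    findings = []
    for pid, name, path in processes:
        lname, lpath = name.lower(), (path or "").lower()
        reasons = []
        if any(marker in lpath for marker in TEMP_MARKERS):
            reasons.append(f"runs from a temp directory: {path}")
        if lname in SYSTEM_BINARIES and not lpath.startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name outside System32: {path or 'path unreadable'}")
        if reasons:
            findings.append((pid, name, "; ".join(reasons)))

    # The 36 dllhost.exe instances in the notes above: flag any name past the threshold.
    counts = Counter(name.lower() for _, name, _ in processes)
    for lname, count in counts.items():
        if count > max_instances:
            findings.append((None, lname, f"{count} instances running (threshold {max_instances})"))
    return findings


# Constructed sample: one real dllhost and svchost, an installer unpacking to Temp,
# and twelve copies of a fake dllhost.exe in a random-letter folder under Temp.
SAMPLE_PROCESSES = [
    (412, "dllhost.exe", r"C:\Windows\System32\dllhost.exe"),
    (900, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1200, "setup.exe", r"C:\Users\jane\AppData\Local\Temp\is-3F2A1.tmp\setup.exe"),
] + [
    (2000 + i, "dllhost.exe", r"C:\Users\jane\AppData\Local\Temp\qzvmkj\dllhost.exe")
    for i in range(12)
]

if __name__ == "__main__":
    for pid, name, reason in suspicious_processes(SAMPLE_PROCESSES):
        print(f"{pid!s:>6} {name:14s} {reason}")
```

The path check is the decisive one: a genuine dllhost.exe is never outside the system directories, so a hit there needs no further scanning, and the folder it names is the one to delete from a clean OS as described above.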

 

Posted on 19th August, 2013

I am running a 12 core Mac Pro with 16 gigs of ram, 13TB of internal storage, 4 monitors and the newest updates to OS X Mountain Lion 10.8.4.

Recently I have been searching for cloud-based backup for my massive image library.  Bitcasa has been making news with their incredible offer of infinite storage for only $100 per year.  I had read the reviews and a lot of forum posts regarding problems with the app, but results seemed to have been improving over the last year, so I decided to give it a try.

In late July of 2013 I downloaded and installed the Bitcasa app (version 1207).  The installation went smoothly and it immediately identified the primary data folders on my boot drive and began backing them up.  This is a small portion of the data I need mirrored, as I have several Terabytes of data stored on my system.  I added a few more folders that I wanted mirrored and let it run.  I immediately noticed a massive degradation in performance.  I let the computer run around the clock for 3 days to get the queued material synced.

On August first, when I was finished with the computer for the night, I closed all running apps as I normally do before shut-down and tried to close Bitcasa. It would not shut down on its own and I had to initiate a Force Quit command to unload it from memory.

The next day when I booted the computer, Bitcasa was crashing on load and generating error messages to accompany this activity.  This happened repeatedly.

Bitcasa Crash Dialog

I noticed the temperature monitor on my display showed my computer running at 61 degrees C. Normally it ranges between 39 and 41. I immediately loaded Activity Monitor and found Bitcasa’s CPU usage was at 1,420 % - over One Thousand Percent ?!?!?!?!?! I immediately executed a Force Quit of Bitcasa, as it would not close on its own.

I then contacted Bitcasa support via online chat and began the laborious process of clearing the Bitcasa cache (this can take hours) and downloading the newest build with instructions for removing the current version and replacing it.  Chris was very helpful and my assessment of their support based on this single sampling is excellent.

Since replacing Bitcasa 1207 with build 1.3 1217, it no longer crashes on load.  However, it still does not handle threads or process priorities correctly.  Both Aperture and Photoshop, which I use constantly, become unresponsive on launch or import / File Open when Bitcasa is loaded.

I routinely have to pause the sync process, then Force Quit Bitcasa in order to free up other running applications. It will NOT close on command either from its own menu or via Activity Monitor.

When it is actually syncing, it uses all the bandwidth of my fairly fast UVerse pipe and I have to pause Bitcasa Sync in order to stream video or watch something on YouTube on any computer or TV on the network.
 
To qualify what I am about to say:

I have spent most of my life in technology.  I was a Recording Engineer for Motown Records and worked in almost every studio on the West Coast.  I designed and built numerous Recording Studios in Northern California, including MC Hammer’s in the early 90s – and Metallica’s favorite rehearsal studio in the early 80s.

I owned and operated several technology companies over nearly 40 years, including AudioCraft Engineering in Marin County, which serviced the Pro Audio gear for studios and musicians up and down the West Coast.  I was on the team that built the very first computerized house in Tiburon, California in 1983.  My tasks were to build the circuits we needed and interface the entire system.

In 2010 I sold a very profitable computer consulting company I started in 1994 upon leaving the employ of Symantec (where I was Beta Administrator for Time Line 6).  This little consulting company made me a lot of money solving other people’s PC, network and software issues until I decided I needed a change of pace. For many years I was a computer Forensic Analyst and Licensed Private Investigator.  I’ve recovered a lot of data in my career and continue to do so today.

In the early days of computers I learned to code first in Basic, then in Turbo Pascal and finally in C before I lost interest in writing and debugging code.  I’ve been coding my own websites since 1995, first in text on a Unix platform and now with Dreamweaver.

 

What I really think about Bitcasa:
 
In all my years in technology I cannot remember a less well-crafted application being unleashed on an unsuspecting buying public. It’s been causing nothing but trouble for their users since the day it was introduced and I knew this going into it, but figured I’d give it a try.

My assessment of Bitcasa so far is that it is one of the worst pieces of code I have seen in my entire career.  Whoever is compiling this app should be fired and they should hire someone from Silicon Valley that has half a clue.

Bitcasa is not even Release Candidate quality.  It is Beta – plain and simple.  Charging money for this app is somewhere between unconscionable and criminal fraud.

Posted on 16th August, 2013

Procter & Gamble has issued a fairly large voluntary recall of both their Eukanuba and Iams brand cat and dog food. Check the recall web page right away to see if you have any of the Salmonella-tainted food in your home:

http://m.news.pg.com/press-release/pg-corporate-announcements/pg-voluntarily-recalls-limited-quantity-dry-pet-food-due-po?cm_mmc=emailpals-_-20130815_PandGRecall-_-PALSCAMP_239439_239439_105_20130815-_-PressRelease&cm_em=23881010

Posted on 8th August, 2013

A very sneaky phishing SCAM from an AT&T address

Today’s nasty little attempt to steal your account information and ruin your life comes packaged to look like AT&T wants you to update your account and opt-in to paperless billing.

Nothing could be further from the truth.

Your first clue should be that no legitimate company will ever ask for your login credentials via email.

Message Subject: Please update your bill settings (verbiage is not what we would expect to see in this country)

Sender: att@e.att-mail.com
(Your SECOND clue: if this were truly from AT&T, the part after the @ would end in att.com. Here the sender's domain is att-mail.com, a separate registration from att.com that merely contains the brand name, and the "e." in front of it is just a subdomain of that registration. Read a domain from the right: the last two labels decide who owns it, and anything to their left is chosen by that owner.)

Partial body text:

*$25 Restaurant.com Gift Certificate issued after your third full month of Paperless Billing and delivered to qualifying customers via an e-mail FROM RESTAURANT.COM (allow three to four weeks for e-mail delivery). Paperless Billing must be maintained for three months or Gift Certificate will be forfeited. Offer available only online for AT&T residential accounts that are not already enrolled in Paperless Billing. Offer ends 8/31/13. Employee/retiree concession accounts and business accounts, along with any account not eligible for AT&T Paperless Billing, are excluded from the offer. Gift Certificate redeemable at http://Dine.Restaurant.com/. Unredeemed Gift Certificates not valid toward purchase at restaurants. Limit of one (1) Gift Certificate at given restaurant per party per month. Minimum spend requirements and other restrictions may apply. Visit http://Dine.Restaurant.com/ for complete terms and conditions and participating restaurants. You authorize AT&T to share your email address with Restaurant.com for Gift Certificate fulfillment ONLY.

You have received this Account Service email because you are a customer of AT&T. You will receive this type of notification to communicate important information about your account, payment and self-service options or updates to your AT&T account.

To ensure delivery of AT&T emails to your inbox, please add att@e.att-mail.com to your email address book or safe senders list. Here’s how. (bogus phishing link)

They are appealing to your desire to get something for nothing – a classic ruse.

It appears to be originating from a Level3 subnet in NYC.

Let’s be careful what we click on, OK?

Posted on 30th July, 2013

The hits just keep a-comin’ !!!

Two more pathetic infection / phishing emails for your edification today come ostensibly from eBay.

Subject: (your name here) welcome to the eBay community!
From: eBay@reply1.ebay.com
Alleges to be from: no-reply@facebook.com
Really Sent From: onelinkpr.com in San Juan
or [61.19.125.99 - in Thailand]

This bogus welcome message from eBay is full of linked text and images, every one of which sends your browser to:

[....turbotesttaking.com/inadequate/index.html]

or
[...72.167.163.145/tunelessly/index.html]

These are not places you want your computer to go.

Let’s not go clicking on any of this nonsense, OK?

Posted on 30th July, 2013

Today’s pathetic phishing scam – Facebook Package Delivery

If you receive an email from Facebook with the following information:

Subject: Your package has been delivered
From: no-reply@facebook.com

Be very suspicious of it.

In this particular case, what makes this attempt so incredibly clumsy is the bogus content itself. Keep in mind today is July 30, 2013:

Content:

Our records indicate that the following shipment has been delivered:
Tracking number: 262072197840
Ship (P/U) date: May 27, 2013
Delivery date: May 31, 2013
Sign for by: Lelio JACQUEZ
Delivered to: Receptionist/Front Desk
Service type: FedEx Standard Overnight
Packaging type: FedEx Envelope
Number of pieces: 1
Weight: 0.50 lb.
Special handling/Services: Deliver Weekday

Notice the delivery date of May 31? TWO MONTHS AGO?

As a result of FaceBrick’s shameless marketing “push” functions, where they entice you to send gifts to people on their birthdays (etc.), some variety of pond scum has decided it’s an opportunity to scam you.

In the case of this particular attempt, clicking on any of the live links in the message will take you not to FedEx.com as they indicate, but rather to ….u.to/ue0ZBA

Doing this will ruin your day.

Let’s all be careful out there on the Internet, OK?

Posted on 24th June, 2013

Don’t fall for this Facebook Notification hijack!

This is an example bogus email you should NOT click on:

Subject: Adrian Garcia tagged you in a photo on Facebook
Sender: notification+1325EYW2G@facebookmail.com
Actual alleged email address: calliopelz2261@facebook.org
(note the .org domain: that is NOT facebook.com, so it is clearly bogus.)

There are two buttons you can click on:

See Photo
Go to Notifications

Either one will redirect you to: xxx…carman.org.ua/modules/mod_add/facebook.html?photo.php&fbid=9428026158057&set=np.08155031.4444906106&type=1&mid=437Z2FH0VMM7P5CN6V9M19K7N7&bcode=1.8252337887.8CV4OH6YEXQGL8AC&n_m=—youremailaddresshere—&lloc=1st_cta

When you receive anything like this, go to your Facebook page manually and check your notifications. If there are none – you know it’s bogus.

Posted on 18th June, 2013

Another phishing scam today from Wells Fargo

Subject: IMPORTANT Documents- WellsFargo
Sender (forged): Reuben_Spivey@wellsfargo.com / Kent_Foreman@wellsfargo.com
(The From header is written by whoever sends the message, so a wellsfargo.com address there proves nothing about where the mail actually came from.)

Content:

Please check attached documents.

Kent_Foreman
Wells Fargo Advisors
817-594-3403 office
817-987-8493 cell Kent_Foreman@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.

To unsubscribe from marketing e-mails from:
… Boilerplate text continues ad nauseum…

Attached is a zip file you should NOT open. In my case the file name is WellsFargo_06182013_myfirstname.zip

Never open any attachment before verifying the veracity of the message / contents with the sender.

As a result of continuing phishing scams purporting to come from Wells Fargo, we have blacklisted wellsfargo.com in our mail servers.
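Every phishing post above applies the same handful of checks by eye: the sender's domain against the brand's real domain (the AT&T mail), the host that actually delivered the message (the eBay mail "really sent from" onelinkpr.com), a link whose text says FedEx.com while its target is somewhere else (the Facebook package mail), a reply address on a lookalike domain (the Facebook notification mail), and a zip attachment (this Wells Fargo mail). The script below is an added example, not code from this blog, that runs those checks over a raw message with Python's standard library. The brand allowlist, the two sample messages and every host, address and filename in them are constructed for the example; the registrable-domain helper uses a last-two-labels rule that is wrong for suffixes such as co.uk, which a real tool would fix with the Public Suffix List.

```python
import email
import re
from email import policy, utils
from urllib.parse import urlparse

# Assumed allowlist of registrable domains each brand really mails from. An assumption
# for this example, not a vetted list; build yours from mail you know is genuine.
BRAND_DOMAINS = {
    "Facebook": {"facebook.com", "facebookmail.com"},
    "AT&T": {"att.com"},
    "Wells Fargo": {"wellsfargo.com"},
}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".jar")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def registrable_domain(host):
    """'e.att-mail.com' -> 'att-mail.com' (naive rule; see the note on public suffixes)."""
    return ".".join(host.lower().strip().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    """Domain of the address in an RFC 5322 header value, or '' if there is none."""
    _, addr = utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw_message, brand):
    """Return human-readable findings for a message that claims to come from `brand`."""
    allowed = BRAND_DOMAINS[brand]
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. From, Reply-To and Return-Path must all sit under a domain the brand uses.
    for header in ("From", "Reply-To", "Return-Path"):
        dom = address_domain(msg.get(header))
        if dom and registrable_domain(dom) not in allowed:
            findings.append(f"{header} uses {dom}, not a {brand} domain")

    # 2. The bottom Received header names the host that handed the mail to the
    #    recipient's MX; the ones above it were added by the recipient's own servers.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+([^\s(]+)", str(received[-1])) if received else None
    if hop and registrable_domain(hop.group(1)) not in allowed:
        findings.append(f"first hop was {hop.group(1)}, not a {brand} host")

    # 3. Every link must go to the brand, and to the domain its visible text claims.
    #    A regex is enough for these samples; use an HTML parser on real mail.
    body = msg.get_body(preferencelist=("html",))
    links = LINK_RE.findall(body.get_content()) if body is not None else []
    for href, text in links:
        text = re.sub(r"<[^>]+>", "", text).strip()
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) not in allowed:
            findings.append(f"link '{text}' goes to {host}, not a {brand} domain")
        claimed = DOMAIN_IN_TEXT_RE.search(text)
        if host and claimed and registrable_domain(claimed.group(0)) != registrable_domain(host):
            findings.append(f"link text says {claimed.group(0)} but points at {host}")

    # 4. Archives and executables are the classic carrier for the malware itself.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name} has a risky extension")
    return findings


# Constructed sample modelled on the package-delivery and Wells Fargo mails above;
# every host, address and filename is made up (.example domains, documentation IPs).
PHISH = """\
Return-Path: <bounce@onelinkpr.example>
Received: from mail.onelinkpr.example (mail.onelinkpr.example [203.0.113.5]) by mx.victim.example; Tue, 30 Jul 2013 09:12:00 -0400
From: "Facebook" <no-reply@facebook.com>
Reply-To: calliope@facebook.org
Subject: Your package has been delivered
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Track your parcel at <a href="http://u-to.example/ue0ZBA">FedEx.com</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Delivery_Details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed clean counterpart: everything resolves to the brand's own domains.
CLEAN = """\
Return-Path: <notification@facebookmail.com>
Received: from outmail.facebook.com (outmail.facebook.com [203.0.113.9]) by mx.victim.example; Mon, 24 Jun 2013 08:00:00 -0400
From: Facebook <notification@facebookmail.com>
Subject: You have a new notification
Content-Type: text/html; charset="us-ascii"

<p><a href="https://www.facebook.com/notifications">Go to Notifications</a></p>
"""
```

Note what the script does not do: it takes the From header at face value as the brand claim, because that header is the attacker's own text. The Received chain and the link targets are the parts the sender cannot dress up, which is why the eBay post's "really sent from" and the package post's u.to destination are the findings that matter.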

