Archive for the ‘News’ Category

Posted on 5th March, 2014 | No Comment

Watch out, FaceBrick users! I was checking my news feed and trying to type a suggestion on a friend’s page this morning when my keyboard was remapped and started typing gibberish.

At the same time I was trying to diagnose this nonsense, I noticed a download completed on my system. I immediately rebooted the computer. After it came back up, I killed all running apps and deleted the offending download (download.html).

After doing some history research in all my browsers, I found this little infection came from FACEBOOK via Google Chrome (the browser I use for this).

This happened on an Apple Mac Pro running OS X 10.6.8, lest you think your Mac is completely immune to nasty infections. To quote from Inspector Clouseau: “Not anymore!”

Posted on 4th November, 2013 | No Comment

Listed below are my notes from a recent virus infection on a Windows 7 computer.

Reason for service:
1: Computer is extremely sluggish.
2: Multiple instances of “COM Surrogate has stopped working” dialog boxes.

Observations:

1: All applications unresponsive.

2: Over 36 instances of dllhost.exe running in Services and repeated popups of COM Surrogate message.

3: ntdll.dll is the Fault Module involved.

4: CPU is running at 100% usage.

Manually killed all dllhost.exe processes to free up CPU cycles.

Ran System File Checker to scan for possibly corrupt files.

Note: during all scans it was necessary to keep manually killing dllhost processes. If not, CPU usage would quickly reach 100%.

Result = None found.

Ran msconfig to disable all non-MS processes.

<reboot>

Result = no change

Re-enable processes

<reboot>

Ran a full AVG virus scan. One Win32/Heur was found mid-scan, but the file disappeared before AVG could quarantine it. I continuously stopped dllhost processes during the scan to free up CPU cycles.

Note:  AVG, like any other antivirus, must be properly configured for thorough protection and acceptable performance.  Do NOT use this product “out of the box” or you are likely to suffer a nasty infection.

No further infection found.

Disabled thumbnail view in System performance, as many instances of this problem had that as a solution.

Result = No change.

Set System Performance to Fastest.

Result = No change.

Ran a full Malwarebytes scan.

Result = No infection found.

I ran Process Explorer and located the folder associated with dllhost.exe. A folder comprised of random letters in the Temp directory is the culprit, indicating an infection.

Note: No legitimate application will ever run from a Temp or Temporary Internet Files directory.  Period.

I tried numerous mechanisms for taking ownership of this folder so that I could delete it, including:

1: Setting up a new Administrator account to access the folder from outside the user account.

Result = Unsuccessful.

2: Rebooting in Safe Mode + Command Prompt.

Result = Unable to make folder visible.

Additional information:

Once I determined it was definitely a virus and not a system error, I asked the client what she was doing on the computer at 3:42 pm the day before (the time stamp on the infected folder). It seems she was browsing the MSN website and had clicked on Wonder Wall at the time. Immediately after going to that site, the popup messages commenced.

Solution:

The only solution was to take the computer to the lab, remove the hard drive and connect it to my MacBook Pro. Since the Apple OS is not held captive by the Windows “security” I was able to kill the files and folders this way. I could have accomplished the same thing on one of my Linux machines.

Unfortunately, the computer did not operate correctly when taken out of Safe Mode.  More than 50 services were either set to Disabled or Manual and un-started.  Resetting each one by hand and manually starting them solved the problem nicely.

If you have another solution to this nasty bug, post it here.
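The two tells in the notes above, a system-binary name running out of a Temp folder and an absurd number of instances of it, are easy to turn into a repeatable check. The script below is an added example written for this page, not the shop's own tooling: it takes a list of (pid, name, image path) tuples that you would copy out of Process Explorer's Path column or collect with psutil (both assumptions about how you gather the data), and reports every process that runs from a Temp or Temporary Internet Files location or that carries a Windows system binary name while living outside the Windows directory. The process list at the bottom is constructed, not a real capture; the random-letter Temp folder in it mirrors the finding in the write-up.

```python
"""Flag running processes whose image path does not fit what they claim to be.

Added example, not the blog's own tooling. Checks encoded from the write-up:
  * a process running out of a Temp / Temporary Internet Files directory;
  * a Windows system binary name (dllhost.exe, svchost.exe, ...) whose image
    is not under the Windows directory, System32 or SysWOW64;
  * an unusual number of live instances of one name (36 dllhost.exe is not normal).
The process list is supplied by the caller; the sample below is constructed.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Windows binaries that malware commonly names itself after (assumed list).
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
# Directories those binaries legitimately live in (drive letter ignored).
SYSTEM_DIRS = ("/windows/system32", "/windows/syswow64", "/windows")
# Path fragments that mark a temporary location (assumed list).
TEMP_MARKERS = ("/temp/", "/tmp/", "/temporary internet files/")


def _normalise(path: str) -> str:
    """Lower-cased, forward-slash form of a Windows path."""
    return PureWindowsPath(path).as_posix().lower()


def classify(name: str, image_path: str) -> list[str]:
    """Reasons this process looks wrong; an empty list means nothing odd."""
    reasons = []
    path = _normalise(image_path)
    parent = path.rsplit("/", 1)[0] if "/" in path else ""
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if name.lower() in SYSTEM_BINARIES and not parent.endswith(SYSTEM_DIRS):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def find_suspicious(processes) -> dict[int, list[str]]:
    """Map pid -> reasons for every (pid, name, image_path) that trips a check."""
    flagged = {}
    for pid, name, image_path in processes:
        reasons = classify(name, image_path)
        if reasons:
            flagged[pid] = reasons
    return flagged


def instance_counts(processes, threshold: int = 10) -> dict[str, int]:
    """Process names with at least `threshold` live instances."""
    counts = Counter(name.lower() for _pid, name, _path in processes)
    return {name: n for name, n in counts.items() if n >= threshold}


# Constructed sample, not a real capture.
SAMPLE_PROCESSES = [
    (1204, "dllhost.exe", r"C:\Windows\System32\dllhost.exe"),
    (3388, "dllhost.exe", r"C:\Users\client\AppData\Local\Temp\qzxkwpr\dllhost.exe"),
    (3392, "dllhost.exe", r"C:\Users\client\AppData\Local\Temp\qzxkwpr\dllhost.exe"),
    (812, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1540, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2210, "setup.exe", r"C:\Users\client\AppData\Local\Temp\is-ABCDE.tmp\setup.exe"),
    (4100, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: {'; '.join(reasons)}")
    for name, n in instance_counts(SAMPLE_PROCESSES, threshold=3).items():
        print(f"{name}: {n} instances")
```

One caveat on reading the output: installers and self-extracting packages do legitimately unpack and run from Temp for a few minutes (the constructed setup.exe entry shows the pattern), so a Temp hit on an unfamiliar name is a prompt to look, whereas a Temp hit on a system binary name such as dllhost.exe, or dozens of instances of one, is the high-confidence signal the notes describe.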


Posted on 8th August, 2013 | No Comment

A very sneaky phishing SCAM from an AT&T address

Today’s nasty little attempt to steal your account information and ruin your life comes packaged to look like AT&T wants you to update your account and opt-in to paperless billing.

Nothing could be further from the truth.

Your first clue should be that no legitimate company will ever ask for your login credentials via email.

Message Subject: Please update your bill settings (verbiage is not what we would expect to see in this country)

Sender: att@e.att-mail.com
(Your SECOND clue – If this was truly from AT&T it would have att.com as the LAST part of the email address – not prepended to a mail.com domain)

Partial body text:

*$25 Restaurant.com Gift Certificate issued after your third full month of Paperless Billing and delivered to qualifying customers via an e-mail FROM RESTAURANT.COM (allow three to four weeks for e-mail delivery). Paperless Billing must be maintained for three months or Gift Certificate will be forfeited. Offer available only online for AT&T residential accounts that are not already enrolled in Paperless Billing. Offer ends 8/31/13. Employee/retiree concession accounts and business accounts, along with any account not eligible for AT&T Paperless Billing, are excluded from the offer. Gift Certificate redeemable at http://Dine.Restaurant.com/. Unredeemed Gift Certificates not valid toward purchase at restaurants. Limit of one (1) Gift Certificate at given restaurant per party per month. Minimum spend requirements and other restrictions may apply. Visit http://Dine.Restaurant.com/ for complete terms and conditions and participating restaurants. You authorize AT&T to share your email address with Restaurant.com for Gift Certificate fulfillment ONLY.

You have received this Account Service email because you are a customer of AT&T. You will receive this type of notification to communicate important information about your account, payment and self-service options or updates to your AT&T account.

To ensure delivery of AT&T emails to your inbox, please add att@e.att-mail.com to your email address book or safe senders list. Here’s how. (bogus phishing link)

They are appealing to your desire to get something for nothing – a classic ruse.

It appears to be originating from a Level3 subnet in NYC.

Let’s be careful what we click on, OK?

Posted on 30th July, 2013 | No Comment

The hits just keep a-comin’!!!

Two more pathetic infection / phishing emails for your edification today come ostensibly from eBay.

Subject: (your name here) welcome to the eBay community!
From: eBay@reply1.ebay.com
Alleges to be from: no-reply@facebook.com
Really Sent From: onelinkpr.com in San Juan
or [61.19.125.99 - in Thailand]

This bogus welcome message from eBay is full of linked text and images, all of which hijack your computer and send it to:

[....turbotesttaking.com/inadequate/index.html]

or
[...72.167.163.145/tunelessly/index.html]

These are not places you want your computer to go.

Let’s not go clicking on any of this nonsense, OK?

Posted on 18th June, 2013 | No Comment

Another phishing scam today from Wells Fargo

Subject: IMPORTANT Documents- WellsFargo
Sender: Reuben_Spivey@wellsfargo.com / Kent_Foreman@wellsfargo.com

Content:

Please check attached documents.

Kent_Foreman
Wells Fargo Advisors
817-594-3403 office
817-987-8493 cell Kent_Foreman@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.

To unsubscribe from marketing e-mails from:
… Boilerplate text continues ad nauseam…

Attached is a zip file you should NOT open. In my case the file name is WellsFargo_06182013_myfirstname.zip

Never open any attachment before verifying the veracity of the message / contents with the sender.

As a result of continuing phishing scams purporting to come from Wells Fargo, we have blacklisted wellsfargo.com in our mail servers.

Posted on 18th June, 2013 | No Comment

Today’s email SCAM from UPS (NOT)

Subject: Your UPS Invoice is Ready
Sender: UPSBillingCenter@customercare.upsmail.com

Content:

This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,
(your first clue right here – your NAME should be here, not a generic salutation)

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view your just paid invoice.

Questions about your charges? To get a better understanding of surcharges on your invoice, click here.

Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

————————————

Every live link in this bogus email points to xxx…exclusivepetservices.com/images/ups.html?WT.svl=eSubNav

Let’s not be getting ourselves into trouble clicking on bogus links, OK?

Posted on 26th May, 2013 | No Comment

This weekend we celebrate Memorial Day, a single day set aside each year to honor those many thousands of men and women in our Armed Forces who have given their lives for our freedom and way of life here in the United States of America.

So while you’re busy with family activities, travel and Bar-B-Qs, take a moment to reflect on those whose lives have made these activities and freedoms possible for you.

Thank a Vet.

Memorial Day Bikers
Celina, Texas
May, 2008

Find this on page 69 of Texas As I See It
Order your signed / personalized copy of Texas As I See It:  http://www.texasasiseeit.net/

Copyright 2008 Warren Paul Harris
All Rights Reserved


Posted on 13th March, 2013 | No Comment

AT&T Wireless Billing Phishing SCAM

A very disturbing new phishing scam looks exactly like your monthly AT&T Wireless billing notification.

If you’re like many iPhone users, you receive a monthly notification that your wireless bill is ready to be viewed online.

What you may not notice is your next “reminder” is not at the usual time in your billing cycle and you may click on the link to log in and… KAFLOOEY! (that’s the technical term) – your identity is promptly tossed into the garbage disposal.

Watch out for these SCAMs.

Before you click on any link in an email, hover your mouse (DO NOT CLICK) over the link and observe the destination in the gray bar across the bottom of your browser or email client window to determine the destination. If it is really ATT.com, you’re OK. If not, DELETE it immediately.

The current crop of SCAMs look like this:

Subject: Your AT&T wireless bill is ready to view
Sender: AT&T Customer Care
(this is the correct address – but not the REAL address this crap is coming from)
REAL source: account birchingy9@hemc.net
(plus a lot of other spoofed addresses)

These come in a lot of “flavors” so I won’t bother to include the websites you’ll be redirected to. Just check before clicking or you’ll spend six months un-wrecking your credit.

Let’s all be careful out there!
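The two clues this post and the August 2013 AT&T post rely on, the last part of the sender's address having to be the brand's real domain and the hover-revealed link destination having to be that same domain, can be checked mechanically before anyone clicks. The code below is an added example written for this page, not the shop's own tooling. It assumes registrable domains are two labels long (fine for .com, .net and .gov; country-code suffixes such as co.uk would need a public-suffix list), treats a bare IP address as a link host as a red flag (the eBay post shows one), and treats non-ASCII characters in a sender address as a red flag, a coarse stand-in for the Cyrillic sender in the FDIC post. The `.test` hostnames, the 203.0.113.5 address and the sample messages are constructed; the sender addresses are the ones quoted in the posts.

```python
"""Sender-address and link-destination checks for suspected phishing mail.

Added example, not the blog's own tooling. Two-label registrable domains are
assumed (att.com, ups.com); a public-suffix list would be needed for co.uk-style
suffixes. Sample values are constructed except where they repeat the posts.
"""
import re
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def address_of(header_value: str) -> str:
    """Pull the bare addr-spec out of a From/Sender header value ('' if none)."""
    match = re.search(r"<([^>]+)>", header_value)
    candidate = match.group(1) if match else header_value.strip()
    return candidate if "@" in candidate else ""


def registrable_domain(host: str) -> str:
    """Last two DNS labels, lower-cased: 'e.att-mail.com' -> 'att-mail.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_verdict(header_value: str, brand_domain: str) -> tuple[bool, str]:
    """Is the From/Sender header consistent with the brand's real domain?"""
    address = address_of(header_value)
    if not address:
        return False, "display name only, no address to check"
    if not address.isascii():
        return False, "non-ASCII characters in sender address"
    domain = registrable_domain(address.rsplit("@", 1)[1])
    if domain != brand_domain.lower():
        return False, f"sender domain is {domain}, not {brand_domain}"
    return True, "sender domain matches (still verify Return-Path/Received)"


def link_verdict(url: str, brand_domain: str) -> tuple[bool, str]:
    """Does the link's host (what hovering reveals) belong to the brand's domain?"""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False, "no host in link"
    if IPV4.match(host):
        return False, f"link goes to a bare IP address ({host})"
    domain = registrable_domain(host)
    if domain != brand_domain.lower():
        return False, f"link host is {host} ({domain}), not {brand_domain}"
    return True, f"link host {host} is under {brand_domain}"


def triage(from_header: str, links, brand_domain: str) -> list[str]:
    """Every reason not to trust the message; an empty list means no red flags found."""
    problems = []
    ok, why = sender_verdict(from_header, brand_domain)
    if not ok:
        problems.append(why)
    for url in links:
        ok, why = link_verdict(url, brand_domain)
        if not ok:
            problems.append(why)
    return problems


# Constructed samples modelled on the UPS and Wells Fargo posts.
SAMPLE_MESSAGES = [
    ("ups.com", "UPSBillingCenter@customercare.upsmail.com",
     ["http://203.0.113.5/images/ups.html"]),
    ("wellsfargo.com", "Kent_Foreman@wellsfargo.com",
     ["https://www.wellsfargo.com/"]),
]

if __name__ == "__main__":
    for brand, sender, links in SAMPLE_MESSAGES:
        print(sender, "->", triage(sender, links, brand) or "no red flags found")
```

A clean result is necessary, not sufficient: the eBay and Wells Fargo posts above show messages whose From address was exactly the brand's own domain and was simply spoofed, which is why `sender_verdict` tells you to go on and compare the Return-Path and Received headers, and why a mismatch on any single link is enough to stop.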

Posted on 27th February, 2013 | No Comment

But wait! There’s more…

How about a phishing scam from FDIC?

Your very first clue in this bad boy is the sender’s address. Anything in Cyrillic is clearly bogus, right? (of course)

Subject: Special requirements for your account security
Sender: ????.??????@fdic.gov
(See what I mean? And once again, any domain ending in .de is likely not kosher…)

Return address:
(again – not the same as the Sender address – clue #2)

Message contents:

Attn: Accounting Dpt.

In order to diminish the number of wire fraud cases, we have introduced a new security system. In this connection all the ACH and WIRE transactions of our customers have been temporarily blocked until you update your security version in compliance with our new requirements.. In order to fully re-establish your account, it is required that you install a special security software. Please use the link below to read the instructions for the installation of the latest security version.

We apologize for causing you inconveniences by this measure.
If you need any assistance, please do not hesitate to contact us.

Faithfully yours,

Federal Deposit Insurance Corporation
Security Department

(In general, the grammar in this message is just enough left of center that you should be suspicious of it.)

Were you foolish enough to click on this link, you would be redirected to:
….jakmurowane.pl/templates/beez/i.php?fdic

Needless to say, you would not be happy with the outcome.

Let’s all be safe out there.

Posted on 4th June, 2012 | No Comment

Until sometime in August or September of 2012, DFWCI will be on hiatus while the owner recovers from a massive spinal surgery. Please refer to Google for alternate services until then, but send us an email and we will follow up as soon as possible. Keep in mind this is a procedure that requires 6-12 months for complete recovery, so please be patient.

The Preston Road office is now closed and we will be doing on-site / pickup and delivery data recovery when we return.

Thanks

DFWCI
