Wednesday, May 29, 2013


Not quite as catchy as "Ruby in the sky with diamonds" but I only spent about 10 seconds coming up with it. "Ruby on Rails" is popular for setting up web applications and used quite a bit. A critical hole was found and a patch was sent out in January, but apparently an unknown percentage of server administrators failed to apply it. These un-patched servers have been attacked and are now part of a larger botnet which could distribute malware to your computer at home. The full article about it is HERE.


If you watch the nightly world news then you've probably already heard about this. If you haven't, you can read about it HERE.


I've received more than a few emails related to this, and while it worked for me it may not work for you due to the number of variations out "in the wild". Briefly, you have to be prepared BEFORE you get infected. Use one of your USB sticks or go buy one and put some popular utilities on it, occasionally updating them (once a week, download updated versions).

Scenario: You wake up, turn on the computer, or if it's always "ON" you go to your usual website or two when BAM!!! up comes the FBI warning screen and you can't do much after that.

In my scenario Safe Mode, Safe Mode w/Networking, and Last Known Good Configuration did not work. The PC would go through its processes and come up to the logon screen. I'd type the password and, as soon as it looked like I was going to get into it, the screen reverted back to the logon screen and shut down the computer. Some variations will let you in if you don't have the network cable plugged into the computer, so I tried that and found out I didn't have one of those variations.

Last SAFE MODE chance was "Safe Mode Command Prompt". This, once you log in, brings you to an all-black DOS-looking screen and usually puts you in c:\windows\system32 [ed. - yes Matilda, brush up on your MS-DOS commands].

*NOTE - Before doing any of these I had already inserted my utility USB stick.

Not knowing this person's computer I had no idea what drive letter it would assign it. With HP computers it's even worse because all of those convenient media reader slots are assigned drive letters, so I began at "E". It wasn't too long until I found my USB stick on "J" and made sure I could read it. Briefly, here are the steps:
  • At c:\windows\system32 type J: (a bare drive letter with a colon switches drives; cd by itself only changes the directory on the current drive)
  • J:\ is now on the screen
  • I typed DIR (to view directory) and saw that all my files were still there. I have a folder called DOS with some of the utilities on the USB stick, so they are in one easy place to get to them.
  • At J:\ I typed "cd dos" and now it was J:\DOS
  • Another DIR to verify what I had in there and chose MBAR (a beta utility from the makers of Malwarebytes), so I typed "mbar" and the program opened up, I was able to update it via the Internet and started a scan.
  • Next, I typed "cleantempfiles" and the temporary file remover went into action (many types of malware hide in temp files). The computer I was working on was fairly new, fast and had a lot of memory so I knew I could run another program.
  • At the DOS-like prompt I typed "Hitmanpro64" and Hitman opened and I updated it and started a scan.
  • Next I typed "autoruns". This program/utility is pretty good for letting you have access to some of the registry in a GUI format. If you see something suspicious, I'd advise to just un-check the box - don't delete it.
  • MBAR and Hitmanpro64 both found a variety of things including a rootkit, MBAR found what I believe to be the FBI virus because the file was called trojan.ransomware.
  • In autoruns I saw a file that was set to load each time the computer booted. It had no description or publisher and the name of the file was something like 88872854444777299.exe [I un-checked this one].
  • With the others finished and ready to reboot in order to finalize the removal I clicked reboot on one of them and let them do their thing.
  • On reboot I went into Safe Mode again, only this time Safe Mode w/Networking instead of Command Prompt. I was able to log in, didn't get the FBI screen, and was able to get to the Internet via Internet Explorer.
  • Next: Shutdown/Restart (into normal mode)
  • Everything was like it should be, but I ran MBAR one more time (it came up clean), then ran Malwarebytes (Full scan) which also came up clean.
  • Last, but never least I deleted all of the previous restore points because they were infected as well, and created a new one labeled "After FBI virus removal 052513".
So, now you know what I did. Will it work the next time I come across it? Dunno. There are so many variants of this that I stand a good chance of it not working - but it's worth a shot.
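Here is the drive-hunting and tool-launching part of the procedure above as a batch file you could keep on the utility stick itself. This is an added example, not the author's script. It assumes the stick carries a folder named DOS holding mbar.exe, hitmanpro64.exe and autoruns.exe (the tools named above; adjust the names to whatever you actually copied) and that it is run from the Safe Mode with Command Prompt window. It walks the drive letters from D: to Z: instead of guessing, switches to the stick with cd /d, and logs each tool it starts to a file on the stick so the record survives the reboots the cleaners ask for.

```batch
@echo off
rem find-stick.cmd -- run from Safe Mode with Command Prompt.
rem Added example, not the blog author's script. Assumes the USB stick carries
rem a folder named DOS (as in the post) with mbar.exe, hitmanpro64.exe and
rem autoruns.exe copied into it; change TOOLDIR and the tool names to match
rem what you actually put on the stick.
setlocal

set "TOOLDIR=DOS"
set "STICK="

rem Walk the drive letters instead of guessing. Card-reader slots on some PCs
rem grab several letters, so the stick may land well past E:. Start at D: to
rem skip A:/B: (floppy) and the usual C: system drive.
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined STICK (
        if exist "%%D:\%TOOLDIR%\" (
            set "STICK=%%D:"
        )
    )
)

if not defined STICK (
    echo Could not find a drive with a \%TOOLDIR% folder. Is the stick plugged in?
    exit /b 1
)

echo Utility stick found at %STICK%
rem Switch drive and directory in one step. "cd J:\DOS" alone only changes
rem J:'s current directory; "cd /d" also makes J: the current drive.
cd /d "%STICK%\%TOOLDIR%" || exit /b 1
dir /b

rem Record what was run, and when, on the stick itself so the log survives
rem the reboots the cleanup tools ask for.
set "LOG=%STICK%\%TOOLDIR%\cleanup-%COMPUTERNAME%.log"
echo === %DATE% %TIME% cleanup started on %COMPUTERNAME% >> "%LOG%"

rem Run the tools one at a time. "start /wait" blocks until each GUI tool
rem closes, so the scans do not fight over disk and memory on a slow PC.
for %%T in (mbar.exe hitmanpro64.exe autoruns.exe) do (
    if exist "%%T" (
        echo %DATE% %TIME% running %%T >> "%LOG%"
        start "" /wait "%%T"
    ) else (
        echo %DATE% %TIME% %%T not on stick, skipped >> "%LOG%"
    )
)

echo === %DATE% %TIME% done; reboot into Safe Mode with Networking and rescan >> "%LOG%"
endlocal
```

You still have to reach the script once (type the letter the stick landed on, e.g. J:\DOS\find-stick.cmd), but after that one command replaces the repeated cd/dir guessing, and the log tells you later which tools actually ran on which machine. The script only launches the tools; as the post says, un-check rather than delete anything suspicious in Autoruns and let the scanners do the removal.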

Thanks for your emails -

E-mail: ME

Monday, May 27, 2013


Do you use Skype, or, are you planning on installing it in the near future? If so, I have two words for you: "Be Careful". If you're downloading the software please make sure you are doing it from the correct website and haven't been re-directed to a website that looks like Skype. This may be pure coincidence but last week I ran across two customers who were infected by something related to Skype.

In incident No.1 the user was downloading Skype and as soon as it finished and the install began - they became infected with numerous virus/trojans.

In incident No.2, from what little was passed on to me, Skype was in use previous to infection. Their PC arrived with a variation of the "FBI VIRUS". Working my way through my logical troubleshooting steps I found that it was the Skype.dat file that started the whole thing, so be careful on installations, updates, and Skype messages.

I.E. 10 is still crap, and a large percentage of calls regarding Internet access, or full access into a secure website, end up with a technician un-installing the I.E. 10 update, which reverts it back to I.E. 9 (the lesser of two evils).

Also, as in many service calls, some infections could have been prevented by applying patches to Adobe Flash, Reader, and Oracle's JAVA.

'Nuff Said,

Tuesday, May 21, 2013


While sitting in the waiting room of a doctor's office I was perusing some of my tech sites when I ran across an article regarding Microsoft, Skype, and Skype users. Apparently Microsoft has been "checking in" on Skype messages just to verify that there isn't any fraud going on, but the article [ed. - which, as usual, I'll have the link to at the end of this blog post] went further and brought up some interesting questions.

The title of the article is:

"Microsoft may be scanning your Skype messages"

Here are some excerpts:

"If you have any expectations about the privacy of your Skype communications, you may want to reassess them. Microsoft appears to be peeking into Skype messages for security reasons..."

"What these recent findings mean is that Skype users can no longer reasonably expect their Skype chats and calls to be private"

“The expectation was what I type to you just goes to you,” he told PCWorld. “However, this finding shows that Microsoft is able to monitor some of that.”

Want to read more? You'll find the complete article HERE.

'Nuff Said,

Wednesday, May 15, 2013


The critical patch for users of Internet Explorer 8 is officially out in the wild. My computer downloaded and installed it early this morning. If yours hasn't done it yet, you could check your update settings or just choose "Windows Update" and it should show up in the list of downloads on Microsoft's website.

The FBI virus is still infecting computers, and most of the ones we've seen lately were using a free anti-virus program for protection. After paying to get the darn thing off your computer perhaps you'll pony up and pay for better protection.

NSS Labs, a security testing company, ran several Internet browsers through the wringer to determine which one was best at blocking bad things. They tested:
  • Chrome
  • Apple Safari 5
  • Internet Explorer 10
  • Firefox 19
  • and Opera 12
Who came out the winner? Microsoft's Internet Explorer 10. I find this somewhat humorous because of all the issues we've had with customers having I.E.10 and not being able to access websites previously available, including bank websites.

You can read the whole testing process article HERE.

'Nuff Said,

Sunday, May 12, 2013


Just as the title reads, Microsoft is patching some zero-day exploits in Internet Explorer 8.

Read the article HERE.

'Nuff Said,

Friday, May 3, 2013


It's been awhile since I shared some emails received, so while I'm hacking out my allergies I thought it would make a good time to do it.

Q. - What is a "PUP"? These sometimes come up on a Malwarebytes scan.

A. - A "PUP" is a "potentially unwanted program": what security people call a nuisance program, or one you may not have meant to install on your computer. To my knowledge, PUP's do not grow up to become "DOG's".

Q. - My Internet Explorer browser used to say "Windows Internet Explorer". Now, when I open it I see at the top "Babylon Search - Windows Internet Explorer", what happened?

A. - Your browser has been hijacked by a program called Babylon. It has probably made itself the default homepage (which you can't change) as well as the default search engine. Sometimes I've used Babylon (I think it used to be Yahoo's Babylon) to translate English into French and send an email to my wife in French. The last time I used it they kept trying to get me to add it as a toolbar to make language conversions easier, but it sounded a little iffy.

So, if you do have this, I'm sure you've tried to un-install it, change search engines and homepages and still have it on your computer. Unless you're ready to spend a lot of time and steps to completely remove it I would:
  1. Try a system restore to a date before that happened. If that fails -
  2. Call a professional in to get rid of it for you. [ed. - shameless plug for SugarlandPC]
Q. - I paid a lot for my anti-virus software and I still got infected. Does Norton really suck?

A. - No, Norton/Symantec is in the TOP 5 of anti-virus suites. The fact is, nothing you can buy will stop every virus. We are constantly being bombarded by new viruses, trojans, and old ones that have been modified.

The best thing you can do is make sure the Anti-virus is up to date, run a quick Malwarebytes scan once or twice a month and keep your Adobe Flash updated (as well as JAVA). Don't do it via a pop-up, go directly to their respective websites and upgrade. The links are on the homepage of each.

And that ends the "MAIL CALL" post today -

'Nuff Said,

Wednesday, May 1, 2013


Not exactly security related - yet - however, I feel I should alert you to a potential problem with Microsoft's "Internet Explorer". If you have Windows 7 then it's possible they've already slipped an update onto your PC when you weren't looking and upgraded I.E. 9 to I.E. 10; I've run into a variety of people who had issues which led them to believe they had a virus or that something else was wrong.

If you have any of these symptoms, it would behoove you to check which version of Internet Explorer you have on your PC. The symptoms (to date) are:
  • You can open I.E. and it brings you to your home page but when you click on a link nothing happens.
  • Example - you're a Comcast customer and have them set as your homepage so you can click on MAIL and check your mail. You click - nothing happens.
  • You're in Outlook and get an email with several links (yes, a good email - not a bad one), and you click on the link. Either nothing happens, or it brings up another I.E. window that remains blank.
  • You try to pull down your favorites - nothing happens
  • You can get to a website, but it won't let you go further than the first page
Of course, these could be symptoms of a virus as well, so proceed with that thought in mind. If you are running I.E. 10 -
  1. Go to control panel
  2. Select "Programs and Features" (this is where you would usually un-install a program)
  3. Click on "View installed updates". The screen will change and you may notice a light green bar slowly moving steadily towards the "X", or if you have a faster PC it may just zip across. In either case, wait until it's done.
  4. Scroll down slowly until you find Internet Explorer 10
  5. Left-click once, to highlight it.
  6. Right-click once and choose un-install. If it asks you "Do you want to un-install this update?" you're fine - continue.
The computer will do its thing and then reboot, and when it comes back up you should see something akin to "applying updates 35% completed". Wait for it to finish.

Now, open your Internet Explorer and verify it is now I.E. 9, then see if those problems you had went away. Regardless of whether they did or didn't, I'd still open Malwarebytes, update it, and run a quick scan for viruses. BTW - I fixed customers' issues on 3 computers today just by doing what I wrote above...
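The same check and rollback scripted, as an added example (not the author's procedure, though it does the same thing the Control Panel steps do): it reads the installed Internet Explorer version from the registry and, if it is I.E. 10, removes the I.E. 10 update with wusa.exe. Run it from a Command Prompt opened with "Run as administrator". It assumes the I.E. 10 package is KB2718695, the number shown on the "Windows Internet Explorer 10" entry under "View installed updates" on Windows 7; verify the number against that entry before running.

```batch
@echo off
rem ie10-check.cmd -- run from an elevated (Run as administrator) Command Prompt.
rem Added example, not the blog author's procedure: reads the installed
rem Internet Explorer version from the registry and, if it is IE 10, removes
rem the IE 10 update the same way "Uninstall" under View installed updates does.
rem Assumption to verify first: KB2718695 is the package behind the
rem "Windows Internet Explorer 10" entry on Windows 7.
setlocal
set "IEKEY=HKLM\SOFTWARE\Microsoft\Internet Explorer"
set "IE10KB=2718695"
set "VER="

rem From IE 10 on, the "Version" value keeps reporting 9.x for compatibility;
rem the real version is in "svcVersion". Read that first, then fall back.
for /f "tokens=3" %%V in ('reg query "%IEKEY%" /v svcVersion 2^>nul ^| find "svcVersion"') do set "VER=%%V"
if not defined VER (
    for /f "tokens=3" %%V in ('reg query "%IEKEY%" /v Version 2^>nul ^| find "Version"') do set "VER=%%V"
)

if not defined VER (
    echo Could not read the Internet Explorer version from the registry.
    exit /b 2
)
echo Installed Internet Explorer version: %VER%

rem Compare only the major number: "10" from "10.0.9200.16384".
for /f "delims=." %%M in ("%VER%") do set "MAJOR=%%M"
if not "%MAJOR%"=="10" (
    echo Not IE 10, nothing to uninstall. If links still do not open, run a Malwarebytes scan.
    exit /b 0
)

echo IE 10 found. Uninstalling update KB%IE10KB%, which reverts to IE 9...
rem wusa.exe is the command-line equivalent of Uninstall on an installed update.
rem /norestart lets you save work and reboot yourself; add /quiet to skip the
rem confirmation dialog the Control Panel route also shows.
wusa.exe /uninstall /kb:%IE10KB% /norestart
set "RC=%ERRORLEVEL%"

rem 0 = removed, 3010 = removed and a reboot is required; anything else failed.
if "%RC%"=="0" goto :ok
if "%RC%"=="3010" goto :ok
echo wusa returned error %RC%. Check the entry under View installed updates.
exit /b 1

:ok
echo Done. Reboot, wait for "applying updates" to finish, then confirm IE reports version 9.
endlocal
```

The version check matters because the symptoms above can also come from malware, and an uninstall of an update that is not present does nothing useful; the script refuses to run wusa unless the registry actually reports a 10.x build. The 3010 return code is the normal "reboot required" result of a successful removal, not a failure.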

'Nuff Said,

Bankers beware! If your bank (or, for that matter, a hospital) uses an IP-based video camera made by D-Link, there is a possibility that a flaw (or flaws) in the cameras could allow others to tap into them. In a report on Computer World's security site I found this interesting/scary tidbit.

"Core Security's researchers found it was possible to access without authentication a live video stream via the RTSP (real time streaming protocol) as well as an ASCII output of a video stream in the affected models. RTSP is an application-level protocol for transferring real-time data, according to the Internet Engineering Task Force."

Read the whole thing HERE.

'Nuff Said,