Sunday, October 30, 2016

 Ransomware Story -

The owner of a plumbing and heating company opened what he thought was a safe email about a Fedex tracking number. The email turned out a ransomware scam. Thus, within a nanosecond all of data files were encrypted. The attached external backup drive was also encrypted.
The thieves had a message that the owner had to pay a ransom in bitcoin to get access to an encryption key, So, after, I calmed the owner down, I did the following:

A) Removed the ransomware virus using the program, Malwarebytes.
B) Recovered hidden copies of the encrypted files using ShadowExplorer. 

This program, ShadowExplorer, allows you to browse and potentially restore the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service.
So, the files were restored and the owner didn't have to pay a ransom.

Wednesday, May 25, 2016

 Ransomware - What is it? (Updated)

Ransomware is a type of malware that prevents a computer user from using their computer or from accessing the data stored on their computer. To regain access to their data, the user is forced to pay a ransom for a decryption key. The ransom fee is typically demanded in electronic currency or bitcoins.The ransomware infection can usually be removed without paying up, by  using a decent anti-virus program or malware removal program. However, regaining access to your data is not so simple.

Locky is a ransomware program that was recently released. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a payment demand screen that prompts you to send a bitcoin payment to an untracable internet address. You will be given a time frame of a week to make the payment, else the payment amount will increase.

This infection is typically spread through emails which appear to be from people that you know. These emails will contain a zip attachment that when opened would infect the computer.  The attachments are sometimes disguised as a PDF file. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.

Please be aware that currently, there is no tool to that will successfully decrypt the encrypted files.

Bitdefender, an anti-malware and virus protection company, recently released a crypto-ransomware utility that will protect against the CBT-Locker, Locky and TeslaCrypt ransomware infections. Click on this link; to download the utility. After downloading, install the program on your Windows computer.

A good backup program, preferably via redundant methods, including a cloud backup is the preferred solution. After removal of the ransomware program, a restoration of your backup data files will result in a minimal amount of down time. This latest round of malware attacks shows how important having a good,reliable backup is.

Wednesday, October 23, 2013

CryptoLocker Ransomware & WhatsApp Scam - What Are They?


CryptoLocker Ransomware & WhatsApp Scam - What Are They?

Ransomware is the generic term for a malicious virus that will typically render your computer inoperable and ask you to pay a fee or ransom to regain control. These threats can usually be removed without paying up, by  using a decent anti-virus program or malware removal program.

CryptoLocker is different. Your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This program will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 to 96 hours to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files.

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.

Please be aware that currently, there is no tool to that will successfully decrypt the locked up files. The virus can be removed and the files may be recovered from an unaffected backup, if available, or by utilizing the Windows built-in utility of restoring a shadow copy of a file.

The WhatsApp Scam starts with an email looking like this -

It says that you have received a voicemail and suggests that you download a small application to listen to it. It tricks the user into thinking that this is related to the legitimate IM application, WhatsApp. After it installs, it disables your computer and demands a payment to return the computer's functionality. It can also attack a smartphone such as the Android phones. The virus can be removed from your computer but it will take several hours.

These two latest malware scams show the importance of maintaining a good computer security program and having an up-to-date backup of your critical information, preferably offsite.

Wednesday, August 7, 2013

FBI Virus

A client called and said that he has the FBI virus on his computer. He was just on the internet when his computer is locked with a blue screen supposedly from the FBI. The screen spoke of a legal violation and demand for immediate payment by a MoneyPak purchased from Walmart or CVS.  This is obviously a "ransomware" scam. The sender of this scam hopes that by scaring the computer user and locking the computer, they will be the recipient of a ransom payment.

I booted the computer up with Hiren's Boot CD This allowed the computer to bypass the hard drive and boot solely from the CD. Once booted in a graphical GUI environment. I was able to reach the  internet, download the latest version of Malwarebytes (one of the better malware and spyware removal tools) and remove the virus.

The computer was back to normal after a 2-3 hour scan and the client was a happy camper.

Monday, August 29, 2011


Have you ever thought how to download video and audio from flash players on internet sites like Youtube, Google Video, MySpace, DailyMotion, Metacafe, Break, Blog sites of your friends with embedded audio and video content and so on?
So, JCopia does it all. It captures flash video / audio / stream from any website to your computer as files. Just play your media online and watch as JCopia 4.7.10022 saves any clip / music / movie to your computer.
 Click on this link for your free trial -Capture flash video and audio from any website to your computer

Wednesday, May 21, 2008

Microsoft & Macs - Friends or Foe?

I recently had to fix a client's installation of Microsoft Office 2008 for the Mac which decided to act up. Why did it act up, you say. Aren't Macs supposed to be a superior platform to Windows. At least , that's what all the Mac vs. PC tv commercials claim. The actor representing the Mac is so cool-looking compared to the dumpty looking guy representing the PC.

Well, here's what happened. We successfully installed Office 2008 and it was working fine until the fatal event. The Mac, having a very polite operating system, OSX 10.5 Leopard, asked if it could install an update to Office 2008. Well, the client agreed to the upgrade of Service Pack 1 (SP1) and soon found herself well along that "path to upgrade hell". Immediately after the upgrade (remember the concept of upgrade is supposed to result in a better application. Hence, the terminology of upgrade, not downgrade is used) the Office Setup Assistant showed up every time you clicked on an application. Again, it was very polite. It asked if the user wanted to learn more via the Internet or register the software. After you click next, the Autoupdater shows up and asks if you wish to check for an update (didn't we just do that?). After closing that box, setup assistant starts up again (Oh, its deja vu' all over again). We were also treated to the SBOD (Spinning Beachball of Death). This is somewhat similar to the Windows BSOD but doesn't look as threatening and is much colorful. Good manners must be an integral part of the Leopard OS.

As this behavior was putting a severe crimp in using the Office Applications so I tried a few fixes.
Fix #1 - After performing a google search, and learning that this is a widespread problem, I deleted the plist files in the Microsoft folder. They were -

/Library/Preferences/Microsoft/Office 2008/Microsoft Office 2008 Settings.plist
/Applications/Microsoft Office 2008/Office/OfficePID.plist

After starting Word 2008 again, the Office application asked for the product ID and then the Setup Assisant started its repetitive nature again. Oh, well.

Fix #2 - I uninstalled Office 2008 via the Remove Office tool and dragged the remainder of the Microsoft folder to the Trash. After a restart and re-installation of Office, the applications began to behave normally, well...sort of. Word had a few error messages and when Entourage was launched, it stated that this version of Entourage was incompatible with the Entourage identity found. Apparently, the service pack 1 update changed the Entourage files just enough to make it incompatible with the original installation. On to the next fix.

Fix #3 - Use the Office Remove Tool again. Drag the Microsoft folder to the Trash. Search for any remaining Office 2008ft Plist entries and delete if found. Then delete the Entourage 2008 identity file at /Documents/Microsoft User Data/Office 2008 Identities/your identity. Restart the computer and do another installation of Office 2008. Keep fingers crossed. Complete installation and see if the applications work. Everything looks ok. Entourage starts and requests a new identity. An archive of the Entourage data is imported from a flash drive (Remember that mandate - Keep a Backup of your critical data handy and in muliple locations) and after a final check ---We do a happy dance.

So, it would appear the Office 2008 SP1 is not quite ready for primetime and updates should be set to manual control. Talk to you later.

Monday, February 18, 2008

Data, Data .... Where's my data ?

There are two types of computer users - Those who have lost data and those who will loose data. To change your membership from Group A to Group B is only a matter of planning (or the lack thereof), good (or bad) luck, and a matter of timing. What I mean by timing is .... did the backup drive fail with the only instance of the saved data because it was part a flawed shipment of drives (you get the picture).

Over the years, clients have frantically called with a similiar tale of woe - "I turned my computer on this __________ (morning, afternoon, evening, week, month,etc. - You choose the time interval) and I saw a blue screen. Oh, I say, you received a BSOD. A BSOD? What is that? I then said, " That's the Blue Screen of ..... DEATH! You would then hear a long pause, sometimes followed by a loud thud. In the background, a faint voice would cry out, "Get the smelling salts".

After calming down the client (author's note - the status of the client's unpaid invoices will have direct impact on the time interval prior to the client being put at ease and the success of the recovery) ; I then explained the details. Windows, unfortunately, has a tendency to self-destruct. The Windows registry file is the most critical file in a Windows installation. Specifically, the registry is the database in which the operating system stores most of its settings. The installed programs and hardware store their settings within this file. Importantly, the registry defines relationships between different parts of the operating system's user interface. For example, the registry defines what you see on the desktop; how the Start menu and taskbar work; and how the operating system starts. So, if the registry file becomes corrupted then Windows will not start and the computer bootup will result in the dreaded BSOD.

However, the critical personal data files are still recoverable. The use of a self-booting CD with Windows PE allows you to look at the file structure on the hard drive, find the data files and save the information to a removable flash drive. Whoa, cowboy. Try explaining this in english. Ok. I'll slow down and use non-geeky terminology.

Windows PE (or Pre-Installed Environment) is a bootable CD that allows the user to boot up an otherwise non-bootable computer and provides you with a complete complete Win32 graphical interface (point and click ) with network support, a graphical user interface (800x600) and file system support. It allows the user to save files to a removable flash drive or to a network shared drive. I personally prefer to use Bart PE ( ) which is a Windows PE environment with a number of useful utilities built-in.

OK, Genius, so you always retrieve the data? No, there are limits to to what this recovery method can do. In the case of physical damage, recovery methods based on software are hit or miss at best. I had the case of a computer that came out of restaurant fire which resembled a molten plastic slag rather than a computer. The recovery experts at Drivesavers ( were able to disassemble the drive and recover all the critical data.

There is also the case of "Whoops! I forgot to do that." I was upgrading a client's Mac G4. This also involved upgrading Microsoft Office 2004 to version 2008. Everything went well. The new version was installed without incident and the prior version was removed. However, when the client wanted to check her calendar in Entourage, I knew that I blew it. I forgot to backup the Entourage data because I was concentrating on Word, Excel, etc. My next thought was - "What do I tell the client ?" Various scenarios were contemplated; i.e., the calendar never existed, Entourage self-destructed, unknown government agents confiscated the data under order of a secret federal court. After a brief discussion with the client, we determined that the calendar data was gone and we dealt with it.

So, the bottom line is backup your data. After you back it up, well, back it up again. Then make sure that the backup works and back it up a 3rd time. Murphy's Law of Computing says "For every action, there is an equal and opposite malfunction" and "He who laughs last probably made a back-up."