My plea to Google and Bing

Problem: Over the past few months, I have had to clean up quite a bit of malware on client PCs and Macs. Items like: Search Protect, PC Optimizer, MacKeeper, zip cloud, System Optimizer Pro, driver support, Boost, Groovorio, Browser Safeguard, snipsmart, RocketTab, toolbars and numerous coupon/savings programs… just to name a few, and there are many more.

How does this get installed?   

A user does a search for “Flash Player” or “Java Download” and at the top of the search results are ads that give the illusion of being the number one result. So the user clicks the link and downloads what they think is a legitimate copy of Java, Flash, etc… This installation file is bundled with many of the programs mentioned above, so instead of one program the user gets 4, 5 or 6 programs that are all taking system resources. Some make browsing and the ability to do work completely impossible. Many of my clients ask if this is legal. I’m not a lawyer, but since there are (poorly placed) opt-outs, I’m willing to bet it’s legal; it’s definitely not ethical.

Solution:  My plea to Bing and Google is to not allow this deception within their web results and not have an ad so close to the top result.  I know it’s a paid ad and that it’s technically not a search result but the placement of these ads creates the deception and these search engines could do more to protect their clients.    I guess it’s not even the placement of the ad but what the ad links to.  Ads are supposed to guide you to a program or service that could benefit you and these links do not serve anyone except the unethical groups who buy these ad spots.  Google’s famous motto of “Don’t be Evil” doesn’t resonate with me anymore because these ads facilitate said evil.

I’m sure Google and Bing rationalize these deceptive practices by saying that the user should be more careful or that the ad is properly marked, but we all know that is a cop-out. They could do more!


No audio or video when Lifesize Icon 600 connects to Polycom unit

Problem: When trying to connect to a Polycom distance learning unit with my Lifesize Icon 600, I was able to connect but I wasn’t getting any video or audio. The person on the other side of the connection was receiving my video and audio, but I received nothing. I read up on connecting Polycom and Lifesize units and they don’t like to play together, so I’m thinking it’s an incompatibility between the two brands. I upgraded my Icon 600 to 2.01 (the latest is 2.08 but that wasn’t available to me because the service contract had expired). After that upgrade, I couldn’t even get the Polycom to answer my calls. A big step back on this one.

Solution: Working with Polycom support, we realized that I needed to create a one-to-one NAT rule for my DL unit on my firewall. Basically, assign it an external IP address and make sure the traffic is being mapped to my DL unit. Make sure that you also enable NAT within the Icon 600 network preferences and assign the external IP there as well (if you don’t, it will not work). But we were still facing the problem of the Polycom not answering my calls, which was most likely caused by the firmware upgrade.

The Icon 600 has a revert feature which lets you boot with an alternate firmware, so I set it up to boot on the old firmware, but for some reason it kept booting with the upgraded firmware. No matter what I tried, it stayed on version 2.08. Last idea: I downloaded and installed an earlier version of the firmware from Lifesize (2.03) and finally had success. Polycom answered and I was now receiving audio and video.

Have you had troubles trying to connect DL units that are different brands?  What have you done to fix it?  You would think there would be some sort of common standard to ensure interoperability between these brands…


Can’t access files on computer now see a file called decrypt_Instruction in my directories

Problem: I got a call from a client stating that all of their files were inaccessible on the network drives. At first I thought it was a problem with the server being down or connectivity issues. After further investigation, the network was fine and we could access the files, but we couldn’t read them, and in every directory on our network shares/drives we had three files: Decrypt_Instruction.html, Decrypt_Instruction.txt and Install_Tor.html. After reading one of the files that were left, it turned out our files were encrypted and being held for ransom, to the tune of $500, increasing to $1000 if not paid within a certain amount of time. If we paid, we would get the key to decrypt the files; if we didn’t, we would lose them all. We had about 30GB of data, so just a bit more than a My Documents folder. The culprit was the CryptoWall virus.

Solution: Thankfully we had Shadow Copy turned on on our Windows 2008 servers, so I was able to recover our files from our last snapshot, which was about 4 hours prior. That was the easy fix, but finding the source of the encryption was a bit more of an issue. How could we know this wouldn’t happen again and again?

What I did:

  1. I did a search for Decrypt_Instruction.html on the server. It was on all the shares but not in the staff home directories… except one. I had one staff home directory that was encrypted. With that I was able to determine the workstation of origin and immediately had it disconnected from the network.
  2. Ran a virus scan on the whole computer but didn’t find anything. After further research, this isn’t uncommon with the CryptoWall virus because, from what I gather, the creators took great pains to make it look like a legitimate program to the OS and AV programs.
  3. After a little bit of research, I found out that CryptoWall likes to be installed in the %APPDATA% directory. *Note: The files within the workstation weren’t encrypted like I thought they would be, but once I got into the %APPDATA% directory, I found the Decrypt_Instruction files in some subdirectories. I was getting closer.
  4. After failing to find any offending file by browsing, I did an inventory of all files within the %APPDATA% directory by searching for *.*. All of the Decrypt_Instruction files had a time stamp of about 3:00pm, so I sorted my search by time and looked within that time frame.
  5. I found it… The filename was obupdate.exe and after a few searches I learned it needed to be deleted right away. The exact location of the file was the %APPDATA%\local\temp directory. I deleted the file and all of the Decrypt_Instruction files on the workstation and we were clean. No recurrences and now I have happy clients.
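The hunt in steps 1 to 5 is a timestamp correlation: the ransom notes are written by the same process that dropped the payload, so every file written shortly before or after the notes is a suspect. The script below is an added example, not the author’s own tooling, that automates that correlation over a user profile. One caveat it handles: on Windows, %APPDATA% expands to AppData\Roaming while the ...\Temp directory mentioned above lives under AppData\Local (%LOCALAPPDATA%), so the hunt walks both trees. The profile layout, file names other than those in the post, and timestamps are constructed so the script runs offline.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Ransom-note names from the post; other families use other names, so keep this a set.
RANSOM_NOTES = {"decrypt_instruction.html", "decrypt_instruction.txt", "install_tor.html"}


def find_ransom_notes(root):
    """Every ransom-note path under root (case-insensitive, like an NTFS search)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in RANSOM_NOTES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def note_time_window(notes, slack=timedelta(minutes=30)):
    """Bound when the encryption ran: earliest and latest note mtime, padded by
    slack on both sides, because the dropper is written before the notes are."""
    if not notes:
        raise ValueError("no ransom notes found; nothing to correlate")
    times = [datetime.fromtimestamp(p.stat().st_mtime) for p in notes]
    return min(times) - slack, max(times) + slack


def files_written_in_window(root, start, end):
    """Inventory every non-note file under root with an mtime inside [start, end],
    oldest first; this is the '*.* sorted by time' search from the post."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in RANSOM_NOTES:
                continue
            p = Path(dirpath) / name
            if start <= datetime.fromtimestamp(p.stat().st_mtime) <= end:
                found.append(p)
    return sorted(found, key=lambda p: p.stat().st_mtime)


def appdata_roots(profile):
    """Both AppData trees: %APPDATA% is AppData\\Roaming and %LOCALAPPDATA% is
    AppData\\Local (where ...\\Temp lives), so a hunt has to walk both."""
    profile = Path(profile)
    return [profile / "AppData" / "Roaming", profile / "AppData" / "Local"]


def triage(profile):
    """Run the three steps over one user profile; returns suspect paths relative
    to the profile, with forward slashes so the result is the same on any OS."""
    notes = [n for root in appdata_roots(profile) for n in find_ransom_notes(root)]
    start, end = note_time_window(notes)
    suspects = [s for root in appdata_roots(profile)
                for s in files_written_in_window(root, start, end)]
    return [p.relative_to(profile).as_posix() for p in suspects]


def build_sample_profile(base):
    """Constructed sample profile (not real data): notes dropped at 15:00, a
    dropper written seven minutes earlier, and unrelated files from the day before."""
    base = Path(base)
    note_t = datetime(2014, 11, 5, 15, 0)
    layout = {
        "AppData/Roaming/Example/Decrypt_Instruction.html": note_t,
        "AppData/Roaming/Example/Decrypt_Instruction.txt": note_t,
        "AppData/Local/Temp/Install_Tor.html": note_t + timedelta(seconds=30),
        "AppData/Local/Temp/obupdate.exe": note_t - timedelta(minutes=7),  # name from the post
        "AppData/Local/Microsoft/cache.dat": note_t - timedelta(days=1),
        "Documents/budget.xlsx": note_t - timedelta(days=1),
    }
    for rel, t in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
        os.utime(p, (t.timestamp(), t.timestamp()))
    return base


def run_demo():
    """Build the sample profile in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(tmp)
        notes = [n for root in appdata_roots(profile) for n in find_ransom_notes(root)]
        return {"notes": len(notes), "suspects": triage(profile)}


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['notes']} ransom notes found")
    for s in result["suspects"]:
        print("suspect written during the encryption window:", s)
```

On a real workstation, point `triage()` at the user’s profile directory (C:\Users\name) instead of the constructed one. The output is a shortlist to investigate, not a verdict: a legitimate update or browser cache written in the same half hour will show up too, which is why the search should be narrowed to executables and unfamiliar directories before anything is deleted.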

The lesson is to make sure that you have a good backup, because Shadow Copy may not save you on a workstation: CryptoWall is programmed to delete all Previous Versions while it’s encrypting your hard drive, so you can’t completely rely on it. As Leo Laporte recommends, you should have 3 backups of your data (online, shadow copy and an external HD, for example).

How to prevent this from happening? Don’t click on links in emails from senders you don’t know. That is how this virus is propagated the most, usually by a fake banking “wire transfer” document or a fax, etc… My user claims not to have received any such emails, so the next possible place of origin is a compromised website that had a link or ad that initiated the download of the file. Bleeping Computer also has some great suggestions for using Active Directory or 3rd party programs to block the execution of these ransomware programs. Link below:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Have you had an experience with CryptoWall or similar ransomware programs? What did you have to do to fix it?


Unable to Read SMTP Greeting error when sending to Comcast address

Problem: When my users tried to send an email to Comcast, AOL, q.com, etc., they would get an error that said:

Unable to deliver message to: <Person@comcast.net> Delivery failed for the following reason:

Unable to read SMTP greeting from mx2.comcast.net[68.87.20.5]

This has been a permanent failure. No further delivery attempts will be made.

I checked RBLs and we weren’t on any, and Comcast didn’t have us on their blacklist. This wasn’t happening with all email domains, but with enough to get complaints.

Solution: Found out that my ISP had changed the way it handled DNS, so the reverse lookup for our mail server’s address wasn’t working. Many institutions won’t accept email if the sending IP doesn’t have a reverse DNS (PTR) entry, and some of them simply close the connection without sending their 220 banner, which is what the sending server reports as an unreadable greeting. I contacted my ISP and they fixed the problem.
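The check a receiver like this performs is forward-confirmed reverse DNS: the sending IP must have a PTR record, and the name in that PTR must resolve back to the same IP. The script below is an added example, not something from the post, that implements that check with pluggable lookup functions so it can be verified offline against a constructed zone; the addresses and host names in the sample zone are documentation values, not real servers. With no lookup functions supplied it uses the system resolver.

```python
import socket


def check_fcrdns(ip, ptr_lookup=None, a_lookup=None):
    """Return (status, detail) for a sending IP. status is one of:
    'ok'        PTR exists and the name resolves back to ip (forward-confirmed),
    'no-ptr'    no PTR record at all (the failure mode in the post),
    'mismatch'  PTR exists but its forward lookup does not include ip."""
    ptr_lookup = ptr_lookup or system_ptr
    a_lookup = a_lookup or system_a
    try:
        name = ptr_lookup(ip)
    except LookupError:
        return "no-ptr", f"{ip} has no PTR record"
    try:
        addrs = a_lookup(name)
    except LookupError:
        return "mismatch", f"{ip} -> {name}, but {name} does not resolve"
    if ip in addrs:
        return "ok", f"{ip} -> {name} -> {ip}"
    return "mismatch", f"{ip} -> {name} -> {addrs} (does not include {ip})"


def system_ptr(ip):
    """PTR lookup via the OS resolver; raises LookupError when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:  # socket.herror / gaierror are OSError subclasses
        raise LookupError(ip) from exc


def system_a(name):
    """Forward (A) lookup via the OS resolver; raises LookupError on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError as exc:
        raise LookupError(name) from exc


# Constructed zone (documentation addresses, not real hosts):
#   .25 is a properly configured mail server,
#   .26 has a PTR pointing at a name that only resolves to .25,
#   .27 has no PTR at all, as in the post.
SAMPLE_PTR = {"198.51.100.25": "mail.example.net", "198.51.100.26": "mail.example.net"}
SAMPLE_A = {"mail.example.net": ["198.51.100.25"]}


def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise LookupError(ip)
    return SAMPLE_PTR[ip]


def sample_a(name):
    if name not in SAMPLE_A:
        raise LookupError(name)
    return SAMPLE_A[name]


def sample_results():
    """Run the check over the three constructed addresses; returns ip -> status."""
    return {ip: check_fcrdns(ip, sample_ptr, sample_a)[0]
            for ip in ("198.51.100.25", "198.51.100.26", "198.51.100.27")}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check against the system resolver
        for ip in sys.argv[1:]:
            print(*check_fcrdns(ip))
    else:
        for ip, status in sample_results().items():
            print(ip, status)
```

Before opening a ticket with the ISP, the same two lookups can be done by hand from any host with `dig -x <your mail server IP>` followed by `dig +short <the name it returns>`; if the first returns nothing, or the second does not return your IP, expect receivers that enforce this check to refuse the connection.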


Exchange 2010 email missing after iPhone 6 upgrade

Problem: Recently upgraded to the new iPhone 6 after having a 5 for a couple of years. After a week, my iPhone was dropped and I had to get a replacement. When I got the replacement, I restored from iCloud and all seemed well. I put my password in for Gmail and it synced, but when I put in my password for my Exchange email, it wouldn’t sync. The server, username, domain and password were all verified, but no mail would download. I tried deleting the account and reconfiguring, but no luck.

Solution:  Last resort… I powered my iPhone 6 off and back on again and that did the trick.  Email began to download from my account.  Not sure why this happened but glad it was a simple fix.  Has this happened to you?