Welcome to mickyj.com
Welcome to Mickyj.com SBS RSS feed

Follow me through the highs and lows of IT in general

If nothing changes on my blog for a while, I might be busy on another project.

Keep an eye on my Twitter, Flickr Photostream, Photo Blog or latest Mickyj news.

New blog (Added August 2011). Mickyj Mindspill at msmvps.com


 

New Mickyj blog location !

Mickyj Blog and RSS have a new home
Keywords: RSS, Blog, WordPress

Mickyj.com blogs will now be archived. All new blog posts will be available at the new location. The RSS will also be updated.

RSS Feed
http://blogs.msmvps.com/mickyj/feed/

New Blog
http://blogs.msmvps.com/mickyj

Send feedback about this particular blog
Read Feedback from others


Refer to the Mickyj Hardware blog or the Malware blog.
If you prefer to Twitter, look here

7 August 2011 - Mickyj.com






End of Mickyj blog for: 7 Aug 2011 16:03:35 GMT  Check my tweets on Twitter.  



Trojan.Boot.Sinowal.knf

Hijacked Google and Redirections
Keywords: Virus, Malware, hacker, mbr, rootkit, Trojan.Boot.Sinowal.knf

On Jan 2 2011 a new trojan was detected. Many people are asking for a solution to their malware issue and some of the symptoms match this trojan. It is called Trojan.Boot.Sinowal.knf and goes by other names such as TROJ_MBR.XX (Trend Micro), Backdoor.Win32.Sinowal.knf (Kaspersky) and Troj/Mbroot-G (Sophos).

This Trojan/Rootkit can bundle or hide other malware on your PC.

There are various symptoms. For me and many others, it all started in the web browser. Something tried to download from a webpage to my machine, something I did not ask for. It got through Trend Micro and my Unified Threat Management on my Sonicwall.

After this occurs, Internet Explorer runs noticeably slower. Little weird Tmp files start appearing in the Windows Temp folder and cannot be deleted (or terminated with Process Explorer). Next you notice that Google search results look normal when you hover over the links, but as you click them they change to adsense.previewmediastation.com/r.php?

This link then redirects to advertisement pages or to other search pages.

Another symptom I experienced was Remote Desktop in Windows XP SP3 suddenly supporting about 5 RDP sessions (it's not a Terminal Server !!). When I try to use mstsc to connect to the console, I always get a new session. The old sessions still run and the machine just gets slower and slower. Sometimes I get lucky and reconnect to the session I want.

Officially there are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms. I am noticing an increasing amount of people searching for adsense.previewmediastation.com/r.php. I believe that this is either a common symptom or it is just the most current type of experience.

From here I ran Kaspersky's TDSSKiller and it found and removed the main boot sector Rootkit/Malware.

\HardDisk1 - detected Backdoor.Win32.Sinowal.knf (0)
============================================
Scan finished
============================================
Detected object count: 1
\HardDisk1 - will be cured after reboot
Backdoor.Win32.Sinowal.knf(\HardDisk1) - User select action: Cure
Deinitialize success

If you have these symptoms you can download it from here.

From what I can tell this is a boot sector virus.
In my case this masked TROJ_GEN.USC5L14, which was first detected 14 Feb 2011. Details can be found here.
This virus enumerates many system files and directories, attempts to send data or commands via HTTP, and adds or modifies Internet Explorer cookies.

Here are notes from various websites about the Sinowal.

Basic Win32/Sinowal Family Summary (Backdoor.Win32.Sinowal.knf is a member)
Win32/Sinowal is a family of password-stealing and backdoor Trojans. The Trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. The Trojan may also capture user data such as banking credentials from various user accounts and send the data to Web sites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port.
Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

Full Technical Information for the generic Win32/Sinowal (Analysis)
When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.

Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.

Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

Trojan:DOS/Sinowal.K summary
Trojan:DOS/Sinowal.K is a component of Win32/Sinowal - a family of password-stealing and backdoor trojans. The trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) web transactions. The trojan may also capture user data such as banking credentials from various user accounts and send the data to websites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port. Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

Trojan:DOS/Sinowal.K is a detection for a malformed MBR (Master Boot Record) generated by VirTool:WinNT/Sinowal. It loads the driver loader code of Sinowal when the affected computer boots.
Installation
VirTool:WinNT/Sinowal may overwrite the existing MBR with Trojan:DOS/Sinowal.K.
Payload
Trojan:DOS/Sinowal.K looks for and loads Sinowal's driver loader code from hard drive sectors. Once found, it transfers execution to the loader.
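The notes above describe the bootkit side of Sinowal: a rewritten MBR whose partition table is left intact so the machine still boots, which is what TDSSKiller found and cured on \HardDisk1. As an added example (not code from the original post, from TDSSKiller or from any vendor), the Python below parses a 512-byte MBR image, checks the boot signature and partition table for inconsistencies, and compares the 440-byte boot-code area against a known-good hash, the kind of offline integrity check a defender can run on a disk image taken before cleaning; the MBR images and the baseline hash are constructed for the example.

```python
"""Offline sanity check of a 512-byte Master Boot Record (MBR) image.

Added example for this post; not code from the original page, from TDSSKiller
or from any vendor. All MBR images and hashes below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the bootstrap code a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot code and (status, type, lba_start, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code[:BOOT_CODE_LEN]
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    mbr[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries with their LBA ranges."""
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "start": start, "end": start + count - 1})
    return entries


def check_mbr(mbr, known_good_hash, disk_sectors):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["MBR image is not 512 bytes"]
    findings = []
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if digest != known_good_hash:
        # This is the check that catches an overwritten MBR even when the
        # partition table has been left intact so the system still boots.
        findings.append("boot code differs from baseline (sha256 %s...)" % digest[:16])
    parts = parse_partitions(mbr)
    bootable = sum(p["bootable"] for p in parts)
    if bootable != 1:
        findings.append("%d bootable partitions (expected 1)" % bootable)
    for p in parts:
        if p["end"] >= disk_sectors:
            findings.append("partition %d extends past end of disk" % p["index"])
    for a in parts:
        for b in parts:
            if a["index"] < b["index"] and a["start"] <= b["end"] and b["start"] <= a["end"]:
                findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


# Constructed sample data: the "clean" boot code is filler, not a real bootloader.
CLEAN_PARTS = [(0x80, 0x07, 2048, 204800)]        # one bootable NTFS partition
DISK_SECTORS = 250000
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100, CLEAN_PARTS)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Same partition table, different boot code: what an MBR bootkit leaves behind.
INFECTED_MBR = build_mbr(b"\xeb\x3c" + b"\xcc" * 200, CLEAN_PARTS)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE, DISK_SECTORS))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE, DISK_SECTORS))
```

On a real system the baseline hash would be recorded from a known-clean install and the 512-byte image read from the physical disk, never from inside a suspected-infected OS where the rootkit can filter the read.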


27 February 2011 - Mickyj.com



Ransomware is back
Be on the lookout
Keywords: Virus, Ransom, Malware, hacker

Ransomware is back. This type of malware, as the name suggests, holds victims’ files and systems hostage in order to extort a ransom. First sighted on the threat landscape back in 2005, it failed to attract as much attention as other malware (rogue antivirus software and spyware), but its return is always considered serious and cause for alarm. To learn about this latest reappearance, click here.


2 February 2011 - Mickyj.com



Microsoft Security Alert !
New Windows Flaw
Keywords: flaw, vulnerability, Fix it

Microsoft has issued a critical security alert that affects 900 million people using its Internet Explorer web browser. The computer giant warned of a newly-discovered flaw in Windows that could be exploited by hackers to steal personal details or take over computers.

This vulnerability could allow attackers to construct malicious links pointing to HTML documents that, when clicked, would render the targeted document and reflected script in the security context of the user and target location. The end result of this type of vulnerability is that script encoded within the link is executed in the context of the target document or target web site.

Read more on TechNet
Run the Fix it tool


1 February 2011 - Mickyj.com



How do I get SBS 2011 Premium ?
I want Premium !!
Keywords: SBS, Premium, Aurora

The new generation of SBS 7 and SBS Aurora is here. Things are simpler in the new version of SBS: there are no longer separate Standard and Premium versions of each product. Instead, Microsoft have released an SBS Premium Add-on pack that can be added on to either SBS 7 or SBS Aurora. This add-on pack will include Windows Server 2008 R2 Standard and SQL Server 2008 R2 for Small Business. You’ll need to purchase SQL CALs for however many users you have that require SQL Server access, which is as per the normal process.


26 January 2011 - Mickyj.com



Does my Xbox 360 S wireless have a MAC address ?
I can't find it
Keywords: Router, Wireless, MAC

I want to join my Xbox 360 S to my wireless network which is locked via MAC and WPA2. I can't find the address !!

Go to
System Settings - Network Settings - Wired Network - Configure Network - Additional Settings - Advanced Settings
Especially for us "slim" console owners: you can use the wired MAC address for wireless connections.
Don't forget your router needs to have an MTU of 1368 or greater.


19 January 2011 - Mickyj.com



Telstra 3G Announcement
My HUAWEI E220 USB Modem is living on borrowed time.
Keywords: 3G, 2100, Mobile

From Telstra

"IMPORTANT INFORMATION FOR CUSTOMERS WITH EARLIER 3G (2100MHz) MOBILE DEVICES
Telstra currently operates two 3G networks: our Next G™ network, Australia’s largest and fastest national mobile network, and an earlier, limited 3G service operating at 2100MHz in major metropolitan centres.
Telstra’s earlier 3G (2100MHz) network is currently shared with Vodafone Hutchison Australia (VHA). From a date no earlier than 1 January 2012, Telstra and VHA will end this partnership. We will notify you of the exact date closer to the time.
If you are using a mobile phone or wireless data device that only operates on this limited 3G (2100MHz) network and not on our Next G network, and: you’re located in a metropolitan area, you have a 3G SIM card (not a 2G SIM card), and you use your mobile service to access 3G services - such as video calling or high speed data services - then you will be impacted by this change. 3G services on your phone, such as video calling and Mobile FOXTEL from Telstra, will no longer be available. If you use your mobile phone for internet browsing, you’ll also notice a reduction in your browsing speed from this date.

If you only use your mobile phone for voice calls and SMS you won’t be impacted. If your mobile phone or wireless data device has the Next G logo on it, then you will not be impacted. We estimate that only a very small number of customers will be affected."

Of course... my modem will not work anymore. Crap! It was used on an ISA 2000 server for internet access in non-ADSL areas.


6 January 2011 - Mickyj.com



Canon - Contact Service center waste ink absorber pad full
Do I need to call Canon ?
Keywords: Ink, Absorber, service, canon, mp460

My dad's printer wants a service. It took ages to pull it apart, but we did it. We found the absorber pad, it was very full. We washed it out with clean water (needed to be soaked many times). Now we need to reset the printer as its counter still tells us the printer needs a service.

We finally did this. The initial advice was to use the MPTool (but it did not work for us).
The MPTool is designed for service work on Canon MP-series printers when in Low-Level mode.
Currently supported: MP150, MP160, MP170, MP180, MP450, MP460.
BEFORE activating MPTool you need to put the printer in LOW LEVEL mode:
1. Unplug the power cord to the printer for a moment.
2. Then, hold down the on/off button while plugging in the power cord. Keep holding the on/off button down.
3. Right away the green power light (in the button) will turn on solid. Keep holding the on/off button down.
4. Press and release the Stop/Reset button (the button with a red triangle in a red circle).
5. Now you can release the on/off button.

The green power light will go off and the yellow Alarm light will stay on. Now you can run MPTool and resetting the ink counters will work.
You can download MPTool at http://www.ipt.nm.ru/ At the top of the page is iPTool, further down the page is MPTool.
We also tried:

Reset Waste Ink Code
1) Enter SERVICE MODE by pressing sequentially Menu Copy Scan Copy Copy or Menu Copy Copy Copy Scan (on some models)
2) Select TEST MODE.
3) Press '+' 8 times till 'Select [8]' PRINTER TEST in TEST MODE.
4) Select 3. [EEPROM CLEAR].
5) Select 0. [INK COUNT].
6) Press the [OK] key.
7) Press the [Stop/Reset] key (returning to the state of 3)), and then press the [ON/OFF] key.
8) Done

Then we tried
Disconnect the power cable
Hold down power button
Reconnect the power cable
With the power button still down, press the red Cancel/Stop button twice
Release the power button
The printer is now in factory mode (wait about 30 seconds until it says idle)
Press the down arrow (next to the OK button) until it says Shipping Mode 1
Press the OK Button
Now with it displaying Without Cleaning press the power button
A test page should print
Now open cover
Disconnect the power again
Take both cartridges out like normal
Close cover
Reconnect power cable
Press power button
Replace cartridges

http://www.fixyourownprinter.com/forums/printer/5246

Finally we did the following:
Canon GENERIC "S" SERIES RESET CODE (Resume = stop/reset on some models) Waste Ink Counter Reset.
(1) Turn off the printer.
(2) Press and hold the RESUME button, then press and hold the POWER button.
(3) Release the RESUME button, then press and release the RESUME button two (2) more times in succession (note: you are still holding the POWER button). The printer's carriage will "reset" or move momentarily. If the above was properly performed the printer will enter the "Service Mode".
(4) Press the RESUME button 4 times, this will select the clear waste ink counter function. The lamp will alternate (change) color with each key press.

1. Service/Factory test printout, including ink sensor check.
2. EEPROM - Info printout.
3. EEPROM - Initialization.
4. Reset the Waste ink counter.
5. Printer model setting. (More selections beyond this point - however it is best to leave them unaltered - you have been warned!)

After selecting the desired mode (eg 4), press the POWER button to "set" the change, and return to the top of the function selection menu. Press the POWER button again to restart the printer.
All back to normal.


30 December 2010 - Mickyj.com



Merry Christmas everyone !
Be safe everyone !
Keywords: Christmas




25 December 2010 - Mickyj.com



Malware !!!!!
Stay on top with Microsoft
Keywords: Malware, Microsoft

Check out this handy page at Technet
MMPC


15 December 2010 - Mickyj.com



Server SBS 2008 loses default gateway
Every time I reboot I need to rerun the Connect to the Internet wizard
Keywords: SBS, Gateway, reboot, Microsoft

We have a server that would lose the default gateway each time it reboots. I have to re-set up the internet and run the Connect to the Internet wizard.

Solution: Take a look at the following registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<CLSID of the network card this is happening for>. You'll probably recognise the right interface by viewing its IPAddress value. Then open the "DefaultGateway" value. In our case you see the default gateway, but above it there is an empty line. After removing the empty line, restarting works fine and the problem didn't occur anymore.
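The empty line above the gateway is an empty first string in a REG_MULTI_SZ value, which is what the TCP/IP stack trips over. As an added example (not code from the original post), the Python below reads a .reg export of the Interfaces key described above, decodes the hex(7) DefaultGateway value, flags any interface whose gateway list contains an empty string, and shows the value re-encoded without it; the interface GUID and addresses in the sample export are constructed placeholders.

```python
"""Find the DefaultGateway problem from this post in a .reg export.

Added example; not code from the original post. A REG_MULTI_SZ is exported
as hex(7): UTF-16LE strings, each NUL-terminated, with a final NUL ending the
list. An empty first string (the blank line seen in regedit) shows up as a
leading 00,00. The export below is constructed; the interface GUID and the
addresses are placeholders.
"""
import re

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-1111-2222-3333-444444444444}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,00,2e,00,\
  31,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00,31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,\
  31,00,2e,00,31,00,00,00,00,00
"""

VALUE_RE = re.compile(r'^"([^"]+)"=hex\(7\):(.*)$')


def hex_to_bytes(hex_csv):
    return bytes(int(h, 16) for h in hex_csv.split(",") if h.strip())


def decode_multi_sz(raw):
    """Split UTF-16LE REG_MULTI_SZ data into its list of strings."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\0")          # each string is itself NUL-terminated
    return parts[:-1] if parts and parts[-1] == "" else parts


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz, in the comma-separated hex form used by .reg files."""
    data = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    return ",".join("%02x" % b for b in data)


def parse_reg_multi_sz(reg_text):
    """Return {(key_path, value_name): [strings]} for every hex(7) value in the export."""
    result, key, name, chunks = {}, None, None, []
    for line in reg_text.splitlines():
        s = line.strip()
        if name is None:
            if s.startswith("[") and s.endswith("]"):
                key = s[1:-1]
                continue
            m = VALUE_RE.match(s)
            if not m:
                continue                      # not a REG_MULTI_SZ value
            name, s = m.group(1), m.group(2)
        chunks.append(s.rstrip("\\"))
        if not s.endswith("\\"):              # no continuation line follows
            result[(key, name)] = decode_multi_sz(hex_to_bytes("".join(chunks)))
            name, chunks = None, []
    return result


def find_blank_gateway_entries(values):
    """Return (interface GUID, gateway list) for every DefaultGateway holding an empty string."""
    return [(key.rsplit("\\", 1)[-1], strings)
            for (key, name), strings in values.items()
            if name.lower() == "defaultgateway" and "" in strings]


def corrected_gateway_hex(strings):
    """The value as it should be exported once the blank entry is removed."""
    return encode_multi_sz([s for s in strings if s != ""])


if __name__ == "__main__":
    for guid, gateways in find_blank_gateway_entries(parse_reg_multi_sz(REG_SAMPLE)):
        print("%s has a blank DefaultGateway entry: %r" % (guid, gateways))
        print('  fixed: "DefaultGateway"=hex(7):' + corrected_gateway_hex(gateways))
```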


1 November 2010 - Mickyj.com



ODBC drivers in Server 2008
I can't find the tools I need
Keywords: ODBC, Windows, Server, 64 bit Microsoft

Under Control Panel -> Administrative Tools -> Data Sources (ODBC), I could only find the following two drivers listed:

SQL Native Client
SQL Server

This is because the 64-bit version of the ODBC Data Source Administrator only lists 64-bit drivers. To view the 32-bit ODBC drivers, run C:\Windows\SysWOW64\odbcad32.exe instead.
Other things to note:
Use the 32-bit ODBC Data Source Administrator to create a System DSN with the appropriate name, password and file.
Make sure the permissions on the database folder and file include Modify permissions for the IUSR and LOCAL SERVICE accounts.


26 October 2010 - Mickyj.com



There was an error locating one of the items needed to complete this operation. It might have been deleted.
Outlook is misbehaving
Keywords: Outlook, MAPI, Microsoft

This error was encountered and can be reproduced with the following:
Downgrade Microsoft Office / Outlook 2007 to Office / Outlook 2003.
Connect to an Exchange server.
Operating system: Windows XP Professional.

When creating a new profile, an error message (the one in this post's title) pops up as soon as the OK button is pressed.
The profile is created even with the error message appearing, and when trying to add a new account for Exchange the same error pops up.

Solution:
Delete or rename the file Mapisvc.inf in the \Windows\System32 folder.
Delete or rename the file Mapisvc.inf in the \Program Files\Common Files\System\MSMAPI\1033 folder (thanks to Raven Maddox for the correction from my earlier article, which gave \Program Files\Common Files\MSMAPI\1033).
Create a new profile again; setup will re-install that file. The new profile can be created and Outlook can connect to Exchange.



15 October 2010 - Mickyj.com



What's my SID ?
Can I be found ?
Keywords: SID, Registry, Microsoft

When I go to HKEY_USERS in WinXP registry, I don't get the real usernames, just the number e.g. S-1-5-18 etc. Is there a way to tell which ID goes with which user account?

Since Windows XP is the next evolution of Windows NT/2000, that is the way user information is stored: by SID. You can find out which user is being referred to by looking at the "Logon User Name" value at [HKEY_USERS\S-1-5...\Software\Microsoft\Windows\CurrentVersion\Explorer]

Now I can get back to writing my wscript host code that uses user names :)


2 October 2010 - Mickyj.com



iPhone followup
Following up again
Keywords: iPhone, PIM, exploit

The report from Telstra was very interesting.

A phone was found to be dialling phone numbers that included additional hash characters and numbers on the end of the dialled number. It seems that this phone was used to forward on the Flash SMSs with the sensitive information.

The solution from here, was to update the phones to OS 4.01 and hope that Apple have patched the hole.


1 September 2010 - Mickyj.com



iPhone information
Following up
Keywords: iPhone, PIM, exploit

As per the blog of 9th August 2010. After checking servers with Microsoft, Trend Micro and Symantec, no hack or malicious software was found. Calling Apple led nowhere (they did not want to know about it). I found an increasing number of people on the internet would reply to my forum posts about this, but no one had answers. A few contacts on Facebook had the same issue; however, no one wanted to have the Australian Federal Police look their phones over.

These attacks lasted 1 week.

The Australian Federal Police found no evidence on the phones that were attacked however requested further data from Telstra (The Telco).


29 August 2010 - Mickyj.com



iPhone's getting hacked ?
Downloaded PIM data... 100% nice day you have
Keywords: iPhone, PIM, exploit

Today I have seen a large number of iPhones with variations of the below message

It would appear that they have been hacked. I have called Telstra and Apple and logged support calls.

It seems I was the first to report this so ... I have nothing to google to help solve it :)
The phones involved are not jailbroken, nor do they have suspicious apps on them.

Basically the phone appears to get an SMS (the SMS tone sounds). The message pops up "Downloaded PIM data... 30%"; this then jumps to "Downloaded PIM data... 100% nice day you have". The words *exxpploit* or *exxxploit* appear before the download text.

It would appear, from talking to Apple, that an SMS triggers a complete dump of the contacts, calendar and email to the 3G network.

Some of the phones I saw with this were on Exchange servers so client contacts from Outlook are now being sucked off the phones.

At the moment, I have no idea how to stop this happening.


9 August 2010 - Mickyj.com



Dell = Malware ?
Dell are shipping hardware Malware ?
Keywords: Dell, Firmware, Malware, w32.spybot.worm

"The worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware," Hmmm What's this all about ?

Dell made the world aware of an issue and has contacted affected customers. The issue affects a limited number of replacement motherboards in four servers - PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 - and only potentially manifests itself when a customer has a specific configuration and is not running current antivirus software. This issue does not affect systems as shipped from the Dell factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

For more information and a link to the original Forum post check out this link.


23 July 2010 - Mickyj.com



SBS 7
Time marches on ... Welcome SBS 7
Keywords: SBS, Cloud, Aurora, BPOS, Vail

SBS 7 is not far away. Do you want to know more or join the Beta? Curious about the tags for this blog?
Take a look at this page



21 July 2010 - Mickyj.com


 

View Previous posts before July 15th 2010

This page was written and designed by Michael Jenkin 2011 © (Best viewed at 1024 x 768)