Friday, September 26, 2014

Rundll Javascript, Dllhost, 100% CPU Usage

If you put the above keywords into a web search recently, you may be infected with Poweliks. To use a technical term, it is a booger. I had cleaned up a customer's laptop, but it was still behaving strangely. When I opened Task Manager there were 20+ instances of dllhost.exe and the CPU was pegged at 100%. I then opened Process Explorer to have a closer look. I noticed that shortly after I killed the dllhost processes, rundll would call PowerShell and then the dllhosts would start back up. I searched in vain for several hours trying to figure out what was going on; some said iconcache.db, others said run CHKDSK. I even went so far as uninstalling PowerShell, and the infection was able to download the PowerShell standalone update and prompt me to install it again. Finally I ran FRST and removed a couple of things; one was flagged Poweliks. Usually FRST removes or fixes anything you tell it to, but this time it gave an error on the registry key that was flagged. I did some reading up on Poweliks and found that it hides in a registry key with a non-ASCII name. This makes it difficult to remove, as the built-in registry editor is incapable of reading, deleting, or even viewing such keys. Luckily there is a tool that removes this infection, RogueKiller. I have used this tool in the past, but it had fallen out of my everyday use. When I ran it, it found the recalcitrant registry key and flagged it as Poweliks; unlike FRST, it uses some other method to delete registry keys, and I was rid of the infection.
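The hiding trick described in the post is a registry name containing characters that the built-in registry editor cannot display. Here is an added check for exactly that, written for this page and not the author's tooling (nor how FRST or RogueKiller do it): it walks the standard Run keys and reports any value name or subkey name with a character outside printable ASCII. Which keys to cover and the sample names are assumptions; the registry walk itself needs Windows, while the name check runs on any platform.

```python
"""Flag autorun registry entries whose names contain characters outside
printable ASCII, the hiding trick the post describes.  Added example, not
the blog author's tooling and not how FRST or RogueKiller work.  The
registry walk needs Windows (winreg); the name check runs anywhere and is
exercised below on constructed sample names."""
import sys

# Real autorun key paths; covering only these two is this example's assumption.
AUTORUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def suspicious_chars(name):
    """Characters in name outside printable ASCII (0x20-0x7E): NUL and other
    control bytes, plus any non-ASCII code point."""
    return [ch for ch in name if not 0x20 <= ord(ch) <= 0x7E]


def is_suspicious(name):
    return bool(suspicious_chars(name))


def escape_name(name):
    """Render a name so hidden characters become visible in a report."""
    return name.encode("unicode_escape").decode("ascii")


def find_suspicious(names):
    """Escaped form of every suspicious name in names, in the original order."""
    return [escape_name(n) for n in names if is_suspicious(n)]


def scan_windows_autoruns():
    """Walk the autorun keys and return (hive, path, escaped_name, data) for
    each value name or subkey name regedit could not show cleanly.
    Requires Windows; winreg signals the end of an enumeration with OSError."""
    import winreg  # Windows-only module, so imported lazily
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    findings = []
    for hive_name, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], path)
        except OSError:
            continue  # key absent or not readable from this account
        with key:
            index = 0
            while True:  # value names
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                if is_suspicious(name):
                    findings.append((hive_name, path, escape_name(name), data))
                index += 1
            index = 0
            while True:  # subkey names
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break
                if is_suspicious(sub):
                    findings.append((hive_name, path, escape_name(sub), None))
                index += 1
    return findings


# Constructed sample names: an ordinary entry, one with a leading NUL, one
# with a zero-width space, and one with a non-ASCII letter.
SAMPLE_NAMES = ["ExampleApp", "\x00Default", "Update\u200b", "Updat\u00f6r"]

if __name__ == "__main__":
    if sys.platform == "win32":
        for hit in scan_windows_autoruns():
            print(hit)
    else:
        print(find_suspicious(SAMPLE_NAMES))
```

On a Windows machine the script prints one tuple per suspicious entry, with the name escaped so that a NUL or a zero-width character is visible rather than silently swallowed by the console; on other platforms it only demonstrates the name check on the constructed samples.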

Tuesday, May 6, 2014

Smart Phone Security

I have seen several stories like this in the past couple of weeks. Almost all smart phones are fairly secure by default. As long as you only use the built-in store to install apps, you can be 99% certain that the apps are safe. If you have an iPhone you can't install apps any other way, unless it's jailbroken, but if that is the case you know how to take care of yourself. On Android, however, there is an option that allows an app from any source to be installed if the user elects to do so. On almost all Android phones this box is unchecked by default. To double check this for yourself, go to Settings and tap Security. If the box next to "Unknown sources" is unchecked, you are good. Even with this safeguard, though, there is no guarantee that some jerk won't find a way around it. When using a smart phone or tablet, if you are prompted to install an app and you are unsure, hit Back or Home and get out of there.


Saturday, January 4, 2014

Freepbx database error after power outage

We have FreePBX for our phone system and it works great. The other day there was a power outage, and when the FreePBX system came back up the web UI was complaining about not having a database. When I SSHed into the system and checked, MySQL was not running. I tried to start it and it complained that the socket was already in use. After some googling, it seemed the simplest fix and the first to try was to rename /var/lib/mysql/mysql.sock. Just to be sure, I stopped MySQL and then renamed the file. After starting MySQL everything was working again. Luckily this was an easy one, but if it had turned out badly I could have fallen back on the backups I created.

Example commands used for Red Hat-based systems:
# service mysqld stop
# mv /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock.old
# service mysqld start
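The "socket already in use" error after a hard power-off is usually a leftover socket file with no server behind it. Before renaming the file, it is worth confirming that nothing is actually listening on it, since a live socket means a mysqld is still running. The following Python check is an added example written for this page, not FreePBX's or MySQL's own tooling; it uses the socket path from the post, and everything else (the function names, the throwaway demo socket) is an assumption. It classifies the socket as missing, live or stale, and only performs the post's rename on a stale one.

```python
"""Classify a MySQL Unix socket file as missing, live or stale before renaming
it, so the rename only happens when nothing is listening.  Added example, not
FreePBX's or MySQL's own tooling; the socket path is the one from the post,
everything else is an assumption."""
import os
import socket
import stat
import tempfile

MYSQL_SOCK = "/var/lib/mysql/mysql.sock"  # path from the post


def socket_state(path):
    """Return 'missing', 'not-a-socket', 'live' or 'stale'.

    'stale' means the file exists as a socket but connect() is refused: the
    mysqld that created it is gone (for example after a power cut).  Other
    errors, such as a permission problem, are raised rather than guessed at."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.connect(path)
    except ConnectionRefusedError:
        return "stale"
    finally:
        client.close()
    return "live"


def retire_if_stale(path):
    """Rename a stale socket to path + '.old' (the post's fix) and return the
    new name; leave live, missing or non-socket files alone and return None."""
    if socket_state(path) != "stale":
        return None
    old = path + ".old"
    os.rename(path, old)
    return old


def demonstrate(directory=None):
    """Walk through the states with a throwaway socket (constructed, not a
    real mysqld) and return the sequence observed."""
    if directory is None:
        directory = tempfile.mkdtemp()
    path = os.path.join(directory, "demo.sock")
    seen = [socket_state(path)]                            # missing
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    seen.append(socket_state(path))                        # live
    server.close()                                         # file outlives server
    seen.append(socket_state(path))                        # stale
    seen.append(os.path.basename(retire_if_stale(path)))   # demo.sock.old
    seen.append(socket_state(path))                        # missing again
    return seen


if __name__ == "__main__":
    print(demonstrate())
    print(MYSQL_SOCK, socket_state(MYSQL_SOCK))
```

Run as root on the PBX host, the last line reports the real socket's state; a "stale" result is the situation the post describes, and `retire_if_stale(MYSQL_SOCK)` then does the same rename as the `mv` above, after which `service mysqld start` recreates the socket. A "live" result means a server is still running and the socket should not be touched.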

