Scott Hanselman

Router redirecting to unwanted Adobe Flash update malware site - Moon Virus?

May 29, '15 Comments [35] Posted in Tools
Sponsored By

Bear with me, for now this will be a tiny post, a placeholder, but I am looking for feedback, ideas, comments and I will keep this post updated.

The scenario: My local sandwich shop where I often hang out and work remotely has a wireless router that started to redirect me to a fake "update your flash" page and to download a "Install flashplayer_10924_i13445851_il345.exe" malware file. There are no viruses, rootkits, or malware on my PC. This affects their PoS (Point of Sale) system, tablets, iPhones. Also, it's not a DNS hijack, as the URL of the HTTP request doesn't change. It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML. The requestor doesn't know the difference.

The router he has is a V1000W Wireless N VDSL Modem Router. I'm suspecting the "Moon" virus but I'm not sure, as this isn't a Linksys. The firmware is ancient from 2009 and that's the latest one I can find.

Before you reply:

  • I'm technical, but the public is often not. Comments like "run openwrt" are certainly valid for a techie, but I'd like to know something more populist:
    • Can this router (and others like it) be fixed? Or is this bricked? Can I flash it with the original firmware to restore?
    • Remote management isn't enabled. What port did the attack happen on?
    • How can I confirm it has it (all signs point to it) with some curl command?
  • What routers have this? What is the source?
  • What can a regular Jane/Joe do about this if they have Frontier/FiOS/CenturyLink, etc?

Thoughts?
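One way to answer the "confirm it with some curl command" question above is to turn the symptom into a repeatable check: fetch the same URL many times, hash every body, and flag any response that differs from the rest or carries the fake-Flash markers. The script below is an added example written for this post, not the author's code; the sample responses are constructed, and the marker patterns are taken from the filename and page text described above.

```python
"""Spot intermittently injected HTTP responses from an upstream router.

Most GETs for a URL return the genuine page, but every so often the router
answers with its own HTML pushing a fake Flash update. Fetching the same URL
repeatedly, hashing each body and flagging the outliers (or any body that
carries the tell-tale markers) makes that a repeatable check.
"""
import hashlib
import re
import urllib.request
from collections import Counter

# Markers taken from the post: a fake "update your flash" page that offers a
# flashplayer_*.exe download. Extend as needed.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"flashplayer_[\w-]*\.exe", re.IGNORECASE),
    re.compile(rb"update\s+your\s+flash", re.IGNORECASE),
]


def body_hash(body):
    """SHA-256 of a response body, hex encoded."""
    return hashlib.sha256(body).hexdigest()


def classify_responses(bodies, expected_hash=None):
    """Return (baseline_hash, findings).

    baseline_hash is expected_hash when given (a hash taken over a connection
    you trust), otherwise the most common body hash in the sample. findings is
    a list of (index, reason) for every body that deviates from the baseline
    or contains a suspicious marker.
    """
    hashes = [body_hash(b) for b in bodies]
    baseline = expected_hash or Counter(hashes).most_common(1)[0][0]
    findings = []
    for i, (body, h) in enumerate(zip(bodies, hashes)):
        reasons = []
        if h != baseline:
            reasons.append("body differs from baseline (sha256 %s...)" % h[:12])
        for pat in SUSPICIOUS_PATTERNS:
            match = pat.search(body)
            if match:
                reasons.append("contains %r" % match.group(0).decode("ascii", "replace"))
        if reasons:
            findings.append((i, "; ".join(reasons)))
    return baseline, findings


def fetch_bodies(url, count, timeout=10):
    """Fetch url `count` times over plain HTTP and return the raw bodies.

    No-cache headers keep each request going to the origin. The post says the
    injection shows up only every few hundred requests, so count should be in
    the hundreds. Prefer a small static resource (robots.txt, a favicon) so
    legitimate page changes do not masquerade as injections.
    """
    bodies = []
    for _ in range(count):
        req = urllib.request.Request(url, headers={"Cache-Control": "no-cache",
                                                   "Pragma": "no-cache"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read())
    return bodies


# Constructed sample: genuine responses with one injected body in the middle,
# so the check can be exercised offline.
GENUINE = b"<html><head><title>Example</title></head><body>hello</body></html>"
INJECTED = (b"<html><body>Please update your Flash Player now: "
            b'<a href="Install flashplayer_10924_i13445851_il345.exe">install</a>'
            b"</body></html>")
SAMPLE_BODIES = [GENUINE] * 5 + [INJECTED] + [GENUINE] * 2


if __name__ == "__main__":
    # On a live link replace SAMPLE_BODIES with fetch_bodies("http://<site>/robots.txt", 500).
    baseline, findings = classify_responses(SAMPLE_BODIES)
    print("baseline sha256:", baseline)
    for index, reason in findings:
        print("response %d: %s" % (index, reason))
```

The curl equivalent of the hashing half is a loop such as `for i in $(seq 500); do curl -s http://<site>/robots.txt | sha256sum; done | sort | uniq -c`: one hash with a count in the hundreds is the real file, and any second hash is a response worth saving and reading. Comparing against a hash taken over a connection you trust (the `expected_hash` argument) is more reliable than majority vote when the injection rate is high.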

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

Syncing Windows Live Writer Drafts to the Cloud (Dropbox) and other bug fixes

May 21, '15 Comments [28] Posted in Tools

I still use Windows Live Writer (http://www.windowslivewriter.com) to post to this blog. It remains the best little blogging app out there. It has a nice plugin ecosystem, great WYSIWYG editor (using IE) even though it hasn't been updated since 2012. A bunch of us are working to get it open sourced, and I'll let you know the second I know something.

But for now, let me fix two things about Windows Live Writer that have been bugging me.

Clearing Cached Blog Themes

First, a small bug. My HTML Styles look like this, and have for a while. See how the background is black? Annoying. I always assumed it was a GDI or graphics bug. In exploring the Windows Live Writer code I learned a few things.

Windows Live Writer with black styles

It turns out that Windows Live Writer is trying to render your styles by using your downloaded blog theme's CSS inside those little boxes! My blog (and others, I've heard) doesn't render nicely.

The downloaded theme is stored in %AppData%\Windows Live Writer\blogtemplates and you can easily fix this annoyance by simply deleting the folders below blogtemplates.

Using the Default Windows Live Writer Theme

Ah, much nicer.

Syncing your Windows Live Writer Drafts with OneDrive or Dropbox

I've seen some blog posts with folks suggesting junction or reparse points (symbolic links) to hack together a way to "roam your draft blog posts" with Windows Live Writer. It's much easier than that, in fact. You can just set a registry key with your preferred Drafts folder. I put mine in my Dropbox, but you could also use OneDrive or Box. This means your local draft blog posts will "roam" to all your machines. If you're someone who works on a blog post for a few days you'll appreciate this new ability. You can start a post at work and finish it at home. Even the images will roam.

Head over to HKCU\SOFTWARE\Microsoft\Windows Live\Writer in your registry (via Regedit.exe) and make a new String Value called "Posts Directory".


Windows Live Writer will make new Drafts and Recent Posts folders in the location you specify. I set this registry key on all my machines that I have Dropbox installed and now all my blog post drafts are there too!

I hope this helps you out! And I'll be sure to let you know about our plans with Windows Live Writer as soon as I know more. ;)


Sponsor: Big thanks to Atalasoft for sponsoring the blog and feed this week! If your company works with documents, definitely check out Atalasoft's developer tools for web & mobile viewing, capture, and transformation. They've got free trials and a remarkable support team, too.


The Mysterious Case of the Rogue Roaming Browser History - Removing OneView Internet Login

May 16, '15 Comments [11] Posted in Tools

I like a good mystery and I hope you do, too. I'll give you two versions. First, the TL;DR version so you can just fix it, and then the maddening technical details.

See how it flashes OneView Internet Login in the title for a moment?

TL;DR - Why does my Internet Explorer say OneView Internet Login?

If you go googling for "OneView Internet Login" google will suggest things like "...remove." You'll find Yahoo Answers where folks are thinking they have a toolbar installed or a virus because when they launch Internet Explorer they see a flash of OneView Internet Login in the title bar.

To remove it, go to the Star in Internet Explorer's toolbar and click History, then By Site. Find "One View Internet Login," right click and delete that history record.

Note here in this screenshot that the site is http://google.com but the Title is OneView Internet Login. Delete that.

NOTE: If your home page is not google, then find your IE home page by Site, and delete the entry with the wrong title. Or, go nuclear and clear all history.

Delete it from your history

CSI: My Computer - Why does OneView Internet Login show up on all my computers? What is it and why won't it go away?

A year ago or so I stayed at a Hyatt Hotel. Hotels like the Hyatt often use "Captive Portals" when getting you on their internet. A captive portal "captures" your browser's traffic so no matter what site you asked for you'll get their login screen. So you get on their wi-fi, you type googlebing and they redirect you to GlobalSuite.net or whatever to sign up. Only then does your traffic go through.

If you visit a hotel like this and hit it with IE for the first time with a fresh cache (nothing in your history, or you've recently cleared your history), the record that gets saved in the browser database will carry the URL of the site you asked for but the title of the hotel's captive portal. Weird? Just wait.

I noticed that my laptop would flash OneView Internet in the title (see the animated gif above) when opening my home page for the first time. Every once in a while I'd go looking for it, search the registry, do a hard-drive-wide grep or findstr but then I'd give up.

Later, though, my desktop at home started showing OneView Internet Login in the title bar on startup. To be clear, that's my desktop computer that hasn't left my house.

Roaming, my friends. All browsers roam things now. They roam passwords, history, bunches of stuff. This record, this cache, this tab, this something was getting roamed to all 5 of my machines. Now every time I open a browser on any machine I own I get a little gentle reminder of how hotel wi-fi sucks and how the GlobalSuite OneView Internet Login Captive Portal is sending a 301 or lousy headers or something dumb. Next time I stay there I'll do a Fiddler trace and prove it. Until then I wanted to find out where this was being stored on my hard drive.

Where is IE History stored? It's stored in a database using a technique called Extensible Storage Engine or ESE. In fact, Windows has shipped this database tech for over 13 years. You can even use it in your apps as a free and fast local database, but no one knows it exists. Over at NirSoft there are a host of wonderful utilities (they are saints, truly, give them money) and one of them is the ESEDatabaseView.

Run ESEDatabaseView and go File | Open IE10 Locked Database (even though you may be using IE11) and you'll be into the depths.

NirSoft's ESEDatabaseView

In a table called Container one I found a bunch of history entries:

The offending Entry

There's my first tab, my home page, but I didn't find "OneView Internet Login" or even the word OneView. I searched the whole database, every table.

I was stuck here for a while.

Then I noticed way off to the right (like I literally had to scroll off to the right) there was a column called ResponseHeaders with a bunch of HEX.

20 01 00 00 1C 01 00 00 31 53 50 53 A1 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
11 00 00 00 17 00 00 00 00 13 00 00 00 00 00 00 00 41 00 00 00 10 00 00 00 00 1F 00
00 00 17 00 00 00 4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00
65 00 72 00 6E 00 65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00 00 00 00 00 15 00
00 00 18 00 00 00 00 40 00 00 00 40 E8 3E C4 96 8E D0 01 11 00 00 00 0D 00 00 00 00
13 00 00 00 00 00 00 00 11 00 00 00 09 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00
00 22 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00 00 06 00 00 00 00 13 00 00 00 0A
00 00 00 55 00 00 00 15 00 00 00 00 1F 00 00 00 22 00 00 00 68 00 74 00 74 00 70 00
3A 00 2F 00 2F 00 77 00 77 00 77 00 2E 00 67 00 6F 00 6F 00 67 00 6C 00 65 00 2E 00
63 00 6F 00 6D 00 2F 00 66 00 61 00 76 00 69 00 63 00 6F 00 6E 00 2E 00 69 00 63 00
6F 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 D8 00 00 00 31 53 50 53 A1 14 02 00
00 00 00 00 C0 00 00 00 00 00 00 46 11 00 00 00 20 00 00 00 00 03 00 00 00 00 00 00
00 11 00 00 00 14 00 00 00 00 03 00 00 00 01 00 00 00 15 00 00 00 28 00 00 00 00 40
00 00 00 70 0D 51 33 D8 6C D0 01 11 00 00 00 21 00 00 00 00 13 00 00 00 00 00 00 00
3D 00 00 00 1D 00 00 00 00 42 00 00 00 1E 00 00 00 70 00 72 00 6F 00 70 00 34 00 32
00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 00 00 00 00 08 00 00 00 EB 03 00
00 00 00 00 00 15 00 00 00 1E 00 00 00 00 40 00 00 00 3C DC B8 DF 12 6D D0 01 11 00
00 00 1C 00 00 00 00 03 00 00 00 00 00 00 00 11 00 00 00 27 00 00 00 00 13 00 00 00
01 00 00 00 00 00 00 00 00 00 00 00           

First thing I noticed (I assume you do also) is all the zeros. They're mostly unused bytes, as they would be if this is UTF-16. But I really look for HEX that I know. That means CR, LF, and Space, so 0D, 0A, and 20.

See that there?

4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00 65 00 72 00 6E 00
65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00 00 00 00 00 15 00 00 00 18

That's One View Internet Login. I converted from Hex to ASCII/UTF16. There's lots of online Hex to String converters where you can just paste this into a text box. I can also put the string above into a PowerShell string and convert it like this:

$HEXDATA = "4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00 65 00 72 00 6E 00 65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00"
$HEXDATA.Split(" ") | FOREACH { WRITE-HOST -Object ([CHAR][BYTE]([CONVERT]::ToInt16($_, 16))) -NoNewline }

There it is, OneView Internet Login. The title of the portal was cached along with the original URL (google.com) and the location to the favicon. When IE hits the page it shows what it has and then corrects it as soon as it gets the current title.
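The one-liner turns each hex byte into a character, which is enough to spot the title. The column is more than a string, though: its layout (a "1SPS" signature after a length, a 16-byte GUID, then values that each start with their own byte size) is that of a Windows serialized property store, the format documented as [MS-PROPSTORE]. The parser below is an added example for this post, not the author's code or a Microsoft tool. It decodes the dump above, naming the properties it recognizes; the GUID and the PID_INTSITE_* names are the FMTID_InternetSite constants from the Windows SDK, the 4-byte length wrapped around each storage is my reading of this particular dump, and anything of a type the parser does not know is kept as raw bytes rather than guessed at.

```python
"""Decode the ResponseHeaders column dumped above as a serialized property store."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# The hex exactly as shown in the ESEDatabaseView column above (line-wrapped).
RESPONSE_HEADERS_HEX = """
20 01 00 00 1C 01 00 00 31 53 50 53 A1 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
11 00 00 00 17 00 00 00 00 13 00 00 00 00 00 00 00 41 00 00 00 10 00 00 00 00 1F 00
00 00 17 00 00 00 4F 00 6E 00 65 00 56 00 69 00 65 00 77 00 20 00 49 00 6E 00 74 00
65 00 72 00 6E 00 65 00 74 00 20 00 4C 00 6F 00 67 00 69 00 6E 00 00 00 00 00 15 00
00 00 18 00 00 00 00 40 00 00 00 40 E8 3E C4 96 8E D0 01 11 00 00 00 0D 00 00 00 00
13 00 00 00 00 00 00 00 11 00 00 00 09 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00
00 22 00 00 00 00 13 00 00 00 00 00 00 00 11 00 00 00 06 00 00 00 00 13 00 00 00 0A
00 00 00 55 00 00 00 15 00 00 00 00 1F 00 00 00 22 00 00 00 68 00 74 00 74 00 70 00
3A 00 2F 00 2F 00 77 00 77 00 77 00 2E 00 67 00 6F 00 6F 00 67 00 6C 00 65 00 2E 00
63 00 6F 00 6D 00 2F 00 66 00 61 00 76 00 69 00 63 00 6F 00 6E 00 2E 00 69 00 63 00
6F 00 00 00 00 00 00 00 00 00 00 00 DC 00 00 00 D8 00 00 00 31 53 50 53 A1 14 02 00
00 00 00 00 C0 00 00 00 00 00 00 46 11 00 00 00 20 00 00 00 00 03 00 00 00 00 00 00
00 11 00 00 00 14 00 00 00 00 03 00 00 00 01 00 00 00 15 00 00 00 28 00 00 00 00 40
00 00 00 70 0D 51 33 D8 6C D0 01 11 00 00 00 21 00 00 00 00 13 00 00 00 00 00 00 00
3D 00 00 00 1D 00 00 00 00 42 00 00 00 1E 00 00 00 70 00 72 00 6F 00 70 00 34 00 32
00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 00 00 00 00 08 00 00 00 EB 03 00
00 00 00 00 00 15 00 00 00 1E 00 00 00 00 40 00 00 00 3C DC B8 DF 12 6D D0 01 11 00
00 00 1C 00 00 00 00 03 00 00 00 00 00 00 00 11 00 00 00 27 00 00 00 00 13 00 00 00
01 00 00 00 00 00 00 00 00 00 00 00
"""

VT_I4, VT_UI4, VT_LPWSTR, VT_FILETIME = 0x03, 0x13, 0x1F, 0x40
STORAGE_SIGNATURE = b"1SPS"  # version field of a serialized property storage
# FMTID_InternetSite and a few PID_INTSITE_* ids from the Windows SDK (shlobj.h).
FMTID_INTERNET_SITE = uuid.UUID("000214A1-0000-0000-C000-000000000046")
PID_INTSITE_NAMES = {6: "VISITCOUNT", 15: "URL", 16: "TITLE", 21: "ICONFILE"}


def hex_dump_to_bytes(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def decode_typed_value(buf):
    """Decode a TypedPropertyValue: 2-byte VT type, 2 bytes padding, payload."""
    vt = struct.unpack_from("<H", buf, 0)[0]
    payload = buf[4:]
    if vt == VT_I4:
        return struct.unpack_from("<i", payload, 0)[0]
    if vt == VT_UI4:
        return struct.unpack_from("<I", payload, 0)[0]
    if vt == VT_LPWSTR:  # 4-byte char count, then UTF-16LE including the NUL
        nchars = struct.unpack_from("<I", payload, 0)[0]
        return payload[4:4 + 2 * nchars].decode("utf-16-le").rstrip("\0")
    if vt == VT_FILETIME:
        return filetime_to_datetime(struct.unpack_from("<Q", payload, 0)[0])
    return ("vt_0x%02X" % vt, bytes(payload))  # unknown type: keep the raw bytes


def parse_storage(blob, pos):
    """Parse one "1SPS" storage starting at pos; return (end, fmtid, {pid: value})."""
    size = struct.unpack_from("<I", blob, pos)[0]  # size includes this field
    if blob[pos + 4:pos + 8] != STORAGE_SIGNATURE:
        raise ValueError("no 1SPS signature at offset %d" % pos)
    fmtid = uuid.UUID(bytes_le=bytes(blob[pos + 8:pos + 24]))
    props, p, end = {}, pos + 24, pos + size
    while p + 4 <= end:
        vsize = struct.unpack_from("<I", blob, p)[0]
        if vsize == 0:  # terminator of the value list
            break
        pid = struct.unpack_from("<I", blob, p + 4)[0]
        props[pid] = decode_typed_value(blob[p + 9:p + vsize])  # byte p+8 is reserved
        p += vsize  # each value carries its own size, so unknown types are skipped safely
    return end, fmtid, props


def parse_property_store(blob):
    """Walk the blob and return [(fmtid, props), ...] for every storage found."""
    storages, pos = [], 0
    while pos + 8 <= len(blob):
        if blob[pos + 4:pos + 8] == STORAGE_SIGNATURE:
            pos, fmtid, props = parse_storage(blob, pos)
            storages.append((fmtid, props))
        else:
            pos += 4  # outer length prefix or a zero terminator (as seen in this dump)
    return storages


def describe(storages):
    """Human-readable lines, naming the InternetSite properties we know."""
    lines = []
    for fmtid, props in storages:
        lines.append("storage %s" % fmtid)
        for pid, value in sorted(props.items()):
            name = PID_INTSITE_NAMES.get(pid, "") if fmtid == FMTID_INTERNET_SITE else ""
            lines.append("  %3d %-10s %r" % (pid, name, value))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_property_store(hex_dump_to_bytes(RESPONSE_HEADERS_HEX)))))
```

Run as is, it prints two storages tagged with the InternetSite GUID: the first holds property 16 (TITLE) "OneView Internet Login", property 21 (ICONFILE) "http://www.google.com/favicon.ico", a visit count of 10 and a FILETIME from May 2015; the second holds a handful of integers, two more timestamps and one value of a type the parser leaves as raw bytes. That is the cached portal title sitting in the record alongside the google.com favicon, exactly as described above.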


What's not clear to me is why this never expired. This title sat around for a year, at least. Maybe an IE engineer will read this and answer in the comments. If they do I will update the post with their answer.

The Good News is that if you delete the history record manually as seen at the very top of this post, that delete will roam and automatically fix this issue on all your machines (to be clear, all those that are logged in with the same Microsoft Account and roaming your browser data).

Remember, Dear Reader, the Internet (and your computer and its operating system) is not a black box. Look inside.


Sponsor: Big thanks to the folks over at Grape City for sponsoring the feed this week. GrapeCity provides amazing development tools to enhance and extend application functionality. Whether it is .NET, HTML5/JavaScript, Reporting or Spreadsheets, they’ve got you covered. Download your free trial of ComponentOne Studio, ActiveReports, Spread and Wijmo.


How to set a Network to a "Private Network" in Windows 8.1

May 15, '15 Comments [13] Posted in Tools | Win8

A while back Windows introduced this concept of public networks and private networks. Basically it comes down to a question of "do I mostly trust this network?" However, it's never been totally obvious how to change this back and forth. There's lots of posts on the internet explaining how, but most are pretty complex with a lot of steps.

The most common reason to want Windows to treat the current network as a Private Network is so you can have someone connect to your machine, either share files over SMB, or connect via Remote Desktop (RDP). I hit this issue probably once a month where I can't figure out why I can't see this machine over Remote Desktop, and it's because it thinks I'm on a Public Network.

One technique is to go to Network within Windows Explorer and try to get this yellow bar to show up.

Network Discovery and file Sharing are turned off. Network Computers and devices are not visible.

Clicking on it will give you a choice that isn't clear to Non-Technical Family Member.

Do you want to turn on Network discovery and file sharing for all public networks? NO

No is the right answer, always. But this is a bad dialog because it looks like a Sophie's Choice.

You WANT to treat THIS NETWORK - the one you are on - as a Private Network. Select No.

A better, clearer way to change a Network to Private Network

  • Press the Windows Key + W to search Settings.
  • Type "Network Connections" and Press Enter

Windows 8.1 Network Connections

  • Click on your Network
  • Turn "Find PCs and Content" to ON. This Network is now a Private Network.

Find Devices and Content

Don't believe me? Bring it up side by side with the Classic Network Center and watch it switch back and forth in real-time!

Switching a Network Private in Windows 8
Switching a Network Public in Windows 8

I hope this helps you out as much as it did me!


Sponsor: Big thanks to the folks over at Grape City for sponsoring the feed this week. GrapeCity provides amazing development tools to enhance and extend application functionality. Whether it is .NET, HTML5/JavaScript, Reporting or Spreadsheets, they’ve got you covered. Download your free trial of ComponentOne Studio, ActiveReports, Spread and Wijmo.


Quake Mode Console for Visual Studio - Open a Command Prompt with a hotkey

January 21, '15 Comments [45] Posted in Tools | VS2012 | VS2013 | VS2015

Back in March of 2013 when Phil Haack was deep into GitHub for Windows development we were going back and forth in email about how to quickly get into a shell from a specific project. I hate always having to paste in a "CD somedirectory" so I usually use some kind of "Command Prompt Here" right click menu.

TIP: A lot of people don't realize that you can Shift-Right-Click on a folder in Windows Explorer and you'll automatically get a "Command Prompt Here" menu item!

Anyway, Phil and I were emailing and he said (remember that GitHub for Windows (GHfW) was in development)...and I've always loved how the Quake console pops up when you press ~ in Quake.

I feel ashamed I didn't know this, but I just discovered that CTRL+ALT+D brings up the shell when in GHfW. We are considering ways to make our keyboard shortcuts more discoverable. Kind of like the `?` support we have on GitHub.com. We should totally make that a ~ shouldn't we? Like in Quake, Doom, etc.

And they did. When you're in GitHub for Windows just press ~ and you'll automatically get a new command prompt (or Bash Shell or PowerShell) and be dropped into the current folder's directory. It's my most favorite feature about GitHub for Windows.

I mentioned this to Mads Kristensen yesterday and said we should build this feature into Visual Studio. Rather than waiting, he just created a little single purpose extension called Open Command Line. It works in Visual Studio 2012, 2013, and 2015.

Open Command Line

But it's the hotkeys that make it awesome. Now I'm not sure how I lived without it. Alt-Space and it opens up a prompt right where I need it. Go download the Open Command Line free Visual Studio extension now, and remember, it works in Visual Studio Community which is also free! You can set it to open CMD, PowerShell, or a custom prompt.

Oh, by the way, the overlay there that shows what hotkey I'm using, that's Carnac.



Sponsor: Big thanks to the folks at Infragistics for sponsoring the feed this week! Responsive web design on any browser, any platform and any device with Infragistics jQuery/HTML5 Controls.  Get super-charged performance with the world’s fastest HTML5 Grid - Download for free now!


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.