Wednesday, 16 March 2011

Exhibitors Directory Scam

It really ticks me off to get yet another letter from Expo Guide. Basically they say they are an exhibitors directory and that you can have a free listing in their guide, but in the small print you are actually signing up to a 3-year contract costing some 1181 Euros (£1000) a year.

I cannot believe they are still going. They give you a reply envelope which goes to France, but the actual company appears to be based in Mexico. From what I have read on various websites, they threaten legal proceedings (debt collectors) and basically try to frighten you into paying up.

What I want to know is: what the hell are our government and the EU doing about these blatant scammers? I have been getting these letters for years and always rip them up. They are posted in the UK and the Royal Mail should refuse to deliver them.

Thursday, 3 March 2011

Nasty Rootkit Virus

I had a computer in with a very nasty rootkit virus recently. Identified by AVG as Trojan Win32/Zbot G and VBS Generic, I tried my usual solution, which involved using ComboFix, and that did not fix it. I found the program in the startup of the registry. Typically they tack themselves on after Userinit is called (which is where you log onto Windows) so it's always there, even in safe mode. Removed that entry, restarted and it came back. Found where the program was and tried to look at the folder in Program Files; Windows said it was empty but I still could not remove the folder.

Drastic action was required here, so I took the drive out of the PC and piggybacked it onto another system. A full virus scan found some 6000 infected files. This was due to just about every DLL and HTML file being infected, but the virus scan did not find the one I knew was there. Only by changing the owner and access rights to that folder could I find the file called yeclwdy.exe. Removed it and the folder, restarted and blow me down, it came back! Took it out again, but this time cleaning out the folder and denying all access to it; restarted, but that did not fix it, it just created another in Program Files\Common Files. Eventually I was able to find the same program in the user's Startup menu, which was why it always came back, but again this was invisible to the system even with hidden and system files turned on. It must have a hook into Explorer to hide itself from normal view.

Now happy that it had gone, I looked for other files like that yeclwdy.exe and found a load of *mgr.exe, e.g. iexploremgr.exe, so I removed those as well. I was able to reinstall those programs affected by DLL infection and give it a clean bill of health.

How did the machine become infected, you say? Well, normally the infections come from the internet, but this came on a memory stick. I put an old memory stick on the infected system and was later able to deduce that it created an autorun of itself on a memory stick (hidden, of course), so my advice is to make sure autorun is turned off for external drives.
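The post describes three places this infection lived: tacked onto the Winlogon Userinit value, hidden in the Startup folder, and spread via autorun.inf on removable drives. The script below is an added example (not from the original post) showing how to check the first two and to turn AutoRun off as the post advises. It assumes the standard registry locations for Userinit (`HKLM\...\Winlogon`) and the Explorer AutoRun policies (`NoDriveTypeAutoRun`, `NoAutorun`), default Startup folder paths on Vista or later, and an elevated PowerShell session. One caveat that follows from the post: if the rootkit is still active, its Explorer hook may hide files from PowerShell as well, so treat a clean result as inconclusive and check the drive from another system, as the author did.

```powershell
# Added example, not the post author's own procedure. Run elevated.
# Assumed locations: standard Winlogon key, Explorer policy key, default Startup folders.

$Winlogon       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$CleanUserinit  = "$env:SystemRoot\system32\userinit.exe"

function Test-Userinit {
    # A clean Userinit value is just userinit.exe followed by a comma. Malware that
    # wants to run at every logon (safe mode included) appends itself after the comma.
    $raw = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($entries.Count -eq 1 -and $entries[0] -eq $CleanUserinit) {
        Write-Output "Userinit is clean: $raw"
        return $true
    }
    Write-Warning "Userinit has unexpected entries: $raw"
    foreach ($e in $entries) {
        if ($e -ne $CleanUserinit) { Write-Warning "  extra entry: $e" }
    }
    return $false
}

function Get-StartupItems {
    # -Force lists hidden and system files, which the Explorer "show hidden files"
    # setting alone may not reveal. Covers the all-users folder and every profile.
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $folders += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Flag anything hidden or system-attributed; a normal shortcut is neither.
            $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
                      ($_.Attributes -band [IO.FileAttributes]::System)
            [PSCustomObject]@{ Path = $_.FullName; Attributes = $_.Attributes; Suspicious = [bool]$hidden }
        }
    }
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type;
    # NoAutorun = 1 stops autorun.inf from being honoured at all.
    $current = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($current -eq 0xFF) {
        Write-Output 'AutoRun already disabled for all drive types.'
        return
    }
    Write-Warning "AutoRun not fully disabled (NoDriveTypeAutoRun = $current); setting 0xFF."
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name NoAutorun -Value 1 -Type DWord
}

# Usage: check persistence points, then enforce the AutoRun policy.
$null = Test-Userinit
Get-StartupItems | Where-Object Suspicious | ForEach-Object { Write-Warning "Hidden startup item: $($_.Path)" }
Disable-AutoRun
```

The registry change takes effect for Explorer after a logoff or restart. The same two registry values can be pushed by Group Policy to every machine on a network, which is the practical answer to "make sure autorun is turned off" once more than one PC is involved.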