Weybridge Computer Services

WCS.Tony - Tue Sep 26, 2017 @ 06:53AM
Comments: 1

I keep an old XP machine as some of my customers are still on XP, and over the years I have amassed loads of little utilities and free programs.

A few weeks ago I started to notice very high Disk I/O Reads for Firefox in XP's Task Manager. At first I thought that it was "just" Firefox, but it began impacting on my PC usage and to be honest I was getting concerned about how long my old disk drive would last. After an hour or two of browsing I was seeing 16,000,000,000 I/O reads or more. Yes 16 GB or more!

  • So I uninstalled a few suspect add-ons - same problem.
  • Ran Firefox in safe mode - same problem.
  • Defragged and used FIREMIN to compact the Firefox database - seems faster but same problem.
  • Scouring several sites (#1) on the Internet came back with some changes to about:config parameters - same problem.
  • Whatever I did, Firefox would read and read and read.

So I used Sysinternals' excellent Process Monitor to look at FIREFOX.
Then I selected one of the disk / file items and went to Tools > File Summary

Sorting into Read Bytes soon showed the file that was causing all the reads.

It was the certificates file / database:
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xxxxx.Default1\cert8.db

I closed Firefox and renamed the file to cert8.db.old and opened Firefox again; a new cert8.db was created. AND my disk I/O was back to normal, after several hours browsing 413,889,378 (a bit better than before?).

Obviously if you have any certificates that you want to keep export them before changing the cert8.db name. In Firefox - to see certificates (or export them) go to Options->Advanced->Encryption->View Certificates.
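
The Process Monitor File Summary step described above can also be reproduced offline from a saved CSV export of the trace. This is an added example, not part of the original post; it assumes Procmon's default export columns and comma digit grouping in the Detail field, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample in the shape of a Process Monitor CSV export with the
# default columns; paths, PIDs and sizes are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"06:41:02.10","firefox.exe","1234","ReadFile","C:\Profiles\xxxxx.Default1\cert8.db","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"06:41:02.11","firefox.exe","1234","ReadFile","C:\Profiles\xxxxx.Default1\cert8.db","SUCCESS","Offset: 65,536, Length: 65,536, Priority: Normal"
"06:41:02.12","firefox.exe","1234","ReadFile","C:\Profiles\xxxxx.Default1\CERT8.DB","SUCCESS","Offset: 131,072, Length: 512"
"06:41:02.13","firefox.exe","1234","ReadFile","C:\Profiles\xxxxx.Default1\cert8.db","END OF FILE","Offset: 131,584, Length: 4,096"
"06:41:02.20","firefox.exe","1234","ReadFile","C:\Profiles\xxxxx.Default1\places.sqlite","SUCCESS","Offset: 0, Length: 32,768"
"06:41:02.30","firefox.exe","1234","WriteFile","C:\Profiles\xxxxx.Default1\sessionstore.js","SUCCESS","Offset: 0, Length: 4,096"
"06:41:02.40","explorer.exe","888","ReadFile","C:\WINDOWS\example.dat","SUCCESS","Offset: 0, Length: 1,024"
'''

# The byte count sits inside the free-text Detail column, with digit grouping.
LENGTH_RE = re.compile(r"Length: (\d+(?:,\d{3})*)")


def read_bytes_by_path(csv_text, process="firefox.exe"):
    """Return [(path, bytes_read, read_count)] for one process, largest first."""
    totals = {}   # lower-cased path -> [bytes, count]
    shown = {}    # lower-cased path -> first spelling seen in the trace
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only completed reads count; "END OF FILE" results returned no data.
        if row["Operation"] != "ReadFile" or row["Result"] != "SUCCESS":
            continue
        if row["Process Name"].lower() != process.lower():
            continue
        match = LENGTH_RE.search(row["Detail"])
        if match is None:
            continue
        key = row["Path"].lower()  # Windows paths are case-insensitive
        shown.setdefault(key, row["Path"])
        entry = totals.setdefault(key, [0, 0])
        entry[0] += int(match.group(1).replace(",", ""))
        entry[1] += 1
    ranked = [(shown[k], b, n) for k, (b, n) in totals.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def load_export(path):
    """Read a saved export; utf-8-sig tolerates a leading byte-order mark."""
    with open(path, newline="", encoding="utf-8-sig") as handle:
        return handle.read()


if __name__ == "__main__":
    for path, nbytes, count in read_bytes_by_path(SAMPLE_CSV):
        print(f"{nbytes:>12,} bytes in {count:>4} reads  {path}")
```
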



(#1)

Other things I found on the Internet before finding the problem with cert8:

https://www.servethehome.com/firefox-is-eating-your-ssd-here-is-how-to-fix-it/  about:config   browser.sessionstore.interval set it to 30K (it was 15K), then 300K.
Similar findings in:
https://www.reddit.com/r/firefox/comments/46qvfd/how_to_minimize_disk_writes_made_by_firefox_on/
https://www.wilderssecurity.com/.....-before-firefox-wears-down-your-ssd-drive.391018/, 
https://www.mahal.org/change-firefox-session-store-interval-to-save-your-ssd
     suggests “1500000” = 25 min.

Also changed browser.sessionstore.resume_from_crash to FALSE (it was true)
https://www.servethehome.com/firefox-is-eating-your-ssd-here-is-how-to-fix-it/

All of these reduced disk usage A BIT, but did not cure the actual problem.


WCS.Tony - Tue Sep 12, 2017 @ 06:35PM
Comments: 0

A few months ago I tried out ZEMANA ANTIMALWARE. When I had finished playing with it I uninstalled and forgot all about it. Today I was doing a defrag when I noticed a file called ZAM_Guard.krnl.trace and, when I looked in C:\Windows, ZAM.krnl.trace as well. I thought the ZAM bit looked familiar and when I looked online I realised that they belong to Zemana Antimalware.

I was a bit surprised as usually I uninstall using IOBit or Ashampoo uninstallers and they are usually pretty good. Then I realised that both those files had TODAY's date. I quickly checked my installed apps, and no Zemana. So I ran good old AUTORUNS and searched for Zemana; sure enough I found the files there, un-ticked them and rebooted.

Once rebooted I went back and deleted both the files and much to my surprise they were immediately recreated. The files just contain log files so nothing dangerous there, but what is putting them back? Zemana must still be running on my PC, but nothing in Autoruns, services or Task Manager.

A quick search with the brilliant Search Everything finds two more files in C:\Windows\System32\drivers\zam64.sys and zamguard64.sys. When I try to delete them I get a warning to say they are in use - So RUNNING on my PC?

I searched the registry and found some entries there for Zemana, but please be VERY careful if you use REGEDIT.

Instead of that I used an old trick: go back to C:\Windows\System32\drivers and RENAME both zam files by adding .WCS to the end of each file name after the .SYS. I just use .WCS (notice the DOT . ) as it reminds me that I changed them on customers' PCs - Weybridge Computer Services. After renaming both files, close down everything and reboot Windows 10.

Obviously the registry entries that are loading these programs try to load zam64.sys, which is no longer there as it is now called zam64.sys.WCS (and the same for zamguard64). So they cannot be loaded and running. Sure enough I was now able to delete the trace files and the programs - Zemana Antimalware is FINALLY dead on my PC.

THANK YOU ZEMANA!
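
The registry entries that load a leftover driver can be listed without editing anything in REGEDIT, by exporting the Services key to a .reg file and reading it. This is an added example, not part of the original post; the key names ExampleDrvA, ExampleDrvB and OtherSvc are placeholders in a constructed export, and only the two driver file names come from the post.

```python
import re

START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SERVICE_KEY = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")

def hex2(text):
    """Build sample data the way regedit exports REG_EXPAND_SZ: UTF-16LE hex."""
    parts = ["%02x" % b for b in (text + "\0").encode("utf-16-le")]
    rows = [",".join(parts[i:i + 20]) for i in range(0, len(parts), 20)]
    return "hex(2):" + ",\\\n  ".join(rows)

# Constructed export text; key names are placeholders, not real service names.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrvA]",
    '"Type"=dword:00000001', '"Start"=dword:00000001',
    '"ImagePath"=' + hex2(r"\??\C:\Windows\System32\drivers\zam64.sys"), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrvB]",
    '"Type"=dword:00000001', '"Start"=dword:00000003',
    r'"ImagePath"="system32\\drivers\\zamguard64.sys"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OtherSvc]",
    '"Type"=dword:00000010', '"Start"=dword:00000002',
    '"ImagePath"=' + hex2(r"%SystemRoot%\system32\svchost.exe -k example"), "",
])

def parse_services(reg_text):
    """Map each top-level service key to its decoded values."""
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # join wrapped hex lines
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            match = SERVICE_KEY.match(line)
            # Subkeys (for example ...\Parameters) do not match and are skipped.
            current = services.setdefault(match.group(1), {}) if match else None
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith("dword:"):
            current[name] = int(value[6:], 16)
        elif value.startswith("hex(2):"):
            raw = bytes.fromhex(value[7:].replace(",", ""))
            current[name] = raw.decode("utf-16-le").rstrip("\0")
        elif value.startswith('"'):
            current[name] = value[1:-1].replace("\\\\", "\\")
    return services

def leftover_drivers(services, filenames):
    """Return (key, start type, ImagePath) for driver entries naming the files."""
    wanted = {name.lower() for name in filenames}
    hits = []
    for key, vals in services.items():
        path = vals.get("ImagePath", "")
        base = path.rsplit("\\", 1)[-1].lower()
        # Type 1 is a kernel driver, type 2 a file system driver.
        if vals.get("Type") in (1, 2) and base in wanted:
            hits.append((key, START.get(vals.get("Start"), "unknown"), path))
    return hits

if __name__ == "__main__":
    # A real regedit export is UTF-16: open(path, encoding="utf-16").read()
    found = leftover_drivers(parse_services(SAMPLE_REG),
                             ["zam64.sys", "zamguard64.sys"])
    for hit in found:
        print(hit)
```
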


WCS.Tony - Sat May 13, 2017 @ 10:56AM
Comments: 0

Whatever you do - DO NOT PAY THE CROOKS

1. Turn off the PC
2. Report it to the police
3. Call a reputable PC support company.

I've had some experience with these attacks and they usually encrypt all your data, then pop up a message saying PAY ME TO GET YOUR DATA BACK.
Now if you have kept your PC updated as Microsoft suggest and have a current reputable antivirus running you should be OK.
Obviously you still have to be careful when you click on email links or run / open attached files (save should not do any harm).
The best defence is not to load the virus in the first place!

Your second line of defence is to take regular backups of your data. I can always reinstall Windows (even if we have to buy a copy) but YOUR data is unique to YOU. All your photos of the kids, friends' addresses, typed letters to the solicitor etc. For the sake of £50 buy an external USB drive and use it to back up at regular intervals - once a week, a month, whatever. I would also recommend that you back up to different files or folders – not just overwrite the only copy each time. For example, what would happen if you backed up your encrypted files to your only backup copy? You could have Backup-Jan, Backup-Feb etc., or Monday, Tuesday.... you get the idea. If you are really concerned or careful – each backup could be on a different USB drive. Work out what you want / need for your data and DO IT.

Obviously you will need to unplug the drive from the PC afterwards; otherwise the ransomware will also encrypt your backup.
Personally I back up to an external USB drive and make regular secondary backups to DVDs that I store away from the PC.

Now back to "help I've lost all my data and they want £300".

Killing the nasty virus is not usually a problem to an experienced PC support technician.

This must be done before anything else as otherwise any files you attach (like trying to restore from your backups) will also get encrypted before you get a chance to copy them back. Once the virus has been stopped you can recover your old files from the backup just by copying them back.

If backups are not available, or very old, I have usually managed to crack the encryption key(s), but (and here is the big BUT) I need an encrypted file and the same file before it was encrypted. Usually one key un-encrypts all the user files, but quite often I had to get the key on several different files and keep un-encrypting until they are all back. Usually this is just restricted to user files but I've had instances where several system / software files had also been encrypted.

A few customers did not have ANY backups on USB drives, sticks or DVDs. Not even any files in OneDrive, Google Docs (both FREE) or Dropbox / Carbonite / Crash Plan etc. Luckily for them they were old customers and I always put a document detailing what I have done on their PC and any log files I created. This is stored as a DOC(x) or RTF file on their PC and I keep a copy for reference. I was able to use those files to hack the encryption keys, and restore all their data.

So basically:

  • Keep your system and antivirus software up to date.
  • Take regular backups and keep the copies (more than one) safe and away from your PC.
  • Google how to spot SPAM and what to do with email links and attachments, or how to avoid ransomware. No matter how good your system is at protecting itself it’s far better if you don’t do anything silly and let the attack in. Knowledge is power!
  • Finally there are many free (and paid) dedicated anti ransomware programs out there, you may wish to try one.

I should add that currently (13/05/2017) there is no decryptor available for the Wannacry attack that hit the NHS. Unless you have backed up your data you are in trouble. It may be possible to recover the original / deleted files using specialist recovery software but apparently the virus tries to stop that as well. Even if the old deleted files were on the disk after the infection, every time you boot, every time you use your PC it will write data to the disk and there is a greater and greater chance that your old files will be completely overwritten by new files.

If you have not been infected BACK UP NOW!

WCS.Tony - Tue Mar 29, 2016 @ 12:54PM
Comments: 0

Has anyone managed to use one of these on Windows 10 64 bit?

Basically I bought this years ago when FREEVIEW (Digital TV) was starting; to be honest it was more of a toy just to get TV on my old PC and I recorded a few programs and then forgot all about it. Well last week my friend's huge LCD TV packed up and I thought he could borrow my USB dongle so that he could at least see TV on his PC.

It quickly became apparent that the drivers that came with this device would not install on Windows 10 and it comes in as UNKNOWN.
When I try to update the drivers using Windows 10 it fails
                  "Windows could not find driver software for your device"
I downloaded various drivers from the web (take care, loads of odd downloads / viruses and driver checking software) and manually pointed the driver update to those folders and / or ran the setup programs.
So far none of them have worked.

I can run the original BlazeVideo and SichboPVR software but, without the drivers, I cannot find a TV device.

USBDeView shows the dongle

DVBT AF9005 BDA Device Vendor Specific Yes Yes No No 16/05/2010 15:31:36 29/03/2016 13:50:00 15a4 9020 1.00 ff ff ff Hub 1, Port 3 Afatech Technologies, Inc. AF05BDA AF9005 BDA Device AF05BDA.sys MEDIA AfaTech 500 mA 1.10 AF9005 BDA Device 6.3.2.1 AF05BDA oem39.inf USB\Vid_15a4&Pid_9020\5&34a681e0&0&3 Removable, SurpriseRemovalOK

Device instance: USB\VID_15A4&PID_9020\6&30663d42&0&2
Hardware Id: USB\VID_15A4&PID_9020&REV_0100

Yes I know!
I have already set him up to look at catch up TV through the Internet.
But surely there must be a working driver for this dongle?
Or a means of getting the old driver to work in Windows 10?
Would Driver Signature Enforcement Overrider  be any use?

HELP?

WCS.Tony - Thu Mar 24, 2016 @ 12:17PM
Comments: 0

It really is about time that our police and BT did something about these scams.

Hardly a month goes by when I don't get a call from someone AFTER they had a call from Microsoft.
My usual reply is "How do you know it was Microsoft?" - because they said so.
Just to be clear Microsoft do not call up users at random, hang up and report it to the police and BT.

The other similar issue is when people search for help online, quite often the entry at the top of the search page is "fake" and pretends to be from Apple or Microsoft or whoever. Once again "How do you know who they are?". I had people sign up for 3 years' worth of "excellent" help from "Apple" or with free 24 hour support from a "Microsoft company". BE CAREFUL!

The standard "I'm from Microsoft and you have a problem with your computer" does not in itself cause you any problems. The problems come when you allow them access to your computer or give them your bank / credit card details. Usually they add some programs to your PC so that they have access to it, send them your username and passwords or even lock it up unless you pay them. And rest assured they WILL want payment to "fix" the computer that was working fine before they called.

One young chap (it is usually the more elderly ones that get caught by these evil people) assured me that he had allowed them into his laptop, but had refused to pay them. I was rather surprised that he got off without paying but removed all the various malware and viruses that were now slowing down his laptop. There were also some proxy settings and remote monitoring programs that I removed and installed Avast FREE for him as his Norton had expired years ago and he had never renewed the contract. There are several good FREE antiviruses that you can use.

Anyhow after all that I returned his laptop and he asked me if I would take a cheque from his wife. I was a bit surprised so I enquired and apparently his bank account seems to be empty - must be a mistake. I assured him it was probably NOT and to call his bank at once. They had got hold of his bank details even though he assured me that he had not given them out.

SO TAKE CARE.

If you get a phone call from someone claiming to be from Microsoft - HANG UP.
If you get a phone call from anyone claiming to be from company-x - how do you know they are who they say they are?
If you are not sure hang up and find out, call the company using a number from a letter you had from them or the phone book.
And even this is not 100% safe as they could have stayed on the line, when you hang up.
When you dial again, they are still there and can put another person on the phone to vouch that they were who they said.
To get over that call someone you know and you know the line is clear if THEY reply, or their answerphone replies.
Only then can you call the real company number and check if they are really calling you.

AGAIN - WHY CAN'T BT FIX THIS PROBLEM?

If you have allowed "Microsoft", a free "support company" or ANYONE access to your PC - my advice...
TURN IT OFF and CALL ME.

WCS.Tony - Wed Sep 02, 2015 @ 03:30PM
Comments: 0

A huge thanks to Philby E McGee at http://www.bleepingcomputer.com/forums/t/581470/ba...

My Windows Updates began failing about 10 days ago and I've tried just about everything on the web including various Microsoft Fix Its, SFC, SCFix, register / unregister various services, batch files, registry files - nothing would allow me to start BITS or get new updates.

Never mind I will update my Windows 7 to the amazing new Windows 10
But I could not do that either!
Windows seemed to be using the update service to do the upgrade.
Or rather failing to, on my laptop.

I contacted the Microsoft online help (saying that Windows Update was the problem) and after over an hour of fiddling about on my computer he updated the BIOS (without asking me). Once again I mentioned that I thought it was my Windows Update problem.
NO - He then proclaimed that I had a "driver issue" - "Contact ACER".
Which driver I asked - no reply.
Could we not just update to Windows 10 from scratch and replace ALL drivers?
NO!

I gave up and after cooling down I tried several very complicated and time consuming repairs - or rather NOT repairs.
Then I saw this simple solution: all I did was create a new registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
Straight away I was able to start BITS, the first time in nearly two weeks.
I started Windows Updates and applied 23 of them.

Now I am waiting for my Windows 10.
"We'll let you know when this upgrade is ready to be installed on this PC".
I can hardly wait.

Once again a great big THANK YOU


By the way, BITS is Background Intelligent Transfer Service.

Update:
Windows 10 became available soon after and installed with no problem.

WCS.Tony - Sun Mar 29, 2015 @ 10:37AM
Comments: 0

This seems like a nasty trick from Logitech.
I am talking about my Logitech Cordless Desktop LX 700 but it may also apply to other models.

A few weeks ago a customer gave me an old wireless keyboard and mouse.
"It does not work and I have bought a new one".

Soon afterwards my keyboard began sticking on certain keys. Pouring a large mug of tea over it and then cleaning it did not help and no amount of silicon spray seemed to stop the sticking. Then I remembered the Logitech mouse and keyboard.

The keyboard just needed new batteries and the ones on the mouse were dead. As they are rechargeable I removed them and charged them on my battery charger. After that the mouse worked fine as well.

But after a few days the mouse suddenly stopped; as I keep forgetting to put it back on the charging cradle when I finish I was not too surprised. After this happened a few times (and now I was putting the mouse back in the cradle) I decided to swap out the existing batteries (AA) for two rechargeable ones. The Logitech batteries seemed to be glued together with a piece of plastic in the middle. I put in the two new AA batteries and everything was fine. But a few days later the mouse stopped again - had I put it back in the charger?

So I blamed myself and charged the batteries externally again, and again.
Today I checked the batteries - OK, the contacts in the cradle - OK, the joints inside of the mouse - OK, the power supply - OK. WHAT COULD IT BE?

Then I noticed a little switch right between the batteries.


A switch that would be depressed by that strange plastic between the two original batteries. I cut a small piece of plastic to the right size and made sure it was held in by the batteries. Put the mouse back on the cradle and, for the first time, I noticed a little green LED on the mouse. IT CHARGES.

What a nasty trick!

WCS.Tony - Wed Feb 11, 2015 @ 06:36PM
Comments: 0

I have been using my old XP laptop for many years, usually to look at the web or for the odd email - and it does a great job.

Last week, however, I started noticing that AvastSvc.exe seems to be running constantly at 16 to 19% CPU. I have installed Avast FREE on many computers over the years and have never seen this before. Well not without a virus or another antivirus running.

I quickly checked for malware and did a full boot scan - CLEAN. As this is my laptop I am sure that I removed the previous antivirus programs properly, but had a quick check as well - OK. I am fairly familiar with the running tasks on this laptop, and no new or unknown tasks were running. A quick check with the new AUTORUNS / VirusTotal confirmed that everything was as it should be and no virus.

I assumed that one of the many new Tools that Avast are so fond of including must have been let in when I manually installed Avast. But no, everything seemed OK. I tried removing any unnecessary options but the CPU remained around 19%. Avast, like many other antivirus / malware programs I USED to use, keeps adding more and more rubbish to the basic antivirus. BUT THAT WAS NOT THE PROBLEM.

By now the disk IO read had gone into the BILLIONS and my poor old HDD's LED was constantly flashing. Why had I not noticed that before? The only way to stop the CPU and constant reads was to stop the File System Shield for 10 minutes - CPU %. Turn it back on and the CPU was back at 19% and the disk reads started again. As looking at my File system is a fairly basic requirement for my antivirus I searched for another solution.

I was just downloading the Avast removal tool and the latest version of Avast to reinstall it. Then I had a final look at my running tasks. I decided to kill tasks one at a time to see if anything was causing Avast to react like this. I killed TeamViewer which was running in the background; I had problems with the laptop graphics last year and used this to connect from my desktop and change the graphic settings. Anyhow as soon as I killed TeamViewer, AvastSvc.exe went down to 0% CPU (zero) and no reads.

HAD I SOLVED IT?

I rebooted and the AvastSvc CPU remained at ZERO.
Start TeamViewer - CPU back to 19% and the HDD LED flickering again.
Kill TeamViewer and we are back to "normal" with 0% CPU.

If only I knew WHY?

WCS.Tony - Tue Apr 22, 2014 @ 11:02AM
Comments: 0

I've had a lot of calls from customers asking for help after reading about the Heart Bleed / Heartbleed issue.

Well there is really very little chance of YOUR password in a specific site having been compromised. BUT the recommendation from just about everywhere is to change your passwords.

There is no point changing your password before the site you are using secures their code; your new password would still be vulnerable. However there are plenty of sites that have information on the updates (Mashable.com) and many sites will email you when they have made the security changes.

Here is a link that explains how the bug works: Howtogeek.com

Obviously you will have to make a note of all your new passwords and you may need to log into services, Apps and programs that use these passwords. For example if you use Outlook to read your email and you change the email password - you will also need to change it in Outlook.


If you have not already done so I would strongly advise you to use LASTPASS (or a similar system) to keep track of all your passwords. Lastpass now even has a security feature that will help you manage the password changes and what sites to change and WHEN. Don't forget to accept the password changes when it warns you. Lastpass even has a history button to show you the old passwords.

See Lifehacker.com for a tutorial.
And get your LastPass account here: Lastpass.com/create_account


WCS.Tony - Mon Dec 23, 2013 @ 07:51AM
Comments: 0

Hi, and a Merry Christmas to all my customers.

I have been receiving several panicking inquiries about this new and highly destructive virus or rather RANSOMWARE. For those of you that have not heard, CRYPTOLOCKER has attacked over 250,000 machines ... so far.
Well - I can now protect your PC.

Once in your computer it quietly starts encrypting your files and when it has finished a message pops up asking you for $300 to get the key to recover your data files.
Yes I can stop and remove the infection.
But NO, neither I nor anyone else can unencrypt your files.

You have to:

  • Recover them from a back up
    (that was NOT connected to your PC during the infection),
  • OR - pay the pirates and pray that they honour the agreement.

Having studied the current infection I can however make some changes to your PC that will prevent the encryption in the first place.
Should you want this peace of mind I can now do this for you and also give you some hints and tips on avoiding this type of infection.
I cannot guarantee that Cryptolocker, a variant or a similar infection will not evolve to get past this defense.
But I am sure that the current Cryptolocker infection will be stopped.
I GUARANTEE THAT WITH A MONEY BACK PLEDGE.
So if you want peace of mind call me - 01784 434 458 or 07883 062 986
