Swatkat's rants


Wednesday, 28 December 2005

NotMyFault – The fault maker!

Posted on 10:19 by Unknown
NotMyFault is a tool developed by Mark Russinovich of Sysinternals. NotMyFault can generate faults such as a High IRQL fault, Code Overwrite, Buffer Overflow, Deadlock etc., which can crash Windows. This tool can be helpful in crash dump analysis. Whenever Windows crashes due to some serious error, it creates a memory dump file (%windir%\memory.dmp, for example), and this dump file can be analyzed later using debugging tools such as LiveKD to find out more about the crash.

Since NotMyFault is a user-mode program, it cannot directly cause such crashes. Hence it uses a driver (aptly named MyFault.sys) to generate faults by performing illegal operations in kernel mode, also known as privileged mode.

Here’s the screenshot showing NotMyFault: just select the type of fault you want and click "Do bug"!

NotMyFault is freeware and can be downloaded from here (direct link).

Wednesday, 21 December 2005

Unlock 'em!

Posted on 10:03 by Unknown
When you are deleting a file in Windows, sometimes you can get errors like "Cannot delete file: Access is denied", "The source or destination file may be in use", "The file is in use by another program or user. Make sure the disk is not full or write-protected and that the file is not currently in use".

This happens if the file that is being deleted is still loaded in memory. So before deleting it, it has to be unloaded from memory. Unlocker is a small freeware tool which does just that. Once it's installed, it adds itself to the right-click context menu. One just has to right-click on the "locked" file and click "Unlock". This opens Unlocker, through which the file can be unlocked. Afterwards, the file can be deleted easily.

Get it here.

Thursday, 17 November 2005

"Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM"

Posted on 09:44 by Unknown
This error arises when the System registry hive is either deleted or corrupt. The System registry hive contains configuration information necessary for the system to boot.

Option 1: The first thing to try is to run the chkdsk command from the Recovery Console and then reboot the system.

Note: If you don't have a Windows installation disk to access the Recovery Console, then this ISO image can be used to create a Windows Recovery Console CD. Download the ISO image and burn it to a CD/DVD (ImgBurn can be used to burn ISO images to CD/DVD). Boot the PC using this disk to access the Recovery Console.

If chkdsk does not solve the problem, then the System file should be restored from backups. There are two places to look for the backups: one is the System Restore folder and the other is the \Windows\Repair folder.

Option 2 (Using backups from the System Restore feature): From the Recovery Console, navigate to the \System Volume Information\ folder of the root drive, using the command:
cd "C:\System Volume Information"

Here, locate and navigate to the folder whose name begins with _restore using the command:
cd _resto~1

This folder contains many subfolders which have names of the form RPxxx, where xxx is a number indicating the restore point. Locate the RPxxx folder which has the highest number as its suffix (highest xxx) using the dir command. Then navigate into that folder using the command:
cd RPxxx (don't forget to replace xxx with the corresponding number!)

Now, there will be a folder named snapshot. Navigate to this folder using the command:
cd snapshot

There should be a file named _REGISTRY_MACHINE_SYSTEM. Copy this file to the \Windows\System32\Config folder with the name System using the command:
copy _REGISTRY_MACHINE_SYSTEM C:\Windows\System32\Config\System

Reboot the system and check whether Windows loads properly.

Note: Option 2 works only if the System Restore feature of Windows XP is enabled. If System Restore was disabled or if Option 2 did not work for some reason, then try the next option.

Option 3: While installing Windows, the setup backs up the System registry hive in the Repair folder. If the System Restore feature is turned off, then this backup can be used to restore the System hive. From the Recovery Console, navigate to the folder \Windows\Repair, using the command:
cd C:\Windows\Repair

Copy the System file to its original location using the command:
copy System C:\Windows\System32\Config\System

Reboot the system and check whether Windows loads properly.

Note: There is a disadvantage in this method! Since this backup is created during the installation of Windows, system configuration and driver installations (made after the fresh installation) will be lost after restoring this backup Registry hive file.

More resources can be found here and here.

Saturday, 12 November 2005

Deleted files don’t go to Recycle Bin

Posted on 10:14 by Unknown
Due to changes in the Windows settings or the Registry, it can happen that deleted files or folders do not go to the Recycle Bin but are permanently deleted. These are some of the steps which can be tried to rectify the problem.

Empty Recycle Bin: This may sound simple, but it solves the problem sometimes, so there’s no harm in trying it. Right-click on the Recycle Bin icon and click “Empty Recycle Bin” even if it is empty.

Recycle Bin Properties: Right-click on the Recycle Bin icon and click the "Properties" option. Here, under the "Global" tab, make sure that the option "Use one setting for all drives" is selected and the option "Do not move files to Recycle Bin" is unchecked.

Registry fix: Download this Registry file and save it with the default filename (which has a .REG extension). Double-click on it and click "Yes" to agree to merge it into the Registry. Restart the PC for the changes to take effect.

Delete the "Recycled" folder: Go to Start > Run, type the command cmd and press the Enter key to go to the Command Prompt. Here, at the command prompt, type rd /s /q C:\recycled and press the Enter key. Repeat this command for all the drives by changing the drive letter in the above command. Reboot the system and check whether the Recycle Bin works correctly or not. For NTFS systems, replace recycled by recycler.

Sunday, 30 October 2005

ASAP!

Posted on 03:17 by Unknown
ASAP stands for the Alliance of Security Analysis Professionals. It is a not-for-profit volunteer network aimed at providing high standard and quality of security support no matter where you seek help. In a nutshell, it helps the end user to fight against "malware".

Recently I got the membership for ASAP, and I am very much delighted.

You can get the complete information about ASAP here.

Tuesday, 18 October 2005

Updated Vundo removal tool by Symantec

Posted on 06:01 by Unknown
Vundo or VirtuaMonde is one of the most irritating adware/trojans! Normally, users of a Vundo-infected PC will receive endless pop-ups about some dubious software called WinFixer! As of now, no other Antivirus or Antispyware removes this, and the only method was to manually remove it using HijackThis and the VundoFix tool by Atribune.

Symantec has updated its removal tool for Vundo and it really works! There are actually two removal tools by Symantec: one removes the Vundo Trojan and the other removes the Adware associated with it. The removal method is a two-step process: first remove the Trojan and then the Adware.

Download FixVundo.exe, the Trojan removal tool. Next, download FixVMonde.exe, the Adware removal tool. First run FixVundo and then FixVMonde to remove Vundo! Running both tools in Safe Mode would help too!

Wednesday, 12 October 2005

Spybot - Search & Destroy for Symbian based phones

Posted on 08:00 by Unknown
Team SpyBot S&D has released their popular software for Symbian based mobile phones! Now, you can safeguard your mobile phones from Spyware!

Here's what their website says:
Spybot-S&D for Symbian UIQ cellphones is one of our newer projects. Started some time ago when the first virus for Symbian cellphones appeared (A29.Cabir, also called SymbOS.Caribe), we've now decided to release this preview as a goodie to our users.
Supported cellphones: all Symbian UIQ based phones, for example Motorola A920, A925, A1000, A1010; Arima U300; BenQ P30; Sony Ericsson P800, P900, P910.


Get more information here.

Sunday, 9 October 2005

Online virus and spyware scanners

Posted on 10:41 by Unknown
It’s good practice to perform an online scan for viruses or spyware once in a while. The advantage of online scanners is that they always have an up-to-date virus database, hence they can detect even newer infections.

Some of the popular online virus scanners are Panda ActiveScan, TrendMicro HouseCall and BitDefender Online Scan. All of these are ActiveX based and hence require Internet Explorer to run. But TrendMicro HouseCall has a version of the scanner which can be run on Opera, FireFox and NetScape based browsers. It is available here.

Ewido Online Scanner and TrendMicro Spyware Scan are some of the good spyware/adware scanners available. They have good detection and removal capability.

If a specific file is to be scanned to check whether it’s "good" or "bad", then Jotti’s Malware Scan can be used. This site uses multiple AntiVirus engines to scan the file, so reliable results can be obtained about unknown files. A similar service is offered by Kaspersky File Scanner.

Wednesday, 28 September 2005

Advanced Process Terminator and PSKill

Posted on 10:05 by Unknown
Advanced Process Terminator is a small (42 kb) free tool from DiamondCS (of TDS fame). It has a neat little user interface which displays running processes along with information like PID, file location etc.
But the real fun lies in the number of ways you can kill a process: it has 9 methods. With these, it can also kill the "toughest" running processes which the normal Windows Task Manager cannot kill! It can also suspend and resume processes.

Another process killer tool is PSKill from Sysinternals (of Process Explorer fame). This is a command line tool and is very easy to use. It can also kill processes like Winlogon.exe which Windows Task Manager is not able to kill.

Wednesday, 14 September 2005

Javacool EULAlyzer!

Posted on 12:36 by Unknown
Have you ever read those ultra-long EULA (End User License Agreement) pages while installing any software? I think no one will read them ;-) But a EULA can provide information about the software itself or its bundled components. Some software bundles Adware or Spyware along with it, but the details are cleverly disguised in the EULA!

A new tool called EULAlyzer has been released. It can scan License Agreements and report some of the "interesting" words and phrases. It helps to discover if the software you're about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, and much more.

Get it here, and analyze those EULAs!

Saturday, 10 September 2005

Chkdsk starts automatically while booting Windows.

Posted on 07:10 by Unknown
Sometimes the Check Disk utility (chkdsk) starts automatically on every boot-up even though Windows was shut down properly. This happens because, if the Dirty bit of a disk drive is set, chkdsk scans the drive for errors even though the disk has no errors.

To solve this problem, go to Start > Run and type cmd and press Enter key. Here at the Command Prompt, type chkntfs /d and press Enter key. This command resets the chkntfs settings to default values and schedules a scan for all Disk drives on next restart. Allow this Disk scan to complete.

Then reboot the system again and check whether chkdsk runs as it did before. If it does run and scan again, then in the Command Prompt type the command chkntfs /x DriveLetter: and press the Enter key. Here DriveLetter is the letter of the disk drive which gets scanned on every boot-up (for example, type chkntfs /x C: if the C: drive is scanned every time). This command excludes the specified disk drive from scanning.

Note that chkntfs also works with FAT32 file system!

Wednesday, 7 September 2005

Windows Search dialog box is blank!

Posted on 07:58 by Unknown
This is one quirky problem where the Search window is blank and only the "little dog" is visible! It can be seen in the screenshot below (sorry for the low image quality).



This can happen due to various reasons. Some of the fixes that can be tried are:-
1 Microsoft KB – Several dialog boxes are blank: This Knowledge Base article gives some information about this problem and also the resolution. This is worth a try.

2 Installing Windows Script files: JScript, VBScript and other Script Runtime files are used by this Search window (and other windows), hence a missing/corrupted Script file could cause the problem. The Script files can be downloaded here.

3 Reinstall Search Assistant: Go to Start > Run and type %windir%\inf and press Enter key. This should open the Inf folder. Here look for a file named srchasst.inf. Right-click on this file and click Install, you may require Windows installation CD.

Saturday, 3 September 2005

Windows XP default theme missing!

Posted on 10:10 by Unknown
Sometimes the default theme of Windows XP will be missing from the Themes tab in Desktop Properties, and there will be only the Classic theme in the drop-down list. This is one of the common problems I have seen ;-).

To recover the default XP theme (also called the Luna theme), the following solutions can be used:-
1 Start the Themes Service: Go to Start > Run and type services.msc and press Enter key to open the Services window. Here, navigate to Themes service, and right-click on it and select Properties, and make sure that the Start Up type is set to Automatic. And if the service is stopped, click the Start button to start it.

2 Locate the Luna.theme file manually: Right click on the desktop and choose Properties. On the Themes tab, choose the Browse... option. Next browse and locate the file C:\Windows\Resources\Themes\Luna.theme and apply this as theme.

3 Luna.theme file not present: If the Luna.theme file itself is not present, then it has to be restored. Download this Zip file from Kelly’s Korner, and then extract the contents of this file to the C:\Windows directory. Then apply this theme as given in the previous step.

4 Registry fix: If the above steps do not solve the problem, then the default Registry values related to Themes may have been changed. Download this Registry fix from Kelly’s Korner, and merge it with the Registry. Restart the computer for the changes to take effect.

Friday, 26 August 2005

Black Viper is back!

Posted on 12:46 by Unknown
Black Viper, the website popular for its Windows XP Services Guide, is back! It was down for a few months, and fortunately it's back. The site has some really good tips and tricks about different Operating Systems like Windows ME/2000/XP/2003 and RedHat Linux. Along with that, there are Motherboard tweaks, Software reviews etc. Worth visiting :)

Sunday, 21 August 2005

Basics of Boot Process

Posted on 10:30 by Unknown
Hard Disk and Partitions:
Partitioning is the process of dividing the Hard Disk (HD) into several chunks and using any one of the partitions to install an Operating System (OS), or using two or more partitions to install multiple OSes. You can have one partition and use up the entire HD space to install a single OS, but this becomes a data management nightmare for users of large HDs. This is where the advantage of partitioning lies! Because of the structure of the Master Boot Record (MBR), you can have only four partitions, which are called Primary Partitions. To allow more partitions on even larger HDs, the Extended Partition was introduced. An Extended Partition is not a usable partition by itself; it is like a container that holds Logical Drives, i.e., the Extended Partition can be subdivided into multiple logical partitions.
In order to boot into a partition, it must be designated as the Active or Bootable Partition. The Active Partition is the one which is flagged as bootable or which contains the OS; this is generally a Primary Partition.


Boot Records (Master, Partition, Extended, Logical-Extended):
Master Boot Record (MBR): The MBR is a small, 512-byte record located at the first physical sector of the HD. The MBR contains a small program known as the bootstrap program, which is responsible for booting into any OS. The MBR also contains a table known as the Partition Table, which lists the available Primary Partitions on the hard disk (it can hold only 4 entries). What if we have more than four partitions? This is solved by the Extended Partition principle: the Partition Table treats the entire Extended Partition as one Primary Partition and lists it in the table.
So a Partition Table can hold one of two possible sets of entries:
- Up to 4 Primary Partitions
- Up to 3 Primary Partitions & 1 Extended Partition (Total not exceeding 4).
Partition Boot Record (PBR): This is the logical first sector, i.e., sector at the start of a Primary Partition. This is a 512 byte area, which contains some programs to initialize or run OS files. All Primary Partitions have their own PBRs.
Extended Boot Record (EBR): This is the logical first sector, i.e., the sector at the start of the Extended Partition. EBR contains a Partition Table, which lists the available Logical Partitions inside Extended Partition, i.e., it contains the starting addresses of each Logical Partition.
Logical Extended Boot Record (LEBR): This is the logical first sector residing at the start of each Logical Partition, similar to PBR.


Single OS Boot Process:
Whenever the PC is turned ON, the BIOS (Basic Input Output System) takes control and performs a set of operations. It checks hardware, ports, etc. and finally loads the MBR program into memory (RAM). Now the MBR takes control of the booting process.
Functions of MBR with only one OS installed in the system-
- Boot process starts by executing code in the first sector of the disk, MBR.
- MBR scans the partition table to find the Active Partition.
- Control is passed to that partition's boot record (PBR) to continue booting.
- The PBR locates the system-specific boot files (such as Win98's io.sys or WinXP’s ntoskrnl).
- Then these boot files continue the process of loading and initializing the rest of the OS.
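
The Partition Table layout and the Active Partition lookup described above, as an added example that is not part of the original post: a Python parser that decodes the four table entries of a boot sector and reports which partition the MBR would hand control to. It goes slightly beyond the text by following the chain of EBR sectors that links the Logical Partitions on disk; the disk image is a constructed sample (Win98 on an active FAT32 Primary Partition, two Logical Partitions inside an Extended Partition).

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446              # the table follows the 446 bytes of bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of every MBR/EBR sector
ACTIVE_FLAG = 0x80              # status byte of the Active (bootable) partition
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_table(sector):
    """Decode the four 16-byte partition table entries of an MBR or EBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a boot record: bad size or missing 55 AA signature")
    entries = []
    for slot in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), start LBA, size
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * slot)
        if ptype == 0x00:       # unused slot
            continue
        entries.append({"slot": slot, "active": status == ACTIVE_FLAG,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def walk_ebr_chain(read_sector, ext_start, max_links=64):
    """Follow the EBR chain inside an Extended Partition and return its logical partitions."""
    logicals, ebr_lba, seen = [], ext_start, set()
    while ebr_lba is not None and ebr_lba not in seen and len(seen) < max_links:
        seen.add(ebr_lba)       # guards against a looping (corrupt) chain
        next_ebr = None
        for entry in parse_table(read_sector(ebr_lba)):
            if entry["type"] in EXTENDED_TYPES:
                # link entry: offset is relative to the start of the Extended Partition
                next_ebr = ext_start + entry["start"]
            else:
                # data entry: offset is relative to the EBR sector that describes it
                logicals.append({**entry, "kind": "logical",
                                 "start": ebr_lba + entry["start"]})
        ebr_lba = next_ebr
    return logicals


def list_partitions(read_sector):
    """Return primary, extended and logical partitions in on-disk order."""
    partitions = []
    for entry in parse_table(read_sector(0)):
        if entry["type"] in EXTENDED_TYPES:
            partitions.append({**entry, "kind": "extended"})
            partitions.extend(walk_ebr_chain(read_sector, entry["start"]))
        else:
            partitions.append({**entry, "kind": "primary"})
    return partitions


def find_active(partitions):
    """Return the single Active entry of the MBR table, or None if there is none or several."""
    active = [p for p in partitions if p["kind"] != "logical" and p["active"]]
    return active[0] if len(active) == 1 else None


def _sector(*entries):
    """Build a constructed boot sector from (status, type, start, size) tuples."""
    buf = bytearray(SECTOR_SIZE)
    for slot, fields in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf, TABLE_OFFSET + 16 * slot, *fields)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sample disk: LBA -> sector contents.
SAMPLE_DISK = {
    0: _sector((0x80, 0x0B, 63, 20000), (0x00, 0x0F, 20063, 40000)),       # MBR
    20063: _sector((0x00, 0x07, 63, 19937), (0x00, 0x05, 20000, 20000)),   # first EBR
    40063: _sector((0x00, 0x0B, 63, 19937)),                               # last EBR
}

if __name__ == "__main__":
    parts = list_partitions(SAMPLE_DISK.__getitem__)
    for p in parts:
        name = TYPE_NAMES.get(p["type"], "other")
        print(f"{p['kind']:9} type=0x{p['type']:02X} ({name}) "
              f"start={p['start']} active={p['active']}")
    print("boots from slot:", find_active(parts)["slot"])
```

To run it against a real disk image, pass a read_sector function that seeks to lba * 512 in the image file and reads 512 bytes.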


Multiple OS Boot Process:
Whenever there are multiple OSes, be it multiple versions of Windows or Windows with Linux, the system boots a bit differently. There can be two different types of boot process in a multiple-OS environment: the Microsoft way and the Non-Microsoft way (or Third Party Boot Loader way).
Microsoft way: MS Master Boot loaders don’t recognize other types of OSes like Linux by default; hence using the MS MBR in the presence of Linux is ruled out.
Consider the usual case, where there is one Primary Partition and some Logical Partitions inside an Extended Partition. If Win98 is installed in the Primary Partition and WinXP is afterwards installed in a Logical Partition, then theoretically both OSes should have their own Boot Records, i.e., a PBR for Win98 and an LEBR for WinXP, each containing the program to boot its OS, so that the MBR can boot either OS by passing control to that OS's boot record as described in the previous section.
But this doesn’t happen with the MS Boot loader! It does a peculiar thing: it always treats the current Active Partition, i.e., the Primary Partition in which Win98 is installed, as the default System/Boot Partition. When WinXP is installed in another partition, instead of writing the boot code in WinXP's own partition, WinXP writes it in the current Active Partition (where Win98 is installed)!
The program responsible for loading WinXP is ntldr (standing for NTLoader). Theoretically, this should be in WinXP's own partition, but it is copied to that of Win98.
Then the files responsible for booting Win98 are combined into a single file called bootsect.dos and placed in the Win98 partition. WinXP then creates another file called boot.ini, which contains the names of the MS OSes installed and the path to the System files of each OS.

After all these preliminaries, Windows multi-boot can be represented as below-
- When BIOS hands over control to MS MBR, this program looks into Partition Table for Active Partition.
- Then it hands over the control to the PBR of Active Partition. In this case, the Active Partition is where Win98 was installed.
- But the Win98 PBR has been altered by WinXP and no longer contains the Win98 boot program (like io.sys or msdos.sys); instead it contains ntldr. The peculiarity is that one OS’s boot program is in another OS’s partition!
- Ntldr looks into boot.ini file and finds out the MS OSes installed in the system and displays the option menu.
- When user selects Win98, the file bootsect.dos (present in same partition) is executed, and if WinXP is selected, ntoskrnl is executed (present in another partition).

The good thing about the MS way is the ease of configuration (you need not configure anything at all!). The bad thing about the MS MBR is that the two OSes are not independent of each other, because the MS MBR always boots into the Active Partition, i.e., it always boots into the Win98 partition but executes the WinXP program, and only then are the other OSes loaded.
This does not allow multiple MS OSes to be installed in an arbitrary order: the older version of the OS has to be installed first, followed by the newer versions (the most common problem).

This boot process also has two limitations-
- There can be only one Real Mode DOS based OS like Win95/Win98 along with NT based OSes. If you want both Win95 and Win98 together with any NT based OS, it’s just not possible.
- The MS MBR looks for Active status in Primary Partitions only and not in Logical Partitions. This means MS OSes have to be installed in Primary Partitions if they are to be bootable. For this very reason, the WinXP boot file ntldr is placed in the Primary Partition of Win98 instead of its own Logical Partition.
But this has led to the misconception that only OSes in Primary Partitions can be booted. By replacing the MS MBR with a more sophisticated MBR program which also looks for Active status in Logical Drives, we can boot directly into OSes which are on Logical Drives. This is where third-party Boot Loaders come into the picture!


Non-Microsoft way: Third-party Boot Loaders load before the OS, hence they are independent of the OS. Therefore, they work fine with all versions of Windows and DOS.
In this system, installing multiple OSes is conceptually simple. First make as many Primary Partitions and Logical Partitions as you want. Then set the status of one of the partitions as Active and install an OS. After this, set the status of that partition as Hidden (Inactive), set another partition as Active to install another OS, and repeat. This way, older versions of Windows can be installed after newer ones.
The Third Party Boot Loader then reads all partitions (including Logical Partitions) from the Partition Table and presents a menu of OSes to boot.

The functions of a Third Party Boot Loader can be stated as below-
- Displays a list of all OSes present in both Primary and Logical Partitions.
- When the user selects an OS, the Boot Loader makes the partition of that OS Active and passes control to it.
This step is the most important deviation from the MS way, because with the MS MBR the Active Partition always remains the same, and OSes in other Logical Partitions are booted only after booting into it.
This way, any OS can be booted directly by toggling its Inactive/Active status when the user selects it.
- Then the Boot Sector of the corresponding OS takes control and loads the OS. This Boot Sector may be the PBR of a Primary Partition or the LEBR of a Logical Extended Partition.
This way, the OSes remain independent of each other. That is, the WinXP boot program ntldr can remain in WinXP’s partition and the Win98 boot programs can remain in Win98's partition.
Since Third Party Boot Loaders are independent of the OS, they support all types of OSes like Windows, Linux, UNIX, BeOS etc. XOSL is one free boot loader which is capable of handling 30 Operating Systems. To hide/unhide partitions, Ranish Partition Manager, a freeware tool, can be used.

Tuesday, 16 August 2005

WinPFind – Search the malware by their pattern!

Posted on 10:43 by Unknown
Sometimes it becomes very difficult to remove a spyware infection, because even after virus/spyware scans the spyware re-spawns. In these cases, we have to manually search for the "bad" files and delete them! This is simply not feasible because of the large number of files present in a system.

But there is a tool called WinPFind to help us in this situation! Most spyware/virus files follow a "pattern". A pattern may be in the form of "packing" (file type compression) like UPX, file location (most of these files are located in the Windows, System32 or System folders) or possible Registry locations.

WinPFind searches for the above-mentioned and some more patterns and gives a list of files and Registry entries matching them. From this list, we can identify the "bad" files and Registry entries and remove them for good. Note that WinPFind searches for files with specific patterns and not for the "bad" file itself. Hence, the result of a WinPFind scan will contain legitimate files too. So, be careful while analyzing the WinPFind log!

Get it here.
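
Two of the patterns named above (UPX packing and location in the Windows, System32 or System folders), as an added example that is not part of the original post and not WinPFind's own logic, which the post does not describe. It reads the PE section table and treats the section names UPX0/UPX1 as the packing indicator; the file names and PE images are constructed samples, and build_pe is a helper made up for this example.

```python
import struct
from pathlib import PureWindowsPath

UPX_SECTIONS = {"UPX0", "UPX1"}             # section names left by the UPX packer
SYSTEM_DIRS = {"windows", "system32", "system"}


def pe_section_names(data):
    """Return the section names of a PE file, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # section table follows the headers
    names = []
    for i in range(num_sections):
        off = table + 40 * i                              # each section header is 40 bytes
        if off + 40 > len(data):                          # truncated file
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def match_patterns(path, data):
    """Return the pattern labels a file matches; non-PE files match nothing."""
    names = pe_section_names(data)
    if names is None:
        return []
    hits = []
    if UPX_SECTIONS.intersection(names):
        hits.append("upx-packed")
    if PureWindowsPath(path).parent.name.lower() in SYSTEM_DIRS:
        hits.append("system-folder")
    return hits


def scan(files):
    """files: iterable of (path, bytes). Return matches, most patterns first."""
    report = [(path, match_patterns(path, data)) for path, data in files]
    report = [(path, hits) for path, hits in report if hits]
    return sorted(report, key=lambda item: -len(item[1]))


def build_pe(section_names):
    """Build a minimal constructed PE image containing only headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(section_names),
                       0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                        for n in section_names)
    return bytes(dos) + coff + sections


# Constructed sample input; none of these are real files.
SAMPLE_FILES = [
    (r"C:\Windows\System32\notepad.exe", build_pe([".text", ".data", ".rsrc"])),
    (r"C:\Windows\System32\example1.dll", build_pe(["UPX0", "UPX1", ".rsrc"])),
    (r"C:\Tools\viewer.exe", build_pe([".text", ".rdata"])),
    (r"C:\Windows\readme.txt", b"plain text, not a PE file"),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES):
        print(f"{path}: {', '.join(hits)}")
```

As the post warns, a match is only a lead: the legitimate notepad.exe sample is listed because of its folder alone, and a packer that renames its sections would not be caught by the name check.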

Friday, 12 August 2005

How to reinstall GRUB?

Posted on 11:03 by Unknown
If you have Windows and Linux with dual boot option, then you will most probably have GRUB boot loader. If Windows is repaired or reinstalled, it overwrites the Master Boot Record, which had GRUB, with its own loader. This makes booting into Linux impossible.

In this case, GRUB alone can be reinstalled instead of reinstalling the entire Linux operating system. This can be done by following these steps:-
1] Change the first boot device in BIOS to CDROM drive.

2] Insert Linux CD into the drive, and choose Rescue mode option.

3] When the command prompt appears, type these commands, each followed by ENTER key:-
chroot /mnt/sysimage
grub-install /dev/hda

This would reinstall GRUB to the Master Boot Record. Here, hda means the hard disk is the Primary master. If the hard disk is the Secondary master, then the device name will be hdc. Similarly, hdb and hdd are for the Primary slave and Secondary slave respectively.

Wednesday, 10 August 2005

Brute Force Uninstaller!

Posted on 13:20 by Unknown
Just found out this new tool called Brute Force Uninstaller from Merijn (of HijackThis, CWShredder fame). This tool helps to forcibly remove unwanted software from system. Here's an extract from author's site:

The Brute Force Uninstaller (BFU) is a program to help forcibly remove unwanted software and the likes from a system. It's basically a scripting engine that can execute commands from a file, much like a batch file. The list of commands is very complete and powerful, and scripts are easy to write.

Find out more about it, here.

Messenger spam!

Posted on 10:46 by Unknown
One of the newer types of spam is "Messenger Spam". This uses Windows Messenger Service to deliver pop ups. This Messenger Service is NOT in any way related to MSN Messenger or any other messenger software.

Messenger Service was first introduced in NT systems, and is present in all later Windows versions. Messenger Service provides a way to send messages to other users over a network, but it was never really widely used. Spammers, however, noticed this feature and developed an "innovative" way to deliver their ads or to spoof users, and this is nothing but Messenger Spam!

A Messenger spam may look like this:

Here, a computer user might believe that his system registry is damaged, and he might also visit the website mentioned in that popup. These dubious-looking websites may or may not exist, and even if they exist they are not trustworthy.

You can identify Messenger Spam by looking at the title bar of the popup window; it will have "Messenger Service" written on it. One of the easiest ways to stop Messenger spam is to disable the Messenger Service. To do this, go to Start > Run, type services.msc and press the Enter key. In the Services window, navigate to "Messenger Service", right-click it and select "Properties". In the Properties window, click Stop in the "Service Status" option box. After this, in the "Startup" option box, select Disabled from the dropdown menu. Click "Apply" and then "OK".
There's also a small tool called Shoot The Messenger, using which Messenger Service can be easily disabled.

Sunday, 7 August 2005

80 super security tips from PC Magazine

Posted on 11:19 by Unknown
Found this interesting page in PCmag.com. They have compiled a list of 80 "super" security tips. There's something useful for everyone. Here's an extract:

Whether your PC is 3 years or 3 days old, it faces the same, sometimes scary security issues. Viruses want to attack your system the moment it goes online, spyware is piggybacking with your mail and trying to slide in along with online ads, Trojans lay in wait at every turn and Phish—perhaps the sneakiest attack of all—smile at you while trying to steal your identity.

There are ways out of this mess. These tips can show you what to do, help you better understand the threats and be ready with a plan of counter attack.


For a complete list of 80 tips and tools, click here.

Friday, 5 August 2005

What is a BHO?

Posted on 14:19 by Unknown
BHO stands for Browser Helper Object. It is a small program, usually a DLL file, originally developed to enhance or customize the features of Internet Explorer. Whenever a BHO is installed, it is registered in the Windows Registry. When Internet Explorer is started, it checks the Registry for BHO entries (which indicate that a BHO is installed); these entries are known as CLSIDs.
So, whenever Internet Explorer is opened, the BHO is instantiated (created), and the BHO then has full access to the page that is being viewed.
For example, Google Toolbar installs a BHO through which it provides functions such as "Search within the Page", "Auto Fill" and “Page Info”. Another example is the BHO from Adobe Acrobat Reader, which makes it possible to open .pdf files directly in the IE window itself. Download managers such as DAP and DEX create a BHO to integrate with IE and to catch clicks on download links.
So, using BHOs, IE can be tweaked into one mean browser....

If BHO enhance the functionality of IE, then why is it avoided?
Time for some bad news! Windows does not provide any direct way to see the installed BHOs. This adds some amount of stealth capability to the BHOs. Due to this stealthy nature of the BHOs, it provides an easy way for Spywares, Adwares, Trojans or Viruses to attack. Let’s see the effects of these bad programs on IE and your Computer.

Some spyware adds a BHO without the knowledge of the user. Whenever IE is opened, that spyware BHO runs and keeps an eye on what you do in that browsing session. It can monitor which pages you visit frequently, which services you use and so on. Even worse, it can hijack the browser, that is, change the default page or search page, and these cannot be easily recovered.
Adware goes one step further: it can bring you popup ads or distasteful web pages at random, or even context-sensitive ads, that is, ads based on the content of the web pages you were viewing.
Trojans/viruses can contact their creator's website and download the “latest” version of the Trojan to your system.
If you look at the HijackThis log of any spyware/Trojan-affected system, you will certainly see some BHOs, which will have links to suspicious websites and also links to download some files.
So, in all these cases, your privacy is at stake and your computer/data is at risk.

Since BHOs have virtually full access to the system, they can do anything. Some BHOs, whether improperly coded or deliberately coded that way, can cause Runtime Errors or Illegal Operation errors.
From Windows 98 onwards, MS has extended the support for BHOs beyond IE to Windows Explorer as well. As you might know, Windows Explorer (Explorer.exe) is THE application that has to be running at all times to use Windows.
If any “bad” BHOs are installed, they get loaded whenever Explorer.exe starts. This is certainly not desirable.

What to do?
BHOs can be removed manually or by using tools.
Manual removal can be done in two ways:-
1] By renaming the DLL file corresponding to the BHO which is to be disabled.
2] By deleting the DLL file and removing CLSID entry in the Registry.

We can use HijackThis to find the installed BHOs and delete their Registry entries, and then delete the DLL file associated with each of them.
A typical CLSID and DLL file of a BHO (Google Toolbar, in this case) is shown here,

CLSID = {AA58ED58-01DD-4d91-8333-CF10577473F7}
DLL File= c:\program files\google\googletoolbar1.dll


But with some tools, BHOs can be dealt with directly. There are many tools for viewing the BHOs installed on the system; some of them are BHODemon and BHOInfo. These tools list all the BHOs present on the system, so that the user can decide which ones to keep or remove.
A popular one is BHODemon, which runs in the System Tray, scans for existing BHOs and continuously monitors the system for any BHO installs. It provides the list of installed BHOs, and it also has some extra information about the most common good and not-so-good BHOs, so any new user can learn about them.
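To make the HijackThis step concrete, here is an added example (not part of the original post and not HijackThis code) that pulls the BHO entries out of a log and sorts them into recognised entries and ones needing review. It assumes the usual `O2 - BHO: name - {CLSID} - path` line layout; the sample log, the allowlist and every CLSID except the Google Toolbar one quoted above are constructed.

```python
import re
from typing import NamedTuple

# Assumed HijackThis layout for a BHO ("O2") entry:
#   O2 - BHO: <name> - {<CLSID>} - <path to DLL>[ (file missing)]
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r" - (?P<dll>.*?)(?P<missing> \(file missing\))?$"
)

# Constructed sample log. Only the Google Toolbar entry comes from the post;
# the other CLSIDs and paths are made-up placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\example1.dll
O2 - BHO: Old Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Old\helper.dll (file missing)
O4 - HKLM\..\Run: [Example] C:\example.exe
"""

# Reviewer-maintained allowlist (an assumption of this example):
# CLSID in upper case -> expected DLL path.
KNOWN_GOOD = {
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}":
        r"c:\program files\google\googletoolbar1.dll",
}


class Bho(NamedTuple):
    name: str
    clsid: str          # normalised to upper case; CLSIDs are case-insensitive
    dll: str
    file_missing: bool


def parse_bhos(log_text):
    """Extract every O2 (BHO) entry from a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["dll"],
                             m["missing"] is not None))
    return found


def triage(bhos, known_good):
    """Split BHOs into (recognised, [(bho, reason), ...] needing review)."""
    recognised, review = [], []
    for bho in bhos:
        expected = known_good.get(bho.clsid)
        if bho.file_missing:
            review.append((bho, "DLL file missing (stale Registry entry)"))
        elif expected is None:
            review.append((bho, "CLSID not on the known-good list"))
        elif bho.dll.lower() != expected.lower():   # Windows paths ignore case
            review.append((bho, "DLL path differs from the expected one"))
        else:
            recognised.append(bho)
    return recognised, review


if __name__ == "__main__":
    ok, review = triage(parse_bhos(SAMPLE_LOG), KNOWN_GOOD)
    for bho in ok:
        print("recognised:", bho.name, bho.clsid)
    for bho, reason in review:
        print("review:    ", bho.clsid, bho.dll, "->", reason)
```

Checking the DLL path as well as the CLSID matters because a familiar CLSID pointing at an unexpected DLL is exactly the kind of entry worth a closer look before anything is deleted.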


Conclusion
So, BHOs are a powerful means through which anything can be done, be it good or bad.
So be careful while browsing and while installing suspicious-looking software. Update your antivirus regularly and run full system scans. Use anti-spyware programs and the tools mentioned above to ward off spyware and adware from your system.

Links to Tools
BHODemon
BHOInfo
HijackThis

Thursday, 4 August 2005

AntiVir Personal Edition Classic with incremental updates

Posted on 11:43 by Unknown
A new beta version of AntiVir Personal Edition Classic (AVPE), one of the best free antivirus programs you can get, has been released, and it supports incremental updates. The advantages of incremental updates are faster, smaller and easier updates!

Previously, when AVPE was updated, the whole virus database was replaced by an updated database. Because of this, the update file size was in the order of 2 to 3 megabytes. With incremental updates, only the latest virus definitions are downloaded and "added" to the existing virus database of AVPE. This greatly reduces the update file size, to about some kilobytes.

Try out the beta version here.

Tuesday, 2 August 2005

What is EICAR test file and how to create it?

Posted on 11:19 by Unknown
EICAR is a standard antivirus test file. It is a "dummy" virus which can be used to test a virus scanner, for instance to check whether the background (or real-time) scanner of an antivirus is working properly or not.

EICAR stands for European Institute of Computer Antivirus Research. This file has .COM extension; all it does when executed is display the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" and exit.

This file can be downloaded from the EICAR website. But you can also create the EICAR file yourself by using a text editor like NotePad. The file should be saved in standard MS-DOS ASCII format. Open NotePad, then copy the text below and paste it into NotePad:-

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Then go to File Menu and click Save As and save the file with any name, but it should have the extension COM. For example, you can save it as Eicar.com.

When you double-click on this file, your antivirus should detect it as “Eicar” and it should also inform you that it’s not a virus.
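When a hand-made file is not detected, the usual cause is how it was saved rather than the scanner. The check below is an added example (not from the original post) that explains why a given file's bytes do or do not qualify; it assumes EICAR's published rule that the 68-byte string must come first and may be followed only by whitespace, up to 128 bytes in total. The candidate contents are constructed.

```python
# The 68-byte test string exactly as given in the post.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption (EICAR's published rule, not stated in the post): the string may
# be followed only by these whitespace bytes, up to 128 bytes in total.
TRAILING_OK = b" \t\r\n\x1a"        # space, tab, CR, LF, Ctrl-Z
MAX_LENGTH = 128

BOM_UTF8 = b"\xef\xbb\xbf"
BOMS_UTF16 = (b"\xff\xfe", b"\xfe\xff")


def diagnose_eicar(data: bytes) -> str:
    """Return "ok" or the reason this content is not a valid test file."""
    if data.startswith(BOM_UTF8):
        return "UTF-8 byte-order mark in front of the string"
    # UTF-16 shows up either as a BOM or as a NUL after the first character.
    if data.startswith(BOMS_UTF16) or data[1:2] == b"\x00":
        return "UTF-16 text: saved as Unicode instead of ASCII/ANSI"
    if not data.startswith(EICAR):
        if data.lstrip(TRAILING_OK).startswith(EICAR):
            return "whitespace before the string"
        return "content does not start with the 68-byte string"
    if data[len(EICAR):].strip(TRAILING_OK):
        return "extra non-whitespace bytes after the string"
    if len(data) > MAX_LENGTH:
        return "file is longer than 128 bytes"
    return "ok"


def diagnose_file(path: str) -> str:
    """Read a file in binary mode (no newline or encoding translation)."""
    with open(path, "rb") as handle:
        return diagnose_eicar(handle.read(MAX_LENGTH + 1))


if __name__ == "__main__":
    text = EICAR.decode("ascii")
    # Constructed examples of what different "Save As" choices produce.
    candidates = {
        "ANSI, no newline": EICAR,
        "ANSI, trailing CRLF": EICAR + b"\r\n",
        "UTF-8 with BOM": BOM_UTF8 + EICAR,
        "Unicode (UTF-16)": text.encode("utf-16"),
        "blank first line": b"\r\n" + EICAR,
    }
    for label, content in candidates.items():
        print(f"{label:22} {len(content):3} bytes  {diagnose_eicar(content)}")
```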

Repair Winsock in Windows XP SP2.

Posted on 11:10 by Unknown
Some spyware programs, like NewDotNet, hijack the Winsock layer of Windows. When such spyware is incompletely or incorrectly removed, the Winsock layers are not restored to their original state. Due to this, an Internet connection is not possible. In Internet Explorer, you get the "Page can not be displayed" error if the Winsock layers are corrupt.

To restore the Winsock layers, there are third-party tools like WinSockXPFix and LSPFix. But Service Pack 2 introduced a new command with which the Winsock layers can be restored very easily. All you have to do is type netsh winsock reset in Command Prompt and press the ENTER key. After this, restart the computer for the changes to take effect. (Command Prompt is found in Start > All Programs > Accessories.)

For more information on the netsh command and its switches, check this page.

For non Service Pack 2 systems, WinsockXPFix or LSPFix can be used to restore the Winsock layer.

Saturday, 30 July 2005

Secure your Internet Explorer.

Posted on 12:27 by Unknown
Many spyware and adware programs exploit the features of Internet Explorer to sneak into the computer. These can be in the form of BHOs, ActiveX components or Toolbars. Once they get installed, they can create havoc on your PC! These spyware and adware programs, collectively called malware, can redirect you from the sites you wanted to visit to some other sites, or they can bring up pop-ups, which are highly irritating.

Since prevention is better than cure, it’s easy to prevent the installation of this malware if we follow some simple procedures. Most of the bad BHOs and ActiveX components can be blocked by using a tool called SpywareBlaster. One of the main advantages of SpywareBlaster is that it’s a “run once” tool; it doesn’t need to be running in the background. Once you enable the protection feature in SpywareBlaster, you have to enable it again only when you update the database of SpywareBlaster.

Access to "bad" websites (which drop malware onto the computer) can be blocked by using a HOSTS file. The HOSTS file is located in the "Windows\System32\Drivers\Etc\" folder. Whenever a website is accessed through Internet Explorer, it looks in the HOSTS file for the site’s IP address; if it finds the IP address of the site in question there, it uses that IP address. If it does not find an address for that site, it looks it up in the Domain Name Servers. We can use this property to redirect the "bad" URLs to our own computer, so that access to the original site is blocked. This is done by adding the URL that is to be blocked to the HOSTS file and giving its IP address as 127.0.0.1. There are many "readymade" HOSTS files available on the World Wide Web; a popular one is from MVPS. Just put this file in the "Windows\System32\Drivers\Etc\" folder and Internet Explorer will automatically look into it.
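The sketch below is an added example (not from the original post and not the MVPS file) showing how such a HOSTS file can be read and extended safely. Entries are keyed by host name, so the helper reduces a full URL to its host name before adding it; the sample file and the example.com/.net/.org names are constructed, and the function names are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample HOSTS content.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.com      # already blocked
127.0.0.1  banners.example.net  popups.example.net
#127.0.0.1      disabled.example.org
10.0.0.5        intranet.example.org
"""


def parse_hosts(text):
    """Return {hostname: [addresses]} for every active (non-comment) entry."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, then split
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line: skip it
        for name in fields[1:]:                    # several names per line
            table.setdefault(name.lower(), []).append(addr)
    return table


def is_blocked(table, name):
    """True if every entry for the name points back at this computer."""
    addrs = table.get(name.lower(), [])
    return bool(addrs) and all(a.is_loopback for a in addrs)


def redirects(table):
    """Names sent to a non-loopback address; a pure block list has none."""
    return {name: [str(a) for a in addrs if not a.is_loopback]
            for name, addrs in table.items()
            if any(not a.is_loopback for a in addrs)}


def to_hostname(entry):
    """Reduce 'http://Host:8080/path' or 'host' to the bare host name."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry
    return (urlsplit(entry).hostname or "").rstrip(".")


def add_blocks(text, sites):
    """Append '127.0.0.1 <host>' for each site that is not yet blocked."""
    table, new_lines, seen = parse_hosts(text), [], set()
    for site in sites:
        host = to_hostname(site)
        if not host or host == "localhost" or host in seen:
            continue
        if is_blocked(table, host):
            continue                               # keep the file idempotent
        seen.add(host)
        new_lines.append(f"127.0.0.1 {host}")
    if not new_lines:
        return text
    separator = "" if not text or text.endswith("\n") else "\n"
    return text + separator + "\n".join(new_lines) + "\n"


if __name__ == "__main__":
    updated = add_blocks(SAMPLE_HOSTS, ["http://tracker.example.com/banner.gif",
                                        "ads.example.com"])
    print(updated)
    print("non-loopback entries:", redirects(parse_hosts(updated)))
```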

Another nifty tool is IE-SPYADS, which adds a long list of sites and domains associated with known advertisers, marketers and crapware pushers to the Restricted sites zone of Internet Explorer, thus preventing access to these sites.

If we use some of these tools and some common sense, we can avoid most spyware and adware. Happy browsing!

Thursday, 28 July 2005

Autostart locations in Windows.

Posted on 12:44 by Unknown
Ever wondered how many Autostart locations there are in Windows? There are at least 38 of them, from the simple “Startup” folder to the complex-looking “Winlogon” entries in the Registry. These Autostart locations can be used by both legitimate programs and malware. For a complete list of these locations, check this page.

Tuesday, 26 July 2005

Clean junk and erase usage tracks!

Posted on 13:29 by Unknown
Windows and most software create temporary files. These files are no longer needed once the corresponding application is closed. But they are not removed in all cases, and they continue to accumulate. In most cases, the “Temp” folder inside the “Windows” folder is used by applications to store their temporary files.
While you surf the Internet, a browser like Internet Explorer stores the downloaded web pages, images and other files in the “Temporary Internet Files” folder inside the “Windows” folder. Other browsers like Opera, FireFox and NetScape store these files in their own cache folders.

It’s better to clean out these files regularly to keep the computer “squeaky” clean. Another reason to clean out these files is that these folders have become a favorite hideout for malicious programs like viruses, spyware and/or adware.

It’s cumbersome to search for these files and delete them manually. But there are numerous programs to ease the job. One of them worth mentioning is CCleaner. It searches for and deletes not only temporary files created by Windows and other applications but also the caches of browsers. It deletes files with extensions like .tmp, .bak and .chk, among others. It also deletes the cookies set by web sites when you visit them. As they say, “best things in life are free”: CCleaner is freeware.

Now let’s come to the task of removing “usage tracks”. Usage tracks are registry entries created by software to “remember” the recent operations made by the user. For example, when you open Windows Media Player, you can see the recently opened files in the File Menu. This is also called “MRU”, standing for “Most Recently Used”. To remove these entries, there is a small freeware tool called MRUBlaster. This tool scans for the MRUs of the applications it supports and deletes them. MRUBlaster supports cleaning of more than 30,000 MRU items covering different applications and Windows itself. There’s also an option to run MRUBlaster automatically at startup, so that it clears MRUs at every startup.

These are tools which should not be missed by any computer user! It’s good practice to run them before shutting down the computer or after disconnecting from the Internet.

Monday, 25 July 2005

Microsoft Windows Installer Cleanup Utility

Posted on 11:00 by Unknown
Many of you might have seen Windows Installer start up automatically and try to install “something”. This can happen at any time: for example, when you click on a Word document, instead of the file opening, Windows Installer pops up trying to install some component, which may require the installation CDs (see the screenshot).

[Screenshot of the Windows Installer prompt]

In most of the cases, this is not due to incomplete or incorrect installation of the software, but it’s due to incorrect configuration of Windows Installer itself. In order to overcome this, the configuration details of Windows Installer for that specific software should be reset.

There is one nifty tool from Microsoft, aptly called “Windows Installer Cleanup”. This program lists all the software which has been installed by Windows Installer. You can select the entry whose Installer configuration details should be reset. This removes neither the software in question nor Windows Installer; it removes only the configuration details. So when you encounter Windows Installer starting up automatically and trying to install certain software, you can try cleaning the configuration details instead of reinstalling the software itself.

If, even after using the Cleanup utility, the corresponding software fails to work, then you have to reinstall the software in question.

Get it here

PS: I got to know about this tool from TonyKlein, and I must thank him.

Sunday, 24 July 2005

Windows Registry, An introduction.

Posted on 12:51 by Unknown
What is the Registry?
The Registry is a collection of all the settings for Windows and installed Applications.
The Registry behaves like a Central Database for things like Software, Device Drivers and File Types. It can be compared to the Attendance Register of a School/College: just as the Attendance Register has the names of all the students, the Registry has entries about all the software, devices, supported file types and so on.

Why is the Registry used by Windows?
Whenever an application is started by a user, Windows looks up the Registry to gather more information about the application: what type of application it is, what type of Files or Documents it can create, whether it is a Multimedia application which may require additional support in the form of Plug-ins, and so on.
These are referred to as the Configuration Settings of the Application.

In older versions of Windows (like 3.1), the Registry was not present, and each Application or Device had a text-based .ini file, known as a Configuration file. This .ini file contained all the information about the Application/Device. So, whenever a user started an Application, Windows referred to the corresponding .ini file and acted accordingly.

For example, let's take the configuration file of the Opera Web Browser (Opera.ini). Only a part of the full file is shown below:-
------------------------------------------------------------
Download Directory=C:\My Documents
Direct History File=C:\PROGRAM FILES\OPERA\profile\opera.dir
Enable Wand=0
Home URL=
Special effects=1
-------------------------------------------------------------
From this, we can easily make out some of the Settings or Configurations that are applied when a user starts Opera.
Let's start from the beginning. Whenever Opera is started, the main program looks up this .ini file and learns that the Default Download Directory is "My Documents", the History File is "Opera.dir" in the specified path, "Wand" is Disabled (set to 0), the Home Page is a "Blank Page" and "Special Effects" are Enabled. So it starts the Opera Browser with these Settings.

Although this .ini way of storing Configuration Settings looks easy, it does not provide a centralized place for storing the information of ALL the software and devices, since each piece of software and each device had its own .ini file. This added the further difficulty of missing or changed .ini files resulting in errors.

That's why the Registry was introduced, to act as a centralized configuration holder. The Registry was introduced from Win95 onwards.
The .ini files have not been completely eliminated, but they are greatly reduced in number due to the presence of the Registry.

Structure of Registry:-
The Registry can be viewed/edited by running “regedit.exe” or “regedt32.exe” (for XP) from the Run dialog box.
The Registry has a hierarchical (Tree) structure, like the directories on a Computer. It mainly contains Branches; these are the ones you see in the Left Pane when you open Registry Editor.
Each Branch is called a Key; Keys are denoted by a Folder-like icon.

Each Key can contain other Keys (often called Sub Keys) within it, or it can contain other information called Values.

Values are the information shown in the Right Pane of the Registry Editor.
Values can basically be of three types (these can be called Data Types):-
1] String
2] Binary (8 bits)
3] DWORD (Double Word, Word means 16 bits, so DWORD is 32 bits)

String is analogous to the "Path of a Program" stored in the .ini file shown above. The String Data Type is used to store Textual information like Paths, Software Names, Device Names, User Names etc.
Binary is analogous to the 1 or 0 used to specify Enable or Disable options in the .ini file. The Binary Data Type is generally used to store "Enable/Disable" or "True/False" kinds of information by making use of 0 and 1. This Data Type is also used to store Device Ids, Product Versions, Passwords in Encrypted form etc. Binary Data is displayed in Hexadecimal Format in Registry Editor.
DWORD is 32-bit binary data used to specify some Device Driver parameters or Services. These are also displayed in Hexadecimal Format in Registry Editor.

But these Data Types (Values) are not limited to storing Paths or Enable/Disable options; they are used to store much more info, like the Status of Hardware, Product Versions, Product Ids, Serial Keys, Passwords (in some cases only in encrypted form) etc.

Now let's see the main Branches of the Registry one by one.
Branches:-
By default there are mainly 6 Branches in the Registry (5 in Windows 2000 and above). These are the branches you see in the Left Pane when you open Registry Editor.
They are:-

HKEY_CLASSES_ROOT:- This branch contains all of the File Types supported by Windows and by installed Applications. This section has info such as "Which Application is used to open a file type", "Where the Application is located" and "What type of Icon is to be used to represent Files of the corresponding File Type".
For example, it contains a Key named “txtfile”. When you expand this Key, it has further Sub Keys, namely “DefaultIcon” and “Shell”; inside “Shell” is another Key, “Open”, and within that is the “Command” Key.
When you click on the “DefaultIcon” Key, it shows a Value in the Right Pane. This Value is of the String Data Type, and it stores the path of the Icon file to be used.
When you click on the “Command” Key, it shows a Value in the Right Pane which is of the String Data Type, and it stores the Path of the Application (i.e. Notepad) which is used to open the file.

So, Windows knows about the different File Types present in the System, the Icons to be used for the different File Types and also the Programs for the different File Types. The information stored here makes sure that the correct program opens when you open a file using Windows Explorer. This Branch is abbreviated as HKCR.

HKEY_CURRENT_USER:- This branch is like a subset of another Branch named HKEY_USERS. It points to the part of HKEY_USERS appropriate for the current user.
As the name says, it contains the Configuration Information of the User currently Logged on.
For example, it contains the Folder Options in use, the Screen color settings and the Control Panel Settings customized by the User.
This Branch is generally abbreviated as HKCU.

HKEY_LOCAL_MACHINE:- This branch contains information about all of the hardware and software installed on the Computer. This Branch is abbreviated as HKLM.
This is one of the important parts of the Registry. It contains important Sub Keys like “Config”, “Hardware”, “Software” etc.

The Config Key contains further Sub Keys and Values which determine Display Settings (like Resolution, Color Mode etc), Fonts used etc.
The Hardware Key contains further Sub Keys and Values which store information about the Processor, the Adapters (like Network Adapter, ISA Adapter etc) used in the System and the COM ports present in the System.
The Software Key is one of the main branches of HKLM. It contains entries for ALL the Software and Device Drivers installed in the System. This “Software” branch has numerous Sub Keys and Values for different Software. Here you can find info about every piece of Software installed in your System (this is similar to the .ini file), like the Default folder of the Software, Version Number, Serial Key (Yes! in some cases), Default Languages, Passwords; you name it, it's here. You have to see it to believe it!
This is the main part which replaces the .ini files.
So, you can find your Windows 98 Serial Key (in case you forget it) by navigating to this Key:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion.
Click on the CurrentVersion Key and, in the Right Pane, look for a Value named “ProductKey”; that is your Serial Number. Here, you can change the default location of “Program Files” or “My Documents” too!

HKEY_USERS:- This Branch contains certain preferences (such as colors and Control Panel settings) for all of the users of the computer. It is like a Super Set of HKEY_CURRENT_USER, because it has the Settings of all the users.
This Branch is generally abbreviated as HKU.

HKEY_CURRENT_CONFIG:- This branch is like a Sub Set of the HKEY_LOCAL_MACHINE > Config Key, because it contains the Hardware Information or Configuration of only the Current User (the User who is currently logged on), whereas the Config Key in HKLM contains the Settings of All Users.

HKEY_DYN_DATA (Windows 95/98/ME only):- This branch points to a branch in HKEY_LOCAL_MACHINE which contains information about Plug 'n' Play Hardware.
It is termed Dynamic because Hardware configurations can change, since the Hardware is of the Plug 'n' Play type (that is, Hardware can be removed/changed/added).
This branch contains many Sub Keys, which in turn contain Values. Most of these Values are of the Binary or DWORD Data Type, and they are shown in Hexadecimal. Hence understanding what these Values mean is difficult.

How are entries added to or removed from the Registry?
Whenever any Software or the Device Drivers for hardware are installed, the software makes its entries in the Registry by itself.
Also, theoretically, whenever any Software is uninstalled, it should completely remove the Registry Entries it made. But many programs fail to do so, and leave some junk info in the Registry. This is where Registry Cleaners come into the picture.
These Registry Cleaners search the Registry for Obsolete/Junk entries, like Path Names which point to an Application which is already uninstalled or to a File which is already deleted.
Popular Registry Cleaners are RegCleaner, RegSupreme, System Mechanic etc.


Where is the Registry in my System?
The Registry, in its hierarchical structure, is itself a File. It is stored as User.dat and System.dat in Win9X/ME Systems. In Win2000 and above, the Registry is split up and each main Branch has its own .DAT file (like ntuser.dat, system.dat), situated in different Folders.

Hi

Posted on 12:35 by Unknown
Testing