Monday, December 29, 2008

Things I learnt from a virus

Today morning my colleague came upto me and told me that my system is pumping a hell lot of traffic in the office network. He suspected it to be a virus attack..so it became my responsibility to get it out of the system...

So started off with downloading Ethereal to analyze the packets going out from my system. Came to know that the virus was pumping ICMP packets at regular intervals. Now next was to identify which process was the culprit. Thats when Subbu helped me out. He told me about "Process Monitor" provided by "Sysinternal Suite". Using this tool I identified, the process named csrcs.exe was using the icmp.dll. This executable is found within system32 folder. [was found hidden]

Now deletion from registry:
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
-Delete entry for csrcs.exe

2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
-Remove the value csrcs.exe. Do maintain Explorer.exe[ Dont mess it up ]

I googled about this virus. Learned the following things:
Name:
W32.Spybot.CF Virus

Details:
This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking :( and personal data. This process is a security risk and should be removed from your system.It is not a Windows system file. Program listens for or sends data on open ports to LAN or Internet. csrcs.exe is able to hide itself, monitor applications. Therefore the technical security rating is 100% dangerous.

Click for more info about icmp.dll

Dont know what all information I have lost till now...But atleast i can feel safe that I found it before its too late...

Tuesday, December 23, 2008

Visual Studio 2005 build issue

Issue:
While trying to build a project in Visual Studio 2005, got the follwing output:

Embedding manifest...
Project : error PRJ0003 : Error spawning 'cmd.exe'.


Fix:
Change the MSVS 2005 options (Tools menu > Options > Project and Solutions > VC++ Directories) to ensure that
$(SystemRoot)
$(SystemRoot)\System32
$(SystemRoot)\System32\wbem
are specified BEFORE $(PATH)

If these are not already added, we need to manually add them in order and before $(PATH)

Sunday, November 30, 2008

Attack the virus!

My system got infected a few days back.. I did not have any anti-virus software running .. (I know I know...I should have one!!!)

The virus blocked me from editing registry. Gave me the following pop up.


Initially, it did not trouble me much, because if I wanted to edit the registry I could just do some steps and I will be back to normal. But then yesterday, when I had some time to spare, I thought why not find the root-cause and remove it..Why should I allow it to run without my acknowledgment. Yes, the easier way was to install the anti-virus..So being lazy as usual, I installed AVG1.75 but , my bad luck, this virus remained undetected..So I thought, after all it is developed by another software engineer..If that person can spend time to write a virus...I could spend time to remove it too...

So I sat down found out the steps to remove it...and here you go.....

Symptoms:
Whenever we plug in a USB stick, it creates an executable "NewFolder.exe"
If we have a folder named "Phoenix", it will create an exe named "Phoenix.exe" within it.

Analysis:
In the task manager, you could find two instances regsvr.exe
If we kill these two instances from the task manager, as long as we don't log out, its fine.
On a reboot or a log-off + login, these instances are again there.

Searched for regsvr.exe. Found out that regsvr.exe was placed in two folders
1. c:\windows
2. c:\windows\system32

If it starts on login, it means it has hijacked the registry for WinLogon. And for sure, it has done something on registry..why else will it stop you from editing the registry :)

So first things first.....

1. Get your registry editing power back.

Do the following:
Go to Run -> Type gpedit.msc
In that Local ComputerPolicy ->User Configuration ->Administartive Templates->System

Within System, we have an entry stating "prevent access to registry editing tools". Double click it.
If it is "Not Configured" or "Disabled", set it as "Enabled" first and save. Then again change it to "Disabled".

Your powers are back...Congrats!!!

2. Delete the instances from taskmanager.

3. Remove the files from the directories:
a) c:\windows
b) c:\windows\system32

4. Lets edit the registry..If you are scared..forget it...Your virus is removed anyways...

Go to Run. Type regedit

Go to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
In that the value for Shell will contain "Explorer.exe regsvr.exe". Replace it as "explorer.exe"

There you are...Your virus is removed !!

I am still searching for the virus name......

Command lines in windows

I was not keen about working on command lines..but I was usually asked my colleagues about what is the particular command in windows for a corresponding command in Linux..Working on windows from command line..aah..I never knew the answer but i googled.. and there are actually commands but we rarely use them...

So some of the things I wish I could remember..so that next time some person well-versed in Linux asks me some doubts..I might be able to stand up to them. You can easily Google and find them...I am blogging for my ease..

All these have worked on Windows XP

1. To start a process
start
eg: start notepad

2.To kill a process
tskill
eg: tskill notepad

3. To list the processes that are running
tasklist

4. To start a service
sc start

5. To stop a service
sc stop

6. To query the status of a service
sc query

7. To get system information
systeminfo

8. To get time
time

9. To display disk information
vol

10. To configure IP
ipconfig

11. Manipulating the network routing tables
route

12. Execute a program under a different user account
runas

Maybe I will add more information in the future..

Are you lazy?? Then this one is for you !!

Are you so lazy enough that you need a short cut for locking your system. The contemporary way is to press Ctrl+Alt+Del and choose "lock computer" or more simpler "Win key + L". Well now I am saying a more simpler one ;)
Double click an executable on your desktop and you are done.

I tried to upload an exe for you all but alas..blogger stopped me from uploading..So life is not so easy..But still..you can invest some time now and be lazy later, right? So, i can tell you the steps to get your exe done.. The whole magic is done by just a single Windows API "LockWorkStation() ". So if you know about this already, then you already know this stuff!!

For those who still think they want to know..Here we go!
1. Firstly create a Win32 application.
2. In the InitInstance, call LockWorkStation()
3. Call PostQuitMessage() to exit your application. That should do.

Double click your executable and your system is locked..


Code snippet:
BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
{
HWND hWnd;

hInst = hInstance; // Store instance handle in our global variable

hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);

if (!hWnd)
{
return FALSE;
}

//I dont want any window to be seen by the user, so commenting it out
//ShowWindow(hWnd, nCmdShow);
//UpdateWindow(hWnd);

//Lock your workstation
LockWorkStation();

//Quit your application
PostQuitMessage(1);

return TRUE;
}

LockWorkStation() is defined in winuser.h and needs user32.lib library.
For details: http://msdn.microsoft.com/en-us/library/aa376875(VS.85).aspx

Saturday, November 29, 2008

Exclude a program from Start Menu

An entry from my friend, Shameer ...... I think registry editing is in the air... :)

A feature of the new XP Start Menu is a list of the most frequently

used programs on the left side of the menu. Personally, I find this

section rather useless, since a program I'd want to be instantly

available I'd place either in Quick Launch or pin it to the list of programs

above this frequently used programs section.

However, if you find the feature useful but would like to exclude a

specific program from appearing here permanently:

[Start] [Run] [Regedit]

Go to Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren

tVersion\Explorer\FileAssociation\

In the right pane, double click AddRemoveApps. The [Value

Data] box contains a list of the default XP entries. To add a

program to the list, type a semicolon followed by the name of

the program executable

Example: To add Notepad, the entry would be ;notepad.exe

Add as many programs as you like and click [OK]

Exit Registry and Reboot

If you prefer not to edit the registry, you can right click on any

entry in the section and select [Remove From This List] and the

program will be removed. However, this is not a permanent solution

and the program will return eventually as it is accessed by

users.

Another option is to edit the Taskbar and Start Menu Properties

where you can set the number of entries allowed to populate this

section including a setting of zero to eliminate any programs from

being displayed.

How to enable autologin

Here is the way:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="DOMAIN"
"DefaultUserName"="USERNAME"
"DisableCAD"=dword:00000001
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
"DefaultPassword"="PASSWORD"

Explanations:

ForceAutoLogon:
In addition to logging on an account automatically, the ForceAutoLogon setting also logs you back on after you log off

Disable CAD:
Whether we need to disable CTRL+ALT+DEL on user login
0 - Users must press CTRL+ALT+DEL to log on to the system
1 - Users need not press CTRL+ALT+DEL to log on to the system

Learn to work with registries

What else could provide a better tutorial than the one and only msdn knowledgebase.

Click here to go to msdn

It gives you all information you need to work with registries.

Unblock Outlook attachments

Hacking is cool!! Don't you think so???

I am not going to say that I have discovered something new..but I did find this useful many at times..so I thought I would share it..

You all would have found that Microsoft Outlook blocks our attachments.(.exe,.bat,etc)..
It prompts us a message "Outlook blocked access to the following potentially unsafe attachments"

Since editing registries is my favorite subject..I have found the way to unblock this..Do it at your own risk..This will affect your security..but gives you a lot of freedom.. :-)

So here is the way..

1) Run regedit

2) Go to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
(The version is 12.0 for Microsoft Outlook 2007 . If it is 2003 the version is 11.0 and for 2000, the version is 9.0)

3) Add a new String Value called: Level1Remove

4) Edit it and save the value data to the extension you wish to allow like .bat or .exe separated by semicolon
Eg:.bat;.exe

5) Restart Outlook.

And you are done!!!!

Wait for more hacks to come!!!!

Hi...

Many friends of mine suggested me to maintain two different blogs..One, to pen down my personal perception and the other purely techie stuff...

I am thankful to them for their valuable comments and here I am with my second blog.."Discover Windows"...

So here, I am planning to fill up my technical learnings..

Enjoy!