Monday, December 29, 2008

Things I learnt from a virus

This morning my colleague came up to me and told me that my system was pumping a hell of a lot of traffic into the office network. He suspected it to be a virus attack... so it became my responsibility to get it out of the system...

So I started off by downloading Ethereal to analyze the packets going out from my system. I came to know that the virus was pumping ICMP packets at regular intervals. Next was to identify which process was the culprit. That's when Subbu helped me out. He told me about "Process Monitor" from the "Sysinternals Suite". Using this tool I identified that the process named csrcs.exe was using icmp.dll. This executable is found within the system32 folder. [was found hidden]

Now deletion from the registry:
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- Delete the entry for csrcs.exe

2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- Remove the value csrcs.exe. Do keep Explorer.exe [Don't mess it up]
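An added example, not part of the original post: a PowerShell audit of the two persistence locations listed above. It assumes a Windows PowerShell session with rights to read HKLM, uses the csrcs.exe name from the post as the indicator, and its repair step resets Shell to explorer.exe alone, which is exactly the caveat the post gives.

```powershell
# Added audit script, not from the original post. Assumes a Windows PowerShell
# session with rights to read HKLM; csrcs.exe is the indicator the post names.
$Indicator = 'csrcs.exe'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-SuspiciousAutostarts {
    $findings = @()
    # 1. Policies\Explorer\Run: each value here is a command line launched at logon.
    #    This key is normally empty on an unmanaged workstation, so list every
    #    value and mark the ones that reference the indicator.
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's metadata properties
            $findings += [pscustomobject]@{
                Location = "$RunKey\$($p.Name)"
                Value    = $p.Value
                Match    = [bool]($p.Value -match [regex]::Escape($Indicator))
            }
        }
    }

    # 2. Winlogon\Shell: should be exactly "explorer.exe". Malware appends itself
    #    ("explorer.exe csrcs.exe" or comma-separated), so split the value into
    #    tokens and flag every token that is not explorer.exe.
    $shell = (Get-ItemProperty -Path $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) {
        $tokens = $shell -split '[,\s]+' | Where-Object { $_ }
        foreach ($t in ($tokens | Where-Object { $_ -ne 'explorer.exe' })) {
            $findings += [pscustomobject]@{
                Location = "$Winlogon\Shell"
                Value    = $shell
                Match    = [bool]($t -match [regex]::Escape($Indicator))
            }
        }
    }
    return $findings
}

function Repair-WinlogonShell {
    # Resets Shell to explorer.exe alone, dropping any appended entries while
    # keeping Explorer intact, the caveat the post stresses. Run only after
    # reviewing the findings above; needs an elevated session.
    Set-ItemProperty -Path $Winlogon -Name Shell -Value 'explorer.exe'
}

Get-SuspiciousAutostarts | Format-Table -AutoSize
```

The audit only reports; removing a flagged Run value is a separate Remove-ItemProperty on the reported Location once you have confirmed it is not a legitimate Group Policy entry.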

I googled this virus and learned the following:
Name:
W32.Spybot.CF Virus

Details:
This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking :( and personal data. This process is a security risk and should be removed from your system. It is not a Windows system file. The program listens for or sends data on open ports to the LAN or Internet. csrcs.exe is able to hide itself and monitor applications. Therefore the technical security rating is 100% dangerous.


Don't know what information I have lost so far... But at least I can feel safe that I found it before it's too late...

Tuesday, December 23, 2008

Visual Studio 2005 build issue

Issue:
While trying to build a project in Visual Studio 2005, I got the following output:

Embedding manifest...
Project : error PRJ0003 : Error spawning 'cmd.exe'.
Fix:
Change the MSVS 2005 options (Tools menu > Options > Projects and Solutions > VC++ Directories) to ensure that
$(SystemRoot)
$(SystemRoot)\System32
$(SystemRoot)\System32\wbem
are specified BEFORE $(PATH). The build spawns cmd.exe from these directories, so if $(PATH) comes first and does not resolve cmd.exe, the manifest step fails with PRJ0003.

If these are not already present, add them manually, in that order and before $(PATH).