Archive for category How To’s (W)

Preventing The Spread of Portable Viruses

Last week I posted about svchost.exe, an amateur, but nasty virus that spreads by copying itself to flash drives and making other computers hosts, if not fully infecting them. Luckily for you guys, I’ve kept my copy in a sandbox and poked and prodded it a little. I’ve found a few ways to protect your computer and your flash-drive.

First off, here’s a simple way to protect your computer: disable autorun. This has been the bane of security experts for a long, long time. If you run Windows 7, you’ll notice it has been disabled by default, but on Vista or XP you will need to do it manually. It should be in the control panel, under “autoplay.” This stops the virus from launching and writing itself to your computer when the drive is plugged in.

Now to your drive. To stop certain files from being written to your flash drive, we will be creating a few dummy files with the same names. First of all, we will be revealing hidden and protected files. Go to Tools -> Folder Options -> View. Check “Show Hidden Files and Folders,” then uncheck “Hide Protected Operating System Files” (in Vista, you may need to press “alt” to get to the menu bar). Here is what we will be typing into the cmd window and what you will be seeing (assuming the default directory of cmd is C:\WINDOWS\System32, the drive letter is G:\ and we are removing and replacing only svchost.exe):

C:\WINDOWS\System32>cd..

C:\WINDOWS>cd..

C:\>cd /d G:

G:\>attrib -r -s -h svchost.exe

G:\>del svchost.exe

G:\>mkdir svchost.exe

G:\>attrib svchost.exe +h +s +r

G:\>exit

Repeat for each file you want to block. What we are doing here is changing to the drive, deleting svchost.exe and replacing it with a folder of the same name, then hiding and write-protecting that folder so it isn’t easily removed. You can do this with any other file. Here’s a list of suspicious files that should be blocked:

  • New Folder.exe*
  • Heap41a.exe
  • ravmon.exe
  • svchost.exe
  • autorun.inf

As previously mentioned, portable viruses can spread at work or at school. The best way to prevent it from spreading is to disable autorun on all the work/school computers. Contact your computer technician about that.

I’m working on batch scripts that will do this for you if you want. I’ll get them posted as soon as possible.

*Because of the space in this name, you will need to type mkdir “New Folder.exe”.
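The same procedure as a batch script, added here as an example (it is not the script the post promises and not the blog’s own code). It takes the drive letter as its only argument, clears the attributes of any existing file of each name so del can actually remove it, and then creates the hidden, system, read-only folder; “New Folder.exe” is quoted so the space does not split it. The script name block_usb.bat and the argument convention are assumptions.

```batch
@echo off
rem block_usb.bat - added example; not the script the post promises.
rem For each dropper name on the list, makes sure the flash drive holds a
rem hidden+system+read-only FOLDER of that name, so a FILE of that name
rem cannot be written there. Assumes the drive letter is the first argument.
rem Usage: block_usb.bat G:
setlocal enabledelayedexpansion
if "%~1"=="" (
    echo Usage: %~nx0 DRIVE:   e.g. %~nx0 G:
    exit /b 1
)
set "DRIVE=%~1"
if not exist "%DRIVE%\" (
    echo Drive %DRIVE% not found.
    exit /b 1
)
rem Quoted so that "New Folder.exe" stays one item despite the space.
for %%F in ("New Folder.exe" "Heap41a.exe" "ravmon.exe" "svchost.exe" "autorun.inf") do (
    set "TARGET=%DRIVE%\%%~F"
    if exist "!TARGET!\" (
        echo Already a folder, leaving it: !TARGET!
    ) else (
        if exist "!TARGET!" (
            rem del skips hidden/system files and refuses read-only ones, so clear attributes first.
            attrib -r -s -h "!TARGET!"
            del /f /q "!TARGET!"
            echo Deleted file: !TARGET!
        )
        mkdir "!TARGET!"
        attrib +h +s +r "!TARGET!"
        echo Created blocking folder: !TARGET!
    )
)
endlocal
```

Run it as block_usb.bat G: from a cmd window on a computer where autorun is already disabled. The trailing backslash in the if exist test is how cmd distinguishes a folder from a file of the same name, so re-running the script on an already protected drive changes nothing.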


svchost.exe: The Portable Virus

I know experimenting with malware is like playing with fire, but I just couldn’t resist this time (maybe I’ve been influenced by xkcd). Svchost.exe is a cute little amateur virus, most commonly found nestled in a flash-drive’s autorun.inf file. A PC is infected when the autorun window appears and “Open folder to view files” is clicked. It will (likely) run and take 100% of your computer’s resources. This post will help you know if your drive is infected, and how to clean the infected drive, but not remove it from your infected computer.

The first sign you will see is when you open up “My Computer.” You will see that the icon on your infected drive is a folder icon (this indicates that the autorun has been changed, and the computer does not associate it with Windows Explorer). On some computers it will not open unless you right-click -> Explore, but on others it will open the same way as usual.

The second sign is when you open the drive’s root. Go to Tools -> Folder Options -> View. Check “Show Hidden Files and Folders” (in Vista, you may need to press “alt” to get to the menu bar). Then uncheck “Hide Protected Operating System Files.” Once you reveal them, look for two files: svchost.exe and autorun.inf (these are the only two files I saw, but there are other cases where there are others. If you encounter any, look them up before deleting them).

To be sure, open up the autorun.inf file and look at its contents. If you see the following anywhere in the file, your flash-drive is infected:

[autorun]
shell=verb
open=svchost.exe
action=Open folder to view files
shell\open=open
icon=%systemroot%\system32\SHELL32.dll, 4
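An added checker script (not from the post) that automates this look at autorun.inf: it prints the file, flags the strings from the infected sample above, and separately shows any line that makes autoplay launch a program. It assumes the drive letter is the first argument; the name check_autorun.bat is made up.

```batch
@echo off
rem check_autorun.bat - added example, not part of the original post.
rem Prints a flash drive's autorun.inf, flags the strings from the infected
rem sample (dropper names, the fake "Open folder" action) and shows which
rem lines, if any, hand control to a program on autoplay.
rem Usage: check_autorun.bat G:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 DRIVE:   e.g. %~nx0 G:
    exit /b 1
)
set "INF=%~1\autorun.inf"
if not exist "%INF%" (
    echo No autorun.inf on %~1 - nothing to check.
    exit /b 0
)
echo ---- %INF% ----
rem type reads hidden/system files even when Explorer hides them.
type "%INF%"
echo ----------------
set "HIT=0"
rem Strings from the infected sample; /i ignores case, /c: treats each as a literal.
for %%P in ("svchost.exe" "heap41a.exe" "ravmon.exe" "new folder.exe" "open folder to view files") do (
    findstr /i /c:%%P "%INF%" >nul
    if not errorlevel 1 (
        echo INFECTED MARKER: %%~P
        set "HIT=1"
    )
)
rem These keys are not proof by themselves (some vendor drives use them), but
rem they are what makes autoplay run something, so show what they point at.
findstr /i /r /c:"^open=" /c:"^shellexecute=" /c:"command=" "%INF%" >nul
if not errorlevel 1 (
    echo NOTE: this autorun.inf launches a program on autoplay:
    findstr /i /r /c:"^open=" /c:"^shellexecute=" /c:"command=" "%INF%"
)
if "%HIT%"=="1" (
    echo RESULT: drive %~1 matches the infected sample - clean it as described below.
    exit /b 2
)
echo RESULT: no known infection markers on %~1.
exit /b 0
```

Because the script only reads the file with type and findstr, it is safe to run on a suspect drive as long as you open cmd yourself rather than double-clicking the drive; the exit code (2 for a match) lets you chain it from another script.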

To remove the virus, go on a computer where you have administrator access and rights, and simply delete those two files (as I said before, look up any other files before deleting them).

This should work, it did for me. Leave a comment if it didn’t and I’ll be happy to help.


Run Portable Ubuntu 7.10 in Windows

I know my posting frequency lately has been rather erratic, but I plan to work out a solid schedule later, assuming all my other assumptions hold through.

If you’re like me, you really want to switch to Linux, but for one reason or another, you can’t really leave Windows. You could dual-boot, but why not try it out first? You could make a bootable flash-drive, but this is way cooler. With this handy bit of software, you can actually run Ubuntu 7.10 inside your current Windows operating system! Here’s how to do it:

1. Get your hands on a 1 GB+ flash-drive. The faster the better.
2. Download QPU710.exe here.
3. Download the Ubuntu 7.10 ISO here (this will take a while, so grab some Pepsi and crank up the Billy Joel).

4. Extract QPU710.exe to your (empty) flash-drive.
5. Copy the Ubuntu 7.10 ISO to the newly created QPU710 folder.
6. Run QPU710.bat and install the QEMU Accelerator to your flash-drive’s root folder.
7. Once it’s done, Ubuntu should start to boot. Do not close this window!

8. While it’s booting, hit “f6” to open the boot options and type in “persistent” (without the quotations).

9. Ubuntu will take a few minutes to boot, so in the meantime, learn these shortcuts:

  1. Ctrl-Alt to switch between Ubuntu and Windows.
  2. Ctrl-Alt-F to switch between full-screen and windowed modes (this didn’t work for me thanks to my wide-screen monitor).
  3. Ctrl-Alt-2 to switch to the QEMU Monitor.
  4. Ctrl-Alt-1 to switch back to Ubuntu.

10. When it boots, have fun, you’re using Linux – inside Windows! Guaranteed to impress your friends!

11. When you want to close Ubuntu, click shutdown and wait to be prompted to hit “enter.” Do not remove the flash-drive. When it tells you “System Halted,” you can Ctrl-Alt back to Windows, close the windows and remove your flash-drive.

Have fun!


TSSTcorp CDDVDW TS-L633M CD/DVD Reader Fix

Warning: This post contains very specific technical language that may be unsuitable for liberal-arts majors. Viewer discretion is advised.

My friend recently bought a new HP ProBook 4710s. The first thing he did when he first booted it up was install Norton 360 (shut up you open-source imperialists, Norton works). He put the CD in, it spun and… Nothing. He checked “My Computer” and the drive wasn’t even there. He brought it back to Staples and all they could think to do was re-format for $80.00. My friend decided to leave it there so they could see what they could do without charging him (for some strange reason, whenever a computer’s really screwed up, system restore stops working and it’s not covered by your warranty). The next day, Staples called him and said there was nothing they could do. He took it back and called me. Why I was his last resort, I will never know. I fixed it anyways.

If you have the same problem, here’s how to fix it:

1. Open “regedit” (Start -> Run -> regedit, or in Vista, Start -> type in “regedit”)

2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

3. Click UpperFilters in the right pane.

4. Back up the key by selecting it and clicking File -> Export.

5. Now, delete the key from the registry (but not UpperFilters.bak)

6. Under the same directory, click LowerFilters.

7. Back up that key.

8. Delete it.

9. Reboot and hope for the best.

Note: If you need to re-add those entries to the registry, double-click the exported .reg files. If you go a week without problems, delete those files to avoid accidentally re-adding them (and re-creating the problem).
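The same nine steps as an added batch script (not the post’s own), for running from an elevated cmd on Vista or later. It exports the whole class key once, which backs up both values in a single .reg file, and then removes UpperFilters and LowerFilters only where they actually exist. The script name and the backup path on the Desktop are assumptions.

```batch
@echo off
rem fix_cdrom_filters.bat - added example, not the post's own script.
rem Same steps as above, run from an elevated cmd on Vista or later:
rem back up the CD/DVD class key once, then remove UpperFilters and
rem LowerFilters if they exist. Backup path is an assumption.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}"
set "BACKUP=%USERPROFILE%\Desktop\cdrom-class-backup.reg"

rem Steps 4 and 7: exporting the whole key saves both values in one .reg file.
reg export "%KEY%" "%BACKUP%" /y
if errorlevel 1 (
    echo Backup failed - leaving the registry untouched.
    exit /b 1
)
echo Backup written to %BACKUP%

rem Steps 5 and 8: show what each value held, then delete it.
for %%V in (UpperFilters LowerFilters) do (
    reg query "%KEY%" /v %%V >nul 2>&1
    if not errorlevel 1 (
        reg query "%KEY%" /v %%V
        reg delete "%KEY%" /v %%V /f
    ) else (
        echo %%V is not set - nothing to remove.
    )
)
echo Step 9: reboot. To undo, double-click %BACKUP% to re-import, then reboot again.
```

The values hold the names of filter drivers that other software (CD-burning or virtual-drive tools, for instance) registered on the class, so printing them before deletion tells you which program you may need to reinstall or update if you want its features back; the exported .reg file is the only way to put exactly the old list back.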

Funny story, a week later he got a call from Staples telling him that his computer had been re-formatted and was ready to be picked up. My friend told the man he already had his computer, and a quick check of ID numbers confirmed they had wiped the wrong computer…

It would suck to be the guy who asked for a battery replacement and got an empty hard-drive.


What Ever Happened to “Last Used?”

Everyone knows the “programs and features” panel in the control panel. It’s where we go to un-install programs, but it has changed quite a bit since Windows XP. For one, it looks more like an Explorer window than ever before. But there are a few features that seem to be missing in the Vista version, things like the “last used” column or the “date installed” column. I always found these very useful in XP, so their disappearance in Vista upset me. After messing around with Explorer for a bit, I found out how to get them back! Simply right-click on the column bar (in Details view), select “More” and choose the columns you want.

(Screenshot: the “Last Used” column restored in Programs and Features)
