Most computer users want to understand the AutoRun feature, and how unknown viruses get into their systems without their knowledge.
Most viruses are carried in by innocent users on their pen drives (USB flash drives).
When the drive is inserted, Windows reads its autorun.inf file, which is usually marked hidden, system and read-only so that it does not show up in Explorer.
Windows Vista guards the feature: the AutoPlay dialog asks the user whether to run the program the file names (most likely a virus). Windows XP runs it without asking from CD/DVD media, and on any drive the file can make that program the drive's default action, so simply double-clicking the drive in My Computer launches it.
Right after inserting the drive, you can check whether it carries a hidden autorun.inf without double-clicking the drive icon: from a command prompt run dir E:\ /a (substitute your drive letter; the /a switch lists hidden and system files too).
To disable the feature, open the registry value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(a REG_DWORD). It is a bitmask of the drive types for which AutoRun is switched off: 0x01 and 0x80 unknown, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk. Set it to 0xFF (decimal 255) to disable AutoRun for every drive type. A value of 0 does the opposite and enables it everywhere, so do not use 0; the often quoted 0x91 still leaves removable drives and CD-ROMs enabled. The same value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer applies to all users of the machine and overrides the per-user setting.
See ref. http://autorun.moonvalley.com/enable.htm
An autorun.inf file contains commands like these:
[autorun]
open=filename.exe /argument1
icon=\foldername\filename.dll,5
shell\install = &Install
shell\install\command = setup.exe
shell\uninstall = &UnInstall
shell\uninstall\command = Uninstall.exe
shell\readme = &Read Me
shell\readme\command = notepad readme.txt
shell\help = &Help
shell\help\command = helpfilename.hlp
Here the .exe files are the viruses (names changed), but not always: a legitimate installer uses exactly the same keys, and that is why malware authors rely on them, so that novice users get the program installed on their system without ever choosing to.
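The following is an added example, not code from the original post: a small Python script that decodes a NoDriveTypeAutoRun value into the drive types it actually protects, and parses an autorun.inf to list every command the file can launch, including the verb a double-click on the drive would trigger. The sample autorun.inf is constructed from the listing above (with an extra shell= line); in practice the value comes from reg query and the file from type E:\autorun.inf.

```python
# Added example: triage helpers for the AutoRun settings and autorun.inf format
# discussed above. Not code from the original post. The sample autorun.inf is
# constructed; the registry value would normally be read with
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
import re

# Bits of the NoDriveTypeAutoRun REG_DWORD; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (hard disks)",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "unknown (no root directory)",
}
ALL_DRIVE_TYPES = 0xFF


def autorun_disabled_for(value):
    """Drive types for which this NoDriveTypeAutoRun value switches AutoRun off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def is_autorun_fully_disabled(value):
    """True only when every drive-type bit is set, i.e. the value is 0xFF."""
    return value & ALL_DRIVE_TYPES == ALL_DRIVE_TYPES


def parse_autorun(text):
    """Parse the [autorun] section into {key: value}. INF keys are case-insensitive,
    ';' starts a comment, and keys may contain backslashes (shell\\verb\\command)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, val = line.split("=", 1)
            entries[key.strip().lower()] = val.strip()
    return entries


def launchable_commands(entries):
    """Every command line the file can start, paired with the key that triggers it:
    open= / shellexecute= run automatically where AutoRun is enabled, and each
    shell\\<verb>\\command= becomes an entry on the drive's right-click menu."""
    cmds = [(k, entries[k]) for k in ("open", "shellexecute") if k in entries]
    for key, val in entries.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            cmds.append(("shell\\" + m.group(1), val))
    return cmds


def default_verb(entries):
    """shell= names the verb Explorer runs on double-click; worms set it so that
    opening the drive itself launches the payload."""
    return entries.get("shell")


def suspicious(entries):
    """Reasons not to trust this autorun.inf."""
    reasons = []
    if "open" in entries or "shellexecute" in entries:
        reasons.append("starts a program automatically (open/shellexecute)")
    verb = default_verb(entries)
    verb_cmd = "shell\\%s\\command" % verb.lower() if verb else None
    if verb_cmd and verb_cmd in entries:
        reasons.append("double-clicking the drive runs: " + entries[verb_cmd])
    return reasons


# Constructed sample modelled on the listing above (note the extra shell= line).
SAMPLE_AUTORUN = r"""[autorun]
open=filename.exe /argument1
icon=\foldername\filename.dll,5
shell=install
shell\install=&Install
shell\install\command=setup.exe
shell\readme=&Read Me
shell\readme\command=notepad readme.txt
"""

if __name__ == "__main__":
    print("0x91 disables AutoRun on:", autorun_disabled_for(0x91))
    print("0xFF fully disabled:", is_autorun_fully_disabled(0xFF))
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for key, cmd in launchable_commands(parsed):
        print("%-16s -> %s" % (key, cmd))
    for reason in suspicious(parsed):
        print("WARNING:", reason)
```

The parser deliberately does not trust the icon= or the menu labels: the only thing that matters for triage is which command lines the file can cause to run, and through which trigger.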
The same malware usually also changes settings from a script placed in the Autorun locations, for example a VBS file that writes
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","0","REG_DWORD"
so that hidden files are no longer shown in Explorer even after the user selects "Show hidden files and folders" in Folder Options
(note that the virus can stay unknown as long as it stays hidden).
These are the registry entries most often used for Autorun (autostart) placement:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(The RunServices keys are only processed by Windows 95/98/Me; XP ignores them, but malware written for both still drops entries there, so they are worth checking.)
Similarly, some place their file in the Userinit entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
with a value like
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\kill_antivirus.vbs
Here kill_antivirus.vbs is a virus script run by wscript.exe (note that wscript.exe is the Windows Script Host, a legitimate Windows program; the script is the problem, not the host).
Edit the data so that only
C:\WINDOWS\system32\userinit.exe,
remains (the clean value ends with a comma). Be careful: if you delete the whole value, nobody will be able to log in next time.
Before deleting the script, note its path and open it with Notepad.
You can then read the whole script: the files it creates, the settings it changes, and so on.
Next check the Shell value in the same key.
It should contain only Explorer.exe. But see my next post: Explorer.exe itself can be a virus too (the genuine file lives in C:\WINDOWS, not in system32).
Don't delete it if it carries a valid Windows signature; otherwise you need a clean Explorer.exe from the original source.
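As an added example (not code from the original post), the checks described above for the Userinit value, the Shell value and the Run keys, written as Python functions over the values as reg query prints them. The snapshot is constructed: the Userinit value is the one quoted in the post, the Run entries and the antivirus path are made up, and C:\WINDOWS is assumed to be the Windows folder.

```python
# Added example, not from the original post: audit Winlogon Userinit/Shell and
# Run-key command lines. Inputs are strings as printed by `reg query`.
# Assumptions: Windows folder is C:\WINDOWS; the snapshot below is constructed.
import re

WINDIR = r"c:\windows"
USERINIT = WINDIR + r"\system32\userinit.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")


def _tokens(cmd):
    """Split a command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _basename(path):
    return path.replace("/", "\\").rpartition("\\")[2].lower()


def script_targets(cmd):
    """Script files named on a command line: open these in Notepad before deleting."""
    return [t for t in _tokens(cmd) if t.lower().endswith(SCRIPT_EXTS)]


def audit_userinit(value):
    """Userinit is a comma-separated program list; the clean value is
    'C:\\WINDOWS\\system32\\userinit.exe,' (trailing comma included).
    Returns (suspect entries, repaired value). userinit.exe is restored if it
    is missing, because without it nobody can log in."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    good = [p for p in parts if p.lower() == USERINIT]
    extras = [p for p in parts if p.lower() != USERINIT]
    keep = good[0] if good else r"C:\WINDOWS\system32\userinit.exe"
    return extras, keep + ","


def audit_shell(value):
    """Shell must be exactly Explorer.exe (resolved from C:\\WINDOWS). Returns entries
    that are not explorer.exe, or an explorer.exe from the wrong directory."""
    bad = []
    for p in (x.strip() for x in value.split(",") if x.strip()):
        if _basename(p) != "explorer.exe":
            bad.append(p)
        elif "\\" in p and p.lower() != WINDIR + r"\explorer.exe":
            bad.append(p)
    return bad


def audit_run(entries):
    """entries: {value name: command line} from a Run/RunOnce key. Flags anything
    started through a script host or pointing at a script file."""
    findings = []
    for name, cmd in entries.items():
        toks = _tokens(cmd)
        if toks and _basename(toks[0]) in SCRIPT_HOSTS:
            findings.append((name, "started via " + _basename(toks[0])))
        elif script_targets(cmd):
            findings.append((name, "runs script " + script_targets(cmd)[0]))
    return findings


# Constructed snapshot: Userinit copies the post's example, the rest is invented.
SNAPSHOT = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\kill_antivirus.vbs",
    "Shell": "Explorer.exe",
    "Run": {
        "ExampleAV": r'"C:\Program Files\ExampleAV\avshield.exe" /minimized',
        "SysUpdate": r"wscript.exe C:\WINDOWS\system32\kill_antivirus.vbs",
    },
}

if __name__ == "__main__":
    extras, repaired = audit_userinit(SNAPSHOT["Userinit"])
    print("Userinit extras:", extras)
    print("Scripts to read first:", [s for e in extras for s in script_targets(e)])
    print("Repaired Userinit:", repaired)
    print("Shell problems:", audit_shell(SNAPSHOT["Shell"]))
    print("Run findings:", audit_run(SNAPSHOT["Run"]))
```

The repaired Userinit value keeps the existing userinit.exe entry rather than rewriting it, so a machine whose Windows folder is not C:\WINDOWS still logs in; only the fallback used when the entry was deleted altogether depends on the assumed path.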
See you again if something new is found.
Good luck
Sunday, July 27, 2008
Tuesday, December 25, 2007
Know Your Startup
Different users run various applications on their computers,
and Windows in particular has a large range of applications.
Some of these applications need to run at startup for the user's convenience.
Because Windows applications are configured automatically for the user's ease, this can sometimes become a threat: virus writers can easily find the services that start on a computer and attack or imitate them.
Some applications remove their files on uninstall, but their traces remain in the registry or in other files.
Most of my clients' computers have been found infected with viruses and worms that start at startup.
With a little care on the user's side, you can easily manage the problems you face on your computer.
If you feel the system is behaving oddly, most probably the cause is a virus (a malfunctioning application) running at startup.
How to control malfunctioning applications?
One good approach is to check the process list together with the load each process causes; you can also choose additional options to see which application a process originated from.
See www.neuber.com and download Security Task Manager; a trial version is available.
Once you know the running processes, you can easily tell which application is behaving abnormally on your computer.
Some viruses and trojans are found running from several locations.
First you need to know whether you are running applications with the authority to create files in the %System% or %Windows% folder (that is, as an administrator).
If you are, such applications may have created files in those locations; mark them out, since these files are most often hidden.
These applications target the tools that could kill them: antivirus, Task Manager, the command prompt and other important tools.
They can also run from an autorun.inf file that they create in what they take to be safe locations:
%windows%, %System% and %root%
(Windows itself only honours autorun.inf in the root of a drive, %root%; the copies in the other two folders are still worth reading because they name the executable.)
Read the autorun.inf file in these locations and delete the applications it points to; if you are not sure and think they are usable files, delete only the autorun.inf file. The hidden, system and read-only attributes have to be cleared first, e.g. attrib -h -s -r autorun.inf.
The next location is the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
There should be just --> explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
(and the same Run and RunOnce keys under HKEY_CURRENT_USER, which are written per user and need no administrator rights)
Make sure that only the applications really required, such as the antivirus, are present in these keys,
and analyze anything else that is running and misbehaving.
Most abnormal applications look just like essential Windows files with only a letter or two changed in the name, or they carry the right name but run from the wrong folder; check these out.
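An added example, not code from the original post, of the last check above: it flags processes whose names are within one or two character edits of a core Windows executable, and processes that carry a genuine name but run from the wrong folder. The input is a list of executable paths such as wmic process get name,executablepath prints; the list below is constructed, and C:\WINDOWS as the Windows folder is an assumption.

```python
# Added example, not from the original post: spot lookalike process names and
# genuine names running from the wrong directory. Input: executable paths, as
# printed by  wmic process get name,executablepath
# The process list below is constructed; C:\WINDOWS as the Windows folder is assumed.

# Core XP processes and the only directory each legitimately runs from.
KNOWN_SYSTEM = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions and substitutions
    needed to turn a into b (a swapped pair of letters counts as two)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, max_edits=2):
    """None if the process looks legitimate, otherwise a reason string."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    if name in KNOWN_SYSTEM:
        if directory != KNOWN_SYSTEM[name]:
            return "%s running from %s instead of %s" % (name, directory, KNOWN_SYSTEM[name])
        return None
    stem = name[:-4] if name.endswith(".exe") else name
    for known in KNOWN_SYSTEM:
        d = edit_distance(stem, known[:-4])
        if 0 < d <= max_edits:
            return "%s is %d edit(s) away from %s" % (name, d, known)
    return None


def triage(paths):
    """(path, reason) for every process worth a closer look, in input order."""
    findings = []
    for path in paths:
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed process list: two lookalikes, one misplaced explorer.exe, three clean.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svch0st.exe",
    r"C:\WINDOWS\scvhost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\explorer.exe",
    r"C:\Program Files\ExampleAV\avshield.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PROCESSES):
        print("%-45s %s" % (path, reason))
```

A distance of two catches both a digit swapped for a letter (svch0st) and two letters transposed (scvhost), which is why the threshold is not one; a short legitimate name may occasionally land within two edits of a system name, so treat the output as a list to inspect, not a verdict.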
Good luck,
If you have more,
write to meromarqu@gmail.com