Thursday, December 11, 2008

W32.Downadup

W32.Downadup is a worm that spreads by exploiting the Server service RPC vulnerability in Windows, the flaw fixed by the MS08-067 update.
SYMPTOMS
*. Internet Explorer displays a "Page cannot be displayed" message after 3-4 minutes of loading a page, and the message remains until the next restart, after which the same thing repeats.
*. Mozilla Firefox gives you a blank page.
*. Network PCs ping normally, but shared drives are sometimes not available.
*. There is a 'WWW' exception in Windows Firewall with a unique port number.
*. No suspicious processes are visible in Task Manager.
*. No relevant startup entries in 'msconfig'.
*. At the command prompt, "netstat -aon" shows a lot of activity on ports 445 and 139 with unknown IP addresses (SYN_SENT).

SOLUTION
Run Symantec Antivirus with the latest update (20081210-009-x86.exe). Run a complete scan of the system. This should detect W32.Downadup as espceao[1].jpg. There may be more entries in the System32 folder named 'tsozzqlj.dll' and 'kmqohj[2].dll'.




The virus/worm will be quarantined. Let the scan complete.
Now go to Control Panel, open Firewall, click the Exceptions tab and look for an entry called 'WWW'. If it is there, delete it.
Restart your system. That should kill the problem.
If the above worms are not detected, you may boot into Safe Mode and run the virus scan. Otherwise you may also remove the files manually.
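The netstat symptom listed above can be checked mechanically rather than by eye. The following is an added Python example, not part of the original post: it parses "netstat -aon" output (a constructed sample is embedded) and reports any process that has several half-open SYN_SENT connections to ports 445 or 139, the scanning pattern described in the symptoms.

```python
# Added example, not from the original post: spot the netstat pattern the
# symptoms describe -- one process with many half-open (SYN_SENT) connections
# to the SMB ports 445 and 139. The sample output below is constructed.
import re
from collections import Counter

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1044      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.20:1051      10.44.12.7:445         SYN_SENT        1156
  TCP    192.168.1.20:1052      203.0.113.9:445        SYN_SENT        1156
  TCP    192.168.1.20:1053      198.51.100.23:139      SYN_SENT        1156
  TCP    192.168.1.20:1054      198.51.100.77:445      SYN_SENT        1156
  UDP    0.0.0.0:445            *:*                                    4
"""

SMB_PORTS = {445, 139}
# proto, local, remote, then State (TCP) or PID (UDP), then an optional PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from 'netstat -aon' output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, remote, state, pid = m.groups()
        if proto == "UDP":
            # UDP rows have no State column, so the fourth field is the PID.
            state, pid = "", state
        rows.append((proto, local, remote, state, int(pid) if pid else None))
    return rows

def smb_syn_sent_by_pid(rows, threshold=3):
    """Map PID -> number of SYN_SENT connections to 445/139, keeping only PIDs
    at or above the threshold. A worm probing the network shows up here."""
    counts = Counter()
    for proto, local, remote, state, pid in rows:
        if proto == "TCP" and state == "SYN_SENT":
            port = int(remote.rsplit(":", 1)[1])
            if port in SMB_PORTS:
                counts[pid] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for pid, n in smb_syn_sent_by_pid(parse_netstat(NETSTAT_SAMPLE)).items():
        print("PID %d has %d half-open SMB connections - inspect it" % (pid, n))
```

Run it against a real capture by piping "netstat -aon" into a file and passing the file contents to parse_netstat; the PID it reports is the one to look up in Task Manager.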


Friday, March 21, 2008

WINDOWS RESTARTING AGAIN & AGAIN

Fed up with endless POSTing while trying to boot into Windows? You are presented with the boot option menu asking you to select how to start, and after selecting any of the options the machine restarts again without even a warning. Here is a small solution you may try.
Again we will have to use the Recovery Console. Select the CD drive as your first boot device in the BIOS. Insert the Windows XP CD into your drive and restart the machine. You will be prompted to 'Press any key to boot from CD'. After pressing a key, the Setup drivers will load and finally you will be greeted with the Windows Setup screen.
Press R to proceed. You will be prompted to select your OS installation; normally you enter '1', provided your OS is loaded on the C drive. Then you will be prompted for your PC's local Administrator password, and after entering it you reach a command prompt: C:\WINDOWS>

Here type the command FIXBOOT and press Enter. (This command writes a new boot sector onto your PC's system partition.) Accept the warnings or confirmations. You will be prompted to restart your PC, or simply type EXIT to restart. The next time, your PC should boot normally. Try this and let me know.

If the problem still persists, follow the same route and try FIXMBR instead of FIXBOOT to get your Master Boot Record repaired. This one is a bit risky, as Microsoft says there is a chance of making your hard drive unusable. But I have tried this and it worked well for me in more than 50 cases.


Thursday, March 20, 2008

CONTROL PANEL SHORTCUTS

You can reach all of the Control Panel applets through commands. Go to Start Menu >> Run, enter one of the following commands and see what you get. Learn the following by heart and one day you will thank me.

CONTROL - Control Panel
ACCESS.CPL - Accessibility options
APPWIZ.CPL - Add/Remove Programs / Windows Components
DESK.CPL - Display Properties
FIREWALL.CPL - Windows Firewall
HDWWIZ.CPL - Add Hardware
INETCPL.CPL - Internet Properties
INTL.CPL - Regional & Language Options (Includes Date & Time format)
JOY.CPL - Game Controllers
MAIN.CPL - Mouse Properties
MMSYS.CPL - Sounds and Audio Device Properties
NCPA.CPL - Network Connections
NETSETUP.CPL - Network Setup Wizard
NUSRMGR.CPL - User Accounts
POWERCFG.CPL - Power Configuration Properties
SYSDM.CPL - System Properties
TELEPHON.CPL - Phone and Modem Options
TIMEDATE.CPL - Time & Date Properties
WSCUI.CPL - Windows Security Center
WUAUCPL.CPL - Automatic Updates

WISHING YOU THE BEST.

Monday, March 17, 2008

A DIFFERENT WAY OF BOOTING ONTO WINDOWS.

Are you tired of watching the same load progress screen of Microsoft Windows while booting? Are you bored of waiting for the progress bar to stop rolling on slow PCs? Let's go a bit the Linux way, with open booting. Let's watch all the drivers being loaded in the background to get your Windows opened. Here is that small magic.

Go to 'RUN', type C:\boot.ini and press Enter.
A text file opens with a few lines in it. Look for the line that starts with multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect. After /fastdetect you have to add /sos /NOGUIBOOT so that the line looks like this:-
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /sos /NOGUIBOOT
(Note the single space between /fastdetect and /sos, and between /sos and /NOGUIBOOT.)
Now save and close the file. Restart your PC to view the change. You'll really feel great. The boot will look similar to booting in SAFE MODE. When you want to go back to the traditional state, follow the same process and remove the strings '/sos /NOGUIBOOT'. Restart, and you will get your familiar old progress bar.

Thursday, March 13, 2008

DRIVES ARE NOT OPENING ON DOUBLE CLICK / CAN NOT FIND COPY.EXE

Many of us might have experienced the DOUBLE CLICK trouble. Usually when you double-click any drive, it opens and shows its contents. But in some cases the machine hangs or gives an error message like "Cannot find Copy.exe" or "VB Script Error" or similar. In most cases one can still right-click the drive and Explore its contents, but in some cases even this won't work.

Don't worry! This is strong evidence of an infection on your PC, or of an infection that was quarantined/deleted by your antivirus. In either case, run a complete scan of your PC with the latest antivirus updates. Does the problem still persist?

Go to Run, type X:\autorun.inf and press Enter, where 'X' is the drive letter suffering from this problem (if the problem is with the D drive, type D:\autorun.inf). A text file appears, usually with two or three lines mentioning 'Copy.exe', or there might be an ocean of letters that mean nothing to a human. Select the entire content of this file and delete it. Now close the empty file; it will ask whether to save changes. Click YES, and if your YES is accepted by the PC, your problem is solved. Simply restart your machine and double-click with full confidence; your drive will open without any tussle.

And if your YES is not accepted, and the PC says the file is read-only or hidden and doesn't permit you to save it, or prompts you to save it to another location or under another file name, press CANCEL, close the file again and click NO when prompted to save.
Now we have to take a complete turnaround. First of all we must install the RECOVERY CONSOLE for Windows, which is included in the installation CD's i386 folder.

To install the RECOVERY CONSOLE, insert the Windows XP / Windows 2003 CD into your CD drive. Go to RUN, type X:\i386\winnt32 /cmdcons and press Enter (where 'X' is the drive letter of your CD drive). Click Next in the following windows and cancel the Update Now message. Finally you reach a completion screen; press OK (FINISH). The details are available at http://santhosh.themebin.com/blog/tutorials/using-recovery-console-in-xp/

Now restart your PC and you will get a BOOT MENU with two options (provided you have only one OS loaded): one will be Microsoft Windows XP and the other Microsoft Windows Recovery Console. Use the down arrow key to select Recovery Console and press Enter. You will enter the black background of the Recovery Console. After loading the necessary services and drivers, the console will ask you to select your Windows installation (normally you enter '1', provided Windows is installed on the C drive). The console then prompts for the Administrator password, and after giving it you get the prompt C:\WINDOWS. Type CD \ and press Enter to go to the root of C:.

At the C:\ prompt type DIR and press Enter.
You will get a list of all the files and folders on the C drive. The important thing to notice is that some files are marked S, R, H or SHR. These are the file attributes: 'S' indicates a system file, 'R' a read-only file and 'H' a hidden file. 'SHR' means a file with the attributes System, Hidden and Read-only. A file with these attributes cannot be deleted or edited until the attributes are removed.

Look for a file named autorun.inf. This file will be marked with the attributes SHR. Type attrib -SHR autorun.inf (note the space after attrib) and press Enter to remove the attributes. Now you can delete autorun.inf with the command del autorun.inf

Also look for a file with a .exe extension of around 1400 KB in size (names vary, like mvo.exe, hffud.exe, vb.exe) with SHR attributes. Remove the attributes and delete the file in the same way as you did autorun.inf. Repeat this procedure on all infected drives, and after finishing, type EXIT and press Enter to restart your PC. You have now removed the DOUBLE CLICK TROUBLE successfully.
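Before deleting an autorun.inf it helps to know what it was doing. The following is an added Python example, not the post's own: it triages the raw bytes of an autorun.inf copied off a drive root, flagging launch directives that point at an executable (the 'Copy.exe' case) and the binary padding ('ocean of letters') the post mentions. Both sample files are constructed.

```python
# Added example, not from the original post: triage an autorun.inf copied
# from a drive root. It flags launch directives that point at an executable
# (the 'Copy.exe' case) and binary padding (the 'ocean of letters').
# Both sample files are constructed.
import re

SAMPLE_INFECTED = (
    b"[autorun]\r\n"
    b"open=copy.exe\r\n"
    b"shell\\open\\Command=copy.exe\r\n"
    b"shellexecute=copy.exe\r\n"
    + b"\x8f\xa2\x00\xff\x13\x7e\x91\xb0" * 6   # constructed junk bytes
)
SAMPLE_CLEAN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Backup\r\n"

LAUNCH_KEYS = ("open", "shellexecute")
EXE_RE = re.compile(r"[\w\-]+\.(exe|com|bat|cmd|scr|vbs|pif)\b", re.I)

def analyze_autorun(data):
    """Return a list of findings for raw autorun.inf bytes; [] means nothing odd."""
    findings = []
    # Legitimate autorun.inf files are plain text; junk bytes are a hiding trick.
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    if data and printable / len(data) < 0.9:
        findings.append("non-text padding: only %d%% printable"
                        % (100 * printable // len(data)))
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue  # comments, section headers and junk without '='
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\...\command= all run a program
        # on insertion or double-click, which is what the post's symptom is.
        if (key in LAUNCH_KEYS or key.startswith("shell\\")) and EXE_RE.search(value):
            findings.append("%s launches %s" % (key, value))
    return findings

if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_INFECTED):
        print(finding)
```

An icon= or label= line on its own is normal for CD images and USB sticks, so the function only reports entries that actually start a program.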

C:\Recycled\SVCHost.exe

This error haunts Windows users at each logon. In fact SVCHOST is an essential service in Windows. The message is normally caused by a residual string left behind by a Trojan-type malware that was cleaned or quarantined by an antivirus. To remove this nuisance message, a bit of registry editing is required.

For beginners: go to Run in the Start menu, type 'regedit' and press Enter. The Windows Registry Editor opens. Navigate to HKEY_CURRENT_USER and expand it, then expand further until you reach SOFTWARE > MICROSOFT > WINDOWS NT > CURRENT VERSION > EXPLORER > WINLOGON. Click the WINLOGON key in the left pane; in the right pane you will see an entry named Shell. Double-click it and a box appears with the value of the string. In the Value box you will see Explorer.exe C:\Recycled\Svchost.exe. Carefully select the text starting from C:\Recycled\Svchost.exe and delete it. The Value box should contain only Explorer.exe. Press OK, close the Registry Editor and restart your machine. That should solve the problem.