Tuesday, October 21, 2008

Attack the Virus!!

My system got infected a few days back. I did not have any anti-virus software running (I know, I know... I should have one!!!)

The virus blocked me from editing the registry and gave me the following pop-up.


Initially, it did not trouble me much, because whenever I wanted to edit the registry I could just do a few steps and be back to normal. But yesterday, when I had some time to spare, I thought: why not find the root cause and remove it? Why should I allow it to run without my acknowledgment? Yes, the easier way was to install an anti-virus. So, being lazy as usual, I installed AVG 1.75, but, my bad luck, this virus remained undetected. Then I thought: after all, it was developed by another software engineer. If that person could spend time writing a virus, I could spend time removing it too.

So I sat down, worked out the steps to remove it, and here you go.

Symptoms:
Whenever a USB stick is plugged in, it creates an executable named "NewFolder.exe" on the stick.
If the stick has a folder named "Phoenix", it also creates an executable named "Phoenix.exe" inside it (the file is named after the folder to look like something you would double-click).

Analysis:
In Task Manager you can find two instances of regsvr.exe. (Note that regsvr.exe is not a standard Windows binary; the legitimate tool for registering DLLs is regsvr32.exe, so a process with this name is suspicious by itself.)
If you kill these two instances from Task Manager they stay gone, as long as you don't log out.
On a reboot or a log-off + login, the instances are back.

Searching the disk for regsvr.exe showed that it was placed in two folders:
1. c:\windows
2. c:\windows\system32

If it starts at every login, it has hijacked one of the Winlogon registry values. And it has certainly done something else in the registry too; why else would it stop you from editing the registry :)

So first things first.....

1. Get your registry editing power back.

Do the following:
Go to Run -> type gpedit.msc
In that, go to Local Computer Policy -> User Configuration -> Administrative Templates -> System

Within System there is an entry "Prevent access to registry editing tools". Double-click it.
If it is "Not Configured" or "Disabled", set it to "Enabled" first and apply. Then change it back to "Disabled" and apply again.

(What this does: toggling the policy rewrites the DisableRegistryTools value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which is the value the virus set to lock you out. If the virus is still running it may set the value again, so re-check after step 2. gpedit.msc is not shipped with the Home editions of Windows; there you have to clear that value another way, for example with reg.exe from a command prompt.)

Your powers are back...Congrats!!!

2. Kill both regsvr.exe instances from Task Manager.

3. Remove regsvr.exe from the directories:
a) c:\windows
b) c:\windows\system32

4. Let's edit the registry. If you are scared, you can skip this, but then the Shell value will still reference the deleted file.

Go to Run. Type regedit

Go to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
In that key the value Shell will contain "Explorer.exe regsvr.exe". Replace it with "explorer.exe". (Winlogon runs every program listed in Shell at login, which is how the virus came back after each reboot.)

There you are... your virus is removed!!
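The same checks and clean-up, both the Analysis above (where the instances run from, where the copies sit on disk) and steps 1 to 4, as one script. This is an added example, not part of the original post. It assumes the file name regsvr.exe and the two drop folders described above, and it also checks the per-user Winlogon key under HKCU, which the post does not mention but which is honoured in the same way. Without -Remediate it only reports, so you can run it first to confirm the findings; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the original post): audit and optionally undo the
# persistence described above. Run from an elevated PowerShell prompt.
# Assumptions: dropped file is regsvr.exe (the legitimate Windows binary is
# regsvr32.exe), copies live in %SystemRoot% and %SystemRoot%\System32, and
# persistence is via the Winlogon Shell value.
[CmdletBinding()]
param(
    [string]$Name = 'regsvr.exe',
    [switch]$Remediate
)

$baseName = [IO.Path]::GetFileNameWithoutExtension($Name)
$dirs     = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override (assumption: same format)
)
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Analysis / step 2: running instances, with the image path so you can see
# which of the two copies is actually live.
foreach ($p in Get-Process -Name $baseName -ErrorAction SilentlyContinue) {
    Write-Host ("running: PID {0} path={1}" -f $p.Id, $p.Path)
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# Step 3: dropped copies on disk. Record a hash before deleting so the
# sample can be identified later (the post was still looking for a name).
foreach ($d in $dirs) {
    $f = Join-Path $d $Name
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Host "file: $f sha256=$hash"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# Step 4: Winlogon Shell. Anything other than a bare "explorer.exe" is a
# persistence hook; Winlogon runs every program listed here at logon.
foreach ($k in $winlogonKeys) {
    if (-not (Test-Path $k)) { continue }
    $shell = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }   # HKCU normally has no Shell value at all
    Write-Host "$k Shell = '$shell'"
    if ($shell.Trim().ToLower() -ne 'explorer.exe') {
        Write-Host '  -> hijacked'
        if ($Remediate) { Set-ItemProperty -Path $k -Name Shell -Value 'explorer.exe' }
    }
}

# Step 1: the registry-editing lock. This is the value the gpedit toggle
# rewrites; clearing it directly does the same job on editions without gpedit.
foreach ($k in $policyKeys) {
    if (-not (Test-Path $k)) { continue }
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($v) {
        Write-Host "$k DisableRegistryTools = $v (regedit blocked)"
        if ($Remediate) { Remove-ItemProperty -Path $k -Name DisableRegistryTools }
    }
}
```

Order matters when you run it for real: the processes are stopped before the files and registry values are touched, because a running instance can re-create the file and re-set the policy value; run it once more afterwards (without -Remediate) to confirm everything stays clean across a log-off and login.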

I am still searching for the virus name......

Sunday, October 5, 2008

Missing my college days




Yesterday I visited my college with Reema.. Our old college, which has given us so many memorable moments of our lives..

We were in a dream world.. When we saw the place once more, we were filled with old memories... The steps, where we used to gather to make our final preparations before the lab exams.. The corridor, where we used to play pranks, and our strikes too.. The class, which had been our home.. Our small class, which had its own share of joy and sorrow... We sat inside the class for some time, recollecting those old days.. Our friends.. All of us in our own worlds now...

The staffroom, where we used to go seeking attendance or a pass mark for sessionals.. even to plead for postponing the assignment submission dates.. The canteen and the bookstore, the regular hangout places..

We decided to return, and while walking back I saw the photostat shop, where we used to queue up the day before the exam to get the notes and textbook portions copied. The treat corners.. the internet cafes... At last, we reached the bus stop. At this point, Reema and I separated to go to our homes... with a heavy heart, and with the hope of living those days once more..