Posts by konradwalsh-admin:

    Remove Malware With Sys Internals Autoruns

    March 18th, 2010

    There are many anti-malware programs out there that will clean your system of nasties, but what happens if you’re not able to use such a program?  Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.

    There are a few reasons why you may need to remove viruses and spyware manually:

    • Perhaps you can’t abide running resource-hungry and invasive anti-malware programs on your PC
    • You might need to clean your mom’s computer (or someone else who doesn’t understand that a big flashing sign on a website that says “Your computer is infected with a virus – click HERE to remove it” is not a message that can necessarily be trusted)
    • The malware is so aggressive that it resists all attempts to automatically remove it, or won’t even allow you to install anti-malware software
    • Part of your geek credo is the belief that anti-spyware utilities are for wimps

    Autoruns is an invaluable addition to any geek’s software toolkit.  It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer).  Virtually all malware is designed to start automatically, so there’s a very strong chance that it can be detected and removed with the help of Autoruns.

    We have covered how to use Autoruns in an earlier article, which you should read if you need to first familiarize yourself with the program.

    Autoruns is a standalone utility that does not need to be installed on your computer.  It can be simply downloaded, unzipped and run (link below).  This makes it ideally suited for adding to your portable utility collection on your flash drive.

    When you start Autoruns for the first time on a computer, you are presented with the license agreement:

    Sysinternal License Terms

    After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:

    Autoruns window

    To temporarily disable a program from launching, uncheck the box next to its entry.  Note:  This does not terminate the program if it is running at the time – it merely prevents it from starting next time.  To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context menu).  Note:  This does not remove the program from your computer – to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).

    Suspicious Software

    It can take a fair bit of experience (read “trial and error”) to become adept at identifying what is malware and what is not.  Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you.  Here are some tips to help you differentiate the malware from the legitimate software:

    • If an entry is digitally signed by a software publisher (i.e. there’s an entry in the Publisher column) or has a “Description”, then there’s a good chance that it’s legitimate
    • If you recognize the software’s name, then it’s usually okay.  Note that occasionally malware will “impersonate” legitimate software by adopting a name that’s identical or similar to software you’re familiar with (e.g. “AcrobatLauncher” or “PhotoshopBrowser”).  Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as “Diskfix” or “SearchHelper” (both mentioned below).
    • Malware entries usually appear on the Logon tab of Autoruns (but not always!)
    • If you open up the folder that contains the EXE or DLL file (more on this below) and examine the “last modified” date, the dates are often from the last few days (assuming that your infection is fairly recent)
    • Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder
    • Malware often only has a generic icon (to the left of the name of the entry)

    If in doubt, right-click the entry and select Search Online…

    The list below shows two suspicious looking entries:  Diskfix and SearchHelper


    These entries, highlighted above, are fairly typical of malware infections:

    • They have neither descriptions nor publishers
    • They have generic names
    • The files are located in C:\Windows\System32
    • They have generic icons
    • The filenames are random strings of characters
    • If you look in the C:\Windows\System32 folder and locate the files, you’ll see that they are some of the most recently modified files in the folder (see below)

    Suspicious entries in System32  folder

    Double-clicking on the items will take you to their corresponding registry keys:

    Suspicious entries in Registry
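    The checklist above can be applied mechanically to an exported list of autostart entries. The following is an added example, not part of the original article or of Autoruns itself; the CSV column names, the sample rows and the "random filename" rule are constructed assumptions, and the reference date is the article's publication date.

```python
import csv
import io
import re
from datetime import date, timedelta
from pathlib import PureWindowsPath

# Constructed sample export. Column names are assumptions for this example;
# adjust them to match whatever your own export actually contains.
SAMPLE_CSV = r"""Entry,Description,Publisher,Image Path,Modified
Diskfix,,,C:\Windows\System32\qxvbnrtz.exe,2010-03-16
SearchHelper,,,C:\Windows\System32\jkwqpzrd.dll,2010-03-17
ctfmon,CTF Loader,Microsoft Corporation,C:\Windows\System32\ctfmon.exe,2008-04-14
Adobe Reader Speed Launcher,Adobe Acrobat SpeedLauncher,Adobe Systems Incorporated,C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe,2009-06-12
"""

# Folders the article names as common malware locations.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def looks_random(stem):
    """Rough heuristic (an assumption): 5+ consonants in a row is unusual."""
    return re.search(r"[bcdfghjklmnpqrstvwxyz]{5,}", stem.lower()) is not None


def triage(csv_text, today, recent_days=7):
    """Return (entry, reasons) pairs, entries with the most red flags first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = PureWindowsPath(row["Image Path"])
        reasons = []
        if not row["Publisher"].strip() and not row["Description"].strip():
            reasons.append("no publisher or description")
        if str(image.parent).lower() in SYSTEM_DIRS:
            reasons.append("file sits directly in a Windows system folder")
        if looks_random(image.stem):
            reasons.append("random-looking filename")
        if today - date.fromisoformat(row["Modified"]) <= timedelta(days=recent_days):
            reasons.append("modified in the last %d days" % recent_days)
        results.append((row["Entry"], reasons))
    # sorted() is stable, so entries with equal scores keep their file order.
    return sorted(results, key=lambda r: len(r[1]), reverse=True)


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV, today=date(2010, 3, 18)):
        print("%-28s %d  %s" % (entry, len(reasons), "; ".join(reasons)))
```

    The ctfmon row shows why no single tip is conclusive: a legitimate, signed file also lives in System32, so it is the combination of flags that makes Diskfix and SearchHelper stand out.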

    Removing the Malware

    Once you’ve identified the entries you believe to be suspicious, you now need to decide what you want to do with them.  Your choices include:

    • Temporarily disable the Autorun entry
    • Permanently delete the Autorun entry
    • Locate the running process (using Task Manager or similar) and terminate it
    • Delete the EXE or DLL file from your disk (or at least move it to a folder where it won’t be automatically started)

    or all of the above, depending upon how certain you are that the program is malware.

    To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:

    • Autoruns – to see if the entry has returned
    • Task Manager (or similar) – to see if the program was started again after the reboot
    • Check the behavior that led you to believe that your PC was infected in the first place.  If it’s no longer happening, chances are that your PC is now clean

    Conclusion

    This solution isn’t for everyone and is most likely geared to advanced users. Usually a quality antivirus application does the trick, but if not, Autoruns is a valuable tool in your anti-malware kit.

    Keep in mind that some malware is harder to remove than others.  Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry.  Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry.  When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.

    Shortly we will be publishing an article on how to identify, locate and terminate processes that represent legitimate programs but are running infected DLLs, in order that those DLLs can be deleted from the system.

    Download Autoruns from SysInternals


    yoU NeEd ThiS Tip – How To Force A Printer To Cancel A Print Job

    March 18th, 2010

    There are two big annoyances with printers: one is when Windows cannot kill the print job, and the second is when the paper is stuck. In both situations hitting the Cancel button is useless, since Windows can in fact never kill the print job while the temp file is created and the job is still in use.


    To fix this issue, you need to first open the task manager, stop spoolsv.exe service, and then delete everything inside the following directory,

    C:\windows\system32\spool\printers\

    Now open the Run dialog box, enter spoolsv.exe and hit Enter. Doing this will run the spoolsv.exe service again.

    If you face this problem frequently, why not create a simple batch file which can perform all these actions for you? To do so, copy the following text into Notepad and save it as “AddictiveTipsFixPrinter.bat”:

    @echo off
    echo Stopping print spooler.
    echo.
    net stop spooler
    echo Erasing Temporary Junk Printer Documents
    echo.
    del /Q /F /S "%systemroot%\System32\Spool\Printers\*.*"
    echo Starting print spooler.
    echo.
    net start spooler

    To make it easier, we have provided the batch file below. All you need to do is to double-click it and try printing again.

    If you have a Lexmark printer, you need to add the following code after the “net stop spooler” command:

    sc config spooler depend= RPCSS

    This is important because Lexmark printers can seriously mess up the services and make it impossible to start the print spooler. Thanks go to Print Flush for the code.


    VIA Addictive


    Google To Bring Out Their Own TV Set Top Boxes

    March 18th, 2010



    We knew vaguely that Google was looking toward the living room, but the NYTimes has the details on Google TV, an ambitious platform to deliver web content to Android-based set-top boxes and TVs through partnerships with Sony, Intel, and Logitech.

    Google hopes that the new platform will succeed where dozens of lesser efforts have failed—to truly and seamlessly integrate web content onto TVs, bringing services like Twitter and sites like YouTube, in addition to games, webapps, and, of course, Google’s search, to the big screen. The Google TV software reportedly includes a version of Google’s Chrome browser for doing some light surfing, as well.

    The Times says Google TV will be delivered on set-top boxes that use Intel Atom chips and run an Android-based platform, though the technology will also reportedly be built directly into Blu-ray players and TVs from Sony. Additionally, Google is working with Logitech to build a keyboard-equipped remote control for the platform.

    Though spokespeople from the companies wouldn’t comment on the project, the Times notes that Intel and Logitech have recently put out job listings for programmers with Android experience.

    Television is a relatively unexplored frontier for Google. It’s one of the few spaces left in which the company is yet to extend its services (as well as its advertising). But Google TV is far from a sure thing. Many companies have struggled to figure out the right user interface to finally make web on TV make sense. Google’s interfaces tend toward the functional, rather than the beautiful, but on a big screen, the sexiness factor cannot be ignored.

    Bringing web content to TVs is a role that’s still very much up for grabs. If Google TV, which has reportedly been in the works for months, is the right solution for the problem—Gmail was for web mail, Buzz was not for social networking—then it could very well be the platform that finally brings the power of the internet to the realm of the couch-potato. [NY Times]


    via Gizmodo


    And Tech N Life Has Moved To A New Home!

    March 15th, 2010

    OKAY, honestly, that wasn’t as bad as I thought it would be. In fact, a lot of websites made out that moving from one server type to another was very difficult.

    I moved from an IIS Windows server to a Linux based server and did it in 4 steps.

    I just have some last bits of tweaking to do and then it’s ready. :)


    UPDATE


    That’s all I can do for now. There are a few bugs and missing images. Please let me know if you find any. I will fix them asap. Hopefully you find the site a little faster from here on in.

    Tech N Life Closing Whilst Being Moved

    March 14th, 2010

    The time has finally come to move to a steady host. By the time you read this on your RSS readers and emails, the blog will be offline and hopefully moved to a new host.

    With 500+ visitors per day, my little home server can’t hack it. Well, it can if I stopped downloading torrents, but that’s another story. It has gotten so bad that to write even this post, took about 10 attempts to load the page. :)

    Victim of its own success I guess…

    Anyway, talk soon…..


    More Details And Pics Of The Dell Mini 5 Tablet – The Streak!

    March 10th, 2010

    Recently we looked a little at the pending release of the Dell mini 3. Here is its big brother the Mini 5 or possible release name of the Streak. Here is a little more detail from apparently “leaked” documents. Either way there are some pictures to get you motivated.

    Current Specs We Know Of

    • 5-inch WVGA (800 x 480) touchscreen,
    • 5 megapixel camera with autofocus and flash,
    • capacitive touch front buttons,
    • front-facing VGA camera (for video chatting)
    • the 30-pin docking connector
    • Colours to choose from
    • launch with an Amazon content partnership


    So if it does launch with all this loveliness and along with a built-in Amazon MP3 and eBook store then it is sure to fly. No price or date yet.

    via Engadget


    Sub $200 7″ Tablet From Freescale – Made For My Kitchen Wall

    March 10th, 2010

    I saw over on Engadget this new tablet made by Freescale. It is capable of running Android, Chromium OS and Linux. This screenshot isn’t really a great example cause the colour is UGGGLY!!!


    Specs

    • 7 inch Screen
    • Multi-OS compatibility
    • ARM Processor
    • $200

    But the other colours are fine. I am so putting one of these on the kitchen wall. How cool is that? :) Anyway there is a geeky video for you to watch, to see it in action showing “not the most rehearsed” presentation, but still you’ll get the idea. The biggest concern is that in the video it demonstrates a resistive touch screen instead of the normal Android friendly capacitive touch screen. This may mean the Android version may be more expensive.




    Cook Your Own Roms For Android – RelentlessAppz ROM Roaster Review

    March 9th, 2010

    I recently told you about RelentlessAppz and their fantastic software called Relentless Command Centre. Well shortly after that was released, Sean Marsh contacted me about his newest “invention”. I have been playing with it for a couple of weeks. It’s called RelentlessAppz ROM Roaster. Cool name, huh?

    The idea is really simple. If, like me, you are constantly on the lookout for a decent ROM for your Android handset, you will find that every ROM you try is almost right. Just not exactly how you like. For example, being in Ireland, it always annoys me that I have to re-enter my APNs to get my data connection going whilst most others have them preset. Or when I reflash, the most essential app for me is Titanium Backup. Some chefs add them, some don’t.

    Well, if you relate to all that and feel like having a little fun, then this is for you.

    Relentless Appz ROM Roaster

    This is a review of the software. Later I will write, not so much a how-to, as it’s pretty simple, but more of a tips and tricks of the software. Whilst Sean doesn’t get a gold star for his Photoshop skills :lol: , he does get bonus stars for making something that is usually out of the reach of the everyday user into a simple click click affair.

    Features

    • Add your own APN list
    • Add a custom boot screen and Launcher
    • Add your own fonts
    • Enable APPS2SD
    • Choose where apps get installed
    • Install specific keyboards
    • Add Social networks, Music apps and File sharing apps
    • Fine tune control over what apps get added at the beginning
    • Add superuser app
    • GREAT FUN!!!
    • 32b Compatibility Mode (e.g. use a Hero ROM on a Dream/Magic)

    This is your control centre.

    You need a base ROM to work with and load that into the interface. Then as you move along you add and remove features that are not completely to your liking. When you are done, you hit the turkey and flash your device.

    If you need reminding on flashing devices just use the search button on this site.

    PRICE: £4.99


    Welcome To Our Latest Sponsor – Sunbelt Software

    March 9th, 2010





    This is a quick shout-out to say thanks to Sunbelt Software who are advertising their anti-virus software called Vipre. It’s thanks to these guys that this blog happens and I’d like you guys (readers) to hit their link on the side to see what they are doing.

    Also, later this week I will have a review article on the anti-virus software package they have, comparing it to Microsoft’s Security Essentials.

    Vipre Antivirus


    New Feature – Ask A Tech Question, Get An Answer

    March 9th, 2010

    Ok, I am back on track today after a small set back between me and my dental surgeon. :cry: . I have not been writing much this past week but I have been finishing some features on the site.

    I want to let you know about a new feature that is in development and will hopefully be finished today. Either way, it is now useable by you and I am just going to tidy up the page.

    Ask A Techie

    You’ll see on the top menu, there is an option for Ask A Techie. This is how it works. You add a comment on that page and we will respond with an answer either in the comments or in a full blown article or guide. Completely free and unlimited. So have some fun, ask those questions you were too embarrassed to ask your IT guy.

    You can ask anything from how do I turn on the stupid computer? to how do I install a network?

    This feature came from the amount of email Tech N Life gets with very specific questions, which we will always encourage.
