Friday, May 30, 2008

Google Has A New Favicon

Google now sports a brand-new favicon (http://www.google.com/favicon.ico).

Just in case you never noticed or were so used to it that you don't remember, this is what the old one looked like:

Can't say I'm a fan of the new one though; seems too generic somehow.

Tuesday, May 27, 2008

Cleaning Out ADVIRS.exe, A Relatively Unknown Virus

At work today, a friend of mine told me that he was unable to start Command Prompt or Task Manager. Any seasoned PC user will immediately recognize these as the symptoms of a possible virus infection. He then admitted that he'd let his brother use his pen drive to copy some stuff off his laptop over the weekend. Bingo!

But now what? We had no idea what virus it was, his updated enterprise edition of McAfee Anti-Virus didn't detect anything ( so much for all that money we pay them! ), and we couldn't run Task Manager to see which suspicious processes were running.


Just yesterday, I'd read this article on Slashdot about gaining system privileges in Vista. The comments noted that this was also possible in Windows 2000/XP et al.

I had been planning to try it out and here was a great chance to see if it would work.

Here's the idea: The accessibility utilities, like Magnifier ( C:\WINDOWS\system32\magnify.exe ) and Sticky Keys ( C:\WINDOWS\system32\sethc.exe ) are applications that can be run from the login screen before logging into the computer ( Use Win + U and/or press the Shift key 5 times ). They are started with privileges higher than that of any user, including administrator.


 Starting them after you log in will start them under your user account, with only that account's privileges. You must start them from the login screen.
 


So if you can replace one of those EXEs with some other application's EXE, that application gets invoked with those privileges. And what would be the best candidate for such a replacement? Good old Command Prompt ( C:\WINDOWS\system32\cmd.exe ). Once you do this and invoke Magnifier ( or Sticky Keys ), you end up with a Command Prompt running with system-level access. You can now do things that even the administrator accounts would not be able to do ( I'm yet to discover what these are, but the comments on the aforementioned Slashdot article have me convinced that this is indeed the case ).

So, to do this, you should:

1. Make a copy of cmd.exe
2. Rename magnify.exe to magnify.exe.bak ( Always backup! )
3. Rename the copy of cmd.exe to magnify.exe

You'll have to do step 3 pretty quickly, because in about 5 seconds Windows realizes that magnify.exe is missing and puts it back! So you could copy the filename and keep it ready, then quickly paste it. It's up to you. The idea is to rename the copy before the original magically reappears.
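A defender-side check for exactly this substitution, added here as an example and not part of the original post: it flags any accessibility binary whose contents hash the same as cmd.exe, or which is missing altogether. The demo directory is a constructed stand-in for C:\WINDOWS\system32; on a real machine you would point the function at that directory instead.

```python
import hashlib
import os
import tempfile

# Accessibility binaries the post says can be launched from the logon screen.
ACCESSIBILITY_BINARIES = ("magnify.exe", "sethc.exe")


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_binaries(system32_dir):
    """Return accessibility binaries that look swapped for cmd.exe.

    A file whose hash equals cmd.exe's is the substitution described in the
    post; a missing file is flagged too, since the swap starts by renaming
    the original away.
    """
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    flagged = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if not os.path.exists(path):
            flagged.append(name + " (missing)")
        elif sha256_of(path) == cmd_hash:
            flagged.append(name)
    return flagged


def build_demo_dir():
    """Constructed stand-in for C:\\WINDOWS\\system32 with magnify.exe swapped."""
    d = tempfile.mkdtemp()
    fake_cmd = b"MZ constructed stand-in for cmd.exe"
    for name, data in (("cmd.exe", fake_cmd),
                       ("magnify.exe", fake_cmd),  # swapped: same bytes as cmd.exe
                       ("sethc.exe", b"MZ constructed stand-in for sethc.exe")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    print(find_replaced_binaries(build_demo_dir()))  # ['magnify.exe']
```

Comparing each binary against a known-good hash of the genuine file is the stronger form of the same check; the hash-equals-cmd.exe test only catches the substitution this post describes.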

Back to the anecdote. Once I did this, I started Magnifier and, lo and behold, Command Prompt opened up! We could now run tasklist to get a list of running processes and their PIDs. We were lucky: my friend immediately spotted two instances of advirs.exe, and when we Googled it we knew it was the culprit. We used taskkill to end the two processes and then tried running Task Manager, and it worked!


Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
ADVIRS.exe                  3276 Console                 0      5,992 K
YahooMessenger.exe          4056 Console                 0     15,416 K
JabberMessenger.exe         3560 Console                 0     42,748 K
GoogleToolbarNotifier.exe   4028 Console                 0      1,060 K
ADVIRS.exe                  3652 Console                 0      5,980 K


 We'd redirected the output of tasklist into a text file but when we opened it to see the PID of ADVIRS.EXE, the dumb virus wouldn't let us search for the string 'advirs'! So we searched for 'advi'. Clever, huh?
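The same lookup done programmatically, as an added example rather than anything from the original post: it parses the tasklist output reproduced above (embedded here as a constructed sample), finds every PID whose image name contains a partial string such as 'advi', and builds the taskkill command that ends them all at once.

```python
import re

# Constructed sample reproducing the tasklist output shown above.
TASKLIST_OUTPUT = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
ADVIRS.exe                  3276 Console                 0      5,992 K
YahooMessenger.exe          4056 Console                 0     15,416 K
JabberMessenger.exe         3560 Console                 0     42,748 K
GoogleToolbarNotifier.exe   4028 Console                 0      1,060 K
ADVIRS.exe                  3652 Console                 0      5,980 K
"""

# One tasklist row: image name (may contain spaces), PID, session name,
# session number and memory in K. Anchoring on the numeric fields from the
# right keeps the image name intact; header and separator lines do not match.
ROW_RE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
    r"(?P<sessnum>\d+)\s+(?P<mem>[\d,]+) K\s*$"
)


def parse_tasklist(text):
    """Parse tasklist output into dicts with typed PID and memory (KB)."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        records.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            "session": m.group("session"),
            "session_num": int(m.group("sessnum")),
            "mem_kb": int(m.group("mem").replace(",", "")),
        })
    return records


def find_pids(text, needle):
    """PIDs of processes whose image name contains `needle` (case-insensitive),
    so a partial string such as 'advi' works when the full name is blocked."""
    needle = needle.lower()
    return [r["pid"] for r in parse_tasklist(text) if needle in r["image"].lower()]


def taskkill_command(pids):
    """Build the single taskkill invocation that ends every listed PID."""
    return "taskkill /F " + " ".join("/PID %d" % p for p in pids)
```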
 


I then got my friend to install WinPatrol to protect against future autorun programs. We also used it to remove the registry key for running advirs.exe on startup - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advirs

RemoteIT was the only antivirus that turned up in the search results for this virus and specifically claimed to clean it. We didn't try it because we'd already got rid of the problem by then but you could give it a shot, in case you're unlucky enough to get infected!

It does seem a pretty simple thing to get rid of, though, so maybe this wasn't really required. I think if we'd simply renamed a copy of cmd.exe to something else, it would have bypassed the virus's blocks, so you might want to try that first :D


EXE name: advirs.exe
Location: c:\windows\system32\advirs.exe
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advirs

Saturday, May 17, 2008

Gmail Has A New Loading Page And Now Loads Faster

When I logged into Gmail today, I noticed a different 'loading' page. Instead of the usual blank, there is now a progress bar visible.

Click To See The Complete Image of Gmail's New Loading Page

There also seem to be improvements behind the scene, as this post on the Gmail blog explains.

Thursday, May 1, 2008

Free Stuff For Your Domain

Or What To Do With Your Domain Name, For Free



So you've finally got that really cool domain name you've always wanted; now what? How do you let everyone know how uber-cool you and your domain name are? You could give some of these free services that allow you to use custom domains a shot.

I bought my domain almost a year ago. I didn't really have anything specific in mind that I wanted to use the domain for, except perhaps my blog. I didn't want to shell out for hosting or other services that I wasn't really going to use but I also didn't want the domain name to lie idle. So I looked about for free services that I could use. I found only a few and they're listed below (mostly from Google!). The ones that I've not used are starred.



One more advantage of putting your stuff on a custom domain name is that if you should ever choose to switch providers ( be it email, blogging platform, feed publisher, whatever ), all you need to do is update your domain settings to point that URL to the new host. Your friends and readers need not update anything!

If you know of any other services that can be added to this list, post a comment! I'll add them to the list ( and credit you, of course :D ).

* I've not used these services but the sites seemed to indicate that they were free and had domain customization features.