winupd01.exe Virus Complete Removal

I mentioned in my last post that I had removed the winupd01 virus, but not completely. And yesterday it returned, as feared. However, I realized it was a silly mistake of mine: I had missed two more of its files that were still starting up even after winupd01.exe was removed.

So here is the removal process:

(I should mention that this is for Windows XP, as I have XP and have never used Vista or Windows 7. I don't know whether it applies to Vista and Windows 7, as the paths may be different.)

First, get this tool: "Autoruns" http://technet.microsoft.com/hi-in/sysinternals/bb963902(en-us).aspx
It shows every program that runs automatically when you start your computer. Extract the zip file to some folder. As with the other tools, the virus closes this program as soon as it starts (it goes by the default filename), so rename Autoruns.exe to some other name such as Autorunsss.exe and run that. The virus has several startup entries, as follows:

1) In the "Image Hijacks" tab: winupd01.exe
2) In the "Winlogon" tab: one or two entries for szywo.exe and/or knauct.exe and/or ahrg.exe
(All these files are in C:\Documents and Settings\[username]\Application Data
or in C:\Documents and Settings\[username].)
3) In the "Logon" tab: roughly the same files as in the Winlogon tab, but more entries.
4) In the "Drivers" tab there may be one or two .sys files belonging to the virus. Their names are random, so you will need to look for suspicious .sys files: check the entries whose 'Publisher' and 'Description' columns are empty, and if such an entry has a meaningless filename like ijlocpvb.sys or lbrtfdc.sys, note it down.

Do not delete these startup entries yet; it is no use deleting them while the virus is running, because it simply rewrites them. To delete the files themselves, start the computer from another OS such as Linux, so that none of the virus's processes or drivers are loaded. A Linux live DVD such as Ubuntu Live works without installing anything: put the disc in and boot. (Make sure the first boot device is the CD-ROM in your BIOS settings so that the computer boots from the disc; search the web if you don't know how to do this.)

Then delete the following:
1) Delete C:\Windows\System32\winupd01.exe
2) Delete all .exe files in C:\Documents and Settings\[username]
3) Delete all .exe files in C:\Documents and Settings\[username]\Application Data
(This is probably where you'll find szywo.exe.)
4) Delete all .exe files in C:\Documents and Settings\[username]\Local Settings\Temp
5) Delete all .exe files in C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files
6) If you noted down any suspicious .sys file from the Drivers list, remove it as well. It will be in C:\Windows\System32\drivers
To be on the safe side, copy that file somewhere else (a USB stick, for example) before deleting it, so that if something does not work properly after restarting into Windows you know the .sys file was actually one Windows needed and can restore it. The same goes for the .exe files: moving them to a folder on the USB stick instead of deleting them costs nothing and lets you put back a legitimate program removed by mistake.

That's it; now restart into Windows again.
The virus won't be running now, so delete all its startup entries using the Autoruns tool.
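
Rather than deleting by hand from the live session, here is a Python script (an added example, not from the original post) that does steps 1 to 6 above against the mounted Windows volume; it also covers the shorter removal steps in the older post further down. It assumes the NTFS volume is already mounted at a path you pass in (the mount point, the profile folder names and the constructed sample tree in demo() are all assumptions; the folder casing follows the XP layout and should be adjusted to what ls shows, since Linux matches names case-sensitively). Instead of deleting, it moves each file into a quarantine folder and records the original path, size and MD5 in a manifest, so a file that turns out to be legitimate can be restored and the MD5 can be compared with the hash given in the older post.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Folders (relative to the mounted Windows volume) from which every .exe is removed.
# {user} stands for each profile under Documents and Settings (Windows XP layout).
# Adjust the casing to what `ls` shows on your mount; Linux matches names case-sensitively.
PROFILE_EXE_DIRS = [
    "Documents and Settings/{user}",
    "Documents and Settings/{user}/Application Data",
    "Documents and Settings/{user}/Local Settings/Temp",
    "Documents and Settings/{user}/Local Settings/Temporary Internet Files",
]
NAMED_FILES = ["WINDOWS/system32/winupd01.exe"]   # named explicitly in the steps
DRIVER_DIR = "WINDOWS/system32/drivers"
KNOWN_BAD_MD5 = {"5224bc60f8a486d895ff584d647897e7"}  # MD5 of winupd01.exe from the analysis post


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_users(root):
    """Every profile folder under Documents and Settings."""
    d = Path(root) / "Documents and Settings"
    return sorted(p.name for p in d.iterdir() if p.is_dir()) if d.is_dir() else []


def candidate_files(root, users, suspicious_drivers):
    """Yield the files the removal steps say to delete. Directory listings are
    materialised before yielding, so moving files while iterating is safe."""
    root = Path(root)
    for rel in NAMED_FILES:
        if (root / rel).is_file():
            yield root / rel
    for user in users:
        for tmpl in PROFILE_EXE_DIRS:
            d = root / tmpl.format(user=user)
            if d.is_dir():
                for p in sorted(d.iterdir()):      # this folder only, not subfolders
                    if p.is_file() and p.suffix.lower() == ".exe":
                        yield p
    for name in suspicious_drivers:               # the .sys names noted from Autoruns
        if (root / DRIVER_DIR / name).is_file():
            yield root / DRIVER_DIR / name


def quarantine(root, users, suspicious_drivers, quarantine_dir, known_bad=KNOWN_BAD_MD5):
    """Move each candidate into quarantine_dir (keeping its relative path) and
    write manifest.json with original path, size, MD5 and whether the MD5 matched."""
    root, qdir = Path(root), Path(quarantine_dir)
    manifest = []
    for src in candidate_files(root, users, suspicious_drivers):
        rel = src.relative_to(root)
        digest = md5_of(src)
        dst = qdir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        manifest.append({"original": rel.as_posix(), "size": dst.stat().st_size,
                         "md5": digest, "known_bad": digest in known_bad})
    qdir.mkdir(parents=True, exist_ok=True)
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(root, quarantine_dir, original_rel_path):
    """Put one quarantined file back, e.g. a .sys that Windows turned out to need."""
    src = Path(quarantine_dir) / original_rel_path
    dst = Path(root) / original_rel_path
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dst))
    return dst.is_file()


def demo():
    """Build a constructed sample volume in a temp dir (fake files, not real malware)
    and clean it; returns (volume root, quarantine dir, manifest)."""
    base = Path(tempfile.mkdtemp(prefix="winupd01-demo-"))
    root = base / "windows_volume"
    sample = {
        "WINDOWS/system32/winupd01.exe": b"MZ fake winupd01",
        "WINDOWS/system32/drivers/ijlocpvb.sys": b"fake random-named driver",
        "WINDOWS/system32/drivers/ntfs.sys": b"legitimate driver, not on the list",
        "Documents and Settings/Alice/szywo.exe": b"MZ fake szywo",
        "Documents and Settings/Alice/Application Data/knauct.exe": b"MZ fake knauct",
        "Documents and Settings/Alice/Application Data/notes.txt": b"not an exe, kept",
        "Documents and Settings/Alice/Local Settings/Temp/205.exe": b"MZ fake 205",
    }
    for rel, data in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # The fake file's hash stands in for the real IOC so the matching path is exercised.
    bad = {md5_bytes(b"MZ fake winupd01")}
    manifest = quarantine(root, list_users(root), ["ijlocpvb.sys"], base / "quarantine", bad)
    return root, base / "quarantine", manifest


if __name__ == "__main__":
    _, _, m = demo()
    for e in m:
        print(("BAD  " if e["known_bad"] else "     ") + e["original"], e["size"], e["md5"])
```

From the live session you would call it with the real mount point, for example quarantine('/media/windows', list_users('/media/windows'), ['ijlocpvb.sys'], '/media/usb/quarantine'); both paths are hypothetical. The manifest is the record you need if something stops working after the reboot, and restore() puts a single file back from it.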

*The virus may also have changed the hosts file (C:\Windows\System32\drivers\etc\hosts), which affects internet browsing.
Check the size of the hosts file: a clean XP hosts file is well under 1 KB, so if it is about 4.7 MB, open it with Notepad, delete all of its contents and add this single line, which is the only active line in the default file:
127.0.0.1 localhost
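
As an added example (not from the original post), the following Python code parses a hosts file and reports what it does instead of relying on the file size alone; it also covers step 3 of the older post further down. The sample hosts content is constructed for the example and the hostnames are made up; the 64 KB alarm threshold is an assumption chosen to sit far above a clean XP hosts file and far below the multi-megabyte file described here. It flags names forced to 127.0.0.1 or 0.0.0.0 (which silently makes those sites unreachable) and names pointed at some other address (which can send you to an impostor), and rebuild_hosts() keeps the old file as hosts.bak before writing the one-line default.

```python
import tempfile
from pathlib import Path

DEFAULT_HOSTS = "127.0.0.1 localhost\n"       # the only active line in a clean XP hosts file
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}       # addresses used to make a hostname unreachable
SIZE_ALARM_BYTES = 64 * 1024                  # assumption: clean XP file is well under 1 KB

# Constructed sample, not a copy of the real file: two default-style comment lines, the
# localhost entry, then the kinds of lines a tampered hosts file adds. Hostnames are made up.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       av-update.vendor-a.test
127.0.0.1       download.vendor-b.test   # trailing comment
0.0.0.0         www.vendor-c.test
10.20.30.40     www.example-bank.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs for every mapping; comments and blank lines are skipped.
    One line may list several hostnames after a single address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def audit_hosts(text):
    """Summarise what the file does and decide whether it looks tampered with."""
    pairs = parse_hosts(text)
    sinkholed = [n for ip, n in pairs if ip in SINKHOLE_IPS and n != "localhost"]
    redirected = [(ip, n) for ip, n in pairs if ip not in SINKHOLE_IPS]
    size = len(text.encode("utf-8"))
    return {
        "size_bytes": size,
        "mapping_count": len(pairs),
        "sinkholed": sinkholed,       # names forced to loopback/0.0.0.0: those sites become unreachable
        "redirected": redirected,     # names pointed at another address: possible impersonation
        "suspicious": size > SIZE_ALARM_BYTES or bool(sinkholed) or bool(redirected),
    }


def rebuild_hosts(path):
    """Keep the old file as hosts.bak for later inspection and write the one-line default."""
    p = Path(path)
    if p.exists():
        p.replace(p.with_name(p.name + ".bak"))
    p.write_text(DEFAULT_HOSTS)
    return p.read_text() == DEFAULT_HOSTS


def demo_rebuild():
    """Write the sample into a temp dir, rebuild it, and return
    (audit before, audit after, whether the backup exists)."""
    d = Path(tempfile.mkdtemp(prefix="hosts-demo-"))
    f = d / "hosts"
    f.write_text(SAMPLE_HOSTS)
    before = audit_hosts(f.read_text())
    rebuild_hosts(f)
    after = audit_hosts(f.read_text())
    return before, after, (d / "hosts.bak").is_file()


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key, value in report.items():
        print(key, value)
```

On a real machine pass the text of C:\Windows\System32\drivers\etc\hosts (read in text mode, which handles Windows line endings) to audit_hosts(), and only call rebuild_hosts() once you have looked at the sinkholed and redirected lists; a deliberately maintained block list would also show up as sinkholed entries.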

If you have multiple users on your XP machine, check for and delete the .exe files in every user's folder under Documents and Settings as given above, and delete the startup entries for each user too. To see another user's startup entries in Autoruns, open the 'User' menu and click that user's name, then delete the virus's entries as described above.

That's it! You've gotten rid of the stubborn email-spamming virus.

Leave a comment if you have any problems.

Virus attack – winupd01.exe

My Friday evening was spoiled thanks to this stubborn virus. I was just browsing (just eBay, no suspicious sites) and suddenly my Avira AntiVir detected a file called 205.exe in the Temporary Internet Files folder; I chose to deny access to it. But still my cursor changed to 'processing', indicating something running in the background. After looking at the 'Temporary Internet Files' folder I found there were in all 5 .exe files with weird names, one of which was 205.exe.
After some investigation of these files in my virtual machine I concluded that 205.exe was not run but another of those 5 was causing the damage… and that was fol.exe, which installed itself as winupd01.exe.
I still have no idea how these files entered and executed on my system.

About winupd01.exe:
Size: 208,896 bytes
MD5 hash: 5224bc60f8a486d895ff584d647897e7
It is malware!

Based on what I noticed while my system was infected and on the packets I sniffed, here are some details:

What it does:
1) Keeps searching for email addresses on the net.
2) Continuously sends Viagra spam emails to the addresses it found, probably in step 1. As a result your net connection slows down.
3) Kills your antivirus's guard/protection. (I had Avira AntiVir.)
4) Hides itself from the list of running processes. (That was the biggest hurdle in finding it.)
5) Auto-closes packet sniffers as soon as you open them. (I found a workaround: rename the sniffer's executable to something other than its default filename.)
6) Auto-closes HijackThis and KillBox.
7) Keeps ticking the 'Do not show hidden files and folders' option in Folder Options.
8) Writes a large amount of junk to the hosts file, making it 4.87 MB.

How it ensures it starts up with Windows:
1) It copies itself to C:\Windows\system32\winupd01.exe
2) Adds the following registry value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
Name: ctfmon.exe Data: ctfmon.exe
3) Adds the following registry value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe:
Name: winupd01.exe Data: C:\windows\system32\winupd01.exe
That's how it starts with Windows: the Run value launches ctfmon.exe (normally Windows' own text-services program, found via the search path because no full path is given), and the Image File Execution Options subkey for that image name redirects the launch to winupd01.exe. (The standard form of this hijack is a value named Debugger under the image's IFEO subkey; Windows then starts the program named there and hands it the original command line. Autoruns lists such entries in its 'Image Hijacks' tab.)
There are a few more entries in the registry if you search for 'winupd01.exe', but I don't think they are significant.
It keeps re-adding these entries continuously, so you can't delete them while it is running.

How to remove it:
1) Restart the computer into another OS (I used an Ubuntu Linux live DVD).
2) Delete the files C:\windows\system32\winupd01.exe and C:\windows\system32\ctfmon.exe. (ctfmon.exe is normally a legitimate Windows component, so take a copy of it before deleting so that it can be restored.)
3) Delete all the junk added to your hosts file (C:\windows\system32\drivers\etc\hosts), i.e. delete all of its contents and add this line:
127.0.0.1 localhost
4) Restart into Windows. The virus won't run now, but you should clean its traces from the registry: remove the entries listed above, then search the entire registry for 'winupd01.exe' and delete everything you find.

However, it seems the virus hasn't been completely removed even after doing this, because my explorer.exe tries to download fol.exe from 89.149.253.xxx on startup, which is nothing but the winupd01.exe file. Fortunately, it gets a File Not Found error.

Also see the PrevX info on this file: http://www.prevx.com/filenames/X1212390081188608968-X1/WINUPD01.EXE.html
EDIT: See my new post on how to remove this virus completely here.

T-shirt designing @ www.inkfruit.com

Inkfruit [www.inkfruit.com] is an Indian website based in Mumbai which gives you the opportunity to submit T-shirt designs. People like you, who form the Inkfruit community, vote for the designs, and every month 10 T-shirts are selected as winners. The winners get Rs.5k and their own T-shirt 😀 The selected T-shirts are printed and sold online as well as in some shops.

Anyway, here are my two new designs… and I'm sure the CS-playing community will love the first one. So please vote and comment!

1) CS iPwn: http://www.inkfruit.com/voting_blowout.php?designid=12289

Just some description for not-so-geeky people who don't understand it:
pwn: means to own/dominate your opponent.
See http://www.urbandictionary.com/define.php?term=pwn
It's frequently used net-gamer lingo. The T-shirt combines iPod and pwn through the headphones. (Kind of lame to explain this; if you understand it yourself, it's funny.)

2) i Pwn ur King: http://www.inkfruit.com/voting_blowout.php?designid=12290

PLEASE COMMENT AND VOTE AT THE T-SHIRT LINKS. It counts a lot.
To comment and vote you need to register on the site. Registration is quick. REGISTER THROUGH MY REFERRAL LINK: http://www.inkfruit.com/vregistration.php?userid=12482 because you will get a 50% DISCOUNT COUPON if you register through this link. [PS: The upper form, with the 'Proceed to invite friend' button as its submit button, is actually the registration form. Their site sucks at some points.] The final price of the T-shirt with the discount will be Rs.174 only!

I hope you'll also take a look at my previous designs, the voting for which is over now. But if you comment on the ShinChan T-shirt, it may be reconsidered for selection depending on the comments.

I had already submitted two T-shirt designs last month; voting on them is over now. Take a look at them:
1) Atheism: http://www.inkfruit.com/voting_blowout.php?designid=11296
2) ShinChan Ala Carta: http://www.inkfruit.com/voting_blowout.php?designid=11614
(Didn’t expect the first one to get any votes, it was just a first-design-a-trial type of design.)

Lyrics for ‘Write in C’ [Beatles – Let it be]

NEW LYRICS TO BEATLES SONGS – ‘Write in C’ (Let it be)

When I find my code in tons of trouble,
Friends and colleagues come to me,
Speaking words of wisdom,
“Write in C.”

As the deadline fast approaches,
and bugs are all that I can see
Somewhere, someone whispers:
“Write in C.”

Write in C, Write in C,
Write in C, oh, Write in C.
Logo’s dead and buried,
Write in C.

I used to write a lot of FORTRAN.
For science it worked flawlessly.
Try using it for graphics!
Write in C.

If you’ve just spent nearly 30 hours,
Debugging some assembly.
Soon you will be glad to
Write in C.

Write in C, Write in C.
Write in C, oh, Write in C.
BASIC’s not the answer.
Write in C.

Write in C, Write in C.
Write in C, oh, Write in C.
Pascal won’t quite cut it.
Write in C.

0.999 (9 recurring) = 1?

From wikipedia (http://en.wikipedia.org/wiki/Proof_that_0.999…_equals_1):
{
In mathematics, the repeating decimal 0.999… denotes a real number equal to one. In other words, the notations 0.999… and 1 represent the same real number. This equality has long been accepted by professional mathematicians and taught in textbooks. Proofs have been formulated with varying degrees of mathematical rigour, taking into account preferred development of the real numbers, background assumptions, historical context, and target audience.
}

One of the proofs given is:
x = 0.999 (recurring)
=> 10x = 9.999
=> 10x – x = 9.999 – 0.999
=> 9x = 9
=> x = 1

But this is wrong! What makes it wrong is that you assume the number of digits after the decimal point stays the same; in other words, you assume (infinity – 1) = infinity.
When n is HUGE, (n – 1) is approximately equal to n.

The following is the correct method. First assume that x = 0.999…… (n 9s) with n = HUGE!
x = 0.9999999999999999999999999999999999999999 (40 9s total)
10x = 9.999999999999999999999999999999999999999 (Still 40 9s; 39 after decimal point)

10x = 9.9999999999999999999999999999999999999990
– x = 0.9999999999999999999999999999999999999999
————————————————-
9x = 8.9999999999999999999999999999999999999991
————————————————-

Now make n = infinity. So it makes
9x = 8.9999999999999999999999…(infinite 9s)…………99991

Now when you divide by 9, you get

x = 0.999999999999999999999999999999999999999… (infinite 9s i.e. recurring again!)

———– x ———–

Another proof goes as:

0.333 (recurring) = 1/3
=> 3 x 0.333 = 3 x 1/3
=> 0.999 = 1

But since the problem we are dealing with (i.e. is 0.999… = 1?) is as delicate as a man standing on a knife edge on a single toe, immeasurably small factors also matter!
So we cannot say 0.333 (recurring) is equal to 1/3.
1/3 is a perfect division of a cake into 3 parts.
0.333 (recurring) is NOT a perfect division into 3 parts!!

As a corollary of this discussion, you can say:
One who can divide perfectly may be called God.

This is Top Class Music!

Listening to these new songs that I got recently, I couldn’t appreciate them enough so here’s a blog entry and their links.

1) Shaastra Night Theme – Chaitanya
Guess what? This is a composition by a student of IIT Chennai for their technical event Shaastra. I got to hear it during their Shaastra 09 publicity at my college, loved it and got the song.
Great fusion song: violin, tabla, guitar, chorus.
You won't get this anywhere except from IIT Chennai students and me 🙂

2) Violin of death – SFA (from the game Granado Espada)
The music is just like its name.
Violin + muted guitar + light percussion.
I still have to listen to all 123 OSTs from this game. There are probably more like this.

Awesome Counter Strike Stick Animations

After playing CS addictively for about a year, I finally decided to curb its playtime by a rather cruel but the only working method: I shift-deleted it from my HDD, pen drive etc. 😛 I've backed it up on my Gmail though, but I've got enough integrity to resist playing it if I have to wait 3 hours to download it.

Anyway, I found some funny counter strike stick animation movies on youtube made by flash-deck.com .

Watch them in order.

My Mp3 Ringtones

Another hobby of mine on the computer: making ringtones from songs. The software used is Audacity, simple and free. I believe these tunes make proper ringtones, unlike the plain 30-second cut-outs of songs on some ringtone sites.

To use these on your phone, it must first support MP3 ringtones (most phones above 3k do nowadays). Download the MP3 file to your computer: right-click the ringtone link and click 'Save target as'. After downloading, copy it to your phone using its data cable.

I’ll add more as I make them.

1. Bourne Identity – Extreme Ways RT.mp3
Taken from ending titles of Bourne Identity. The tone is a loop (means you wont know when it ends or starts if you keep repeat ON).

2. Mirror’s Edge Ringtone.mp3
From the soundtrack of the new popular game Mirror’s Edge.

3. Fur Elise Techno RT.mp3
Remixed version of Beethoven’s classic.

4. Ode to Joy Techno RT.mp3
Aka Beethoven’s 9th Symphony.

5. Popeye Techno RT.mp3
Name says it all. The tone is a loop.

6. Tetris Techno RT.mp3
From the Nintendo Tetris game (that old TV Tetris).

7. Nintendo – Duck Hunt Theme.mp3
Theme of the old TV game where you shoot ducks with a gun.
Great to keep as a small volume ringtone.

3D Images from Ragnarok

Since making a 3D image requires two images, one for the left eye and one for the right, taken from slightly different angles, I thought: why not try making some from a game in which you can rotate the view? And voila! It works as expected.

Ragnarok is a fantasy MMORPG (Massively Multiplayer Online Role Playing Game) with its own big, persistent world. I used to play it a lot 2-3 years ago, mostly on the Indian server (inRO), which no longer exists, and also on a private server called qRO, which is also down now. Recently I found a very good new private server, DreamRO, and that's where I am wandering now, taking screenshots.

So far I've made about 30 good 3D images from it, and yet I have travelled only about 5% of the Ragnarok world.

Take a look at them (slideshow). Press F11 to switch your browser to full-screen mode so that the photo fits on the screen.
While viewing each photo, swap your glasses on and off to see the difference.

3D Vision with Anaglyph glasses

I've finally got red/cyan anaglyph glasses and am able to see 3D movies and photos in 3D, and even play some games in 3D: 3D as in really seeing depth, or images popping out of the screen. Anaglyph images are basically a superimposition of the images the left eye and the right eye would see of the subject into one image. The red and cyan filters then separate the two images, giving our brain the impression that we are seeing the real 3D object.

The image above is an anaglyph 3D image for red-cyan glasses. There are also red-blue and red-green glasses, but red-cyan is always preferred because the colours of the original photo are preserved well enough in this format.

You can make these glasses at home using gelatin paper. Get red and blue gelatin papers, cut a frame out of cardboard and put in 4-5 layers of gelatin paper in place of the eyes. I made a pair and they worked somewhat, but not well, because you don't get the exact shades of cyan and red, and the gelatin paper keeps getting crumpled.

You can order them from 3dindia.com, aka hitesh.cybertec.co.in. That's where I got mine from, and they are good.

Here are more 3D images I've made so far from the Final Fantasy VII movie.