Saturday, August 27, 2005

Black Viper is back!

Black Viper, the website popular for its Windows XP Services Guide, is back! It was down for a few months, and fortunately it has returned. The site has some really good tips and tricks for different operating systems such as Windows ME/2000/XP/2003 and Red Hat Linux. Along with these, there are motherboard tweaks, software reviews, etc. Worth visiting :)

Sunday, August 21, 2005

Basics of Boot Process

Hard Disk and Partitions:
Partitioning is the process of dividing the Hard Disk (HD) into several chunks, so that one partition can be used to install an Operating System (OS), or two or more partitions can be used to install multiple OSes. You can have one partition that uses up the entire HD space to install a single OS, but this becomes a data-management nightmare for users with large HDs. This is where partitioning helps. Because of the structure of the Master Boot Record (MBR), you can have only four partitions of this kind, and they are called Primary Partitions. To get more partitions on a larger HD, the Extended Partition was introduced. An Extended Partition is not a usable partition by itself; it is a container that holds Logical Drives, i.e., the Extended Partition can be subdivided into multiple Logical Partitions.
In order to boot into a partition, it must be designated as the Active (or Bootable) Partition. The Active Partition is the one flagged as bootable, i.e., the one containing the OS to boot; this is generally a Primary Partition.


Boot Records (Master, Partition, Extended, Logical-Extended):
Master Boot Record (MBR): The MBR is the 512-byte first physical sector of the HD. It contains a small program known as the bootstrap program, which is responsible for starting the boot of any OS. The MBR also contains a table known as the Partition Table, which lists the available Primary Partitions on the hard disk (it can hold only 4 entries). What if we have more than four partitions? This is solved by the Extended Partition principle: the Partition Table treats the entire Extended Partition as one Primary Partition and lists it in the table.
So a Partition Table can have two possible layouts:
- Up to 4 Primary Partitions
- Up to 3 Primary Partitions & 1 Extended Partition (total not exceeding 4).
Partition Boot Record (PBR): This is the logical first sector, i.e., the sector at the start of a Primary Partition. It is a 512-byte area containing code that locates and runs the OS files. Every Primary Partition has its own PBR.
Extended Boot Record (EBR): This is the logical first sector, i.e., the sector at the start of the Extended Partition. The EBR contains a Partition Table that lists the Logical Partitions inside the Extended Partition, i.e., it holds the starting address of each Logical Partition.
Logical Extended Boot Record (LEBR): This is the logical first sector at the start of each Logical Partition, similar to the PBR.


Single OS Boot Process:
Whenever the PC is turned on, the BIOS (Basic Input Output System) takes control and performs a set of operations: it checks the hardware, ports, etc., and finally loads the MBR program into memory (RAM). Now the MBR takes control of the boot process.
Functions of the MBR with only one OS installed in the system:
- The boot process starts by executing the code in the first sector of the disk, the MBR.
- The MBR scans the Partition Table to find the Active Partition.
- Control is passed to that partition's boot record (PBR) to continue booting.
- The PBR locates the system-specific boot files (such as Win98's io.sys or WinXP's ntoskrnl).
- These boot files then continue the process of loading and initializing the rest of the OS.


Multiple OS Boot Process:
Whenever there are multiple OSes, be it multiple versions of Windows or Windows with Linux, the system boots a bit differently. There are two different types of boot process in a multiple-OS environment: the Microsoft way and the non-Microsoft way (or third-party boot loader way).
Microsoft way: The MS master boot loader does not recognize other types of OSes such as Linux by default; hence using the MS MBR in the presence of Linux is ruled out.
Consider the usual case, where there is one Primary Partition and some Logical Partitions inside an Extended Partition. If Win98 is installed in the Primary Partition and WinXP is installed afterwards in a Logical Partition, then in theory both OSes should have their own boot records, i.e., a PBR for Win98 and an LEBR for WinXP, each containing the program to boot its OS, so that each OS could be booted by the MBR passing control to that OS's boot record as described in the previous section.
But this does not happen with the MS boot loader! It does a peculiar thing: it always treats the current Active Partition, i.e., the Primary Partition in which Win98 is installed, as the default System/Boot Partition. When WinXP is installed in another partition, instead of writing its boot code into WinXP's own partition, WinXP writes the code into the current Active Partition (where Win98 is installed)!
The program responsible for loading WinXP is ntldr (NT Loader). In theory this should be in WinXP's partition, but it is copied to Win98's.
The files responsible for booting Win98 are then combined into a single file called bootsect.dos and placed in the Win98 partition. WinXP also creates another file called boot.ini, which contains the names of the MS OSes installed and the path to the system files of each.

After all these preliminaries, the Windows multi-boot sequence can be summarized as follows:
- When the BIOS hands control to the MS MBR, this program looks in the Partition Table for the Active Partition.
- It then hands control to the PBR of the Active Partition. In this case, the Active Partition is the one where Win98 was installed.
- But the Win98 PBR has been altered by WinXP and no longer contains the Win98 boot program (io.sys or msdos.sys); it contains ntldr instead. The peculiarity is that one OS's boot program lives in another OS's partition!
- Ntldr reads the boot.ini file, finds out which MS OSes are installed in the system and displays the option menu.
- When the user selects Win98, the file bootsect.dos (present in the same partition) is executed; if WinXP is selected, ntoskrnl (present in the other partition) is executed.

The good thing about the MS way is the ease of configuration (you need not configure anything at all!). The bad thing about the MS MBR is that the two OSes are not independent of each other. This is because the MS MBR always boots into the Active Partition, i.e., it always boots into the Win98 partition, but executes the WinXP program, and only from there are the other OSes loaded.
This does not allow multiple MS OSes to be installed in any order: the older version of the OS must be installed first and the newer versions afterwards (the most common problem).

This boot process also has two limitations:
- Only one real-mode DOS-based OS such as Win95 or Win98 can coexist with the NT-based OSes. If you want both Win95 and Win98 together with any NT-based OS, it is just not possible.
- The MS MBR looks for the Active status in Primary Partitions only, not in Logical Partitions. This means that MS OSes must be installed in Primary Partitions if they are to be bootable. For this very reason, the WinXP boot file ntldr is placed in Win98's Primary Partition instead of WinXP's own Logical Partition.
This has led to the misconception that only OSes in Primary Partitions can be booted. But by replacing the MS MBR with a more sophisticated MBR program that also looks for the Active status in Logical Drives, we can boot directly into OSes that are in Logical Drives. This is where third-party boot loaders come into the picture!


Non-Microsoft way: Third-party boot loaders load before the OS, hence they are independent of the OS. Therefore, they work fine with all versions of Windows and DOS.
In this system, installing multiple OSes is conceptually simple. First make as many Primary Partitions and Logical Partitions as you want. Then set the status of one partition to Active and install an OS. After this, set the status of that partition to Hidden (Inactive), set another partition to Active and install another OS; this can be repeated. In this way older versions of Windows can be installed after the installation of newer ones.
The third-party boot loader then reads all partitions (including Logical Partitions) from the Partition Table and presents a menu of OSes to boot.

The functions of a third-party boot loader can be stated as follows:
- It displays a list of all OSes present in both Primary and Logical Partitions.
- When the user selects an OS, the boot loader makes that OS's partition Active and passes control to it.
This step is the most important deviation from the MS way, because with the MS MBR the Active Partition always remains the same, and only after booting into it are the OSes in other Logical Partitions loaded.
In this way, any OS can be booted directly, by toggling its Inactive/Active status when the user selects it.
- Then the boot sector of the corresponding OS takes control and loads the OS. This boot sector may be the PBR of a Primary Partition or the LEBR of a Logical Partition.
In this way, each OS remains independent of the others. That is, WinXP's boot program ntldr can remain in WinXP's partition, and the Win98 boot programs can remain in Win98's partition.
Since third-party boot loaders are independent of the OS, they support all types of OSes such as Windows, Linux, UNIX, BeOS, etc. XOSL is one free boot loader that is capable of handling 30 operating systems. To hide/unhide the partitions, Ranish Partition Manager, a freeware tool, can be used.
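As an added example (not part of the original post), the following Python script models the structures described in the Boot Records section and the Active-flag toggling described for third-party boot loaders. It builds a constructed 40-sector disk image with one Active Primary Partition, an Extended Partition and two Logical Partitions chained through EBRs, parses the MBR and EBR partition tables, finds the Active Partition, and then moves the Active flag to a Logical Partition the way a third-party loader would before handing control to that partition's boot sector. The on-disk layout (16-byte entries at offset 446, the 0x55AA signature, EBR link entries relative to the Extended Partition start) is the standard MBR format; the sample geometry and all function names are this example's own.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # the 4 x 16-byte partition table starts here
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F}      # extended container (and its LBA-mapped variant)
ACTIVE = 0x80

def build_entry(status, ptype, lba, count):
    # CHS fields are left zeroed; only the LBA fields matter in this model
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

def build_sector(entries):
    """A 512-byte boot sector: empty bootstrap area, partition table, 0x55AA signature."""
    table = b"".join(entries) + bytes(16) * (4 - len(entries))
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"

def build_sample_disk():
    """Constructed 40-sector image: Active Primary at LBA 1, Extended container at LBA 20
    holding two Logical Partitions (their EBRs at LBA 20 and LBA 30)."""
    disk = bytearray(40 * SECTOR)
    disk[0:SECTOR] = build_sector([
        build_entry(ACTIVE, 0x0B, 1, 10),     # Primary Partition, flagged Active
        build_entry(0, 0x05, 20, 20),         # Extended Partition, listed as one entry
    ])
    # First EBR: the Logical Partition starts 1 sector after this EBR; the link entry
    # to the next EBR is relative to the start of the Extended Partition (LBA 20)
    disk[20 * SECTOR:21 * SECTOR] = build_sector([
        build_entry(0, 0x07, 1, 9),
        build_entry(0, 0x05, 10, 10),
    ])
    # Second (last) EBR: one Logical Partition, no link entry
    disk[30 * SECTOR:31 * SECTOR] = build_sector([build_entry(0, 0x07, 1, 9)])
    return bytes(disk)

def read_sector(disk, lba):
    return disk[lba * SECTOR:(lba + 1) * SECTOR]

def parse_table(sector):
    """Return the non-empty entries of a boot sector's partition table."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0 and count != 0:
            entries.append({"index": i, "active": status == ACTIVE,
                            "type": ptype, "lba": lba, "count": count, "ebr": None})
    return entries

def list_partitions(disk):
    """Primaries from the MBR, then Logicals by walking the EBR chain."""
    parts, ext_start = [], None
    for e in parse_table(read_sector(disk, 0)):
        e["kind"] = "extended" if e["type"] in EXTENDED_TYPES else "primary"
        parts.append(e)
        if e["kind"] == "extended":
            ext_start = e["lba"]
    ebr, seen = ext_start, set()
    while ebr is not None and ebr not in seen:   # 'seen' guards against a looping chain
        seen.add(ebr)
        link = None
        for e in parse_table(read_sector(disk, ebr)):
            if e["type"] in EXTENDED_TYPES:
                link = ext_start + e["lba"]      # link entry: relative to Extended start
            else:
                e.update(kind="logical", lba=ebr + e["lba"], ebr=ebr)  # relative to this EBR
                parts.append(e)
        ebr = link
    return parts

def find_active(disk):
    return [p for p in list_partitions(disk) if p["active"]]

def set_active(disk, target_lba):
    """Model of the third-party loader step: clear every Active flag in the MBR and
    the EBRs, then set it on the partition starting at target_lba (Primary or Logical)."""
    disk, found = bytearray(disk), False
    for p in list_partitions(disk):
        table_sector = p["ebr"] if p["ebr"] is not None else 0
        off = table_sector * SECTOR + TABLE_OFFSET + 16 * p["index"]
        if p["lba"] == target_lba:
            disk[off], found = ACTIVE, True
        else:
            disk[off] = 0
    if not found:
        raise ValueError("no partition starts at LBA %d" % target_lba)
    return bytes(disk)

if __name__ == "__main__":
    image = build_sample_disk()
    for p in list_partitions(image):
        print("%-8s type=0x%02X lba=%-3d sectors=%-3d active=%s"
              % (p["kind"], p["type"], p["lba"], p["count"], p["active"]))
    image = set_active(image, 31)          # "select" the second Logical Partition
    print("active after toggle:", [p["lba"] for p in find_active(image)])
```

Run as a script it prints the four entries of the sample disk and then shows the Active flag sitting on the Logical Partition at LBA 31, something the MS MBR described above never does, since it only consults the four MBR entries.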

Tuesday, August 16, 2005

WinPFind – Search the malware by their pattern!

Sometimes it becomes very difficult to remove a spyware infection, because even after virus/spyware scans, the spyware re-spawns. In these cases, we have to manually search for the "bad" files and delete them. This is simply not feasible because of the large number of files present on a system.

But there is a tool called WinPFind to help us in this situation. Most spyware/virus files follow a "pattern". A pattern may be in the form of "packing" (executable compression) such as UPX, the file location (most of these files are located in the Windows, System32 or System folders), possible Registry locations, etc.

WinPFind searches for the above-mentioned and some more patterns and gives a list of files and Registry entries that satisfy them. From this list, we can identify the "bad" files and Registry entries and remove them for good. Note that WinPFind searches for files matching specific patterns, not for the "bad" file itself. Hence, the result of a WinPFind scan will also contain legitimate files. So be careful while analyzing the WinPFind log!
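As an added example, not WinPFind's own code or output, the following Python script applies two of the patterns described above to a constructed folder tree: an executable living in a Windows/System32/System folder, and a PE file carrying UPX markers (the UPX0/UPX1 section names or the UPX! stub tag, checked as raw byte patterns rather than by parsing the PE headers). The file names and contents are constructed stand-ins. As with WinPFind, a hit means "matches a pattern", not "is malware": the legitimate-looking shell.dll is reported purely because of where it sits.

```python
import os
import tempfile

# Rules in the WinPFind spirit: look for patterns typical of malware, not for
# known-bad files, so legitimate files will match too and need a human's review.
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx"}
SYSTEM_DIRS = {"windows", "system32", "system"}
PACKER_MARKERS = {"UPX": (b"UPX0", b"UPX1", b"UPX!")}   # UPX section names and stub tag
HEAD_BYTES = 64 * 1024            # how much of each file is inspected for markers

def is_pe(path):
    """Crude PE check: DOS 'MZ' header (assumption: no full PE parsing here)."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def packers_in(path):
    """Names of packers whose byte markers appear in the first HEAD_BYTES of the file."""
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    return sorted(name for name, markers in PACKER_MARKERS.items()
                  if any(m in head for m in markers))

def in_system_dir(relpath):
    """True if any directory component of the (posix-style) relative path is a system folder."""
    return any(part.lower() in SYSTEM_DIRS for part in relpath.split("/")[:-1])

def scan(root):
    """Walk root and return {relative_path: [reasons]} for every file that matched a rule."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXT and in_system_dir(rel):
                reasons.append("executable in system folder")
            if is_pe(full):
                reasons += ["packed with " + p for p in packers_in(full)]
            if reasons:
                hits[rel] = reasons
    return hits

def build_sample_tree(root):
    """Constructed sample files; contents are stand-ins, not real programs."""
    samples = {
        "WINDOWS/System32/shell.dll": b"MZ" + b"\0" * 64,           # benign-looking, flagged by location
        "WINDOWS/update.exe": b"MZ" + b"\0" * 32 + b"UPX0" + b"UPX1" + b"\0" * 32,
        "Documents/tool.exe": b"MZ" + b"\0" * 16 + b"UPX!" + b"\0" * 16,
        "Documents/notes.txt": b"just some text with UPX0 in it",     # not a PE: marker ignored
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return samples

def demo():
    """Build the sample tree in a temporary folder, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print("%-28s %s" % (rel, "; ".join(reasons)))
```

The packer rule is deliberately applied only to files that start with an MZ header, so a text file that happens to contain the string UPX0 is not reported; the location rule, on the other hand, knows nothing about the file's contents, which is exactly why the log must be read with care.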

Get it here.

Friday, August 12, 2005

How to reinstall GRUB?

If you have Windows and Linux in a dual-boot setup, then you will most probably have the GRUB boot loader. If Windows is repaired or reinstalled, it overwrites the Master Boot Record, which held GRUB, with its own loader. This makes booting into Linux impossible.

In this case, only GRUB needs to be reinstalled, instead of reinstalling the entire Linux operating system. This can be done by following these steps:
1] Change the first boot device in BIOS to CDROM drive.

2] Insert Linux CD into the drive, and choose Rescue mode option.

3] When the command prompt appears, type these commands, each followed by the ENTER key:
chroot /mnt/sysimage
grub-install /dev/hda

This reinstalls GRUB to the Master Boot Record. Here, hda means the hard disk is the Primary Master. If the hard disk is the Secondary Master, then the device name will be hdc. Similarly, hdb and hdd are the Primary Slave and Secondary Slave respectively.

Thursday, August 11, 2005

Brute Force Uninstaller!

Just found this new tool called Brute Force Uninstaller from Merijn (of HijackThis and CWShredder fame). This tool helps to forcibly remove unwanted software from a system. Here's an extract from the author's site:

The Brute Force Uninstaller (BFU) is a program to help forcibly remove unwanted software and the likes from a system. It's basically a scripting engine that can execute commands from a file, much like a batch file. The list of commands is very complete and powerful, and scripts are easy to write.

Find out more about it, here.

Wednesday, August 10, 2005

Messenger spam!

One of the newer types of spam is "Messenger Spam". It uses the Windows Messenger Service to deliver pop-ups. This Messenger Service is NOT in any way related to MSN Messenger or any other messenger software.

The Messenger Service was first introduced in NT systems and is present in all later Windows versions. It provides a way to send messages to other users over a network, but this was never really used widely. Spammers, however, noticed this feature and developed an "innovative" way to deliver their ads or to fool users, and this is nothing but Messenger Spam!

A Messenger spam may look like this:
(Screenshot of a Messenger Service pop-up; image not included.)

Here, a computer user might believe that his system Registry is damaged, and he might also visit the website mentioned in that pop-up. These dubious-looking websites may or may not exist, and even if they exist they are not trustworthy.


You can identify Messenger Spam by looking at the title bar of the pop-up window; it will have "Messenger Service" written on it. One of the easiest ways to stop Messenger Spam is to disable the Messenger Service. You can do this by following these steps: go to Start > Run, type services.msc and press the Enter key. In the Services window, navigate to "Messenger Service", right-click it and select "Properties". In the Properties window, click Stop in the "Service Status" box. After this, in the "Startup" box, select Disabled from the dropdown menu. Click "Apply" and then "OK".
There is also a small tool called Shoot The Messenger, with which the Messenger Service can be easily disabled.

Sunday, August 07, 2005

80 super security tips from PC Magazine

Found this interesting page on PCmag.com. They have compiled a list of 80 "super" security tips. There's something useful for everyone. Here's an extract:

Whether your PC is 3 years or 3 days old, it faces the same, sometimes scary security issues. Viruses want to attack your system the moment it goes online, spyware is piggybacking with your mail and trying to slide in along with online ads, Trojans lay in wait at every turn and Phish—perhaps the sneakiest attack of all—smile at you while trying to steal your identity.

There are ways out of this mess. These tips can show you what to do, help you better understand the threats and be ready with a plan of counter attack.


For a complete list of 80 tips and tools, click here.

Saturday, August 06, 2005

What is a BHO?

BHO stands for Browser Helper Object. It is a small program, usually a DLL file, originally developed to enhance or customize the features of Internet Explorer. Whenever a BHO is installed, it is registered in the Windows Registry. When Internet Explorer starts, it checks the Registry for the entries of installed BHOs; these entries are known as CLSIDs.
So whenever Internet Explorer is opened, the BHO is instantiated (created), and the BHO then has full access to the page being viewed.
For example, the Google Toolbar installs a BHO through which it provides functions such as "Search within the Page", "AutoFill" and "Page Info". Another example is the BHO from Adobe Acrobat Reader, which makes it possible to open .pdf files directly in the IE window itself; download managers such as DAP or DEX also create a BHO to integrate with IE and to catch clicks on download links.
So, using BHOs, IE can be tweaked into one mean browser....

If BHOs enhance the functionality of IE, then why are they avoided?
Time for some bad news! Windows does not provide any direct way to see the installed BHOs. This gives BHOs a certain amount of stealth. Because of this stealthy nature, BHOs provide an easy avenue for spyware, adware, Trojans or viruses to attack. Let's see the effects of these bad programs on IE and your computer.

Some spyware adds a BHO without the knowledge of the user. So whenever IE is opened, that spyware BHO runs and keeps an eye on what you do in that browsing session. It can monitor which pages you visit frequently, which services you use, etc. Even worse, it can hijack the browser, i.e., change the default or search page, and these cannot be easily recovered.
Adware goes one step further: it can bring you pop-up ads or bad-taste web pages at random, or even context-sensitive ads, i.e., ads based on the content of the web pages you are viewing.
Trojans/viruses can contact their creator's website and download the "latest" version of the Trojan to your system.
If you see any HijackThis log of a spyware/Trojan-affected system, you will certainly see some BHOs that have links to suspicious websites and to downloads of some files.
So, in all these cases, your privacy is at stake and your computer/data is at risk.

Since BHOs have virtually full access to the system, they can do anything. Some improperly coded (or deliberately coded) ones can cause runtime errors or Illegal Operation errors.
From Windows 98 onwards, MS has extended support for BHOs not only to IE but also to Windows Explorer. As you might know, Windows Explorer (Explorer.exe) is THE application that must be running at all times to use Windows.
If any "bad" BHOs are installed, they get loaded whenever Explorer.exe starts. This is certainly not desirable.

What to do?
BHOs can be removed manually or by using tools.
Manual removal can be done in two ways:
1] By renaming the DLL file corresponding to the BHO that is to be disabled.
2] By deleting the DLL file and removing the CLSID entry from the Registry.

We can make use of HijackThis to find the installed BHOs and delete their Registry entries, and then we can delete the DLL file associated with each.
A typical CLSID and DLL file of a BHO (Google Toolbar, in this case) is shown here:

CLSID = {AA58ED58-01DD-4d91-8333-CF10577473F7}
DLL File = c:\program files\google\googletoolbar1.dll
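As an added example (not from the post or from HijackThis), this Python script reads a constructed regedit export of the Registry keys involved: the Browser Helper Objects key, where each installed BHO is listed by CLSID, and HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32, whose default value is the DLL path. It resolves each CLSID to its display name and DLL, which is how a pair like the one above is obtained, and marks entries that are not on a small reviewer allowlist. The Google Toolbar entry uses the CLSID and path shown above; the second CLSID is a made-up placeholder, and the allowlist and function names are this example's own.

```python
import re

# Constructed .reg export, in the format regedit's Export produces. The Google
# Toolbar entry matches the CLSID/DLL pair shown above; the all-zero CLSID is a
# placeholder standing in for an unknown BHO with no registered display name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
@="Google Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
@="c:\\program files\\google\\googletoolbar1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\System32\\helper.dll"
'''

BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
KNOWN_GOOD = {"{aa58ed58-01dd-4d91-8333-cf10577473f7}": "Google Toolbar"}   # reviewer's allowlist

# A value line: @="..." (default value) or "name"="..."; only string values are handled
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

def unescape(quoted):
    """Strip the surrounding quotes and undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])

def parse_reg(text):
    """Return {key: {value_name: string_value}} with keys in their original case."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else unescape(m.group(1))
                reg[current][name] = unescape(m.group(2))
    return reg

def lookup(reg, key):
    """Registry keys are case-insensitive, so match them that way."""
    key = key.lower()
    for k, values in reg.items():
        if k.lower() == key:
            return values
    return {}

def list_bhos(reg):
    """Every CLSID registered as a BHO, resolved to its display name and DLL path."""
    bhos = []
    for key in reg:
        if key.lower().startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:]                 # original case kept from the key text
            cls_key = r"HKEY_CLASSES_ROOT\CLSID" + "\\" + clsid
            bhos.append({"clsid": clsid,
                         "name": lookup(reg, cls_key).get("@"),
                         "dll": lookup(reg, cls_key + r"\InprocServer32").get("@")})
    return bhos

def review(bhos, known=KNOWN_GOOD):
    """Attach a verdict: allowlisted, orphan (no DLL registered), or needs review."""
    out = []
    for b in bhos:
        if b["clsid"].lower() in known:
            verdict = "known: " + known[b["clsid"].lower()]
        elif not b["dll"]:
            verdict = "orphan (no InprocServer32)"
        else:
            verdict = "review"
        out.append(dict(b, verdict=verdict))
    return out

if __name__ == "__main__":
    for b in review(list_bhos(parse_reg(SAMPLE_REG))):
        print(b["clsid"], b["name"] or "(no name)", b["dll"] or "(no DLL)", "->", b["verdict"])
```

The allowlist keys are lower-cased because the same CLSID can appear with different letter case in different keys, as the Google Toolbar one does above; matching on the DLL path alone would miss an entry whose DLL has already been renamed or deleted, which is why the orphan case is reported separately.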


But using some tools, BHOs can be dealt with directly. There are many tools that list the BHOs installed on the system. Some of them are BHODemon and BHOInfo. These tools list all the BHOs present on the system so that the user can decide which ones to keep or remove.
The popular one is BHODemon, which runs in the System Tray, scans for existing BHOs and continuously monitors the system for any new BHO installs. It provides the list of installed BHOs, and it also has some extra information about the most common good and not-so-good BHOs, so that any new user can learn about them.


Conclusion
So BHOs are a powerful means through which anything can be done, be it good or bad.
So be careful while browsing, while installing suspicious-looking software, etc. Update your antivirus regularly and run full system scans. Use anti-spyware and the tools mentioned above to ward off spyware and adware from your system.

Links to Tools
BHODemon
BHOInfo
HijackThis

Friday, August 05, 2005

AntiVir Personal Edition Classic with incremental updates

A new beta version of AntiVir Personal Edition Classic (AVPE), one of the best free antivirus programs you can get, has been released, and it supports incremental updates. The advantages of incremental updates are faster, smaller and easier updates!

Previously, while updating AVPE, the whole virus database was replaced by an updated database. Because of this, the update file size was in the order of 2 to 3 megabytes. But with incremental updates, only the latest virus definitions are downloaded and "added" to the present virus database of AVPE. This greatly reduces the update file size to a few kilobytes.

Try out the beta version here.

Tuesday, August 02, 2005

What is EICAR test file and how to create it?

EICAR is a standard anti-virus test file. It is a "dummy" virus that can be used to test a virus scanner, in particular whether the background (or real-time) scanner of an antivirus is working properly.

EICAR stands for European Institute for Computer Antivirus Research. The file has a .COM extension; all it does when executed is display the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" and exit.

This file can be downloaded from the EICAR website. But you can create the EICAR file yourself using a text editor like Notepad. The file must be saved in standard MS-DOS ASCII format. Open Notepad, and copy the text below and paste it into Notepad:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Then go to the File menu, click Save As and save the file with any name, but it must have the extension .COM. For example, you can save it as Eicar.com.

When you double-click this file, your antivirus should detect it as "Eicar" and it should also inform you that it is not a virus.
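As an added example (not part of the original post), this Python script writes the test file in binary mode and checks a candidate file for the pitfalls of creating it by hand in Notepad: a UTF-8 byte-order mark at the start (the file was saved as Unicode rather than ASCII), a .txt extension silently appended, or extra bytes after the string. The 128-byte size limit and the set of bytes tolerated after the string are this example's reading of the EICAR specification, stated here as assumptions.

```python
import os
import tempfile

# The 68-byte EICAR test string (the text shown above) as bytes; the backslash before
# P is doubled only because of Python's escaping rules, the file gets a single one.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
UTF8_BOM = b"\xef\xbb\xbf"
TRAILING_OK = b" \t\r\n\x1a"     # assumption: whitespace (and a DOS EOF mark) may follow the string
MAX_LEN = 128                    # assumption: EICAR's upper bound on the total file size

def check_eicar(data):
    """Return (ok, reason) for the raw bytes of a candidate test file."""
    if data.startswith(UTF8_BOM):
        return False, "starts with a UTF-8 BOM: the file was not saved as plain ASCII"
    if len(data) < len(EICAR):
        return False, "too short: the test string is incomplete"
    if data[:len(EICAR)] != EICAR:
        return False, "first 68 bytes do not match the EICAR string"
    if len(data) > MAX_LEN:
        return False, "longer than %d bytes" % MAX_LEN
    if any(b not in TRAILING_OK for b in data[len(EICAR):]):
        return False, "non-whitespace bytes after the test string"
    return True, "ok"

def check_eicar_file(path):
    """check_eicar on a file, plus the .COM extension rule from the text above."""
    if not path.lower().endswith(".com"):
        return False, "extension is not .com (Notepad may have appended .txt)"
    with open(path, "rb") as f:
        return check_eicar(f.read())

def write_eicar(path):
    """Write the test file in binary mode, so no BOM, encoding or line-ending conversion
    can sneak in; returns the number of bytes written (68)."""
    with open(path, "wb") as f:
        return f.write(EICAR)

def demo():
    """Write Eicar.com and two broken variants into a temp folder; return their verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Eicar.com")
        write_eicar(good)
        results["Eicar.com"] = check_eicar_file(good)
        bad_ext = os.path.join(d, "Eicar.com.txt")      # what Notepad's default save does
        write_eicar(bad_ext)
        results["Eicar.com.txt"] = check_eicar_file(bad_ext)
        bom = os.path.join(d, "bom.com")                # saved as "UTF-8" instead of ASCII
        with open(bom, "wb") as f:
            f.write(UTF8_BOM + EICAR)
        results["bom.com"] = check_eicar_file(bom)
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-14s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

A real-time scanner that is working will normally intercept the write of Eicar.com itself, so if the script finishes and reports PASS for Eicar.com while the antivirus stays silent, that is the result the test is designed to reveal.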

Repair Winsock in Windows XP SP2.

Some spyware such as NewDotNet hijacks the Winsock layer of Windows. When such spyware is incompletely or incorrectly removed, the Winsock layers are not restored to their original state. Because of this, an Internet connection is not possible: in Internet Explorer you get the "Page cannot be displayed" error if the Winsock layers are corrupt.

To restore the Winsock layers, there are third-party tools like WinSockXPFix and LSPFix. But in Service Pack 2, a new command has been introduced with which the Winsock layers can be restored very easily. All you have to do is type netsh winsock reset in the Command Prompt and press the ENTER key. After this, restart the computer for the changes to take effect. (The Command Prompt is under Start > All Programs > Accessories.)

For more information on the netsh command and its switches, check this page.

For non-Service Pack 2 systems, WinSockXPFix or LSPFix can be used to restore the Winsock layer.