    Thursday, Feb 23, 2012

    Suspicious svchost.exe in Windows 7

    Audience: Fellow techs, power users

     

    A couple of weeks ago, while performing computer repair service in Snohomish, the system I was troubleshooting was responding rather slowly. When I fired up Process Explorer from Sysinternals I found that an svchost.exe process was consuming up to 50% of the CPU. In Windows, svchost.exe is simply a host process for Windows services: one Microsoft image that is started several times, each instance hosting a group of services. If you bring up Task Manager (Ctrl+Shift+Esc) you will find many svchost.exe entries listed, but no detailed information about which services are running inside each one (note also the Description column; the built-in way to get that mapping is tasklist /svc from a command prompt, which is far less convenient to read):

    svchost.exe in Windows Task Manager

    With process explorer you can get much more detailed information about all processes running on your system. In this case, by simply mousing over a svchost.exe process you will see which services it is hosting:

    svchost.exe in Process Explorer

     

    This can be particularly helpful when trying to find a service that is hogging resources. On the particular system I was working on, however, something was amiss. First, the description said "winrscmde" instead of "Host Process for Windows Services", and second, mousing over the entry simply listed "svchost.exe". Clearly this process could not be hosting itself, so at this point I suspected an imposter. Right-clicking any process in Process Explorer opens a Properties dialog with more detail. Its first tab is "Image", which shows, among other things, the file path, plus a Verify button that checks the file's digital signature (a genuine svchost.exe verifies as signed by Microsoft Windows). A legitimate svchost.exe should look like this:

    Valid svchost.exe location

    The location for svchost.exe should be C:\Windows\System32\svchost.exe (a 64-bit installation also carries a legitimate 32-bit copy in C:\Windows\SysWOW64, but services do not normally run from it). Again, the afflicted system had an inconsistency here: the location was C:\Windows\svchost.exe. I navigated to that location and attempted to delete the file, but found that it was locked. Fortunately, Process Explorer has a way to deal with this as well. Two of the other right-click menu items are "Kill Process" and "Suspend".

    Kill Process or Suspend

    The thing about malware (and by this point it should be clear that that is what I was dealing with) is that if you kill one part of it, another component might relaunch it. So, after clicking "Suspend" I was able to delete the fake svchost.exe file. I then followed up with an offline virus scan to remove all traces of the infection. It is also worth checking Autoruns (another Sysinternals tool) for the start-up entry that launched the file, so that nothing tries to bring it back after a reboot.
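    The checks described above, done from a PowerShell prompt instead of by hand, as an added example that is not part of the original post. It lists every running svchost.exe and flags the three signs that gave the imposter away: an image path outside System32, a missing or non-Microsoft Authenticode signature (what the Verify button checks), and a process that hosts no services at all. It is read-only; run it elevated on Windows 7 (PowerShell 2.0) or later.

```powershell
# Added example, not from the original post. Read-only triage of every
# svchost.exe instance. Assumes an elevated prompt so that each process can
# be opened; protected processes still come back with no path and are flagged.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostReport {
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc  = $_
        $flags = @()

        # Image path; MainModule throws when the process cannot be opened
        $path = try { $proc.MainModule.FileName } catch { $null }

        # Services hosted by this PID: the same list Process Explorer shows on hover
        $hosted = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($proc.Id)" |
                  ForEach-Object { $_.Name }
        if (-not $hosted) { $flags += 'hosts no services' }

        if ($path -eq $null) {
            $flags += 'image path not readable'
        } else {
            if ($path -ne $expectedPath) { $flags += "unexpected path: $path" }

            # Same Authenticode check as Process Explorer's Verify button
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $flags += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += "signed by: $($sig.SignerCertificate.Subject)"
            }
        }

        $verdict = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'ok' }
        New-Object PSObject -Property @{
            PID      = $proc.Id
            Path     = $path
            Services = ($hosted -join ', ')
            Verdict  = $verdict
        }
    }
}

Get-SvchostReport | Sort-Object Verdict -Descending |
    Format-Table -AutoSize PID, Verdict, Services, Path
```

On a clean system every row reads "ok" with a System32 path and at least one service name; a row like the one in this post (C:\Windows\svchost.exe, no services, no valid signature) collects all three flags. The WMI service-to-PID mapping is what tasklist /svc and Process Explorer both rely on, so a process that Windows itself does not associate with any service has no business being named svchost.exe.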

     

    In conclusion, Process Explorer is a great tool for troubleshooting malware and bugs. If you haven't tried it yet, or the other Sysinternals tools, head on over to http://technet.microsoft.com/en-us/sysinternals/default and check them out.

     

    -Nomad 

    be safe out there

    Saturday, Jan 28, 2012

    Windows Cannot Find HELPCTR.EXE

    Audience: Fellow Techs, Power Users


    Recently I received a call for computer repair in Marysville. The client was getting an error in Windows XP: "Windows cannot find HELPCTR.exe." Upon further discussion with the client, I found out that he had recently uninstalled a trial of AVG 2012 anti-virus. A little searching with Google showed that the problem was most likely caused by a missing registry key. Since I was providing tech support over the phone I didn't want the client running regedit.exe himself, so I did a little more searching for an easier solution (yes, I could have started a remote session at this point). My diligence paid off when I found this:

    This page contains a registry file that corrects the error. After verifying the file (a .reg file is plain text, so open it in Notepad and confirm it only adds the key you expect before importing it) I directed the client to the fix. He ran it, and upon seeing that the Help and Support link now worked, declared me a genius. (Truth be told, I ride on the shoulders of giants.) Special thanks to the author of http://windowsxp.mvps.org/startmenuhelp.htm for his great resource.

    As for AVG 2012, I cannot say for certain that it caused the problem, but it would not be the first time I have seen an uninstaller break registry links.
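    A read-only way to confirm the diagnosis before importing anyone's .reg file, as an added example that is not from the original post or the linked page. Start > Help and Support launches helpctr.exe by name, so Windows has to resolve the path through a registry entry; the assumption made here is that the entry in question is the App Paths key for HELPCTR.EXE, and that the binary itself still sits in the standard XP location under PCHealth. Both are labelled assumptions in the code. Requires PowerShell, which is an optional install on Windows XP.

```powershell
# Added example, not from the original post. Checks whether the App Paths
# registry entry that lets Windows find HELPCTR.EXE by name exists and points
# at a file that is actually on disk. ASSUMPTIONS: App Paths is the key the
# linked .reg file restores; the binary path below is the standard XP one.
$exe      = 'HELPCTR.EXE'
$appPaths = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$exe"
$expected = Join-Path $env:SystemRoot 'PCHealth\HelpCtr\Binaries\HelpCtr.exe'

function Test-AppPath {
    param([string]$Key, [string]$ExpectedBinary)
    $result = New-Object PSObject -Property @{
        KeyPresent   = (Test-Path -LiteralPath $Key)
        Target       = $null
        TargetExists = $false
        BinaryOnDisk = (Test-Path -LiteralPath $ExpectedBinary)
    }
    if ($result.KeyPresent) {
        # The '(default)' value of an App Paths key is the full path Windows launches
        $result.Target = (Get-ItemProperty -LiteralPath $Key).'(default)'
        if ($result.Target) {
            $expanded = [Environment]::ExpandEnvironmentVariables($result.Target)
            $result.TargetExists = Test-Path -LiteralPath $expanded
        }
    }
    $result
}

$r = Test-AppPath -Key $appPaths -ExpectedBinary $expected
$r | Format-List KeyPresent, Target, TargetExists, BinaryOnDisk

if (-not $r.KeyPresent -and $r.BinaryOnDisk) {
    "App Paths entry for $exe is missing but the binary is on disk: a registry fix is the likely answer."
} elseif ($r.KeyPresent -and -not $r.TargetExists) {
    "App Paths entry points at a file that does not exist: the Help and Support binaries themselves are missing."
}
```

The distinction the two messages draw matters: a .reg file only helps in the first case. In the second, re-registering the key will not bring back a binary that an uninstaller or a user has removed.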

    Stay safe out there,
    ~Nomad~

    Tuesday, Jul 12, 2011

    My Documents Are Hidden!

    Target Audience:Techs

    Lately I've been seeing infections of rogue anti-virus programs that hide the files in people's "My Documents" folders and warn them that their hard drive has a critical error. Here are the tools I used to fix the problem:

    Process Explorer & Autoruns from Microsoft's Sysinternals: to identify the rogue process, terminate it, and prevent it from running again at start-up.

    UnHide.exe from bleepingcomputer.com: this program unhides user files and is supposed to leave system files hidden.

    SuperAntiSpyware: to clean up the remaining bits of malware.

    AccRestore v2.0: on one system the Accessories folder wasn't just hidden, it was deleted. I used this simple tool from Ramesh Srinivasan to fix it.
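    What UnHide.exe does for the user profile can also be done with a few lines of PowerShell once the rogue process is dead. The following is an added example, not the original post's tool and not UnHide.exe: it walks the profile, clears the Hidden attribute from anything the rogue marked, and leaves alone everything that also carries the System attribute (desktop.ini, NTUSER.DAT) or is a junction (the "Application Data" compatibility links on Windows 7), which is exactly the class of files that must stay hidden. Run it with -WhatIf first.

```powershell
# Added example, not from the original post. Unhide user files under a profile
# after a rogue anti-virus has set +H on them, without touching files that are
# legitimately Hidden+System and without following junctions.
function Restore-HiddenUserFiles {
    param([string]$Root = $env:USERPROFILE, [switch]$WhatIf)

    $hidden  = [IO.FileAttributes]::Hidden
    $system  = [IO.FileAttributes]::System
    $reparse = [IO.FileAttributes]::ReparsePoint

    # Manual walk instead of -Recurse so junctions are never entered
    $stack = New-Object System.Collections.Stack
    $stack.Push((Get-Item -LiteralPath $Root -Force))

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        foreach ($item in Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue) {
            $attr = $item.Attributes
            if ($attr -band $reparse) { continue }   # junction/symlink: do not follow or modify
            if ($attr -band $system)  { continue }   # desktop.ini, NTUSER.DAT etc. stay hidden

            if ($attr -band $hidden) {
                if ($WhatIf) {
                    Write-Output "Would unhide: $($item.FullName)"
                } else {
                    $item.Attributes = $attr -bxor $hidden   # clear only the Hidden bit
                    Write-Output "Unhid: $($item.FullName)"
                }
            }
            if ($item.PSIsContainer) { $stack.Push($item) }
        }
    }
}

Restore-HiddenUserFiles -WhatIf        # preview; drop -WhatIf to apply
```

The rogues of this family set +H on user files but not +S, so keying the exclusion on the System attribute separates their damage from files Windows hides on purpose. Folders the rogue hid are unhidden the same way, since the walk clears the bit on a directory before descending into it.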

    The final part is to educate users on safe browsing habits and to offer anti-virus solutions.

    I hope this has been useful in the battle against Malware.

    -Nomad Computer Repair

    Sunday, Jun 19, 2011

    Top Firefox Security Add-ons

    Security Add-ons for Firefox

    Firefox is my browser of choice. The number one reason is the add-ons that can be installed for extra functionality, and some of those add-ons are useful for making Firefox more secure. These are the ones I recommend:


    Adblock Plus
    While I have some reservations about blocking ads, because they are so useful to businesses for bringing in new customers, ads have also become a growing avenue of attack. Cyber-criminals have found ways of hijacking ads that get posted on otherwise 'safe' websites; the website of The New York Times is a well-known example. Adblock Plus uses regularly updated filter lists to block ads from loading, which should in theory stop some hijacked ads from loading as well.

    NoScript
    What about malicious elements that aren't ads? You can use NoScript to block all active content (JavaScript, Java, Flash and other plug-ins) from running in your browser. This certainly adds security, but it will make a lot of websites look very different. For convenience, you can set up rules on a per-site basis.

    Web of Trust
    Web of Trust, or "WOT", places color-coded dots next to results on the major search engines, and one in your toolbar for the current page. It also blocks poorly rated websites from loading, with a big warning screen. The ratings are community-based, and with the add-on installed you can rate and comment on sites yourself. The comments can be very useful for evaluating others' experience with a specific website or company.


    Long URL Please
    This simple add-on automatically expands shortened URLs from services such as bit.ly, so you can tell at a glance where a link actually goes before you click it.
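    The same thing done by hand, for links received by e-mail or in a document rather than on a web page, as an added example that is not part of the original post and not how the add-on itself is implemented. It follows a shortened link's redirect chain one hop at a time with HEAD requests, with automatic redirection switched off, so every intermediate host is shown before any page content is fetched. The bit.ly address in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original post. Expand a shortened URL by walking
# its redirects manually; nothing beyond the response headers is downloaded.
function Resolve-ShortUrl {
    param([string]$Url, [int]$MaxHops = 10)

    $hops = @($Url)
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $req = [Net.HttpWebRequest]::Create($Url)
        $req.Method = 'HEAD'
        $req.AllowAutoRedirect = $false      # one hop per request, so we see each step
        $req.Timeout = 10000

        try {
            $resp = $req.GetResponse()
        } catch [Net.WebException] {
            # 4xx/5xx throw in .NET; keep the response so the status is still reported
            $resp = $_.Exception.Response
            if (-not $resp) { $hops += "error: $($_.Exception.Message)"; break }
        }

        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()

        # Stop on anything that is not a redirect carrying a Location header
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }

        # Location may be relative; resolve it against the URL we just requested
        $Url = (New-Object System.Uri -ArgumentList (New-Object System.Uri $Url), $location).AbsoluteUri
        $hops += $Url
    }
    $hops
}

Resolve-ShortUrl 'http://bit.ly/example'     # constructed placeholder URL
```

The output is the full chain, first entry the short link and last entry the page you would actually land on. Shortener-of-a-shortener chains (a bit.ly link that resolves to a t.co link) are common in spam, which is why the function keeps walking up to MaxHops rather than stopping after the first redirect.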

    PassIFox
    PassIFox integrates the KeePass password manager with Firefox. KeePass is a great program for generating and storing complex passwords; it deserves its own blog post, so look for one in the near future.
     
    Better Privacy
    This one is more privacy-related, but privacy and security overlap. Better Privacy deletes Flash Local Shared Objects (LSOs, also known as Flash cookies). Excerpt from the creators:

    Why are LSOs harmful?
    • they never expire, staying on your computer for an unlimited time.
    • by default they offer storage of 100 KB (compare: usual cookies 4 KB).
    • browsers are not aware of these cookies; LSOs usually cannot be removed by browsers.
    • via Flash they can access and store highly specific personal and technical information (system, user name, ...).
    • ability to send the stored information to the appropriate server without the user's permission.
    • Flash applications do not need to be visible to the user.
    • there is no easy way to tell which Flash-cookie sites are tracking you.
    • shared folders allow cross-browser tracking; all browsers use the same LSO folder.
    • the company doesn't provide a user-friendly way to manage LSOs; in fact it's incredibly cumbersome.
    • many domains and tracking companies make extensive use of Flash cookies.
    • Flash cookies are used to re-create the data of deleted traditional cookies.

    Qualys BrowserCheck
    This one is new to me, but very handy. It checks that your browser and its plug-ins are up to date, which can be particularly useful for techs.

    In conclusion, Firefox add-ons not only add functionality and personal touches to the browser; they can also help increase your security. If you do not have Firefox, try it out now and find out how customizable it can be.

    -Be safe out there,
    Nomad Computer Repair


    

    Sunday, Apr 17, 2011

    Snohomish Computer Repair commercial... be afraid.

    A quick little commercial I put together with a free tool.