Archive for the ‘Advanced’ Category
PHP Web Application Development Part 1
This is a collection of notes from a professional development series I am doing on web application development using PHP. Although the examples use PHP, it is just one language; many of the same concepts are implemented in other languages. The focus is on the concepts behind web application development.
Part 1 – Building a Weibo Isotope with CodeIgniter
You will need to download these to get ready for the hands-on parts of the seminar (no need to install yet):
- Download XAMPP for your operating system: Windows, Linux, Mac OS X
- Download CodeIgniter: zip
- Download 960 Grid System: zip
- Download Smarty: zip
- Download Smarty integration code: codepad.org/GofSbVfT
- Download RedBeanPHP: tar.gz
- Download RedBeanPHP integration code (updated): codepad.org/5L48Nvgm
It’s advisable to skim through the following reading:
- Web building primer at W3Schools
Next steps that we will cover at the seminar (coming this Saturday):
- Setting up server environment
- Setting up CodeIgniter
- Integrating 960 Grid System
- Integrating Smarty
- Integrating RedBeanPHP
To be continued…
Useful Registry Locations
I’ve come across these keys by searching the Internet. I use them for detecting viruses, troubleshooting, and other geeky things. The convention I’m using for writing out the keys is MainKey\SubKey1\SubKey2\SubKeyEtc > Value (the data is not shown).
1. Windows Shell – The value where the OS records its shell, “explorer.exe”. Malware often appends its own executable here so that it is launched together with explorer.exe at every logon.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Shell
2. Run on Startup – The keys programs use to start with the OS. There are two places in the registry that hold this: one for the whole machine and one for the logged-in user (the per-user entry runs only when that user logs on).
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Default Wallpaper – Desktop settings for the default profile, i.e. the wallpaper shown before anyone has logged in
HKEY_USERS\.DEFAULT\Control Panel\Desktop > Wallpaper
4. My Computer Context Menu – The entries that show up when you right-click the My Computer icon on the desktop (I am not sure whether the CLSID will be the same on every system)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell
5. System Services – Listing of all system services and drivers. Each subkey is one service; its ImagePath value names the binary that is loaded. Useful for removing them manually
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
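As an added example (not code from the original post), here is a PowerShell script that audits locations 1, 2 and 5 above the way I would during a cleanup: it flags a Winlogon Shell that is not exactly explorer.exe, Run entries whose target is missing or not validly signed, and services whose binary lives outside the Windows or Program Files trees. The triage rules, the per-user Winlogon key and the WOW6432Node Run key are this example’s own additions; the helper names are mine.

```powershell
# Added example, not code from the original post: audit the autostart locations
# listed above from an elevated PowerShell prompt. The triage rules encoded here
# (Shell must be exactly explorer.exe; Run targets should exist and carry a valid
# Authenticode signature; service binaries normally live under the Windows or
# Program Files trees) are this example's own assumptions, not rules from the post.

function New-Finding {
    param($Location, $Value, $Reason)
    [pscustomobject]@{ Location = $Location; Value = $Value; Reason = $Reason }
}

function Get-CommandExecutable {
    # Extract the program path from a Run-style command line: a quoted first token,
    # or everything up to the first ".exe" when the path is unquoted.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Resolve-ServiceImage {
    # ImagePath comes in several shapes: \??\C:\..., \SystemRoot\..., or a bare
    # relative path such as system32\drivers\x.sys (relative to %SystemRoot%).
    param([string]$ImagePath)
    $p = Get-CommandExecutable ($ImagePath -replace '^\\\?\?\\', '')
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-AutostartFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Winlogon Shell, machine-wide and the per-user override (normally absent)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) { continue }
        # -ne is case-insensitive; what matters is an extra token or path, not the capital E
        if ($shell.Trim() -ne 'explorer.exe') {
            $findings.Add((New-Finding "$key > Shell" $shell 'Shell is not exactly explorer.exe'))
        }
    }

    # 2. Run keys: per-machine, the 32-bit view on 64-bit Windows, and per-user
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            # skip the provider metadata properties that Get-ItemProperty adds
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $exe = Get-CommandExecutable ([string]$p.Value)
            if (-not (Test-Path -LiteralPath $exe)) {
                $findings.Add((New-Finding "$key > $($p.Name)" $p.Value 'Autostart target does not exist'))
                continue
            }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                $findings.Add((New-Finding "$key > $($p.Name)" $p.Value "Unsigned or bad signature ($($sig.Status))"))
            }
        }
    }

    # 5. Services: flag service and driver binaries outside the usual trees, or missing
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ([string]::IsNullOrWhiteSpace($img)) { continue }
        $path = Resolve-ServiceImage $img
        $inKnownRoot = $false
        foreach ($r in $roots) {
            if ($path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $inKnownRoot = $true }
        }
        $where = "Services\$($svc.PSChildName) > ImagePath"
        if (-not $inKnownRoot) {
            $findings.Add((New-Finding $where $img 'Service binary outside Windows/Program Files'))
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $findings.Add((New-Finding $where $img 'Service binary missing (orphaned or deleted)'))
        }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list, not a verdict: legitimate unsigned software shows up under rule 2, and a few vendors install services outside Program Files. What should never appear on a clean machine is a Shell value with more than the single explorer.exe token.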
win32:rontokbr-I2 Worm Infection
Symptoms
- Registry Editor (regedit) is disabled
- The system may run more slowly than usual
Overview
I haven’t researched this worm very thoroughly. It seems simple and consists of just two files:
C:\WINDOWS\eksplorasi.exe
C:\WINDOWS\shellnew\sempalong.exe
Please note that I am not affiliated with any brands or software mentioned in this article.
Infection
The worm’s basic infection method is to add itself to the system’s “Shell” launch value. This registry value tells Windows which program to start as the shell, normally “explorer.exe”, which is the parent of most of the other software that runs on the PC; anything appended to the value is started at every logon alongside it.
Cure
The cure (as far as I can tell) for the strain that I encountered is simple. However, before trying it, I suggest you try out a-Squared Free. I find this software pretty reliable in detecting and removing ordinary trojans and worms (a feature lacking in most anti-virus products I have tried).
We need the following tools (most of this is just to get back into the registry, which the worm disables):
- ID System Optimizer (to enable the registry again)
- KillBox (to completely and safely delete the executables of the worm)
- Process Explorer (to detect and kill the worm’s processes)
Step 1. Run Process Explorer and look for processes running from the two files named above. If found, kill them, and kill both before moving on so that neither is left running to recreate the other.
Step 2. Use KillBox to delete the above files (I assume you have read its manual). If a file is still locked, select the “Delete on Reboot” option.
Step 3. Use ID System Optimizer to re-enable the Registry:
a. Navigate through “APPLICATIONS>Regedit>Disable Regedit”
b. When you click on “Disable Regedit”, a setting called “Enable Regedit” will appear on the right side. This will be turned to “No”. Click on it to make it “Yes”.
c. Click the “Apply Settings” button.
Step 4. Remove the worm’s entry from the registry
a. Click “Run” from the Start Menu and type “regedit”. The registry opens. Now navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
b. Right-click “Shell” and select “Modify”. In the window that opens you will see a text box called “Value Data” reading something like:
Explorer.exe “C:\WINDOWS\eksplorasi.exe”
c. Modify it to read ONLY “explorer.exe”; that is, delete the entire “C:\WINDOWS\eksplorasi.exe” part.
d. Also note the capital “E” in “Explorer”. This may hint at an infection if the correct entry on your system has a small “e”; if your value has no “C:\WINDOWS\eksplorasi.exe” part but does have the capital “E”, the “explorer.exe” file itself might have been infected. [I could not verify this completely.] Capitalization alone is not reliable evidence, though: Windows compares registry data and file names case-insensitively, so either spelling launches the same file. The checks that do matter are that the value contains nothing except explorer.exe (no path and no second program) and that the explorer.exe in the Windows directory is genuine, which you can confirm by comparing its size and hash with a known-good copy from another machine running the same Windows version.
Step 5. Restart your PC
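The five steps above, scripted, as an added example that is not part of the original post and not the author’s procedure. It is meant for an elevated PowerShell prompt. Everything it assumes beyond the post is labelled: the two worm file paths are those named above (under %SystemRoot% rather than a hard-coded C:\WINDOWS); “registry disabled” is taken to mean the standard DisableRegistryTools policy value, which is the Windows setting ID System Optimizer toggles but was not verified against this worm; “delete on reboot” is done with the PendingFileRenameOperations value that Session Manager processes at boot; and the per-user Winlogon key is checked in addition to the machine-wide one. The function names are mine.

```powershell
# Added example, not code from the original post: the five removal steps above as a
# script for an elevated PowerShell prompt. Assumptions specific to this example:
# the worm consists of the two files named in the post; "registry disabled" means
# the DisableRegistryTools policy value is set (not verified against this worm);
# "delete on reboot" uses the PendingFileRenameOperations value processed at boot.

$WormFiles = @("$env:SystemRoot\eksplorasi.exe", "$env:SystemRoot\shellnew\sempalong.exe")

function Stop-WormProcesses {
    # Step 1: match by full image path rather than process name, since the worm
    # could run under any name. Repeat a few times in case one copy respawns the other.
    param([string[]]$Paths)
    $killed = @()
    for ($round = 0; $round -lt 3; $round++) {
        $hits = foreach ($proc in Get-Process) {
            $image = $null
            try { $image = $proc.Path } catch { }   # some system processes deny access
            if ($image -and ($Paths -contains $image)) { $proc }
        }
        if (-not $hits) { break }
        foreach ($h in $hits) { Stop-Process -Id $h.Id -Force; $killed += $h.Path }
        Start-Sleep -Milliseconds 500
    }
    return $killed
}

function Remove-WormFiles {
    # Step 2: delete the files now; anything still locked is queued for deletion at
    # next boot via PendingFileRenameOperations ("\??\path" followed by an empty target).
    param([string[]]$Paths)
    $deferred = @()
    foreach ($f in $Paths) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try {
            (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'   # clear hidden/system/read-only
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
        } catch { $deferred += $f }
    }
    if ($deferred.Count -gt 0) {
        $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = @((Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations)
        $pending = @($pending | Where-Object { $null -ne $_ })   # keep existing pairs, drop a null placeholder
        foreach ($f in $deferred) { $pending += "\??\$f"; $pending += '' }
        Set-ItemProperty -Path $sm -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
    }
    return $deferred
}

function Enable-RegistryTools {
    # Step 3: regedit is blocked by the DisableRegistryTools policy value; remove it
    # from both the per-user and per-machine policy keys (assumed to be what the worm set).
    $fixed = @()
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') {
        $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($null -ne $v -and $v -ne 0) {
            Remove-ItemProperty -Path $key -Name DisableRegistryTools
            $fixed += $key
        }
    }
    return $fixed
}

function Repair-WinlogonShell {
    # Step 4: the machine-wide value must read exactly "explorer.exe" (no path, no
    # second program). A per-user Shell value is normally absent, so it is removed.
    $changed = @()
    $hklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $hkcu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $hklm -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell -and $shell.Trim() -ne 'explorer.exe') {   # -ne is case-insensitive
        Set-ItemProperty -Path $hklm -Name Shell -Value 'explorer.exe' -Type String
        $changed += "$hklm > Shell was: $shell"
    }
    $userShell = (Get-ItemProperty -Path $hkcu -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $userShell) {
        Remove-ItemProperty -Path $hkcu -Name Shell
        $changed += "$hkcu > Shell was: $userShell"
    }
    return $changed
}

$killed   = Stop-WormProcesses -Paths $WormFiles
$deferred = Remove-WormFiles -Paths $WormFiles
$policies = Enable-RegistryTools
$shellFix = Repair-WinlogonShell
# Step 4(d): instead of reasoning about the capital E, check explorer.exe itself. On
# older Windows versions system files are catalog-signed and may report NotSigned here;
# then compare size and hash against a known-good copy instead.
$explorerSig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\explorer.exe"

"Killed: $($killed -join ', ')"
"Queued for delete on reboot: $($deferred -join ', ')"
"DisableRegistryTools removed from: $($policies -join ', ')"
"Shell repaired: $($shellFix -join '; ')"
"explorer.exe signature: $($explorerSig.Status)"
"Step 5: reboot now (Restart-Computer) so pending deletions and the clean Shell value take effect."
```

The order matters: the Shell value is repaired only after the worm’s processes are dead and its files are gone or queued for deletion, otherwise a running copy can simply write the value back. The script deliberately does not reboot on its own so you can read the report first.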
Afterword
These were the steps I took to remove the worm. I had discovered it by accident one day when the system gave a “File not found” error message showing this strangely named file, “eksplorasi.exe”. [There’s probably a bug in the worm itself!] After some research on the Internet I was able to find the name of the worm, but not much else, so I decided to document this, just for reference.