Sunday, February 20, 2011

Legacy " wowexec.exe" and "ntvdm.exe" from TopCat.exe?

16-bit screen-mate?
.: Desktop mates or screen-mates are one quick way to liven up our computer screen, but those tiny widgets can bring harm to our computer too...

Such a case happened to me today. After trying one screen-mate - TopCat.exe from Cool on-Screen Fun, two UFIs appeared..

UFI : " wowexec.exe" and "ntvdm.exe".
UFI? 2 Unidentified Foreign Image-Names appeared in my task manager after I closed down TopCat.exe. Strange, hurmmmm... I tried to end both of them and it was a success. Luckily it was not some heavy trojan or other computer virus. Just to be sure, I double-checked on the Net to see if somebody had encountered such processes before.

Forum analysis:
  • WOWExec as in " wowexec.exe" means Windows 16-bit on Windows NT emulator? And "ntvdm.exe" means NT Virtual DOS Machine.
  • Usually " wowexec.exe" uses nothing, but "ntvdm.exe" uses only a tiny fraction of your memory. (refer to picture)
  • These 2 processes/utilities will start automatically when we use or play any 16-bit (legacy) games or DOS programs, which in my case is this TopCat.exe.
  • Both will remain in memory even after we close the 16-bit program, so we need to end them manually.
  • If we still leave them running, they take up a whole lot of resources and block IE and Fx, and other programs, from running.
  • "wowexec.exe" and " wowexec.exe" can be considered safe processes, but "_wowexec.exe" is still a mystery..

Okay, that should clear my questions for now. It's been 2 months already since I cleaned malware from someone's computer. Oh I hate malware, it is pretty clever at hiding and disguising itself...


Ooigi.blog: "Sometimes you can see it x86, sometimes x64, 32 or 16. 8 is too old. But which one is which?"
:-?
:.

Windows AutoRun, your life saver or your computer destroyer?

.: Stock post that has been hibernating in my draft... :-(

What is an AutoRun actually?
Wiki: AutoRun is an automation feature for Microsoft Windows which allows removable media or devices to launch programs by themselves. Which programs are launched depends on the commands written inside autorun.inf, a text file in the very first (root) directory.

Autorun.inf
Wiki: autorun.inf is a text file that contains written commands (aka instructions). These commands are read by the Windows AutoRun feature, but only if the file is found in the very first (root) directory. If autorun.inf is found in a secondary or any other directory, it is just an ordinary text file...

AutoRun is only the feature. The one who activates it is the operating system, a.k.a. Windows (XP/Vista/7). Windows runs the feature based on the commands found in autorun.inf. Good autorun.inf commands will produce good behaviour, while "naughty" autorun.inf commands do the opposite. So autorun.inf is quite a culprit~

Uses of AutoRun.
  • To read the autorun.inf commands and launch them.
  • To start the software installation. Simply by inserting your software CD/DVD, Windows AutoRun will read the autorun.inf automatically and ask for your permission before installing the software. So, there is no need to explore the CD/DVD looking for the setup.exe file.
  • To silently run malware or viruses inside your computer... X-O

While AutoRun was created to simplify our work, it can become a serious problem for us. Because Windows automates the process, the third use of AutoRun is a disaster. One wrong move, and you have officially run the malware or the virus inside your computer. Those wrong moves include:
  • Double-Click (eg: click twice on your removable drive and the virus runs automatically),
  • Contextual Menu (eg: choosing the wrong pop-up menu item also runs the virus),
  • AutoPlay (kinda similar to the contextual menu above, but this graphical feature can recommend a related application to run, play or display the content).

AutoPlay Wrong move - DO NOT 'Open folder to view files using the program provided on the device'. The original 'Open folder to view files' can be seen at the bottom of the menu.
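To see which of the three wrong moves above a given autorun.inf is set up for, the file can be read as plain text before anything on the drive is opened. The following is an added example, not code from the original post: the function names, the sample file contents and the grouping of keys by wrong move are this example's own assumptions, while the key names (open, shellexecute, shell\verb\command, action, icon, label) are the standard autorun.inf entries.

```python
import re

# [autorun] keys that name a program Windows runs when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# Keys that only change how the drive is presented (AutoPlay text, icon, label).
DISPLAY_KEYS = {"action", "icon", "label"}
# shell\<verb>\command adds or overrides an entry in the right-click menu.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """Return (wrong_move, key, value) for every entry worth a second look."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(("double-click", key, value))
        elif key == "shell" or SHELL_CMD.match(key):
            findings.append(("context-menu", key, value))
        elif key in DISPLAY_KEYS:
            findings.append(("autoplay", key, value))
    return findings

# Constructed sample: the program hides behind a folder icon and a
# familiar-looking AutoPlay caption. File names are made up.
SAMPLE = r"""
; constructed sample, not taken from a real drive
[autorun]
open=tools\helper.exe
icon=folder.ico
action=Open folder to view files
shell\open\command=tools\helper.exe
shell\explore\command=tools\helper.exe
label=My USB
"""

if __name__ == "__main__":
    for move, key, value in audit_autorun(SAMPLE):
        print(f"{move:13} {key} = {value}")
```

Any "double-click" or "context-menu" finding on a USB drive that is not a software installer is a reason to scan the drive before opening it.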

Comparing the harm and benefits of AutoRun, it is not recommended to use this feature regularly. Only if you know what you're installing, then AutoRun doesn't bring any importance at all.

So, can we stop or block this AutoRun feature?
According to Wikipedia, there are a number of ways to alter this feature or to stop it completely. Some of the alterations are very risky to do (especially for newbies), so we might need to opt for other "friendly" methods. Our main focus here is to stop or block the autorun.inf file completely, because the commands inside it are what deceive the AutoRun feature. This can be done by:
  • using software, particularly an antivirus or an autorun.inf blocker.
  • deleting autorun.inf manually.

We will learn about stopping or blocking AutoRun later, so in the meantime, please scan every USB drive inserted into your computer before you use it. Better be aware than in despair..


Ooigi.blog: "No program is too perfect - human who makes them too useful or too useless."
:-?
:.