Running Headless: How to Force Display Rez?

[BillW50]

*shrug* Suit yourself. I don't get the whole "scared to download"
thing. You can download malicious files all day long and not have a
problem until you execute one or more of them. In this case, you could
simply download, scan with your favorite scanner(s), upload to
virustotal, whatever. I see absolutely NO reason to be scared to
download something, especially something from a site like Nirsoft.

Sorry for the rant, but I just went through a similar scenario with
one of my clients. You give them the tools, you give them the
knowledge, and still they freeze.

I understand the fear. Even though I have been using Windows since '93
and I never had a virus or trojan yet. But I still understand the fear
of others. As all it takes is been bitten once or twice even with the
correct tools installed to be very leery.

 

[Char Jackson]

I understand the fear. Even though I have been using Windows since '93
and I never had a virus or trojan yet. But I still understand the fear
of others. As all it takes is been bitten once or twice even with the
correct tools installed to be very leery.

You understand something that I don't.

 

[Paul]

Liar. You're probably infected and don't even know it.

At one time, malware attacks were "all flash and fireworks".

Now that there is money to be made by infecting machines,
the less "fireworks" the better. If the user is unaware
they're infected, you can make money off them (replaced
advertisements on web pages for example). So there's no
particular reason for Bill to notice whether he's infected
or not.

The other kind of malware is "ransomware", where you
definitely notice you're in trouble. But by which time,
it's too late. Kaspersky ran into some users, where
all their data files were encrypted by the malware, and
a message appears on the screen asking for $200 or so,
if they want the files back. Which should teach the
importance of having an offline (disconnected hard drive)
backup available I haven't heard of that particular
exploit for a while now. But there's still ransomware
out there.

Paul

 

[(PeteCresswell)]

Per Char Jackson:

*shrug* Suit yourself. I don't get the whole "scared to download"
thing. You can download malicious files all day long and not have a
problem until you execute one or more of them. In this case, you could
simply download, scan with your favorite scanner(s), upload to
virustotal, whatever. I see absolutely NO reason to be scared to
download something, especially something from a site like Nirsoft.

That's probably because you know a lot more.

My assumption was that it had already been scanned by something
on my PC and found wanting bco the "Malicious..." message when I
started the download.

I'm totally clueless on the modalities of malicious software.
But, unimpeded by any knowledge, would think that something could
be malicious once unzipped and installed. How would one know if
an application that does something perfectly useful hasn't become
the vector or host for some StuxNet-type code? Yesterday's XYZ
app might be fine. Today's download of the nominally-same app
might be something else altogether.

Seems to me like it comes back to:

- Whether one trusts the supplier or not.

- How confident one is in one's ability to recover
(assuming they even know they're infected...) from
an infection by re-imaging.


I'd venture that most users don't even know what a system image
is - much less have a known good image to recover with.

That brings it down to trust and I think most users would trust
their anti-virus app more than they would trust a source that
they do not know anything about.

That lets your users off the hook, IMHO.

But, now that everybody in this thread as spoken up on behalf of
NirSoft, I guess I'm still on the hook...

 

[BillW50]

At one time, malware attacks were "all flash and fireworks".

Now that there is money to be made by infecting machines,
the less "fireworks" the better. If the user is unaware
they're infected, you can make money off them (replaced
advertisements on web pages for example). So there's no
particular reason for Bill to notice whether he's infected
or not.

Oh but Bill *does* notices. I clean others infected computers all of the
time. As there are lots of tip-offs that a system has become
compromised. Some include:

1) Unknown processes and/or services

2) Net traffic when there is no reason for traffic

3) The OS becomes sluggish

4) Unusual drive access

And when cleaning a compromised system, I have long learned that trying
to do so with the compromised OS is doing it the hard way. I won't say
it is completely impossible, but very difficult to say the least.

The best way is to have the compromised OS as non-operating (aka not
running). And use an uncompromised OS to clean it up. Thus the malware
is defenseless to defend itself. No matter how deep the hooks are into
the OS. ;-)

 

[Jake]

Per Char Jackson:

Based on that, I went back and clicked the "Download 64-bit
version" button, but Chrome popped "nircmd-x64.zip appears
malicious".

I don't know who that is coming from. Avast, maybe?

I've had the nirsoft utilities forever. MS Security Essentials started
complaining about one of them a year or so ago and I stopped using MSSE
for that very reason. The nirsoft utilities include password readers and
resetters that MS doesn't think I should have.

 

[Zaidy036]

Per Char Jackson:

Based on that, I went back and clicked the "Download 64-bit
version" button, but Chrome popped "nircmd-x64.zip appears
malicious".

I don't know who that is coming from. Avast, maybe?

I think I'll take Paul's suggestion and go back and aim
PowerStrip at an installed Radeon driver.

That is because to do its work Nirsoft & Nircmd use some of the same
methods that malicious programs do. Go ahead and d/l the entire Nirsoft
package - it includes many usable routines.

 

[Paul]

Per Char Jackson:

That's probably because you know a lot more.

My assumption was that it had already been scanned by something
on my PC and found wanting bco the "Malicious..." message when I
started the download.

I'm totally clueless on the modalities of malicious software.
But, unimpeded by any knowledge, would think that something could
be malicious once unzipped and installed. How would one know if
an application that does something perfectly useful hasn't become
the vector or host for some StuxNet-type code? Yesterday's XYZ
app might be fine. Today's download of the nominally-same app
might be something else altogether.

Seems to me like it comes back to:

- Whether one trusts the supplier or not.

- How confident one is in one's ability to recover
(assuming they even know they're infected...) from
an infection by re-imaging.


I'd venture that most users don't even know what a system image
is - much less have a known good image to recover with.

That brings it down to trust and I think most users would trust
their anti-virus app more than they would trust a source that
they do not know anything about.

That lets your users off the hook, IMHO.

But, now that everybody in this thread as spoken up on behalf of
NirSoft, I guess I'm still on the hook...

Just because something "scans as clean", doesn't mean it's clean.

In the case of NirCmd, when I run it on virustotal, Sophos "detects"
it. When I go to the Sophos site, and look for references to NirCmd,
yes they list it, and they say absolutely nothing about why they
flagged it. It's a PUA (potentially unwanted application), but
they couldn't even be bothered to explain way.

To test NirCmd, I used regedit, exported the registry,
ran the command, then ran regedit and exported the registry
again. I did that in a virtual machine, to protect my main OS.

First off, make sure the command actually does something. If
the command syntax is wrong, nothing happens to the registry.

The NirCmd documentation gives this as an example:

nircmd.exe setdisplay 800 600 24

But in the virtual machine I tested in, the video card can only
go in 16 bit or 32 bit mode. There is no 24 bit, so the command fails.
As given, that command doesn't change the registry.

Once I change it to

nircmd.exe setdisplay 800 600 32

then it actually does something.

This is the kind of entry you'll find in the registry. There are
multiple of these. In this case, the virtual machine has an emulation
of an S3 video chip (a relatively dumb frame-buffer style chip),
and that's noted by the identifier "VPC-S3" for the video card.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\VPC-S3\DEVICE0]
"Attach.ToDesktop"=dword:00000001
"DefaultSettings.BitsPerPel"=dword:00000020
"DefaultSettings.XResolution"=dword:00000400
"DefaultSettings.YResolution"=dword:00000300
"DefaultSettings.VRefresh"=dword:0000004b
"DefaultSettings.Flags"=dword:00000000
"DefaultSettings.XPanning"=dword:00000000
"DefaultSettings.YPanning"=dword:00000000
"Attach.RelativeX"=dword:00000000
"Attach.RelativeY"=dword:00000000

The BitsPerPel is hex, and 0x20 is 32 bits per pixel.

XResolution of 0x400 is 1024 decimal width.

YResolution of 0x300 is 768 decimal width.

The NirCmd syntax doesn't include refresh rate (at least,
as given in the example). And the refresh rate of 0x4b is 75Hz.
Whereas, if I'd set it manually, for an LCD I would have chosen 60Hz refresh.
60Hz would be 0x3C hex.

The "XPanning" (not used) could apply to cases where
what the user sees, is a "window" into the entire desktop
surface. For example, with the appropriate hardware and driver
support, I could be looking at a 1024x768 chunk of a 4000x3000 surface.
Some of the video drivers (SIS being one), allow the desktop to
be larger than the display can present, and then when you move the
mouse and bang against the side of the 1024x768 window, the window
"moves" to expose a different view of the 4000x3000 area. It could
be that is what the XPanning and YPanning values are for.

Anyway, that's what NirCmd seems to be changing. The tough part,
is figuring out just which of the multiple sets of those keys,
should be changed.

So you don't have to use NirCmd. You could experiment with
those kinds of registry entries, reboot, and see what resolution
it comes up in. Just be careful to use values that are reasonable,
or be prepared to use a Restore Point to bring sanity to the system.
(Like, go into Safe Mode, restore to a previous sane state, such
that on the next reboot, you can see the screen again.)

Paul

 

[BillW50]

You understand something that I don't.

Perhaps because I felt that fear before. I decided to reinstall Windows
2000 from scratch on a Toshiba 2595XDVD. It was 2001 or maybe the latest
was 2002. I was still using dialup (shortly later I was using DSL). I
was also very cocky about malware back then. As I was always one step
ahead of the hackers. And whatever they could come up with, I was
already ready for them.

Still believing this, I reinstalled Windows 2000 from scratch. Logged on
dialup and got the updates from Microsoft. When asked to reboot, I
selected later. I didn't have an AV yet on this computer, so I
downloaded and installed AVG. I don't recall if AVG wanted me to reboot
too or not. I guess it doesn't matter. But at this point I logged off
and I could get AVG to scan before a reboot.

Why I did it this way, I dunno, I guess it was that little voice in your
head telling you to do it this way. I couldn't see the harm, so ok. And
I was totally shocked at the end result! One virus was downloaded in the
background and was ready to install on the next reboot. Luckily AVG
found it and removed it and removed the launch from the Windows registry
before it could even run.

I was now totally blown away! All of my cockiness was gone. They almost
got me! I didn't access any malware site or anything. Just Microsoft and
AVG websites and that is it. No I didn't have a firewall installed. And
the only thing that makes sense is that a hacker's computer (BOT) pinged
my computer and my computer answered back in the background. My computer
not running in stealth mode was talking to a stranger. So the BOT found
an easy way through an open port to slip the malware in and to modify
the Windows registry. Ready to do its dirty deed when I rebooted.

That was my scariest day when it comes to malware. I couldn't believe
they almost got me. All I had to do was to reboot and they would have.
So I had to rethink everything and how I almost got nabbed. I lost sleep
that night worrying about this.

But that was the closest I came. I am not as cocky about malware
anymore. And I look more over my shoulder a lot more than I did before. ;-)

 

[Gene E. Bloch]

Can you imagine normal people wanting to sit in their bedrooms for hours
on end corresponding with other people, few, if any, they know or will
ever meet? Me neither.

Yes, I can imagine that, but still, I have no idea why you asked.
Mystified...

 

[Robin Bignall]

Yes, I can imagine that, but still, I have no idea why you asked.
Mystified...

It was the line about your screen causing insomnia. I keep fangled
gadgets (new and old) out of my bedroom.

 

[Paul]

Perhaps because I felt that fear before. I decided to reinstall Windows
2000 from scratch on a Toshiba 2595XDVD. It was 2001 or maybe the latest
was 2002. I was still using dialup (shortly later I was using DSL). I
was also very cocky about malware back then. As I was always one step
ahead of the hackers. And whatever they could come up with, I was
already ready for them.

Still believing this, I reinstalled Windows 2000 from scratch. Logged on
dialup and got the updates from Microsoft. When asked to reboot, I
selected later. I didn't have an AV yet on this computer, so I
downloaded and installed AVG. I don't recall if AVG wanted me to reboot
too or not. I guess it doesn't matter. But at this point I logged off
and I could get AVG to scan before a reboot.

Why I did it this way, I dunno, I guess it was that little voice in your
head telling you to do it this way. I couldn't see the harm, so ok. And
I was totally shocked at the end result! One virus was downloaded in the
background and was ready to install on the next reboot. Luckily AVG
found it and removed it and removed the launch from the Windows registry
before it could even run.

I was now totally blown away! All of my cockiness was gone. They almost
got me! I didn't access any malware site or anything. Just Microsoft and
AVG websites and that is it. No I didn't have a firewall installed. And
the only thing that makes sense is that a hacker's computer (BOT) pinged
my computer and my computer answered back in the background. My computer
not running in stealth mode was talking to a stranger. So the BOT found
an easy way through an open port to slip the malware in and to modify
the Windows registry. Ready to do its dirty deed when I rebooted.

That was my scariest day when it comes to malware. I couldn't believe
they almost got me. All I had to do was to reboot and they would have.
So I had to rethink everything and how I almost got nabbed. I lost sleep
that night worrying about this.

But that was the closest I came. I am not as cocky about malware
anymore. And I look more over my shoulder a lot more than I did before. ;-)

That could be something like this. Direct connection
to a modem, with no Windows firewall, would be enough. Even
if you had a box with NAT between you and the Internet, it
would help. Some of those exploits, are stopped by the
NAT in a home router.

http://en.wikipedia.org/wiki/Sasser_(computer_worm)

Paul

 

[Gene E. Bloch]

It was the line about your screen causing insomnia. I keep fangled
gadgets (new and old) out of my bedroom.

Thanks for the explanation. You can see below why I didn't understand
your remark until you explained it

The computer is in another bedroom which has been redesignated as an
office, but the doors face each other and the light annoyed me a bit.

That said, I confess that my remark about insomnia qualifies as a
significant exaggeration

 

[Char Jackson]

Oh but Bill *does* notices. I clean others infected computers all of the
time. As there are lots of tip-offs that a system has become
compromised. Some include:

1) Unknown processes and/or services

2) Net traffic when there is no reason for traffic

3) The OS becomes sluggish

4) Unusual drive access

#4 is just your Linux live CD accessing your Windows pagefile. ;-)

 

[Char Jackson]

My assumption was that it had already been scanned by something
on my PC and found wanting bco the "Malicious..." message when I
started the download.

The local scan doesn't start until the download is complete.

 

[BillW50]

That could be something like this. Direct connection
to a modem, with no Windows firewall, would be enough. Even
if you had a box with NAT between you and the Internet, it
would help. Some of those exploits, are stopped by the
NAT in a home router.

http://en.wikipedia.org/wiki/Sasser_(computer_worm)

Paul

Yes indeed. I didn't know this 10+ years ago when it happened. But I
quickly examined how the heck they almost got by me. Once I figured it
out I made sure that would never happen again. And after 10+ years, the
hackers haven't even come close. I am still a bit scared though. As they
almost got me once. Is the day coming when they actually do?

 

[Paul]

Yes indeed. I didn't know this 10+ years ago when it happened. But I
quickly examined how the heck they almost got by me. Once I figured it
out I made sure that would never happen again. And after 10+ years, the
hackers haven't even come close. I am still a bit scared though. As they
almost got me once. Is the day coming when they actually do?

The attack surface is huge, so yes, I'd say some day they'll get you.

Paul

 

[(PeteCresswell)]

Per Char Jackson:

The local scan doesn't start until the download is complete.

Any thoughts on where it came from? WOT maybe?

 

[Char Jackson]

Per Char Jackson:

Any thoughts on where it came from? WOT maybe?

The likely candidates appear to be Chrome, WOT, and Avast, based on
what you've told us you've got running on that system.

I imagine you've got one or more of them set to "Warn me when visiting
potentially malicious sites", and I assume there's a mechanism that
lets you identify specific sites as false positives in order to stop
the warnings.

 

[(PeteCresswell)]

Per (PeteCresswell):

Maybe replace the Radeon driver with some sort of special driver?

This is starting to beg a question for me: Once I remove or turn
off that Radeon driver, what is it that's left and is supplying
whatever it takes to get me a screen image?

Maybe that's what I need to try to hack in order to move from
1600x1200 to 1920x1200.

FWIW, this is not a religious issue. As someone already observed
I can live with 16x12 just fine. It's more the idea than
anything else.