My Blog
Here the tutorial How to Jailbreak iPhone 4G, 3Gs, 3G iOS 4.0, 4.0.1 with Jailbreakme. Follow this tutorial below :
1. Browse to www.jailbreakme.com through our device and wait for the complete page load.
2. Once your page loads swipe your finger across “Slide to jailbreak”, very similar to “Slide to unlock” what we perform daily by LockScreen to access the springboard of our device.
3. Now wait and watch while your device will begin to download the data necessary to execute the jailbreak procedure.
4. Once the download is complete, the words come out “Jailbreaking Sit Tight. ”
5. Wait a few seconds while installation finishes and a new popup will warn that Cydia icon is added on the springboard.
that’s it now enjoy your jailbroken iPhone
200 Ways To Recover Revive Your Hard-Drive
Download Here
Don't confuse csrcs.exe with csrss.exe, csrss.exe is a legitimate windows service, whereas the csrcs.exe is a Trojan, or a virus. It resides in the
C:\Windows\System32\
folder.
To remove csrcs.exe and all its effects, first take
regedit
( Start > Run : regedit ). Then search for the string "csrcs.exe", and remove all occurrence of the string from the values. If there is a path given like "C:\Windows\System32\csrcs.exe" delete the entire value from the registry.
Next delete the file, from C:\Windows\System32.
If you do not find it, first show all hidden files. You may have to fix that in the registry to show hidden files. This has been covered in an earlier post. So once thats done delete the exe file.
Restart.
Intro
The following steps were used to successfully reset the root password of a "Fedora 10" machine. In general, can be applied to any linux machine.
GRUBWhile booting, after the initial splash and POST screen of the bios, the control transfers to GRUB. If there is just one linux operating system installed, the GRUB screen is bypassed to the booting screen, in that case just keep on pressing or tapping the ESC Button until you see the GRUB Menu.
Edit Choose the OS you want to boot into and press "e" to edit.
Edit Find the line that corresponds to kernel, and again press "e". Add the following line to the end of the line.
single init=/bin/bash
Then press enter, and then "b" to boot the OS. After booting you will get a root shell.
Mounting the filesystem in readwrite mode: Type in the following command to remount the filesystem in read write mode.
mount -o remount,rw /
Not doing this step might give the following error when running passwd, passwd: Authentication token lock busy.
passwd Next just use the passwd command, and give a new root password, Now that's simple.
Reboot or init 5
Try this.
OR from the root shell, you can also edit the /etc/shadow file to remove the password.
OR copy the /etc/shadow /etc/passwd file and use John-The-Ripper software to try cracking the password.
Stuck?
Mail me
The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also makes autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I’m not sure if this is an old virus, but it seems it’s been spreading a lot lately. And most anti-virus doesn’t detect this, but for those who does, it can’t remove it.
It is also known as:
W32/Confi
W32/Conficker.worm!inf
Win32/Conficker.B - CA
It exploits Microsoft Windows vulnerability:
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008
Symptoms:
‘Show hidden files and folders’ doesn’t work. You can check this by going to a folder, then click Tools, then Folder Options, then View tab. Select the ‘Show hidden files and folders’ then click Apply, then Ok. Open Folder Options again, if it reverted back to ‘Do not show hidden files and folders’ then you have this virus.
Evey time you plug in a USB device on your computer, it creates an autorun.inf file, and a RECYCLER folder with the jwgkvsq.vmx virus file.
You can’t access anti-virus websites an other popular websites like microsoft.com or yahoo.com
Windows won’t boot into Safe Mode. This happens on extreme cases. When you try to boot into Safe Mode, your computer restarts/shuts down
Side-effects
Since this is a worm, system slowdown may (or may not) happen.
Quickly spreads through networked computers and USB devices. Which includes flash drives, portable external hard drives, mobile phones, mp3 players, and anything that can be plugged into a USB port.
Won’t let you access some websites.
Now let’s go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus.
Here is a quick step to remove this virus from your computer, and from your USB devices.
Preparation:
Download FixDownadup.exe from Symantec.com
Download anti-Downadup-EN.zip from BitDefender.com (just in case the first one doesn’t work).
Download Process Explorer and AutoRuns from Sysinternals (we may or may not use this).
Download MoSo Force Delete (just in case we need to delete something that can’t be deleted).
Removing the jwgkvsq.vmx virus from your computer
Disconnect your computer from the network, if it is connected. Removing the network cable from your PC should do the trick.
Just run the FixDownadup.exe we downloaded from Symantec. It should clean the virus of the PC. This works if the infection is in a low-level state. Meaning you have anti-virus software already running and the infection is isolated.
After scanning you should see a report popup, and an option to go to Microsoft website to patch your computer with a critical security update.
Restart your computer. When you’re back on the desktop, check your programs/softwares if it is still running.
Turn of System Restore to delete all entries, which sometimes contains remnants of the virus. To do this:
Right-click My Computer, select Properties.
Click System Restore tab.
Check ‘Turn off System Restore on all drives’. Click Apply, then Ok.
Restart your computer.
Then, uncheck ‘Turn off System Restore on all drives’ to enable it again.
Removing the jwgkvsq.vmx virus from your USB device
First. Start your computer on Safe Mode
Shut down your computer
Turn it back on, before the Windows loading screen comes up, press F8. Or just press it repeatedly after starting your computer
Select Safe Mode on the menu by pressing the arrow keys and hitting Enter.
Plug your USB device. Notice that the autorun.inf won’t run in safe mode.
Enable the ‘Show hidden files and folders’. Instructions are listed on the Symptoms section above.
Delete autorun.inf file. It is usually located on the root of the USB drive.
Delete the hidden/system folder RECYCLER.
If you can’t delete it, you have to disable it’s function (for external/portable hard drives). Right-click on the Recycle Bin icon on your desktop, then select Properties. Select ‘Configure drives independently’. Then tab to the external drive, and check ‘Do not move files to the Recycle Bin.’ Hit Apply, then Ok’
If it is a flash drive or other USB device, use MoSo Force Delete, we’ve downloaded earlier on this guide.
Just in case the virus registered itself on the registry. Open the Run dialog box from the start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you found an entry, just press DEL to delete it.
If your computer is in a network, better check all the other computers connected to it. Also download and install the automatic update (Microsoft vulnerability) which I’ve posted at the beginning of this post.
In extreme cases, your computer won’t initiate Safe Mode and after using the removal tool above, your system may report a missing .dll file or something.
Windows Vista Validation Update (KB929391) has just been released and deployed to Vista computer that are what called by Microsoft as “frankenbuild” system that use the workaround of mixing files from RC and RTM build to activate the Windows Vista. As there is no official retail or OEM version of Windows Vista on sale in market yet, so practically all Vista installation by personal or home users is likely to be activated with pirate or crack methods. Your Vista will be de-activated after this update and with Aero feature disabled.
Unactivated Windows Vista will go into reduced functionality mode once the activation grace period expired, where Vista will provide only limited usablity. So if you want to continue using Windows Vista at least until theoretical expiry date of RC1 or RC2 product key in mid 2007, there a few methods that you can try, and should works on all editions of Vista (ultimate, business, enterprise, home premium and etc).
Do not install KB929391 Windows Vista Validation Update. You can turn off Automatic Updates, or at least set it not to automatically install critical updates for you. But if you need to read this article, most likely you have installed it (or Microsoft has pushed it to you), so useless.
Reinstall Windows Vista. Straight forward method, format your hard drive and install fresh Windows Vista again, activate it with various crack or workaround, and then remember the point 1 above.
If you have made a ghost image of your hard drive which Vista is installed, roll back to the previous state of Vista by restoring the image. Also remember point 1 above.
If you have made a CompletePC Backup, boot from Windows Vista DVD, and recover your system by restoring the backup. Remember point 1 above too.
ronie reported the following steps will work to remove the KB929391 update:
Boot from your Vista installation DVD.
Select “Repair your computer”.
Choose “System Restore” and pick a restore point that has been created before the validation update (KB929391) was installed.
As usual, remember point 1 above.
Try to disable, uninstall or remove Windows Vista Validation Update (KB929391) in the hope to undone the ‘damage’ by using following steps. You will need the RC1 or RC2 files of tokens.dat and CPP product key (both is the same as what you used to crack Vista activation previously to make Vista validated and genuine. If you lost the files, download it here) plus Windows Vista DVD. You should backup your important files before trying this.
Reboot Windows Vista, and boot into Safe Mode.
Launch Windows Explorer, go to Folder Options and check (tick or select) “Show Hidden Files” and “Show protected system files” options. Then click OK.
Zap the WPA encrypted store by deleting the following files (hidden by default unless you show hidden file as instructed above):
“C:WindowsSystem327B296FB0-376B-497e-B012-9C450E1B7327-
2P-0.C7483456-A289-439d-8115-601632D005A0″
“C:WindowsSystem327B296FB0-376B-497e-B012-9C450E1B7327-
2P-1.C7483456-A289-439d-8115-601632D005A0″
Uninstall the WGA (Windows Vista Genuine Advantage) update by execute or run the following command:
regsvr32 /u c:windowssystem32LegitCheckControl.dll
Reset the Vista Software Licensing tokens file by copying back the RC1 or RC2 tokens.dat to
“C:WindowsServiceProfilesNetworkServiceAppData
RoamingMicrosoftSoftwareLicensing”
Replace the original tokens.dat.
The following step is to remove the Windows Product Activation (WPA) data from the registry. It’s impossible to do this at normal Vista installation bootup, so restart the computer and boot with Windows Vista DVD. Choose to “Repair my Computer” and then select your appropriate Vista installation.
Then select “Command Prompt”, and at command prompt window, type “regedit” (without quotes to run registry editor.
Select HKEY_LOCAL_MACHINE registry branch, and then click on File -> Load Hive.
Navigate to C:WindowsSystem32config and choose the SYSTEM hive. Give it key name of “temp”.
Locate HKEY_LOCAL_MACHINEtempWPA registry branch and then delete and remove every registry subkeys or child nodes under it. Leave only WPA that is blank. If you already deleted the WPA key, re-create it by right click on HKEY_LOCAL_MACHINEtemp, and choose New -> Key.
Select HKEY_LOCAL_MACHINEtemp and then click on File -> Unload Hive.
Exit from registry editor, exit from command prompt, and then restart the computer.
After booting up normally into Windows Vista, the Vista will be in RFM mode (reduced functionality mode) with message of “Your copy of windows is not genuine.”
Run slui.exe.
Enter any CPP product key (serial key issued during Release Candidate 1 or RC2).
Windows Vista should be activated as genuine.
Log off (logout) and log on (login) again to reactivate Windows Aero interface.
You can now run windows update, by remember point 1 above, uncheck the KB929391 WGA update and if you don’t want to see it forever, hide it.
Simplified and shorter method to recover from the KB929391 Vista Validation Tool that based on the above steps, as found out by joysa. Just execute step 1 - 7 and follow by step 12 - 18, and you’re will be rescued from Vista RFM hell.
Another way to get rid of KB929391 Windows Vista Validation Tool, very similar to step above but requires a new CPP product key:
Create a new Windows Live account.
Obtain a new Windows Vista Release Candidate (RC1) beta product key from here. You can also try out other product keys, if you have one. The existing RC1 beta product key used to activate Windows Vista is may has been blacklisted and banned by Microsoft already. Once generate and obtain the new product key, note it down.
Restart computer and boot into Safe Mode.
Launch Windows Explorer, go to Folder Options and check (tick or select) “View Hidden Files”. Then click OK.
Ensure that you have full administrative access or full administrator rights. Turn off UAC is needed.
Zap the WPA encrypted store by deleting the following files (hidden by default unless you show hidden file as instructed above):
“C:WindowsSystem327B296FB0-376B-497e-B012-9C450E1B7327-
2P-0.C7483456-A289-439d-8115-601632D005A0″
“C:WindowsSystem327B296FB0-376B-497e-B012-9C450E1B7327-
2P-1.C7483456-A289-439d-8115-601632D005A0″
Reboot the computer and log on to Windows Vista normally.
After you logged in, you will likely in RFM mode, with message of “There has been a change to your Windows Activation Process”, and requires you to activate Vista again or restart, with 2 options of either Validate Windows Online or Close.
Click on “Validate Windows Online”, system will still prompt you with error message “Your copy of Windows is not genuine”, and return to the previous screen with 2 options again.
Manually restart the computer.
After the reboot (and login to Vista if applicable), system should prompt “There has been a change in the Windows product key”, and pop up a window for user to type in Windows Vista product key.
Enter the new Vista RC1 product key.
The Windows Vista Ultimate edition should be activated again.
Remember point 1 above, turn off Automatic Updates now, and check out what is the updates before installing. Note that this method doesn’t remove or uninstall KB929391, but should works to make your Vista as genuine again.
Note: If you go to Genuine Microsoft Software website for validation, you will get validation results of “This copy of Windows does not pass genuine validation. The Windows product key installed on this computer has been blocked.”
You can now also permanently activate your Windows Vista with StopTimer.sys hack.
Common Trojans and there removal Details
* Master of Paradise
->Does not restart automaticaly.
*Original Server Puts a neat Icon In the Tray , while the modified version puts an NULL icon in the Tray, which means it looks like a space between original icons and The Time Day, Trojan also spoofs Date and Time options, so it doesn't look suspicious.
*Original Server Exe is exactly 327.680 bytes.
*Modified Server Exe is exactly 192.000 bytes. (Note: Icon is blank Like Boserve.exe)
* Back Orifice
->The Father of all GUI Trojans usually the key is:
1)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> Standard Value .exe *There is a space before the .exe
2)When used With SilkRope the key is something like
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 412124.TMP Value=412124.TMP
*Wierd numbers with the ending TMP.
* Original Boserve.exe is exactly 124.928 Bytes
With BT Plugin it is something around 193.149 Bytes
Crypted Verion called Infector is 184.832 Bytes
Size may vary due to lot of plugins
* Deep Thoat 2 (recognized by AVP)
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sytemtray Value c:\windows\systray.exe *Can be renamed.
-> Not as easy to remove because it checks if Key in registry exists, if not it adds
it again, so simply removing the Key won't work. --> 3 possibilities
1)Restart or quit and enter DOS and simply delete the File c:\windows\systray.exe
(The original systemtray.exe is in C:\windows\system\systray.exe)
2)Use programms able to KILL programs in memory
And then simply delete the systray.exe in c:\windows
* Netbus Pro 2 + Beta + Netrex
->This former Trojan is an attempt of the author to make Netbus Pro 2 a shareware Remote
Control Program. Neitherway there are versions out which run invisible to the User
The standard key is as always. There are 2 Versions out (that I know)
1) Original NetbusPro 2 + Beta
->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NameoftheEXE Value c:\windows\nameofthe.exe *Can be renamed.
To identify if it's surely NetbusPro which is running
->HKEY_CURRENT_USER\NetBus
->HKEY_CURRENT_USER\NetBus Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standart keys and may vary
->HKEY_CURRENT_USER\NetBus Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nbsvr.exe has exactly 612.966 Bytes
2) The Version called Netrex
->Someone Disassembled the file and recompiled it
To identify if it's surely NetRex which is running
->HKEY_CURRENT_USER\NetRex
->HKEY_CURRENT_USER\NetRex Server\General
->Accept Value = 1*
->AccesMode Value = 2*
->Autostart Value = 1*
->TCPPort Value = 20340*
->Visibility Value = 3*
*These are all standart keys and may vary
->HKEY_CURRENT_USER\NetRex Server\Protection
->Password Value = A *
*Password is Crypted and A stands for NO password
Nrsvr.exe has exactly 326.144 Bytes
*HINT* NetbusPro AND Netrex write both log's of ALL connections in a file called
Log.txt in the same directory as the server is installed usually C:\windows
But as always there may be versions which DO NOT write the log.
* Wincrash (old version)
->Seems not to restart, thus should be rare
*Original Server Exe size is exactly 182.227 Bytes
*Suplement to the server exe but not needed are:
Win32cfg.exe exactly 4.128 Bytes
cfg95.exe has exactly 79.242 Bytes
* Millenium
->That's a little bastard.
When installing a little message box pops up saying .
It copies itself in the c:\windows\system directory with the name reg666.exe
AND to C:\WINDOWS\SYSTEM\regersys.ocx.
The keys Are:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Millenium Value=reg666.exe
*AND in win.ini adds run=C:\windows\system\reg666.exe
Removing is a little bit difficult because this trojan has some neat self-check
routine, if you remove the Key in the registry it adds it again, if you remove
the win.ini key it adds the key again, this tricky thing has also a backup
in regersys.ocx which it renames again to reg666.exe.
You see it's quite difficult if you don't know dos. -> 2 possibilities
1)Restart or quit and enter DOS and simply delete the File c:\windows\reg666.exe
AND regersys.ocx (The names are always the same)
2)Use programms able to KILL programs in memory
And then simply delete thereg666.exe from c:\windows\system don't forget to to delete the c:\windows\system\regersys.ocx
* The exact size of reg666.exe is 48.128 Bytes
*Gate Crasher
->This one is different from 2 point of view's
1)Needs 2 files one named port.dat (always) accompaigned with an EXE OR an DOC
YES this ones can infect using a Word Macro.
The Word Macro Contains the Words >>This file once opened checks to see.
if you have the latest version of winsck.ocx and you have so no updates
are available<<->Nice Spelling
2)It doesn't open the ports immediatly it monitors the DUN (Dial Up Network)
If it's active it opens it's ports. So it isn't detecable up-on start
Actually it's fake Port watcher.
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer Value=EXPLORE.exe
*Original Explore.exe size is exactly 94.208 Bytes which actually is Port.dat
Port.dat size is exactly 94.208 Bytes
Port.exe size is exactly 40.960 Bytes (Infector comes with port.dat)
Port.doc size is exactly 39.424 Bytes (Infector comes with port.dat)
|
->Shows the name FullBrock (author's name ?)
*Net Monitor (old version)
->Rare Chinese Trojan (The readme is a must see :)
Trojan doesn't restart. Only runs once
Spy Server exe has exaclty 30.720 Bytes
* Devil 1.x
->French Trojan
Trojan doesn't restart. Only runs if program is excecuted
Comes with a lot of fake apps but none of them runs the original
program.
Icqflood.exe has exaclty 24.576 Bytes
Opscript.exe has exactly 61.952 Bytes
Socket.exe has exactly 355.840 Bytes
winamp34.exe has exactly 690.688 Bytes
Wingenocide.exe has exactly 67.584 Bytes
Winrar.exe has exactly 687.616 Bytes
* GirlFriend (recognized by AVP)
->Russian Trojan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windll Value c:\windows\windll.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\windll.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the windll.exe in c:\windows
*Hint* This Trojan is specialist in stealing Passes. Victim should
rename ALL passwords.
windll.exe has exactly 309.248 Bytes
windll.exe has exactly 189.196 Bytes (there are 2)
* Netbus 1.6 + 1.7 (recognized by AVP)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Patch Value c:\windows\patch.exe *Could be renamed.
1)Restart or quit and enter DOS and simply delete the File c:\windows\patch.exe
2)Use programms able to KILL programs in memory
And then simply delete the patch.exe in c:\windows
*Hint*Netbus 1.7 saves the IP of attacker in c:\windows\access.txt
but only if he has restricted access to server with this IP.
->Name of the trojan.INI -> if trojan name is patch.exe, patch.ini
Consists of the following : [Settings]
Port1=12345 *Obvious
ServerPwd=asl *Uncrypted
LogTraffic=1
MailTo=cocksucker@cf.com *Attacker e-mail
MailFrom=my@myself.com *yours
MailHost=127.0.0.1 *Smpt-Server
*Note the Mailto and the MailFrom could be interchanged (Bug or Feature to hide real E-mail adress because I entered just the opposite)
The Patch.exe of netbus 1.6 has exactly 472.576 Bytes
The Patch.exe of netbus 1.7 has exactly 314.636 Bytes
The Whakamol.exe Fake game has exactly 314.636 Bytes
* Rare Version of NBP2
-> see netbus Pro 2
* Attack Ftp
->French Trojan (and therefore needs a few french Dll's)
What it Does ?
- Copies Wsgt32.dl_ in the System directory and renames the file in Drwatsom.exe
- Copies Wsgt32.dl_ in the Windows directory and renames the file in Wver.dll
- Copies Install.exe in the System directory and renames the file in Wscan.exe
- Writes a key in Win.ini to launch Drwatsom.exe up-on next reboot.
- Writes to registry to launch Wscan.exe at next reboot
- Searches CD-rom drives
- Creates Serv-u.ini in the System directory
- Scans HD for TREE.DAT (password of Cute-FTP)
- Copies result to c:\windows\Result.dll
- Launches Drwatsom.exe
- Fakes a Error-Message
Remove:
Quoted from the authors Readme :
- Kill Drwatsom (Ctrl-Alt-Del)
- Execute the command : "Wscan.exe Louis_Cypher"
- Delete the Key
"HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run"
Value wscan.exe
- Delete Wscan.exe from c:\windows\system
Size of the setup.exe is exactly 230.912 Bytes
* Streaming Audio Trojan
-> Sets Up a streaming Audio Server
Needs a lot of dll's and needs a registration before functionating achieved by
a Reg file which Registrates the serials. I think it's impossible
to setup it up with no physical access to the victim computer. (therefore rare)
* Hackcity Ripper Trojan
-> Only Ripps Passwords
Removes itself on next reboot.
*Hint* The Victim should change his Dial-Up Password immediatly.
*Telecommando
-> Basic Trojan
Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systemapp Value ODBC.exe
1)Restart or quit and enter DOS and simply delete the File c:\windows\system\odbc.exe
2)Use programms able to KILL programs in memory like CCTASK (Url Below 1.4)
And then simply delete the odbc.exe in c:\windows\system
*Icq Trojen
-> Dos Based Trojan (not very usefull)
Quoted from the readme
>>Icqtrogen.exe is made to be placed in your icq folder and move the real icq
to icq2.exe. netdetect calls our icq and ours calls icq2 so the user can't see it<<
Removing is quite easy.
-> Goto Icq Directory delete ICQ.exe and rename the ICQ2.exe as ICQ.EXE. DONE
*Original Server EXE is exactly 39.424 Bytes.
->**Modified Version**
Doesn't need original ICQ.
Restarts not automatically.
*Modified Server Exe is exactly 27.779 Bytes
*Installer attached WITH BO is 188.438 Bytes
*Prority BETA
->New release, trojan needs Runtime-files (VB),
while pressing CTRL-ALT-DELETE the name pserver shows up.
The Key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pserver Value pserver.exe (everytime)
*Original Server Exe is excactly 98.304 Bytes
*Deep BO
->Wide spread version of BO. Runs on specific port
removing see BO.
*Gjamer
->NO information avaible at this time. I need some info. (Mail me)
*Voodoo
->Needs all the lame Visual Basic Dll's
*Original Server Exe is excactly 36.864 Bytes.
*Ncw
The Key in the registry are :
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSSystemSet"="msset32.exe"
*Shadow Phyre
Copies to
c:\windows\system\inet.exe 200K
c:\windows\system\WinZipp.exe 200K
The Keys in the registry are :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinZipp"="C:\\WINDOWS\\SYSTEM\\WinZipp.exe /nomsg"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"INET Wizard"="C:\\WINDOWS\\SYSTEM\\inet.exe /nomsg"
*Tiny Telnet Server
Copies to :
c:\windows\windll.exe 127488 Bytes
The Key in the registry is :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windll.exe"="C:\\WINDOWS\\Windll.exe"
*Kuang
Copies to :
c:\windows\_webcache_.exe
C:\WINDOWS\SYSTEM\Temp$1.exe
The Keys in the registry are :
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebAccelerator"="_webcache_.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Temp$1.task"="C:\\WINDOWS\\SYSTEM\\Temp$1.exe"
*Netsphere
Copies to :
C:\WINDOWS\system\nssx.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NSSX"="C:\\WINDOWS\\system\\nssx.exe"
*FakeVirii
Copies to :
C:\WINDOWS\system\nssx.exe 36864 Bytes [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Kernel32.dll"="c:\\windows\\ccc.exe"
*Satans Back Door
Copies to :
C:\windows\sysprot.exe 77 824bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "sysprot "protection"="C:\\windows\\sysprot.exe"
*Indoctrination
Copies to :
C:\windows\sysprot.exe29 184bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Msgsrv16"="Msgsrv16"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Msgsrv16"="Msgsrv16"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsrv16"="Msgsrv16"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsrv16"="Msgsrv16"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Msgsrv16"="Msgsrv16"
*JammerKillah12
Copies to :
C:\windows\MsWin32.drv 92 697bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MsWindrv"="MsWin32.drv"
*AolTrojan
Copies to :
C:\windows\DAT92003.exe 32 768bytes or
C:\windows\DAT92003.exe 69 632bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"dat92003"="C:\\WINDOWS\\SYSTEM\\DAT92003.exe"
*Hack'a'tack
Copies to :
C:\windows\Expl32.exe 241 397bytes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\Expl32.exe"
*The Unexplained
Copies to :
C:\windows\INETB00ST.EXE 28.000bytes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"InetB00st"="C:\\WINDOWS\\TEMP\\INETB00ST.EXE"
*Bla
Copies to :
C:\WINDOWS\$Temp\TROJAN.EXE"
c:\windows\system\Rundll.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\$TEMP\TROJAN.EXE"
"systemdoor"="c:\\windows\\system\\Rundll argp1"
*Progenic Trojan Beta Series
Copies to :
c:\windows\scandiskvr.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Scandisk"="c:\\windows\\scandiskvr.exe"
* Hack'a'ttack1.12
Copies to :
C:\WINDOWS\Expl32.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\Expl32.exe"
* Bla1.1
Copies to :
C:\WINDOWS\SYSTEM\mprdll.exe
[[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\SYSTEM\\mprdll.exe"
* VL RAT. 5.3.0
Copies to :
C:\WINDOWS\SYSTEM\ .exe
C:\WINDOWS\system\MSGSVR16.EXE
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Default"=" "
"Explorer"=" "
'Note This runs " .exe" just like BO.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"
* BackConstruction 1.2
Copies to :
C:\WINDOWS\Cmctl32.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"
* Kuang (Psender)
- Kuang2Full:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps_full.task"="C:\\WINDOWS\\SYSTEM\\K2ps_full.exe"
-Kuang2:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"K2ps"="C:\\WINDOWS\\SYSTEM\\K2psl.exe"
* Frenzy 1.01
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explore"="C:\\Program files\\msgsrv36.exe"
* Kuang2 The Virus
Since Kuang2 The Virus acts like a Virus attaching himself to every PE EXE on the HD. NO usual Removal Method. I suppose you download Kuang2 The Virus with built-in disinfector
* Xtcp PORT 5550
Copies to : c:\windows\winmsg32.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Msgsv32"="C:\\WINDOWS\\SYSTEM\\winmsg32.exe"
Uses port 5550.
* Netsphere Final (131337)
Copies to : c:\windows\system\epp32.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExecPowerProfile"="C:\\WINDOWS\\system\\epp32.exe"
Uses port 30133
* Schwindler 1.82
Copies to : c:\windows\user.exe NOT c:\windows\system\user.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"User.exe"="C:\\WINDOWS\\User.exe"
Uses port 21554
* SubSeven 1.9
Copies to : c:\windows\system\mtmtask.dl
- Default:
System.ini
Shell=explorer.exe mtmtask.dl
Uses port 1243
* BackConstruction 2.1
Copies to : c:\windows\Cmctl32.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\WINDOWS\\Cmctl32.exe"
Uses port 1234
* Vampire
Copies to : c:\windows\system\Sockets.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Sockets"="c:\windows\system\Sockets.exe"
Uses port 6669
* Trojan Spirit 2001 a
Copies to: c:\WINDOWS\netip.exe
Win.ini : [windows]run= c:\windows\netip.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\netip.exe"
Uses port 30911
* Maverick's Matrix
Copies to: C:\WINDOWS\Wincfg.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wincfg.exe"="C:\WINDOWS\Wincfg.exe"
Uses port 1269
* Total Eclypse
Copies to: C:\Windows\System\Rmaapp.exe 'Note NOT Rnaapp.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rnaapp"="C:\\Windows\\System\\Rmaapp.exe"
Uses port 3791 (for FTP)
* Kuang2 logger AS
Copies to: C:\WINDOWS\SYSTEM\K2logas.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "K2logas.task"="C:\\WINDOWS\\SYSTEM\\K2logas.exe"
* Vampire 1.2
Copies to: c:\windows\system\Winboot.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsBootFile"="c:\\windows\\system\\Winboot.exe"
* BoBo 1.0
Copies to: C:\WINDOWS\SYSTEM\Dllclient.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "DirectLibrarySupport"="C:\\WINDOWS\\SYSTEM\\Dllclient.exe"
* Deep Throat 3.1
Copies to: c:\windows\systray.exe 'NOT c:\windows\system\systray .exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Systemtray"="c:\\windows\\systray.exe"
* Trojan Spirit 1.2
Copies to: c:\WINDOWS\FileName.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Internet="c:\windows\filename.exe
* Eclipse 2000
Copies to: C:\\WINDOWS\\SYSTEM\\Filename.EXE
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Cksys"="C:\\WINDOWS\\SYSTEM\\Filename.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Ewgiops"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Bybt"="C:\\WINDOWS\\SYSTEM\\ECLIPSE2000.EXE"
Keynames seem to be selected randomly.
* Incommand
Copies to: Path_Where_Run\Filename.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AdvancedSettings"="Path_Where_Run\Filename.exe"
.
* BrainSpy
Copies to: C:\WINDOWS\SYSTEM\BRAINSPY .EXE
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Gbubuzhnw"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Dualji"="C:\\WINDOWS\\SYSTEM\\BRAINSPY .EXE"
'Note Keynames are randomized.
* IRC3
Win.ini :
load = closew
Closew.bat contains the foloowing commands:
@prompt @START C:\WINDOWS\RUNDLLS.EXE /h
Rundlls.exe is ServU.exe and the /h option runs it hidden.
* PC Xplorer
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCX"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
"TaskManager"="C:\\WINDOWS\\SYSTEM\\PCX.exe"
* Online Keylogger
Copies to the drive set as Temp.
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinSet"="E:\\system.sys"
* Transscout 1.1 +1.2
Copies to c:\windows\kernel16.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "kernel16"="C:\\WINDOWS\\kernel16.exe"
* Ambush
Copies to c:\windows\Zcn32.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZKA"="Zcn32.exe"
* DerSpaeher3
Copies to C:\WINDOWS\System\dkbdll.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Explore"="C:\WINDOWS\System\\dkbdll.exe Hi"
* The Prayer 1.2 + 1.3
Copies to C:\WINDOWS\SYSTEM\dlls32.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SystemFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SysFiles"="C:\\WINDOWS\\SYSTEM\\dlls32.exe"
* NetRaider
Copies to C:\WINDOWS\Rsrcnrs.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Rsrcnrs"="C:\\WINDOWS\\Rsrcnrs.exe"
* Subseven 2.x
Copies to C:\WINDOWS\MSREXE.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Winloader"="MSREXE.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "WinLoader"="MSREXE.exe"
Win.ini
[windows] load=MSREXE.exe
System.ini
shell=Explorer.exe MSREXE.exe
* YAT aka Yet Another Trojan
Start-UP:
Firstly HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige
is registered.
Then winstart.bat is created if it doesn't exist yet, this file is normally used by installation generators to manipulate/delete/exchange/register DLL or other files.
Content of winstart.bat :
ÿ
This might seem wired, but this simply means Windows will check for ÿ.bat ÿ.exe ÿ.com to be executed if they exist, Dos/Windows uses the directory set in the PATH variable in autoexec.bat to search for the executables.
Then autoexec.bat is changed and ÿ is appended at the end.
Then system.ini is changed and
shell=explorer.exe is changed to
shell=explorer.exe Path_were_ran/NCHARGE.exe /NOMSG
Then wini.ini is changed and
run = is changed to
run = "very large space here" Path_were_ran/NCHARGE.exe /NOMSG
Then ÿ.bat is created (note the nice character, which can be greated using the ALT-Number combination).
Content of ÿ.bat :
@echo off if exist
F:\Directory_where_ran\NCHARGE.exe goto end
'If backdoor file exists goto end.
if exist C:\WINDOWS\command\msdos.sys copy C:\WINDOWS\command\msdos.sys F:\Directory_where_ran\NCHARGE.exe >nul
'If backdoor backup does exist copy the backup to the backdoor location. The > NUL means that all comments dos usually displays when copying/deleting etc re NOT displayed, thus it will run hidden.
if exist F:\Directory_where_ran\NCHARGE.exe goto end
if exist C:\WINDOWS\system\windows.dat copy C:\WINDOWS\system\windows.dat F:\Directory_wherer_ran\NCHARGE.exe >nul
if exist F:\Directory_wherer_ran\NCHARGE.exe goto end if exist C:\WINDOWS\command\drvspace.bat copy C:\WINDOWS\command\drvspace.bat F:\Directory_wherer_ran\NCHARGE.exe >nul
:end C:\WINDOWS\regedit.exe C:\WINDOWS\reg.dat >nul
'Registers the autostart key again silently. To achieve this the option /s could also have been used.
Content of reg.dat :
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] "Batterieanzeige"="F:\Directory_where_ran\NCHARGE.exe /nomsg "
'Using the RunServiceOnce key makes it more stealthy against Anti-Trojan programs which usually do NOT check this key, because it gets deleted automatically.
Note that all the filenames and filepathes are fully configurable, so this is only the default installtion of YAT.
Removal:
Delete HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Batterieanzeige andÿ.bat , and change the system.ini back.
* Incommand 1.3
Copies to C:\WINDOWS\Msie50h.exe
Win.ini
run=Msie50h.exe
Version Info of the File : 1.3.0.32824
Product Name : Microsoft Internet Explorer Advanced Settings Module
* Barock 1.0
Copies to C:\WINDOWS\SYSTEM\WCheckUp.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "WCheckUp"="C:\WINDOWS\SYSTEM\WCheckUp.exe"
* Net Controller 1.08
Copies to C:\WINDOWS\system.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "System"="C:\\WINDOWS\\System.exe"
The Server has to be started from the C drive, else it will fail to install itself succesfully.
* Intruse Pack 1.27b
Copies to C:\WINDOWS\SYSTEM\nameoftheserver.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wind"="C:\\WINDOWS\\SYSTEM\\Nameoftheserver.EXE"
* Prosiak 0.70 Beta 5
Copies to C:\WINDOWS\SYSTEM\prosiak_trojan.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Trojan horse"="prosiak_trojan.exe"
'Note : This is the Default Key and very likely to be changed
* Asylium Family (0.1 & 0.11 & 0.12 & 0.13)
Copies to C:\WINDOWS\SYSTEM\wincmp32.exe
[System.ini]
shell=explorer.exe wincmp32.exe
This is the default starting method, note that these are fully customisable including the filename and registry keynames.
* Traitor 2.1
Copies to C:\WINDOWS\SYSTEM\WINDLL32.exe
[HKLMACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Windll32"="C:\\WINDOWS\\SYSTEM\\WINDLL32.EXE"
FTP Banner: "traitor:21 server ready"
* Senna Spy FTP Server
Copies to C:\WINDOWS\SYSTEM\SSFTPSVR.EXE
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "SSFTPSVR"="C:\\WINDOWS\\SYSTEM\\SSFTPSVR.EXE"
* Connection
Copies to C:\WINDOWS\SYSTEM\WINRUN.EXE
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Winrun"="C:\\win\\system\\winrun.exe"
* Y3k
Copies to C:\WINDOWS\SYSTEM\RundII.EXE
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer32"="C:\\WINDOWS\\RundII.exe"
* Remote hack 1.1 & 1.2
Copies to C:\WINDOWS\SYSTEM\RundII.EXE
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton Anti Virus"="C:\\WINDOWS\\norton.exe"
* BioNet Family (Versions : 0-8-4; 0.8.71; 2.2.1; 2.6.1)
Copies to C:\WINDOWS\SYSTEM\libupdate.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinLibUpdate"="C:\\WINDOWS\\libupdate.exe -hide"
* RUX.PSW
Copies to C:\WINDOWS\SYSTEM\server.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"(Standard)"="C:\\WINDOWS\\system\\SERVER.exe"
* SheepGoat
Copies to C:\WINDOWS\SYSTEM\SG.scr
[Win.ini]
run=C:\WINDOWS\SYSTEM\SG.scr
* CrazyNet
Copies to C:\WINDOWS\Registry32.exe
[HKCUU\Software\Microsoft\Windows\CurrentVersion\Run]
"Reg32"="Registry32.exe"
[Win.ini]
run=Registry32.exe
[System.ini]
shell=Explorer.exe Registry32.exe
Balram Antivirus Finally Launched Download
You can Download the Antivirus from the above link. Hope you all like it.
This antivirus removes virus like iph.exe, remdrv.exe, semiantivirus.vbs and all other VBS script, batch Script, and all other suspicious executables on USB, Harddrive and it monitors all USB port, COM port, Floppy Drive, CD Drive and blocks executables from running directly.
if you have nay queries do mail at
balram@balram.com.np
Balram
Navicat 8 Keys
NAVH-4C5Z-4KUL-2WZE for mysql
NAVH-VNQI-CN24-3TDK for postgres
NAVA-YKM3-6NAX-FAMA for mysql
AVG 8 Serial No
8MEH-REDSL-7ETEC-ULA8R-EAOKL-4EMBR-ACED
