Note: For Educational Purposes only.
We can find:
Credit card numbers
Passwords
Programs / MP3s
Etc. After seeing these examples, try to create your own searches to get specifically what you want.
Try these searches:
intitle: "Index of" passwords modified
allinurl: auth_user_file.txt
"Access denied for user" "using password"
"A syntax error has occurred" filetype: iHTML
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl: passlist.txt
"Index of / backup"
"Chatologica metasearch" "stack tracking:"
Or try these (grin):
Amex Numbers: 300 .. 399
MC Numbers: 517800 .. 517899
visa 435600 .. 435699
Directories and passwords revealed:
"Parent directory"
/ Appz /-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
"Parent directory"
DVDRip-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
"Parent directory" Xvid-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
"Parent directory"
Gamez-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
"Parent directory" MP3-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
"Parent directory" Name of Singer or
album-xxx-html-htm-php-shtml-md5-md5sums-OpenDivX
In these searches I'm just changing the name after "Parent directory"; change it to whatever you want and you will get different results.
Try these searches:
? Intitle: index.of? mp3
You only need to put in the artist name or song.
Example:? Intitle: index.of? Metallica mp3
inurl: microsoft filetype: iso
You can change the search to whatever you want, for example Microsoft to Linux, rar, iso...
"#-FrontPage-" inurl: service.pwd
Cheesy Frontpage passwords
"Autocreate = TRUE password =*"
Passwords for "Website Access Analyzer", a Japanese program that creates web statistics.
"Http:// *: * @ www" domain
Passwords; just replace "domain" with the domain you are looking for, without the .com, .net or whatever.
Example:
"Http:// *: * @ www" micronosoft or "http:// *: * @ www" micronosoft
Another way is to write:
"Http://bob:bob @ www /";
"Sets mode: + k"
This search reveals passwords on IRC channel logs.
allinurl: admin mdb
Databases (grin)
allinurl: auth_user_file.txt
Password file of DCForum and DCShop (shopping cart). This crackable file contains many passwords, usernames and emails.
intitle: "Index of" config.php
Normally these files contain the username and password for the database administration; you will have total access to the DB.
eggdrop filetype: user user
Usernames and passwords on IRC channels.
intitle: index.of.etc
This search will show the main page of the /etc folder, where you can find many important files and passwords. They are not always passwords, but you'll find many interesting things here.
filetype: bak inurl: "htaccess | passwd | shadow | htusers"
This will show many backup files created by programs or by the administrator.
If you need to find some serial numbers for any program, say Windows XP Professional:
"Windows XP Professional" 94FBR
This is because 94FBR is a piece of code that is in many CD keys for Windows, so this will reduce the number of porn pages that try to deceive you.
Why take the trouble of attacking a website in search of vulnerabilities that have gone unnoticed when you can walk in comfortably through the front door? These intrusions can be done through databases that have an Internet connection. Since database management tools use templates for presenting standardized data on the network, entering certain specific phrases can often give direct access to pages that use these templates. For example, entering the phrase "Select a database to view" (a normal stage in the FileMaker Pro database interface) in Google returned about 200 links, almost all of which led to databases created with FileMaker that can be accessed online.
For example if you use the following:
1 - http://www.google.com/
2 - Search
"Index of / admin" + passwd
or
"Index of / wwwboard" + passwd
or
"Index of / backup" + mdb
Really great results!
If you write down what appears in the Google search you can access databases, passwords, websites with bugs, even credit card numbers. Practice a bit and try out different commands, then create your own lines to search. A good site with information on how to hack Google is http://johnny.ihackstuff.com/ (it's in English), but you won't get anywhere if you don't visit sites like this.
filetype: htpasswd htpasswd
intitle: "Index of". "htpasswd"-intitle: "dist"-apache-htpasswd.c
index.of.private (a private)
intitle: index.of master.passwd
inurl: passlist.txt (to find lists of passwords)
intitle: "Index of .. etc" passwd
intitle: admin intitle: login
"Incorrect syntax near '(SQL script error)
intitle: "the page can not be found" inetmgr (weakness in IIS4)
intitle: index.of ws_ftp.ini
"Supplied arguments is not a valid PostgreSQL result" (possible weakness
SQL)
_vti_pvt password intitle: index.of (Frontpage)
inurl: backup intitle: index.of inurl: admin
"Index of / backup"
index.of.password
index.of.winnt
inurl: "auth_user_file.txt"
"Index of / admin"
"Index of / password"
"Index of / mail"
"Index of /" + passwd
Index of / "+. Htaccess
Index of ftp +. Mdb allinurl: / cgi-bin / + mailto
allintitle: "index of / admin"
allintitle: "index of / root"
allintitle: sensitive filetype: doc
allintitle: restricted filetype: mail
allintitle: restricted filetype: doc site: gov
administrator.pwd.index
authors.pwd.index
service.pwd.index
filetype: config web
gobal.asax index
inurl: passwd filetype: txt
inurl: admin filetype: db
inurl: iisadmin
inurl: "auth_user_file.txt"
inurl: "wwwroot / *."
allinurl: winnt/system32 / (get cmd.exe)
allinurl: / bash_history
intitle: "Index of". sh_history
intitle: "Index of". bash_history
intitle: "Index of" passwd
intitle: "Index of" people.1st
intitle: "Index of" pwd.db
intitle: "Index of" etc / shadow
intitle: "Index of" SPWD
intitle: "Index of" master.passwd
intitle: "Index of" htpasswd
intitle: "Index of" members OR accounts
intitle: "Index of" user user_carts _cart OR
_vti_inf.html
service.pwd
users.pwd
authors.pwd
administrators.pwd
test-cgi
wwwboard.pl
www-sql
pwd.dat
WS_FTP.LOG
Disclosing data with Google does not seem all that complicated, especially on all the misconfigured systems out there... a specific search can display directory indexing and access, passwords, files, paths, etc.
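From the defender's side, the misconfigurations these searches depend on can be audited on the server itself before any crawler indexes them. The following Python script is an added example, not part of the original post: it walks a web root, flags files whose names match the credential and backup patterns that appear in the queries on this page (.htpasswd, .htaccess, passwd, .bak, .mdb, WS_FTP.LOG and so on), flags backup and _vti_pvt directories, and reports every directory that has no index document and would therefore be listed if directory indexing is enabled. The name lists are my own selection, and the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit a web root for files that Google-style searches typically expose.

Added example (not from the original post). The name and suffix lists are
assumptions derived from the queries on this page; extend them as needed.
"""
import json
import os
import shutil
import tempfile

# File names that should never be reachable through the web server.
SENSITIVE_NAMES = {
    ".htpasswd", ".htaccess", "passwd", "shadow", "master.passwd", "pwd.db",
    "service.pwd", "authors.pwd", "users.pwd", "administrators.pwd",
    "auth_user_file.txt", "passlist.txt", "ws_ftp.log", "ws_ftp.ini",
    ".bash_history", ".sh_history", "people.lst", "pwd.dat",
}
# Backup/editor leftovers and raw database files.
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".mdb")
# Directories that hold credentials or backups and are searched for by name.
SENSITIVE_DIRS = {"_vti_pvt", "backup", "backups"}
# Default documents; a directory without one is listed when indexing is on.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.asp", "default.aspx"}


def audit_webroot(root):
    """Return sorted findings for everything under *root* (paths use '/')."""
    findings = {"sensitive_files": [], "sensitive_dirs": [], "listable_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/")
        # No default document: the server would render a listing here.
        if not ({f.lower() for f in filenames} & INDEX_FILES):
            findings["listable_dirs"].append(rel_dir or "/")
        for name in dirnames:
            if name.lower() in SENSITIVE_DIRS:
                findings["sensitive_dirs"].append(f"{rel_dir}/{name}" if rel_dir else name)
        for name in filenames:
            low = name.lower()
            if low in SENSITIVE_NAMES or low.endswith(SENSITIVE_SUFFIXES):
                findings["sensitive_files"].append(f"{rel_dir}/{name}" if rel_dir else name)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base):
    """Create a constructed web root that exercises each class of finding."""
    layout = {
        "index.html": "<html>home</html>",
        "admin/.htpasswd": "admin:$apr1$constructed$notarealhash",
        "admin/login.php": "<?php /* login form */ ?>",
        "backup/site.sql.bak": "-- constructed dump",
        "data/store.mdb": "constructed binary",
        "docs/index.html": "<html>docs</html>",
        "docs/manual.pdf": "constructed pdf",
        "uploads/WS_FTP.LOG": "constructed transfer log",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, audit it, and clean up."""
    base = tempfile.mkdtemp(prefix="webroot-audit-")
    try:
        build_sample_tree(base)
        return audit_webroot(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `audit_webroot()` at a real document root to get the same three lists; anything under `sensitive_files` or `sensitive_dirs` should be moved outside the web root or denied in the server configuration, and `listable_dirs` shows where disabling directory indexing (or adding an index document) matters.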
The Search Tips
The common search inputs below will give you an idea... for example, if you want to search the index of "root":
Example 1:
allintitle: "index of / root"
Result:
http://www.google.com/search?hl=en&ie=IS...llintitle% 3A +% + of 22index
% 2Froot% 22 & btnG = Google + Search
What it reveals is 2,510 pages you can look through and possibly find what you're after...
Example 2:
inurl: "auth_user_file.txt"
http://www.google.com/search?num=100&hl=...1&q=inurl% 3A% 22au
th_user_file.txt% 22 & btnG = Google + Search
This gives a figure of 414 possible files to access.
OUT THE ROAD
"Index of / admin"
"Index of / password"
"Index of / mail"
"Index of /" + passwd
"Index of /" + password.txt
"Index of /" +. Htaccess
index of ftp +. mdb allinurl: / cgi-bin / + mailto
administrators.pwd.index
authors.pwd.index
service.pwd.index
filetype: config web
gobal.asax index
allintitle: "index of / admin"
allintitle: "index of / root"
allintitle: sensitive filetype: doc
allintitle: restricted filetype: mail
allintitle: restricted filetype: doc site: gov
inurl: passwd filetype: txt
inurl: admin filetype: db
inurl: iisadmin
inurl: "auth_user_file.txt"
inurl: "wwwroot / *."
top secret site: thousand
confidential site: thousand
allinurl: winnt/system32 / (get cmd.exe)
allinurl: / bash_history
intitle: "Index of". sh_history
intitle: "Index of". bash_history
intitle: "index of" passwd
intitle: "index of" people.lst
intitle: "index of" pwd.db
intitle: "index of" etc / shadow
intitle: "index of" SPWD
intitle: "index of" master.passwd
intitle: "index of" htpasswd
intitle: "index of" members OR accounts
intitle: "index of" user_carts OR user_cart
ALTERNATIVE INPUTS
_vti_inf.html
service.pwd
users.pwd
authors.pwd
administrators.pwd
shtml.dll
shtml.exe
fpcount.exe
default.asp
Showcode.asp
sendmail.cfm
getFile.cfm
imagemap.exe
To search in hacker language:
http://www.google.com/intl/xx-hacker/
To search in Linux mode:
http://www.google.com/linux
To find pages by proximity to a geographical point:
http://labs.google.com/location
To search Yankee-style (ugh!):
http://www.google.com/unclesam
To search for pages and see the results in an animated sequence (try it to understand):
http://labs.google.com/gviewer.html
To search in Mac mode:
http://www.google.com/mac
To search with Google's voice search, calling over the phone (no joke):
http://labs1.google.com/gvs.html
To search Micro$oft-style:
http://www.google.com/microsoft.html
To see the definition of a word or phrase:
http://labs.google.com/glossary
To get any question answered by Google's human researchers:
http://answers.google.com/answers/
For Google to alert you by mail when news on a topic that interests you appears somewhere in the world:
http://www.google.com/newsalerts
To search BSD-style:
http://www.google.com/bsd
To search universities (U.S. only):
http://www.google.com/options/universities.html
To see the opinion people have about something:
http://labs.google.com/cgi-bin/webquotes
To search without using the mouse (all from the keyboard; it handles like vi!):
http://labs.google.com/keys/index.html
To search for commercial products, according to price, quality, and other attributes:
http://froogle.google.com/
To search from a Palm, a cell phone or other wireless device:
http://www.google.com/options/wireless.html
(credits to hackforums.net)
Friday, July 15, 2011
Top Tips to Keep Your Computer Clean
Table of Contents~
* How to check yourself for common infections.
* What safety precautions to take if an infection is found.
* What do I do if I think I'm infected?
* What NOT to do.
* Some important things you should know about computer security.
* My recommendations on security software.
* Conclusion.
--
How to Check Yourself for Common Infections
A)
Understanding the infection
The first thing you need to understand is how viruses, trojans, adware, worms, etc. work. Generally, when you run an infected file, the first thing it will tend to do is create and drop more infected files in locations such as:
* Temp folder: C:\Users\%USERPROFILE%\AppData\Local\Temp
* Windows folder: C:\Windows
* Drivers folder: C:\Windows\System32\Drivers
And more; these are just common directories, but they can be custom (for example, a Cybergate RAT infection may drop a file in the C:\Windows\System32\Adobe folder, as RATs and other infections can drop files in custom directories).
This does NOT mean that you should go deleting everything in those folders. No, never EVER EVERRR delete files unless you're SURE they are malicious. Deleting a Windows system file could and will likely result in a computer that doesn't even boot up or work properly.
Next, the infected file will attempt to execute the new file(s) it has dropped; these files generally create registry keys. Understanding the registry is a must when it comes to knowing how computers and infections work.
For instance, if a file wants to be run for all users when your computer starts, it will create a registry key in the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This means that when any user starts the computer up and logs in, any file listed in this registry location will be run. However, in this registry key (it looks similar, but take note of the first folder it's in):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
all files here only execute on startup for the currently logged-in user, not any other users on the computer. So when checking your startup files, don't forget to check BOTH registry keys. Here's what the registry looks like:
[Image: 2jfezb5.jpg]
To get to the registry editor, please do the following:
Press the Windows key (next to the left Alt) + R to bring up Run, type in "regedit" and hit Enter.
NOTE: Again, please, for the love of God, don't go deleting registry keys unless you're absolutely certain, without a shadow of a doubt, that it's linked to a malicious file. Deleting common and legitimate registry keys can result in having to re-install your operating system. Please always make backups before working in regedit; to make a backup follow these steps:
To make a backup of the registry:
* In regedit, click 'File' > 'Export'.
* Navigate to a suitable folder, and MAKE sure 'All' is checked at the bottom left.
* Name it 'backup of registry.reg' and hit Save.
Lastly, files can do other things like inject themselves into common processes (which need to run all the time) such as explorer.exe; or hook your keyboard/disable your antivirus/alter your hosts file etc.
But we don't have time to get into that. I just want to help you understand that infections usually spread, create registry keys, alter your system etc., and require a lot more than simply deleting one file. It's rare that an infection consists of just one file.
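The export made in the backup step is plain text once decoded, so it can be inspected rather than only kept. The following Python script is an added example, not from the original post: it parses a .reg export, lists the autorun entries under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER Run keys (the two locations described above), and flags any entry whose program lives under a Temp folder, one of the drop locations listed earlier. The SAMPLE_REG text and every path in it are constructed for the demonstration; the Temp heuristic is my own starting point for what to look at first, not proof that an entry is malicious.

```python
"""List autorun entries from a regedit .reg export and flag odd ones.

Added example (not from the original post). Assumes the export was made with
File > Export as described above; regedit writes UTF-16, so use load_reg_file
for a real file. SAMPLE_REG and every path in it are constructed.
"""
import re

# Both Run keys, upper-cased for a case-insensitive match against the export.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": "all users (HKLM)",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": "current user (HKCU)",
}

# "name"=data lines; the value name may itself contain escaped quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed stand-in for what 'File > Export' produces.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Helper"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


def _unescape(text):
    """Undo .reg escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return (scope, value name, command) for every value under a Run key."""
    entries = []
    scope = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            scope = RUN_KEYS.get(line[1:-1].upper())  # None for any other key
            continue
        if scope is None:
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        name, data = match.groups()
        if data.startswith('"') and data.endswith('"'):
            command = _unescape(data[1:-1])   # REG_SZ string value
        else:
            command = data                    # hex(...) data left as exported
        entries.append((scope, _unescape(name), command))
    return entries


def executable_path(command):
    """Extract the program from a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_entries(entries):
    """Heuristic (an assumption, not a rule): programs run out of a Temp folder."""
    flagged = []
    for scope, name, command in entries:
        path = executable_path(command).lower()
        if "\\temp\\" in path:
            flagged.append((scope, name, path))
    return flagged


def load_reg_file(path):
    """Parse a real export; regedit writes UTF-16 with a byte-order mark."""
    with open(path, encoding="utf-16") as fh:
        return parse_run_entries(fh.read())


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_REG)
    for scope, name, command in found:
        print(f"[{scope}] {name}: {command}")
    for scope, name, path in suspicious_entries(found):
        print(f"CHECK: {name} ({scope}) runs from {path}")
```

Listing both scopes side by side is the point: an entry that only appears under the HKCU key runs for that one account and is easy to miss if you only look at HKLM. Anything the heuristic flags should be looked up (file name search, VirusTotal, a VM) before it is touched, exactly as the post advises.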
==
B)
So what signs should I look for?
If experiencing any of the following symptoms, you should assume you're infected:
* You cannot access specific websites, like antivirus websites, PayPal, gaming sites etc.
* Antivirus is disabled, but not by you; or keeps warning you of attacks/infection.
* You're getting weird popups like "Server.exe has stopped working, press End to end the program".
* Fake antivirus scans keep popping up saying you're infected, prompting you to buy anti-virus software.
* Your online accounts are compromised/hacked.
* Your webcam turns on by itself, your mouse clicks by itself etc.
* Porn/advertisement websites pop up by themselves.
* You're seeing weird files pop up everywhere.
* Control Panel, Task Manager, command prompt or regedit are disabled, and not by you.
* Your home page changes and you can't change it back.
If you notice any of these, or anything else suspicious, it may be cause for alarm.
--
What safety precautions to take if an infection is found
If you believe you have an infection, I'm afraid I have bad news.
Your personal information, details, passwords and banking credentials may be at risk.
I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to inform them of your situation as soon as possible.
If you do not have access to a known clean computer, you will still need to change your passwords and all other sensitive information, but only once your system is deemed clean.
--
What do I do if I think I'm infected?
First of all, if you have an antivirus, make sure it's up to date and then run a full system scan. Remove anything it finds. Next you could run these scans and remove anything they find:
MalwareBytes Anti-Malware
Please download Malwarebytes' Anti-Malware.
Double click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the most recent version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
SuperAntiSpyware
Download SuperAntiSpyware
* Load SuperAntiSpyware and click the Check for updates button.
* Once the update is finished, click the Scan your computer button.
* Check Perform Complete Scan and then Next.
* SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
* Make sure that they all have a check next to them and press Next.
* Click Finish and you will be taken back to the main interface.
ESET Online Security Scanner
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
* Tick the box next to Yes, I accept the Terms of Use.
* Click Start
* When asked, allow the ActiveX control to install
* Click Start
* Make sure that the option Remove found threats and the option Scan unwanted applications are checked
* Click Scan
Wait for the scan to finish. Remove anything it finds.
Combofix (DO NOT use this unless you have no choice and are at least moderately experienced with computers)
Please download Combofix from one of the following locations:
LINK 1
LINK 2
**IMPORTANT! Save Combofix to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.hackforums.net/showthread.php?tid=198032
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[Image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: whatnext.png]
Click on Yes, to continue scanning for malware.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, post back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If you used Combofix, please follow these instructions to remove it, as it's a dangerous tool in the hands of a novice
* Click START then RUN
* Now type Combofix /u in the run box and click OK
If running these doesn't completely solve your issues, the infection is either FUD (Fully UnDetectable) or too deep for your level of skill; in this case you should let a more experienced user have a look.
To do so, please follow the instructions given in this thread, and a qualified HJT helper will be on their way to provide assistance.
--
What NOT to do
This applies to anybody who has no experience removing viruses. Even if you're well versed in computing, you should be careful. It's always better to be safe than sorry.
First of all, DO NOT delete files, folders, registry keys, anything, until you're certain what you're deleting is malicious. How do you do that? Well, here are some easy things to try:
* Search for the file's name here, here, here, or here.
* If it's a process, search for it here: http://www.processlibrary.com/directory/?files=
* Google it: http://www.google.com
* Upload the file to http://www.virustotal.com, http://www.threatexpert.com, or http://anubis.iseclab.org/?action=home
* Use a Virtual Machine to run the file in and check out what it does
Secondly, if any pop-ups come up saying you're infected and asking you to buy software to remove the infection, IGNORE THEM and DO NOT buy it. It's absolutely FAKE.
Instead, you likely have a Smitfraud infection, so follow the steps in the spoiler.
Smitfraud fix instructions
You should print out these instructions, or copy them to a Notepad file for reference while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please download SmitfraudFix (by S!Ri)
Extract the contents (a folder called SmitfraudFix) to your Desktop.
Please reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows logo appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear on screen, with results from the cleaning process; please copy/paste the contents of that report into your next reply along with a fresh HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: If your desktop background is removed, it means you weren't infected. Simply put it back.
Now, lastly, you're probably going to be on the lookout for tools/antiviruses that will help you remove the infection. But the reality is most of these tools are designed for experts and shouldn't be messed about with, because you'll probably end up having to re-install your operating system. Also, there's always the chance it's fake and actually infects you.
It's best you use the scans/tools I provided earlier on. Or seek help from an expert.
--
Some important things you should know about computer security
Here are some facts I think you should know:
* Most infections do not damage your computer; rather they use it to advertise/steal information/attack websites/spread the infection.
* A trojan is a file that attempts to appear like a legitimate Windows process, but actually is malicious.
* A rootkit/RAT/infostealer/keylogger are all spyware which are capable of capturing screenshots, webcam, keystrokes, saved passwords and gaining access to files.
* Infections can use your hosts file, and DNS name servers, to make it so that visiting certain sites redirects you elsewhere (like from Google to a bad site).
* Never fix a winsock line in HJT, as it can damage your internet connection.
* Only O2, O3, and O9 lines in HJT are actually missing when it says (file missing); the rest can glitch.
* Deleting a registry key will NOT delete the file it's associated with.
* Capitalisation in file names or directories makes no difference in Windows.
* If an infection is FUD, scanning will make no difference. Only analysing the computer can help you now.
* More than one antivirus/firewall causes conflicts and can do more harm than good. Stick to just one.
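The hosts-file trick in the list above is something you can check for directly, and it also explains the "cannot access antivirus websites" symptom from the earlier section. This Python snippet is an added example, not part of the original post: it parses a hosts file the way the resolver does (comments stripped, one address followed by one or more names per line) and reports every name other than the local ones, telling sinkholed entries (pointed at a loopback or null address, which blocks the site) apart from redirects to some other address. The SAMPLE_HOSTS text and the .example domains in it are constructed; LOCAL_NAMES is my list of the names a default Windows or Unix hosts file legitimately contains.

```python
"""Flag hosts-file entries that block or redirect sites.

Added example (not from the original post). The sample content below is
constructed; the real file is C:\\Windows\\System32\\drivers\\etc\\hosts on
Windows and /etc/hosts on Unix.
"""

SAMPLE_HOSTS = """\
# Constructed sample, not copied from any machine
127.0.0.1       localhost
::1             localhost
# the lines below are the kind of thing malware appends
127.0.0.1       www.av-vendor.example update.av-vendor.example
203.0.113.7     www.bank.example
"""

# Names a default hosts file legitimately maps; everything else is reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Addresses that make a name unreachable rather than sending it elsewhere.
SINKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (address, name) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        address, *names = line.split()        # one address, one or more names
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def check_hosts(text):
    """Return (name, verdict) for every non-local name in the hosts text."""
    findings = []
    for address, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if address in SINKHOLE:
            findings.append((name, "sinkholed (site blocked)"))
        else:
            findings.append((name, f"redirected to {address}"))
    return findings


def check_hosts_file(path):
    """Read a hosts file from disk and run the same check."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_hosts(fh.read())


if __name__ == "__main__":
    for name, verdict in check_hosts(SAMPLE_HOSTS):
        print(f"{name}: {verdict}")
```

A clean machine normally produces an empty list; any entry for a bank, an update server or a security vendor is worth investigating, and a redirect to an outside address is the more serious of the two verdicts because traffic is being sent to a host you did not choose.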
--
My recommendations on security software
For good protection, I would advise you have each of the following:
1. Antivirus
2. Firewall
3. Antimalware
4. Antispyware
One of each will be a good amount without the risk of conflicts, as two or more AVs can conflict and do more harm than good. The following products I would advise to ANYBODY, but please use no more than one AV and firewall at a time:
Antiviruses:
* NOD32 (this one is free to try for 30 days but costs $40 US to buy).
* Avast! Home Edition (free).
* Avira Antivir (free).
* AVG Free (free).
Firewalls:
* Tallemu Online Armor (also free for 30 days but costs money for the full version).
* Comodo (free).
* Zone Alarm (free).
Anti-malware programs (for scans only, no real-time protection):
* MalwareBytes AntiMalware.
* That's really the only good one, but you can use online scans like ESET and Kaspersky.
Anti-Spyware programs:
* SuperAntiSpyware.
* Spybot Search & Destroy.
Other:
* Ad-aware (free anti-adware).
* Winpatrol (free program that monitors suspicious changes to your critical system resources, recommended by me).
* CCleaner (run this often to clean your registry and other temporary files etc. It's free.)
* KeyScrambler (ultimate protection against keyloggers, costs money).
But remember, your best protection is simply being careful.
--
Conclusion
So in the end, the bottom line is that unless you've had months of training, it's highly recommended you only use scans and the like to remove malware, because any manual tools are almost always very dangerous for novices.
* How to analysis yourself for accepted infections.
* What assurance cautions to booty if an infection is found.
* What do I do if I anticipate I'm infected?
* What NOT to do.
* Some important things you should apperceive about computer security.
* My recommendations on aegis software.
* Conclusion.
--
How to Analysis Yourself For Accepted Infections
A)
Understanding the infection
The aboriginal affair you charge acquire is how viruses, trojans, adware, worms, etc. work. Generally, aback you run a adulterated file, the aboriginal affair it will tend to do is actualize and bead added adulterated files in locations, such as:
* Temp folder: C:\Users\%USERPROFILE%\AppData\Local\Temp
* Windows folder: C:\Windows
* Drivers folder: C:\Windows\System32\Drivers
And more, these are aloof accepted directories but they can be custom (like for example, a Cybergate RAT infection may bead a book in the C:\Windows\System32\Adobe folder, as RAT's and added infections can bead files in custom directories).
This does NOT beggarly about that you should go deleting aggregate in those folders, no never EVER EVERRR annul files unless you're SURE they are malicious. Deleting a windows arrangement book could and will acceptable aftereffect in a computer that doesn't alike cossack up or assignment properly.
Next, the adulterated book will attack to assassinate the fresh file(s) it has dropped, these files about actualize anthology keys. Understanding the anthology is a charge aback it comes to alive how computers and infections work.
For instance, if a book wants to be ran for all users aback your computer starts, it will actualize a anthology key in the afterward anthology directory:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This agency aback any user starts the computer up and logs in, any book listed in this anthology agenda will be ran. However, in this anthology (it looks agnate but accomplish agenda of the aboriginal binder it's in):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
All files actuality alone assassinate on startup for the currently active in user, not any added users on the computer. So aback blockage your startup files, don't balloon to analysis BOTH registries. Here's what the anthology looks like:
[Image: 2jfezb5.jpg]
To get to the anthology editor/explorer, amuse do the following:
Press the Windows key (next to the larboard alt) + R to accompany up Run > blazon in "regedit" and hit enter.
NOTE: Again, amuse for the adulation of God don't go deleting anthology keys unless you're absolutely assertive afterwards a adumbration of a agnosticism that it's affiliated to a awful file. Deleting accepted and adequate anthology keys can aftereffect in accepting to re-install your operating system. Amuse consistently accomplish backups afore alive in regedit, to accomplish a advancement chase these steps:
To accomplish a advancement of the registry:
* In regedit, bang 'File' > 'Export'.
* Navigate to a acceptable folder, MAKE abiding 'All' is arrested bottomward the basal left.
* Name it 'backup of registry.reg' and hit Save.
Lastly, files can do added things like inject themselves in to accepted processes (which charge run all the time) such as explorer.exe; or admission your keyboard/disable your antivirus/alter your hosts book etc.
But we don't acquire time to get in to that. I aloof appetite to advice you acquire that infections usually spread, actualize anthology keys, adapt your arrangement etc. and crave a lot added than artlessly deleting one file. It's attenuate that an infection consists of aloof one file.
==
B)
So what signs should I attending for?
If experiencing any of the afterward symptoms, you should acquire you're infected:
* You cannot admission specific websites, like antivirus websites, paypal, gaming sites etc.
* Antivirus is disabled, but not by you; or keeps admonishing you of attacks/infection.
* You're accepting awe-inspiring popups like "Server.exe has chock-full working, columnist end to end the program".
* Affected antivirus scans accumulate bustling up adage you're infected, bidding you to shop for anti-virus software.
* Your online accounts are compromised/hacked.
* Your webcam turns on by itself, your abrasion clicks by itself etc.
* Porn/advertisement websites pop up by themselves.
* You're seeing awe-inspiring files pop up everywhere.
* Ascendancy panel, assignment manager, command alert or regedit are disabled, and not by you.
* Your home folio changes and you can't change it back.
If you apprehension any of these, or annihilation abroad suspicious, it may be annual for alarm.
--
What assurance cautions to booty if an infection is found
If you acquire you acquire an infection, I'm abashed I acquire bad news.
Your claimed information, details, passwords and cyberbanking accreditation may be at risk.
I acclaim that you abstract this PC from the Internet immediately, and alone reconnect to download any accoutrement that are required. If you do any cyberbanking or added banking affairs on the PC or it if it contains any added acute information, amuse get to a accepted apple-pie computer and change all passwords area applicable, and it would be astute to acquaintance those aforementioned banking institutions to accustom them of your bearings as anon as possible.
If you do not acquire admission to a accepted apple-pie computer, you will still charge to change your passwords, and all added acute information, but alone already your arrangement is accounted clean.
--
What do I do if I think I'm infected?
First of all, if you have an antivirus, make sure it's up to date and then run a full system scan. Remove anything it finds. Next you could run these scans and remove anything they find:
MalwareBytes Anti-Malware
Please download Malwarebytes' Anti-Malware.
Double click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the most recent version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
SuperAntiSpyware
Download SuperAntiSpyware
* Load SuperAntiSpyware and click the Check for updates button.
* Once the update is finished, click the Scan your computer button.
* Check Perform Complete Scan and then Next.
* SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
* Make sure that they all have a check next to them and press Next.
* Click Finish and you will be taken back to the main interface.
ESET Online Security Scanner
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
* Tick the box next to Yes, I accept the Terms of Use.
* Click Start
* When asked, allow the ActiveX control to install
* Click Start
* Make sure that the options Remove found threats and Scan unwanted applications are checked
* Click Scan
Wait for the scan to finish. Remove anything it finds.
Combofix (DO NOT use this unless you have no choice and are at least moderately experienced with computers)
Please download Combofix from one of the following locations:
LINK 1
LINK 2
**IMPORTANT! Save Combofix to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your particular programs, refer to this link --> http://www.hackforums.net/showthread.php?tid=198032
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before performing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[Image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: whatnext.png]
Click on Yes, to continue scanning for malware.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, post back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If you used Combofix, please follow these instructions to remove it, as it's a dangerous tool in the hands of a novice:
* Click START then RUN
* Now type Combofix /u in the run box and click OK
If running these doesn't completely solve your issues, the infection is either FUD (Fully UnDetectable) or too deep for your level of skill; in this case you should let a more experienced user have a look.
To do so, please follow the instructions given in this thread, and a qualified HJT helper will be on their way to provide assistance.
--
What NOT to do
This applies to anybody who has no experience removing viruses. Even if you're well versed in computing, you should be careful. It's always better safe than sorry.
First of all, DO NOT delete files, folders, registry keys, anything, until you're certain what you're deleting is malicious. How do you do that? Well, here are some easy things to try:
* Search for the file's name here, here, here, or here.
* If it's a process, search for it here: http://www.processlibrary.com/directory/?files=
* Google it: http://www.google.com
* Upload the file to http://www.virustotal.com, http://www.threatexpert.com, or http://anubis.iseclab.org/?action=home
* Use a Virtual Machine to run the file in it and check out what it does
Secondly, if any pop ups come up saying you're infected and asking you to buy software to remove the infection, IGNORE THEM and DO NOT buy it. It's completely FAKE.
Instead, you likely have a Smitfraud infection, so follow the steps in the spoiler.
Smitfraud fix instructions
You should print out these instructions, or copy them to a Notepad file for reference while in Safe Mode, because you will not be able to connect to the Internet to read them from this site.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder called SmitfraudFix) to your Desktop.
Please reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows logo appears, tap the F8 key repeatedly;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: If your desktop background is removed, it means you weren't infected. Simply put it back.
Now, lastly, you're probably going to be on the hunt for tools/antiviruses that will help you remove the infection. But the reality is most of these tools are designed for experts and shouldn't be messed about with, because you'll probably end up having to re-install your operating system. Also, there's always the chance it's fake and actually infects you.
It's best you use the scans/tools I provided earlier on. Or seek help from an expert.
--
Some important things you should know about computer security
Here are some facts I think you should know:
* Most infections do not damage your computer, rather they use it to advertise/steal information/attack websites/spread the infection.
* A trojan is a file that attempts to appear like a legitimate Windows process, but actually is malicious.
* A rootkit/RAT/infostealer/keylogger are all spyware which are capable of capturing screenshots, webcam, keystrokes, saved passwords and gaining access to files.
* Infections can use your hosts file, and DNS name servers, to make it so visiting certain sites redirects you elsewhere (like from google to a bad site).
* Never fix a winsock line in HJT, as it can damage your internet connection.
* Only O2, O3, and O9 lines in HJT are actually missing when it says (file missing); the rest can glitch.
* Deleting a registry key will NOT delete the file it's associated with.
* Capitalisation in file names or directories makes no difference in Windows.
* If an infection is FUD, scanning will make no difference. Only analysing the computer can help you now.
* More than one antivirus/firewall causes conflicts and can do more harm than good. Stick to just one.
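As an added example that is not part of the original guide, the check below parses a Windows hosts file and flags the two things the hosts-file bullet and the "cannot access antivirus websites" symptom describe: well-known antivirus, banking or search domains sinkholed to a loopback address (the site becomes unreachable) or pointed at a remote address (you are silently redirected). The hosts format is standard; the watched-domain list and the sample file content are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that block or redirect well-known sites.
Added example, not from the original guide; watched domains and sample hosts
content are constructed for illustration (the hosts format itself is standard).
"""
import ipaddress

# Domains an infection commonly blocks or redirects (illustrative list).
WATCHED_SUFFIXES = ("paypal.com", "google.com", "microsoft.com",
                    "malwarebytes.org", "eset.com", "avast.com", "virustotal.com")
# Mapping a site to one of these addresses makes it unreachable.
LOCAL = {"127.0.0.1", "0.0.0.0", "::1"}

def _watched(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every suspicious entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((n, addr, " ".join(names), "malformed address"))
            continue
        for name in names:
            if _watched(name):
                reason = ("site blocked (sinkholed to loopback)" if addr in LOCAL
                          else "site redirected to remote address")
                findings.append((n, addr, name, reason))
    return findings

SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
0.0.0.0         eset.com  www.eset.com
203.0.113.7     www.paypal.com
192.0.2.44      www.google.com   # looks harmless, is not
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    for line_no, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {name}: {reason}")
```

On a real machine, read the text from C:\Windows\System32\drivers\etc\hosts (the standard location) and pass it to audit_hosts; the two localhost lines are normal and produce no findings.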
--
My recommendations on security software
For good protection, I would advise you have each of the following:
1. Antivirus
2. Firewall
3. Antimalware
4. Antispyware
One of each will be a good amount without the risk of conflicts, as two or more AVs can conflict and do more harm than good. The following products I would advise to ANYBODY, but please use no more than one AV and firewall at a time:
Antiviruses:
* NOD32 (this one is free to try for 30 days but costs $40 US to buy).
* Avast! Home Edition (free).
* Avira AntiVir (free).
* AVG Free (free).
Firewalls:
* Tall Emu Online Armor (also free for 30 days but costs money for the full version).
* Comodo (free).
* ZoneAlarm (free).
Anti-malware programs (for scans only, no real-time protection):
* MalwareBytes Anti-Malware.
* That's really the only good one, but you can use online scans like ESET and Kaspersky.
Anti-Spyware programs:
* SuperAntiSpyware.
* Spybot Search & Destroy.
Other:
* Ad-aware (free anti-adware).
* WinPatrol (free program that monitors suspicious changes to your critical system resources, recommended by me).
* CCleaner (run this often to clean your registry and other temporary files etc. It's free.).
* KeyScrambler (ultimate protection against keyloggers, costs money).
But remember, your best protection is simply being careful.
--
Conclusion
So in the end, the bottom line is unless you've had months of training, it's highly recommended you only use scans and the like to remove malware, because any manual tools are almost always very dangerous for novices.