First of all you have to know that there are many ways to hack ... not only through the TCP/IP cracking ... but some hackers are using the API programming ... and some are using a programming language like VB or Delphi or any others ... and they will work in the Windows environment ... and since most of you are using Windows then you have to know that you are using a non secure OS ...
Now the first thing to do is to secure your PC ... to do that, follow these steps ...
* DO NOT EVER test any file that you got from the net or from any other person (even if he was your friend) on the PC that you use for browsing the Internet ... (what I mean is ... it is better to have two PCs ... and use the old one only to test files ... whether you got the files from the Internet or from a disk) ...
* Always update your Anti-virus ... or if you want you can use an updated online scanner for Viruses and Trojans ... try this link ... (it is Free) ... http://housecall.antivirus.com/ ... and click on Scan Now ... and once you get the names of the hacking files, if any ... just write them down on a piece of paper ... (it might take some time) ...
* Check your PC for any hack file ... for example ... search for any of the files listed below (after you set the folder options to show hidden and system files) ...
* Right click on the Network Neighborhood icon ... and choose properties ... then remove the last icon (file and printer sharing) ...
* Do not install any protocol that you don't really use ...
* When you finish browsing the Internet close Internet Explorer ... then right click on the Internet Explorer icon on the desktop and choose Properties ... in the General tab click the "Delete Files" button, then check the "Delete all offline content" checkbox and click OK ... (also click on the "Delete Cookies" button if you have it) ...
* Turn off the AutoComplete option in your browser ... and regarding cookies ... it is better to go to Tools ... Internet Options ... and in the Security tab click on Custom Level and choose (Prompt) for both cookies options ...
* If you are using netstat.exe then it is recommended that you rename it to any other name and use the renamed file ...
* Always delete the files from C:\Temp and C:\Windows\Temp folders ...
* Try your best to use the "Windows Update" always ...
* Some Hacking files or viruses don't allow you to run any application ... in that case you have to run this file to fix this problem ...
* Do NOT check any "Save password" check box ...
* Try NOT to keep the FTP connections in your PC ...
* You also have to know that many sites are not trusted ... so don't be too free in downloading any file from the Internet ...
* Make your password as long as you can ... and make sure that you include some upper case letters and some numbers in it ...
* go to the file (system.ini) and open it ...
In the fifth line you will find :
shell=Explorer.exe
But if you have been hacked ... it will be
shell=Explorer.exe xxxx.xxx
where xxxx.xxx is any file name ...
so ... modify it to be only :
shell=Explorer.exe
and save the file ...
* go to the control panel and go to add/remove programs ... if you find a (Memory Manager 3.0) THEN UNINSTALL IT ... don't assume that it is a real program ...
* go to the file (Autoexec.bat) and right click on it and choose Edit ... if you found these two lines in it ... then remove them and save the file ...
@echo off copy c:\sys.lon c:\windows\startm~1\programs\startup\mdm.exe
del c:\win.reg
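The two checks above (the extra token after shell=Explorer.exe in system.ini, and the copy/del pair in Autoexec.bat) as an added example, not code from the original post: it audits constructed copies of both files offline and rewrites the shell= line to the clean form. The sample file contents are constructed to carry exactly the indicators the post describes.

```python
import re

# Constructed sample system.ini, with the extra token the post describes
# (shell=Explorer.exe followed by a second program name).
SAMPLE_SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe xxxx.xxx
system.drv=system.drv
[386Enh]
device=*vmm
"""

# Constructed sample autoexec.bat carrying the two lines from the post.
SAMPLE_AUTOEXEC = """@echo off
copy c:\\sys.lon c:\\windows\\startm~1\\programs\\startup\\mdm.exe
del c:\\win.reg
set PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
"""

def shell_extra_args(ini_text):
    """Return the tokens following Explorer.exe on the shell= line (empty when clean)."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            parts = value.split()
            if parts and parts[0].lower() == "explorer.exe":
                return parts[1:]
            return parts  # shell is not Explorer.exe at all: report the whole value
    return []

def clean_shell_line(ini_text):
    """Rewrite the shell= line to plain Explorer.exe, leaving every other line untouched."""
    out = []
    for line in ini_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == "shell":
            out.append("shell=Explorer.exe")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# The two autoexec.bat lines the post says to remove (case-insensitive).
AUTOEXEC_INDICATORS = [
    re.compile(r"^\s*copy\s+c:\\sys\.lon\s", re.I),
    re.compile(r"^\s*del\s+c:\\win\.reg\s*$", re.I),
]

def autoexec_findings(bat_text):
    """Return the autoexec.bat lines matching the post's two indicators."""
    return [l for l in bat_text.splitlines()
            if any(p.search(l) for p in AUTOEXEC_INDICATORS)]
```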
DON'T DELETE THE WRONG FILE ... IF YOU ARE NOT SURE ABOUT THE FILE THEN LEAVE IT ...
These files can be located anywhere on your hard disk ...
.exe (it is space dot exe) ...
aim reminder.exe
bf evolution.exe
brainspy .exe (notice the space before the .exe) ...
cyber takeover.exe
dead bolt.exe
ds3-mini.exe
electric chair.exe
en-cid12.*
fs-backup.exe
hit it.exe
icq login.exe
light up the night.exe
loveday14*.hta
malicious cleaner.exe
microsft internet explorer.hta
news doc.exe
nude pussy.exe
poison gas.exe
port 5000.exe
pretty park.exe
Ram bridge optimizer.exe
recycle-bin.exe
robo-*.exe
rrlf-info.exe
ruler1-3.exe
sanctuary-sys33.exe
self extract.exe
serv-u32.exe
server 1.2.exe (there is a space after server) ...
sexy virgin.scr
south park.exe
the revenger.exe
truva atl.exe
very malicious.exe
weia-meia.exe
These files are located in the following locations ... follow the path ... the folder name might be WINNT instead of WINDOWS ... and SYSTEM32 instead of SYSTEM ... (search for these files in the active partition if it is not C on your PC) ... if you find any of them remember its location ... it is better to uncheck the "Hide file extensions for known file types" option in the folder options ...
C:\explorer.exe
C:\command.exe
C:\CONFIGG.SYS
C:\default.ini
C:\DivX\ (delete this folder but make sure that it is not used by another program)
C:\DMSETUP.EXE
C:\iecookie.exe
C:\k2vl.exe
C:\MIRC.INI
C:\MIRC\BACKUP0412.INI
C:\MIRC\DMSETUP.EXE
C:\MIRC\MIRCREM.INI
C:\msdos98.exe
C:\msie5.exe
C:\mstask.exe
C:\os32779.sys
C:\PROGRAM FILES\DMSETUP.EXE
C:\Program Files\ik\ik.exe
C:\Program Files\Internet Explorer\_.exe
C:\Program Files\Internet Explorer\_.ini
C:\Program Files\Mdm.exe
C:\Program files\msgsrv36.exe
C:\Program Files\MStesk.exe
C:\recycled\temp.exe
C:\recycled\winkernel.exe
C:\sesame\ (delete this folder if you found it)
C:\something\something.exe
C:\sys.lon
C:\system.dup
C:\TEMPSERVER.exe
C:\WINDOWS\...\Programs\StartUp\DeskManager.exe
C:\WINDOWS\command\drvspace.bat
C:\WINDOWS\command\msdos.sys
C:\WINDOWS\DMSETUP.EXE
C:\windows\fonts\ariel.exe
C:\windows\fonts\fonts\ (delete this folder ... fonts that is inside fonts)
C:\windows\inf\regcle32.exe
C:\windows\start menu\programs\startup\mdm.exe
C:\WINDOWS\Start Menu\Programs\Startup\mstesk.exe
C:\WINDOWS\SYSTEM\BRAINSPY .EXE (there is a space before the .EXE)
C:\Windows\System\WSOCK32.SKA (IF you found this file then delete WSOCK32.DLL and rename this one from WSOCK32.SKA to WSOCK32.DLL)
C:\windows\temp\pkg*.exe (like pkg1221.exe or pkg2342.exe ... etc.)
C:\WINDOWS\TEMP\UNINST.DLL
C:\windows\y.bat (the y has two dots over it)
C:\Windows\$TEMP\ (delete this folder if you found it)
* find the file sysedit.exe ... if it is about 100 KB then delete it directly ... and replace it from the Windows CD or from any other non-hacked PC ...
* go to C:\Windows\System\systray.exe ... if it is about 300 KB then delete it directly ... and replace it from the Windows CD or from any other non-hacked PC ...
Now ... let us check your Registry ...
Click (Start) and choose (Run) and type (regedit) and click (OK) ... Click on the + sign next to HKEY_LOCAL_MACHINE so that you get its subfolders ... anyway ... go to this folder ...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Now click on a subfolder called (Run) ... in the right screen you will find two main columns ... Name and Data ...
* In the Data section if you only see "" then right click on the related name and choose (Delete) ...
* If you found any of these ...
* also if you found this directory
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDIR\
then delete these items in it ...
StaticVxD = "vmldir.vxd"
StaticVxD = "intld.vxd"
* go to this directory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\
or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\
there is an item called "Common Startup" ... if you found it in the format of
Common Startup = "C:\windows\sysem\(any value)
then delete it ...
* if you found this directory
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\SessionManager\Known16DLLs\
delete this item in it ...
wsasrv.exe = "wsasrv.exe"
* go to this directory
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\
Click on the (System) folder and see if you can find this key ...
DisableRegistryTools = "1"
right click on this key and choose delete ...
Next, click on the (Explorer) folder and look at the right hand side ... There are 4 items there which need to be deleted ... they are:
NoRun
NoFind
NoDesktop
NoClose
* go to this directory
HKEY_LOCAL_MACHINE\SOFTWARE
On the left hand side, look for a folder titled (RBO) ... this is the folder that holds all of your system's passwords which the trojan grabbed, as well as the data the keylogger saved.
Right click on the folder (RBO) and choose delete ...
* if you found this directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
In the (LanMan) folder you will see one letter for each drive you have file sharing turned on for ... Right click on each drive one at a time in the left-hand panel and choose delete ...
* one of the hacking programs (Netbus 2.1) hides itself in another location of the registry ... check if you found this directory ...
HKEY_LOCAL_MACHINE\SOFTWARE\UltraAccess Networks\NetBus Server\General
or
HKEY_CURRENT_USER\NetBus Server\General
or
HKEY_CURRENT_USER\NetBus
or
HKEY_CURRENT_USER\NetRex Server\General
or
HKEY_CURRENT_USER\NetRex
if you found it then go to the folder or key (Visability) and change its value from "2" or "3" or anything else to "1" ... then close regedit and restart your computer ... When Windows restarts you should see the Netbus Server window (not hidden anymore) with a Settings and Close button ... Click the Settings button and turn off the item labeled "Load at startup automatically" ...
* Now restart your PC in (Safe Mode) and delete all the files that you found here ... if you were not able to delete a file then restart your computer using the boot disk, then go to its location and delete it ...
* after that restart your PC ... if you get a message saying that there is a file missing from your system then just get the name of that file and go to C:\WINDOWS\WIN.INI ... open it and remove the line that contains the name of that file ... and save the file ...
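The registry checks above, run offline over an exported REGEDIT4 file instead of clicking through regedit, as an added example that is not part of the original post: it parses the export and reports Run entries with empty data, the DisableRegistryTools policy, the four Explorer restriction policies and the wsasrv.exe entry under Known16DLLs. The export text is constructed to contain those indicators; REGEDIT4 is the format regedit saves on Windows 9x.

```python
import re

# Constructed REGEDIT4 export seeded with the indicators the post walks through.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Mdm"=""
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDesktop"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\SessionManager\Known16DLLs]
"wsasrv.exe"="wsasrv.exe"
"""

POLICY_NAMES = {"NoRun", "NoFind", "NoDesktop", "NoClose"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))')

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    Only quoted strings and dword values are handled; dwords become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, s, dw = m.groups()
                keys[current][name] = s if s is not None else int(dw, 16)
    return keys

def registry_findings(text):
    """Return (key_path, value_name, reason) for each indicator the post lists."""
    findings = []
    for path, values in parse_reg(text).items():
        lower = path.lower()
        leaf = lower.rsplit("\\", 1)[-1]
        under_policies = "\\policies\\" in lower
        for name, data in values.items():
            if leaf == "run" and data == "":
                findings.append((path, name, "Run entry with empty data"))
            elif under_policies and leaf == "system" and name == "DisableRegistryTools" and data in (1, "1"):
                findings.append((path, name, "registry editor disabled by policy"))
            elif under_policies and leaf == "explorer" and name in POLICY_NAMES:
                findings.append((path, name, "shell restriction policy"))
            elif leaf == "known16dlls" and name.lower() == "wsasrv.exe":
                findings.append((path, name, "wsasrv.exe registered as a known 16-bit DLL"))
    return findings
```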
DONE !!!
* I don't have a strong opinion on ICQ ... and I don't care about it actually ... it is FULL of security bugs ... no matter how many fixes they put out for it ... so use it at your own risk ...
Happy surfing ... and remember ... don't act like a hero and talk about how secure your system is ... TCP/IP is full of bugs ... more than 65000 ports the hackers can use to access any system ... something else ... some hack programs are not detected by Anti-Virus programs ... and even the firewall will not block them ... so be careful ...
and if you have any questions ... e-mail me ...