Saturday, August 9, 2008
Friday, August 8, 2008
Remove autorun.inf manually
So Youmania will tell you how to remove the autorun.inf virus, which causes your drives to open in a separate window when you click on a drive name in My Computer.
There is a Trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) that uses those two files (autorun.inf and ntde1ect.com). Here is how you can get rid of them:
1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager
5) Run cmd
6) Run the following command, replacing # with each drive letter (c, d, e, etc.) in turn: del #:\autorun.* /f /a /s /q
Be careful with this command: run against the wrong path it can delete all the data on your hard disk one file at a time, so keep your mouse pointer on the close button (X) of the command prompt window and close it immediately if it starts deleting your files.
Alternatively, you can do this step without ending explorer.exe:
press Windows+R to open the Run dialog, type cmd and press Enter to get a command prompt,
then change to #:\ where # is each of your drive letters in turn.
Taking the C: drive as the example:
at the C:\> prompt type del /a /s /q /f followed by a space, then press Tab until autorun.inf is shown and press Enter.
Now do the remaining steps as described below (be careful: check clearly that the name shown is autorun.inf before deleting it, and do not delete ntdetect.com, the legitimate boot file that also lives there, as that may crash your system).
7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files named avp0.dll, avpo.exe or avp0.exe, use the following commands to delete each of them:
attrib -r -s -h avpo.exe
del avpo.exe
10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
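As an added example (not code from the original post), here is a read-only triage script for the autorun.inf files that step 6 deletes: it parses the [autorun] section, lists what the file would launch and flags the file names this post associates with the infection. The sample autorun.inf bodies and the function names are constructed for illustration.

```python
"""Read-only triage of an autorun.inf: what would it launch when the drive is opened?

Added example for this page, not code from the original post. The file names in
KNOWN_BAD come from the post; both sample autorun.inf bodies below are constructed.
"""
import os
import string

# Files this post ties to the infection; a launch target with one of these names is a strong signal.
KNOWN_BAD = {"ntde1ect.com", "avpo.exe", "avp0.exe", "avp0.dll"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section with keys lower-cased.
    Duplicates are kept: malware often sets open=, shellexecute= and shell\\...\\command= together."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_target(value):
    """First token of a command value, unquoted and lower-cased, e.g. 'ntde1ect.com'."""
    parts = value.split()
    return parts[0].strip('"').lower() if parts else ""


def triage_autorun(text):
    """Classify one autorun.inf body. Verdicts: 'known_bad' when a launch target matches
    KNOWN_BAD, 'launches' when it runs anything at all (installer CDs do this too, so a
    human still decides), 'no_launch' when it only sets an icon or label."""
    launches, known_bad = [], []
    for key, value in parse_autorun(text):
        # open= / shellexecute= run on AutoPlay; shell\<verb>\command= runs when that
        # context-menu verb is chosen, and shell=<verb> makes it the double-click default.
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))
            name = os.path.basename(launch_target(value).replace("\\", "/"))
            if name in KNOWN_BAD:
                known_bad.append(name)
    verdict = "known_bad" if known_bad else ("launches" if launches else "no_launch")
    return {"launches": launches, "known_bad": sorted(set(known_bad)), "verdict": verdict}


def scan_drive_roots(letters=string.ascii_uppercase):
    """Inspect every drive root, which is where step 6 above deletes autorun.* from.
    Reports only; it never deletes. Returns {path: triage result} for files found."""
    results = {}
    for letter in letters:
        path = f"{letter}:\\autorun.inf"
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = triage_autorun(fh.read())
    return results


# Constructed samples, not copied from a real infection.
MALICIOUS_SAMPLE = """\
[autorun]
open=ntde1ect.com
shell\\open\\Command=ntde1ect.com
shell\\open=Open
shell\\explore\\Command=ntde1ect.com
shellexecute=ntde1ect.com
"""
BENIGN_SAMPLE = """\
[autorun]
icon=setup.exe,0
label=Printer driver CD
"""
```

Run scan_drive_roots() on a Windows box to see the verdict for each drive before deleting anything; on other systems it simply finds no drive roots.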
Use system restore when you can’t boot your system
If your system has failed to the point where you cannot access the Windows GUI, either by booting normally or through safe mode, you may still be able to use the System Restore feature, if you have it enabled, by running it from the command prompt.
To do this:
1. Restart your computer and press F8 after the POST screen to bring up the Windows XP boot menu.
2. Choose ‘Safe Mode with Command Prompt’.
3. If your system reaches the command prompt successfully, type %systemroot%\system32\restore\rstrui.exe (without quotes) and press Enter.
4. Follow the onscreen instructions to restore your computer to a previously saved point.
Thursday, August 7, 2008
Reset and Fix Broken Windows Vista File Ext and Type Associations (Include EXE, COM, SYS, ZIP, LNK, Folder, Drive)
Windows Vista file type and file extension associations may become corrupted, broken or go haywire, so that files with some extensions cannot be opened properly. For example, some third-party programs may wrongly set or assign file associations for extensions that are not supposed to have a default program, such as .exe, .com, .sys, .lnk, folder, directory, drive, etc. (these special types have built-in associations that are not meant to be assigned to other programs, so that Windows knows how to handle them).
Programs known to cause this problem include Lavasoft Ad-Aware SE with the “Lock executable file associations” option enabled in Ad-Watch via automatic setting, which blocks registry changes related to file associations when a new software application is installed or updated. Another possibly problematic app is dTools, which may delete or remove the associated default program and icon for .exe, .sys, .scr, .rll, .pko, .pif, .ocx, .wmdb, .wsp, .xmp, .tpl and other extension types. Sometimes the user may accidentally unassociate or delete the file association, or assign an extension such as a .lnk shortcut to the wrong program after forgetting to uncheck the “Always use this program to open this type of file” option.
When the file type association for an extension is deleted or not found, the icon for that file type becomes a blank sheet of white paper. And when the user double-clicks or runs a file with that extension, the system prompts with an “Open With” dialog to find a program to open the file with.
The problem is especially bad when the file association for executables with the .exe extension is broken, because programs such as Adobe Reader, Internet Explorer, Notepad, System Restore, Microsoft Office Word, Excel, PowerPoint, and even Registry Editor (which is needed to fix the invalid file association problem) cannot be started, launched or executed.
Windows Vista's basic Set Associations management interface cannot reset a corrupted or invalid file association back to the factory default, or at least to a workable state. As a workaround, the user can try manually removing the user-choice file association to restore the Windows default file type and extension association.
If manually deleting the user-customized file association does not work, or if you want a direct yet simple fix for the file type and file extension association problem, Winhelponline.com has provided registry files that fix and reset several common file associations in Windows Vista back to their original defaults, as if right after a fresh installation.
File association fixes are available for the following file extensions. Each can be downloaded as a ZIP file containing a .reg file; execute the registration entries file to merge its keys and values into the system registry, replacing and resetting the existing entries.
audiocd
avi
bat
bmp
chm
cmd
com
dvr-ms
exe
gif
htm
html
ico
inf
jpe
jpeg
jpg
js
lnk
mp3
mpe
mpeg
mpg
msc
reg
scr
tif
tiff
txt
vbs
wma
wmv
xml
xps
zip
Folder
Directory
Drive
For users who want all the file association fixes, there is a compressed zip file, vista_extfix.zip, that contains all of the individual file extension association fixes listed above.
Note that to apply the registration entries file (the downloaded .reg file), the user must right-click on the .reg file and select “Run as Administrator” to apply the file association fix for the respective file type and
Monday, August 4, 2008
Staying anonymous on net
I always wondered whether I could ever transform myself into wind, moving from place to place with no rules, no restrictions and above all no individuality. It looks like a distant reality in real life, but being anonymous on the net is not that tough.
Before you can start to hack systems you need a platform to work from. This platform must be stable and not easily traceable. How does one become anonymous on the Internet? Let us look.
Permanent connection (leased line, cable, fiber)
The problem with these connections is that they need to be installed by your local Telecom at premises where you are physically located. Most ISPs want you to sign a contract when you install a permanent line, and ask for identification papers. So, unless you can produce false identification papers, company papers etc., and have access to a building that cannot be directly tied to your name, this is not a good idea.
Dial-up
Many ISPs provide “free dial-up” accounts. The problem is that logs are kept, either at the ISP or at the Telecom, of calls that were made. At the ISP side this is normally done using RADIUS or TACACS. The RADIUS server will record the time that you dialed in, the connection speed, the reason for disconnecting, the time that you disconnected and the userID that you used. Armed with this information the Telecom can usually provide the source number of the call (YOUR number). For the Telecom to pinpoint the source of the call they need the destination number (the number you called), the time the call was placed and the duration of the call. In many cases the Telecom need not be involved at all, as the ISP records the source number itself via Caller Line Identification (CLI).
Let us assume that we find the DNS name “c1-pta-25.dial-up.net” in our logs and we want to trace the attacker. We also assume that the ISP does not support caller line identification, and the attacker was using a compromised account. We contact the ISP to find out what the destination number would be with a DNS name like that. The ISP provides the number - e.g. +27 12 664 5555. It’s a hunting line - meaning that there is one number with many phone lines connected to it. We also tell the ISP the time and date the attack took place (from our logs files). Let us assume the attack took place 2000/8/2 at 17h17. The RADIUS server tells us what userID was used, as well as the time it was connected: (these are the typical logs)
6774138 2000-08-02 17:05:00.0 2000-08-02 17:25:00.0 demo1 icon.co.za 168.209.4.61 2 Async 196.34.158.25 52000 1248 00010 B6B 87369 617378 null 11
These logs tell us that user “demo1” was connected from 17h05 to 17h25 on the date the attack took place. It was dialing in at a speed of 52kbps, it sent 87369 bytes and received 617378 bytes. We now have the start time of the call, the destination number and the duration of the call (20 minutes). Telecom will supply us with the source number as well as account details, e.g. physical location. As you can see, phoning from your house to an ISP (even using a compromised or free ID) does not make any sense.
Mobile (GSM) dial-up
Maybe using a GSM mobile phone will help? What can the GSM mobile service providers extract from their logs? What is logged? A lot, it seems. GSM switches send raw logging information to systems that crunch the data into what are called Call Data Records (CDRs). Further systems crunch CDRs into SCDRs (Simple CDRs). The SCDRs are sent to the various providers for billing. What does a CDR look like? Here is an example of a broken-down CDR:
99042300000123000004018927000000005216003
27834486997
9903220753571830
834544204
000001MOBILE000
0000001000000000000000000
AIRTIME1:24
20377
UON0000T11L
MTL420121414652470
This tells us the date and time the call was placed (1st string), the source number (+27 83 448 6997), the destination number (834544204), that it was made from a mobile phone, the duration of the call (1 minute 24 seconds), the cellID (20377), the three-letter code for the service provider (MTL = Mtel in this case), and the unique mobile device number (IMEI number) 420121414652470. Another database can quickly identify the location (long/lat) of the cell. This database typically looks like this:
20377
25731
-26.043059
28.011393
120
32
103
“Didata Oval uCell”,”Sandton”
From this database we can see the exact longitude and latitude of the cell (in this case in the middle of Sandton, Johannesburg) and the description of the cell. The call was thus placed from the Dimension Data Oval in Sandton. Other databases provide the account information for the specific source number. It is important to note that the IMEI number is also logged: using your phone to phone your mother, then switching SIM cards, moving to a different location and hacking the NSA with the same device is not bright, because the IMEI number stays the same and links you to all other calls that you have made. Building a profile is very easy and you’ll be nailed in no time.
Using timing advance and additional tracking cells, it is theoretically possible to track you to a resolution of 100 meters, but as the switches only keep these logs for 24 hours, this is usually done in real time with other tracking devices, and only in extreme situations. Bottom line: even if you use a GSM mobile phone as a modem, the GSM service providers know a lot more about you than you might suspect.
How to
So how do we use dial-in accounts? It seems that having a compromised dial-in account does not help at all, but common sense goes a long way. Suppose you used a landline, and they track you down to someone who does not even own a computer? Or to the PABX of a business? Or to a payphone? Keeping all of the above in mind, here is a list of notes (all kind of common sense):
Landlines:
1. Tag your notebook computer, modem and croc-clips along to a DP (distribution point). These are found all around - it is not discussed in detail here as it differs from country to country. Choose a random line and phone.
2. In many cases one can walk into a large corporation with a notebook and a suit with no questions asked. Find any empty office, sit down, plug in and dial.
3. etc…use your imagination
GSM:
1. Remember that the device number (IMEI) is logged (and it can be blocked). Keep this in mind! The ultimate would be to use a single device only once. Never use the device in a location that is linked to you (e.g. a microcell inside your office).
2. Try to use either a very densely populated cell (shopping malls) or a location where there is only one tracking cell (like close to the highway) as it makes it very hard to do spot positioning. Moving around while you are online also makes it much harder to track you down.
3. Use prepaid cards! For obvious reasons you do not want the source number to point directly to you. Prepaid cards are readily available without any form of identification. (Note: some prepaid cards do not have data facilities, so find out first.)
4. GSM has data limitations - currently the maximum data rate is 9600bps.
Using the I’net
All of this seems like a lot of trouble. Is there not an easier way of becoming anonymous on the Internet? Indeed, there are many ways to skin a cat. It really depends on what type of connectivity you need. Let's assume all you want to do is send anonymous email (I look at email specifically because many of the techniques involved can be used for other services such as HTTP, FTP etc.). How difficult could it be?
For many individuals it seems that registering a fake Hotmail, Yahoo etc. account and popping a flame email to an unsuspecting recipient is the way to go. Doing this could land you in a lot of trouble. Let's look at the header of an email originating from Yahoo:
Return-Path:
Received: from web111.yahoomail.com (web111.yahoomail.com [205.180.60.81])
by wips.sensepost.com (8.9.3/1.0.0) with SMTP id MAA04124
for
(envelope-from r_h@yahoo.com)
Received: (qmail 636 invoked by uid 60001); 15 Jul 2000 10:37:15 -0000
Message-ID: <20000715103715.635.qmail@web111.yahoomail.com>
Received: from [196.34.250.7] by web111.yahoomail.com; Sat,
15 Jul 2000 03:37:15 PDT
Date: Sat, 15 Jul 2000 03:37:15 -0700 (PDT)
From: RH
Subject: Hello
To: roelof@sensepost.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
The mail header tells us that our mailserver (wips.sensepost.com) received the email via SMTP from the web-enabled mailserver (web111.yahoomail.com). It also tells us that the web-enabled mailserver received the mail via HTTP (the web) from the IP number 196.34.250.7. It is thus possible to trace the email to the originator. Given that we have the time the webserver received the mail (over the web) and the source IP, we can use the techniques explained earlier to find the person who sent the email. Most free web-enabled email services include the client source IP (a list of free email providers is at www.fepg.net).
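As an added example (not part of the original text or SensePost's material), here is how an investigator would read that Received: chain programmatically: it walks the hops bottom-up to the originating client IP and normalises the timestamps to UTC. The header is rebuilt from the post's Yahoo example with its truncated Return-Path and 'for' clauses left out rather than guessed.

```python
"""Walk an email's Received: chain back to the originating client IP.

Added example for this page, not code from the original post or from
SensePost. SAMPLE_HEADERS is rebuilt from the post's Yahoo example; its
truncated Return-Path and 'for' clauses are left out rather than guessed.
"""
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Received: from web111.yahoomail.com (web111.yahoomail.com [205.180.60.81])
    by wips.sensepost.com (8.9.3/1.0.0) with SMTP id MAA04124
    (envelope-from r_h@yahoo.com)
Received: (qmail 636 invoked by uid 60001); 15 Jul 2000 10:37:15 -0000
Message-ID: <20000715103715.635.qmail@web111.yahoomail.com>
Received: from [196.34.250.7] by web111.yahoomail.com; Sat,
    15 Jul 2000 03:37:15 PDT
Date: Sat, 15 Jul 2000 03:37:15 -0700 (PDT)
From: RH
Subject: Hello
To: roelof@sensepost.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into from/by/ip/time. A line without a 'from'
    clause (qmail's 'invoked by uid' handoff) is a local step, not a network hop."""
    value = " ".join(value.split())                    # unfold, collapse whitespace
    if ";" in value:                                   # the timestamp follows the last ';'
        clause, stamp = value.rsplit(";", 1)
    else:
        clause, stamp = value, ""
    hop = {"from": None, "by": None, "ip": None, "time": None}
    m_from = re.match(r"from\s+(\S+)", clause)
    if m_from:
        hop["from"] = m_from.group(1)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        hop["by"] = m_by.group(1) if m_by else None
        m_ip = IP_RE.search(clause)                     # peer address as recorded by that MTA
        hop["ip"] = m_ip.group(1) if m_ip else None
    if stamp.strip():
        dt = parsedate_to_datetime(stamp.strip())
        if dt.tzinfo is None:                           # '-0000' means zone unknown; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hop["time"] = dt.astimezone(timezone.utc)
    return hop


def received_chain(raw_headers):
    """Hops oldest-first. Every MTA prepends its own Received: line, so the
    bottom-most is the first hop and the top-most was written by our own server.
    Only lines added by servers you trust are reliable; a sender can forge anything
    below them, so read top-down and stop at the first line you cannot vouch for."""
    msg = email.message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw_headers):
    """Peer address recorded by the earliest hop: for webmail, the browser's IP."""
    for hop in received_chain(raw_headers):
        if hop["ip"]:
            return hop["ip"]
    return None
```

The UTC times of the webmail hop (03:37:15 PDT) and qmail's local handoff (10:37:15 -0000) agree, which is the consistency check worth making before quoting a timestamp to an ISP.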
How to overcome this? There are some people who think that one should be allowed to surf the Internet totally anonymously. An example is Anonymizer.com (www.anonymizer.com). Anonymizer.com allows you to enter a URL into a text box. It then proxies all connections to the specified destination. Anonymizer claims that they only keep hashes (one-way encryption, cannot be reversed) of logs. According to documentation on the Anonymizer website there is no way that even they can determine your source IP. Surfing to Hotmail via Anonymizer thus changes the IP address in the mail header.
But beware. Many ISPs make use of technology called transparent proxy servers. These servers are normally located between the ISP’s clients and their main feed to the Internet. They pick up HTTP requests, change the source IP to their own IP and do the reverse upon receiving the return packet. All of this is totally transparent to the end user, hence the name. And the servers keep logs. Typically the servers cannot keep logs forever, but the ISP could be backing up logs for analysis. Were I tasked to find a person who sent mail via Hotmail and Anonymizer, I would ask for the transparent proxy logs for the time the user was connected to the web-enabled mailserver, and search for connections to Anonymizer. With any luck it would be the only connection to Anonymizer in that time frame. Although I won’t be able to prove it, I would find the source IP involved.
Another way of tackling the problem is anonymous remailers. These mailservers will change your source IP, your
Yet another way is to make use of servers that provide free Unix shell accounts. You can telnet directly to these servers (some provide SSH (encrypted shell) access as well). Most of the free shell providers also provide email facilities, but limit shell capabilities, e.g. you can’t telnet from the free shell server to another server. In 99% of cases connections are logged, and logs are kept in backup. A website that lists most free shell providers can be found at www.leftfoot.com/freeshells.html. Some freeshell servers provide more shell functionality than others; consult the list for detailed descriptions.
How do we combine all of the above to send email anonymously? Consider this: I SSH to a freeshell server. I therefore bypass the transparent proxies, and my communication to the server is encrypted and thus invisible to people who might be sniffing my network (locally or anywhere). I use lynx (a text-based web browser) to connect to an Anonymizer service. From the Anonymizer I connect to a free email service. I might also consider a remailer located somewhere in Finland. 100% safe?
Even when using all of above measures I cannot be 100% sure that I cannot be traced. In most cases logs are kept of every move you make. Daisy chaining and hopping between sites and servers does make it hard to be traced, but not impossible.
Other techniques
1. The cybercafe is your friend! Although cybercafes are stepping up their security measures it is still relatively easy to walk into a cybercafe without any form of identification. Sit down, and surf to hotmail.com; no one would notice, as everyone else is doing exactly the same thing. Compose your email and walk out. Do not become a regular! Never visit the scene of the crime again. When indulging in other activities such as telnetting to servers or doing a full-blast hack, cybercafes should be avoided as your activity can raise suspicion with the administrators.
2. Search for proxy-like services. Here I am referring to things like WinGate servers. WinGate runs on a Microsoft platform and is used as a proxy server for a small network (read: SOHO environment with a dial-up link). In many cases these servers are not configured correctly and will allow anyone to proxy/relay via them. These servers do not keep any logs by default. Hopping via WinGate servers is so popular that lists of active WinGates are published (www.cyberarmy.com/lists/wingate/).
3. With some experience you can hop via open routers. Finding open routers is very easy: many routers on the Internet are configured with default passwords (a list of default passwords can be found at www.nerdnet.com/security/index.php).
Doing a host scan on port 23 (more on this later) in a “router subnet” would quickly reveal valid candidates. In most cases these routers are not configured to log incoming connections, and they provide excellent stepping-stones to freeshell servers. You might also consider daisy-chaining them together for maximum protection.
4. Change the communication medium. Connect to an X.25 PAD via a XXX service. Find the DTE of a dial-out X.25 PAD. Dial back to your local service provider. Your telephone call now originates from e.g. Sweden. Confused? See the section on X.25 hacking later in the document. The exact same principle can be applied using open routers (see point 3). Some open routers listen on high ports (typically 2001, 3001, X001) and drop you directly into the AT command set of a dial-out modem. Get creative.
The best way to stay anonymous and untraceable on the Internet would be a creative mix of all of the above-mentioned techniques. There is no easy way to be 100% sure all of the time that you are not traceable. The nature of the “hack” should determine how many “stealth” techniques should be used. Doing a simple portscan to a university in Mexico should not dictate that you use 15 hops and 5 different mediums.
For more information read: Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
Look Who's Watching youuuuuu
Internet surfing has been revolutionized in this new era, and a major contribution is from Google and its myriad tools and services. The main reason for its widespread reach is the ‘free’ tag. Most of its services, like Orkut, Gmail, Google Earth basic and Gtalk, are available free of cost. So where does Google find its profits? Its advertising services are the answer. Google’s powerful bots don’t just crawl the net to get you the best search results; they even crawl your mails to display relevant ads on your mail page.
So how private is your life?
Let me look at the Google services I use: iGoogle, Gmail, Orkut, Gtalk, GReader, GEarth, Google Blog Search, Picasa, YouTube, GVideos, GGroups, GBooks, GAnalytics. That’s a good long list; it would have cost me a fortune if these weren’t free.
My online life is so dependent on Google. No doubt there will be many others like me. Now let's look at how Google’s eyes follow you.
iGoogle - Customisable search page. It knows what you search for, what you want from the internet, and hence your fields of interest. I remember using Google search to learn about my ailment during an illness. So, based on the search history, anyone who has access to it can know my physical and even mental state. With such information, the lifestyle of any individual can be reconstructed.
Gmail and GTalk - Google’s mail and chat services. Again, your interests, contacts and friends are there in your mailbox. I know of an incident when we gained access to a friend's Gmail account by keylogging. From his chat history we gained so much personal information, like his new crush, reasons for observable changes in his behavior, etc.
Orkut - For Indians, social networking got a new meaning through Orkut. Your profile represents your online self, and you tend to make your profile as unique as possible, ending up giving more personal info, sometimes info that shouldn’t be that public, like home address and personal phone number. You can closely follow a profile and get to know a lot about the person in real life.
GEarth and WikiMap - You will be thrilled to find your place of residence on them and mark it as, say, “My House”, but it also permits strangers to know your physical location. Well, I guess that’s dangerous.
YouTube and GVideos - These services changed the way we watch videos on the internet. Again, they log your video interests, letting people know more about you.
These are just instances, a few examples I realised from my Googling experiences. I myself know people who get information about others based only on online data, sometimes just from Orkut. The only hindrance they faced is the new privacy settings. Hence, it may be difficult for unauthorized people to pry into your life, yet people with authority and permission to access Google data can reconstruct the complete life of any individual simply from online data, even without having any contact with the individual. He will never know his life is being watched.
It might be scary to realize that there could be someone watching every step you take, knowing your little secrets and understanding your weaknesses better than the best of your best friends. But we can pacify ourselves:
“We are just one in a billion Google users. Who is jobless to trace our tracks? “
This is done by appending the respective registry key (a CLSID) to the folder’s name. After this, when you double-click the folder, either Control Panel, Recycle Bin, My Computer or Internet Explorer will open, according to your choice. Windows then treats that folder as a link to one of these four. The folder remains intact with all its data, and no one can access it via Windows Explorer; it can only be accessed via the Command Prompt or a third-party app.
To convert a folder into Control Panel, rename it by appending .{21EC2020-3AEA-1069-A2DD-08002B30309D}
To convert a folder into Recycle Bin, rename it by appending .{645FF040-5081-101B-9F08-00AA002F954E}
To convert a folder into My Computer, rename it by appending .{20D04FE0-3AEA-1069-A2D8-08002B30309D}
To convert a folder into Internet Explorer, rename it by appending .{871C5380-42A0-1069-A2EA-08002B30309D}
E.g. if you have a folder ABC, to convert it into Control Panel rename the folder as ABC.{21EC2020-3AEA-1069-A2DD-08002B30309D}. After this the key should disappear from the displayed name and act as an attribute; if it doesn’t, that is no problem either, as the folder will still work the way you want.
To make your folder accessible via Windows again, go to the command prompt and rename the folder there. E.g. if the folder is C:\Temp\ABC, go to C:\Temp in the command prompt and type: ren ABC.{21EC2020-3AEA-1069-A2DD-08002B30309D} ABC
(Command Prompt supports the clipboard, so copy-paste will work there.) Your folder will be back to its normal state.
This method can be used to protect any data, but it will not provide reliable security for it.
You can also search the registry for more relevant keys like these.
Javascript Injection Attack
JavaScript injection is a technique by which we can insert our own JavaScript code into a website, either by entering the code into the address bar or by finding an XSS (Cross-Site Scripting) vulnerability in the website. Note that the changes can only be seen by you and are not permanent, because JavaScript is a ‘client-side’ language.
This can be very useful when one needs to spoof the server by editing some form option.
JavaScript injection is briefly covered in the following three parts:
1. Injection Basics
2. Cookie Editing
3. Form Editing
1. Injection Basics
JavaScript injections are run from the URL bar of the page you are visiting. To use them, you must first completely clear the URL from the URL bar.
JavaScript is run from the URL bar by using the javascript: protocol. If you are a JavaScript expert, you can expand on this using plain old JavaScript.
The two commands covered in this article are alert(); and void();. These are pretty much all you will need in most situations. For your first JavaScript you will make a simple window appear: first go to any website, then type the following into your URL bar:
javascript:alert('Hello, World');
You should get a little dialog box that says “Hello, World”. This will be altered later to have more practical uses.
You can also have more than one command run at the same time:
javascript:alert('Hello'); alert('World');
This would pop up a box that says ‘Hello’ and then another that says ‘World’.
2. Cookie Editing
DO NOT USE THIS INFORMATION TO COMMIT CYBER CRIMES
First off, check to see if the site you are visiting has set any cookies by using this script:
javascript:alert(document.cookie);
This will pop up any information stored in the site's cookies. To edit any information, we make use of the void(); command:
javascript:void(document.cookie="Field=myValue");
This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:
javascript:void(document.cookie="Authorized=yes");
would either create the field “Authorized” with the value “yes” or edit it to say “yes”… whether or not this does anything of value depends on the site you are injecting it on.
It is also useful to tack an alert(document.cookie); on the end of the same line to see what effect your alteration had.
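Added example, not from the original post, showing the server side of the “Authorized=yes” case above: the first check trusts the raw cookie and is fooled by a document.cookie edit, while the hardened one accepts only a value the server signed itself. The HMAC key, the cookie names and the user name are assumed values.

```python
"""Server-side view of the 'Authorized=yes' cookie edit described above.

Added example for this page, not code from the original post. SECRET, the
cookie names and the user name are assumed values for illustration.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"assumed-server-secret-rotate-per-deployment"  # never sent to the client


def parse_cookie_header(header):
    """Turn a raw 'Cookie:' header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


# Vulnerable pattern: the flag the post sets with javascript:void(document.cookie=...)
# is believed as-is, so any visitor can grant themselves access.
def is_authorized_vulnerable(cookie_header):
    return parse_cookie_header(cookie_header).get("Authorized") == "yes"


# Hardened pattern: the server issues 'user|hmac' and later accepts only what it signed.
def sign(value):
    mac = hmac.new(SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify(token):
    """Return the signed value if its MAC checks out, else None. Constant-time
    comparison so a forger cannot time their way to a valid MAC."""
    if not token or "|" not in token:
        return None
    value, mac = token.rsplit("|", 1)
    expected = hmac.new(SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def is_authorized_hardened(cookie_header):
    """A client-written 'Authorized=yes' is simply ignored; only a valid session token counts."""
    return verify(parse_cookie_header(cookie_header).get("session")) is not None


def issue_session_cookie(user):
    """Set-Cookie value sent after a real login. HttpOnly keeps the token out of
    document.cookie, so the alert(document.cookie) trick above does not even show it."""
    return f"session={sign(user)}; HttpOnly; Secure; SameSite=Lax"
```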
3. Form Editing
Sometimes, to edit values sent to a given website through a form, you can simply download that HTML and edit it slightly to allow you to submit what you want. However, sometimes the website checks to see whether you actually submitted it from the website you were supposed to. To get around this, we can just edit the form straight from JavaScript. Note: the changes are only temporary, so it’s no use trying to deface a site through JavaScript injection like this.
Every form on a given web page (unless named otherwise) is stored in the forms[x] array, where “x” is the number, in order from top to bottom, of all the forms on the page. Note that the forms start at 0, so the first form on the page would actually be 0, the second would be 1, and so on.
How to become a hacker
What Is a Hacker?
The Hacker Attitude
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.
Basic Hacking Skills
1. Learn how to program.
2. Get one of the open-source Unixes and learn to use and run it.
3. Learn how to use the World Wide Web and write HTML.
4. If you don’t have functional English, learn it.
Status in the Hacker Culture
1. Write open-source software
2. Help test and debug open-source software
3. Publish useful information
4. Help keep the infrastructure working
5. Serve the hacker culture itself
The Hacker/Nerd Connection
Points For Style
Other Resources
Frequently Asked Questions
Read More: http://www.catb.org/~esr/faqs/hacker-howto.html