COCA-COLA WIFI BOOSTER!!!

July 16th, 2008 by ftoliao

Please see the how-to's shown below, then afterwards gain 300m(+) more range on your wifi devices. Enjoy.


My directional wireless access point.

Leaking private information

July 8th, 2008 by ftoliao

svhost32.exe - Here is the scoop on the Infostealer.Maplosty trojan as it pertains to computer network security. The big questions: what is svhost32.exe, is it spyware or a trojan, and if so, how do I get rid of Infostealer.Maplosty?

svhost32.exe (Infostealer.Maplosty trojan) - Details: if you find a program called svhost32.exe running on your PC, your system could be infected with a trojan known as Infostealer.Maplosty. Do not confuse it with the legitimate Windows service host, svchost.exe in %Windir%\System32: the extra letter and the path outside System32 are what give the trojan away. svhost32.exe is considered a security risk not only because antivirus programs flag Infostealer.Maplosty as a trojan, but also because other sites classify it as one. As a trojan it presents a serious vulnerability which should be fixed immediately. Delaying the removal of svhost32.exe may cause serious harm to your system and is likely to cause a number of problems: loss of data, loss of control or leaking of private information.

Removal:

  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value:

    "fzg" = "%Windir%\Config\svhost32.exe"

  6. Exit the Registry Editor.

And also….

  1. Click Start > Run.
  2. Type regedit
  3. Navigate to the subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

  4. In the right pane, delete the value:

    "load" = "%ProgramFiles%\svhost32.exe"

  5. Exit the Registry Editor.

Microsoft Corparation Virus

June 27th, 2008 by ftoliao

Name : regsvr.exe
Name : winhelp.exe
Type of File : Application
Icon : Folder icon
size : 1.06 MB (1,114,588 bytes)
size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (note the spelling: it is Microsoft Corp'a'ration, not Microsoft Corporation)
Copyright :
Compiled Script : Microsoft Corporation
File Version : 1,1,2,2
Language : English (United Kingdom)

Name : rundll.exe
Type of File : Application
Description : Generic Host Process for Win32 Services
Size : 161 KB (164,864 bytes)
size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe

Other supporting files, created during installation of the virus:

Name : MSINET.OCX
Type : ActiveX Control
Size : 60.5 KB (61,952 bytes)
Size on disk : 64.0 KB (65,536 bytes)
File version : 5.1.45.11
Description : Microsoft Internet Transfer Control DLL
Copyright : Copyright © 1987-1997 Microsoft Corp.
Comments : September 11, 1997
Company : Microsoft Corporation
File version : 5.01.4511
Internal name : MSINET.OCX

Name : ijl11pro.dll
Type : Application Extension
Size : 70.0 KB (71,680 bytes)
Size on disk : 72.0 KB (73,728 bytes)
File version : 1.1.2.16
Description : Intel® JPEG Library - Retail Version
Copyright : Copyright © 1999
Comments : Intel® JPEG Library
Company : Intel Corporation
File version : 1.1.2
Internal name : Intel® JPEG Library
Original name : ijl11.dll

x—x—x

Recognized by KAV
—————–

not-a-virus:Monitor.Win32.007SpySoft.q rundll.exe
Worm.Win32.AutoIt.s regsvr.exe
x—x—x

Running Process
—————

regsvr.exe <user name> 1-30% 2 threads
rundll.exe <user name> 0% 4 threads
Winhelp.exe SYSTEM 1-40% 1 thread

x—x—x

Behind the Screen
—————–

Files Created:
…………..

I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut3.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut4.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut5.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut6.tmp
I:\WINDOWS\winhelp.ini
I:\WINDOWS\system32\rundll.exe
I:\WINDOWS\system32\ijl11pro.dll
I:\WINDOWS\system32\MSINET.OCX
I:\WINDOWS\system32\regsvr.exe
I:\WINDOWS\regsvr.exe
I:\WINDOWS\system32\winhelp.exe
I:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
I:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
I:\WINDOWS\system32\COMCTL32.OCX
I:\WINDOWS\system32\stdole2.tlb
ModifyFile I:\WINDOWS\winhelp.ini

Registry changes:
……………….

ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\WINNT\system32\ssdata\
CreateDir C:\Recycled\WinLiveUpdate32\scrdata\
CreateDir C:\Recycled\WinLiveUpdate32\
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User “I:\WINDOWS\system32\rundll.exe”

Registry access:
…………….

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

x—x—x

More behind the screen
———————-

The virus is completely installed only after rebooting twice.

It uses cacls.exe to change some permission settings (which ones has not yet been discovered).

It saves print-screen images in c:\recycled\WinLiveUpdate32\ every 30 seconds, so it eats up the space on your c:\ drive if you are affected by this virus for a long time.

It also logs activity on the system in c:\recycled\WinLiveUpdate32\scrdata\ in files named Apps.data, Files.dat, Keys.data, scr.data and lgstat.ini.

In simple words: it keeps a complete record of what you do on your computer.

Apps.data
………

Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
Piyush Chandra|||2008-03-26 19:06:04|||Run|||My Documents
etc

Files.dat
………

Piyush Chandra|||2008-03-26 19:31:55|||Create Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder
Piyush Chandra|||2008-03-26 19:32:00|||Rename Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder—>H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\recycler files

etc

Keys.data
………

Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning
{Enter}

scr.data
……..

Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp - Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
Piyush Chandra|||2008-03-26 19:08:16|||Player

etc
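The four tracking files share one record format, user|||timestamp|||action|||detail, and Keys.data spills typed keys onto the following line. As an added example that is not from the original post or from piyushlabs, this Python parser merges the excerpts above into one timeline and summarises what the operator could have collected, which is what you need when scoping how much of a user's activity was exposed; the sample lines are copied from the excerpts in this post.

```python
"""Rebuild a timeline from the spyware's own tracking logs (Apps.data, Files.dat, Keys.data, scr.data)."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Record:
    source: str          # log file the line came from
    user: str
    when: datetime
    fields: list         # remaining '|||' fields: action, window title, capture path...
    extra: list = field(default_factory=list)  # continuation lines (Keys.data keystrokes)

def parse_log(source, text):
    """Split '|||'-delimited lines; a line without user and timestamp continues the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split("|||")
        if len(parts) < 3:                   # e.g. "{Enter}" after a Keys.data entry
            if records:
                records[-1].extra.append(line)
            continue
        user, stamp, *rest = parts
        records.append(Record(source, user, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), rest))
    return records

def timeline(logs):
    """Merge every log ({file name: contents}) into one chronologically ordered list."""
    recs = [r for src, txt in logs.items() for r in parse_log(src, txt)]
    return sorted(recs, key=lambda r: r.when)

def exposure_summary(recs):
    """What the operator could have collected: screenshots, typed keys, file operations, time span."""
    return {
        "screenshots": [r.fields[-1] for r in recs if r.source == "scr.data" and r.fields[-1].lower().endswith(".jpg")],
        "keystrokes": [(r.fields[0], r.extra) for r in recs if r.source == "Keys.data"],
        "files": [tuple(r.fields) for r in recs if r.source == "Files.dat"],
        "span": (recs[0].when, recs[-1].when) if recs else None,
    }

# Sample input: lines taken from the log excerpts in this post (scr.data is a short subset).
SAMPLE_LOGS = {
    "Apps.data": "Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0\n"
                 "Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0\n"
                 "Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager\n",
    "Keys.data": "Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning\n{Enter}\n",
    "scr.data":  "Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||"
                 "C:\\Recycled\\WinLiveUpdate32\\scrdata\\2008032668776.jpg\n"
                 "Piyush Chandra|||2008-03-26 19:08:16|||Player\n",  # truncated entry, no capture path
}
```

Point timeline() at the real files copied off an infected drive to see, minute by minute, which windows were screenshotted and what was typed while the spyware ran.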

Warning Messages
—————–

rundll.exe
Another program is currently using this file.

Kaspersky
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe

x—x—x

Solution:
———

Start > Run > type the following

(if you have a laptop, copy taskkill.exe into your c:\windows\system32\ folder first)

End task
……..

taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t

Registries
……….

at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f

Files
…..

cmd /k del "%USERPROFILE%\Local Settings\Temp\aut*" /f
cmd /k del "%USERPROFILE%\Local Settings\Temp\~*" /f
cmd /k del "%WINDIR%\System32\rundll.exe" /f
cmd /k del "%WINDIR%\winhelp.ini" /f
cmd /k del "%WINDIR%\system32\ijl11pro.dll" /f
cmd /k del "%WINDIR%\system32\MSINET.OCX" /f
cmd /k del "%WINDIR%\system32\regsvr.exe" /f
cmd /k del "%WINDIR%\regsvr.exe" /f
cmd /k del "%WINDIR%\system32\winhelp.exe" /f
cmd /k del "C:\WINNT\system32\ssdata\"
cmd /k del "C:\Recycled\WinLiveUpdate32\scrdata\" /f /q
cmd /k del "C:\Recycled\WinLiveUpdate32\" /f /q
(and delete regsvr.exe, New Folder.exe and autorun.inf from pen drives)

Download:
———

Please download the Heal for regsvr.exe from here

http://piyushlabs.googlepages.com/Heal_regsvr1.0.zip

More Downloads
—————–

http://piyushlabs.wordpress.com/downloads/

tnx to stephen ^_^..

Yahoo messenger virus

June 25th, 2008 by ftoliao

Information about the W32/Sohanad.B Worm:

W32/Sohanad.B is a worm that infects Windows systems and spreads through popular instant messaging applications.
Upon execution, this worm copies itself as SVHOST32.EXE or SVHOST.EXE into the Windows folder.
The worm modifies the registry at the following location to load itself at each startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger:

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm also modifies the registry to disable Registry Editor and Task Manager, and it changes the Internet Explorer (IE) home page. It propagates via Yahoo! Messenger, AIM, Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of the worm; when the recipient clicks the link, a copy of the worm is executed on the recipient's system.

Solution:

Enabling the Windows Task Manager and Registry Editor

This malware disables the Windows Task Manager and Registry Editor. To re-enable these tools, perform the following instructions.

1. Open Notepad. Click Start>Run, type Notepad, then press Enter.
2. Copy and paste the following:

On Error Resume Next
Set shl = CreateObject("WScript.Shell")
' WScript.Shell accepts the short forms HKCU and HKLM, but HKEY_USERS has to be spelled out in full.
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"

3. Save this file as {any file name}.VBS.
4. Click Start>Run, type {any file name}.VBS, then press Enter.
5. Click Yes at the prompt of the message box.
6. Click OK.

Edit the Registry


Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete any of the following entries:
* Task Manager = “%Windows%\svhost32.exe”
* Svchost = “%Windows%\svhost.exe”
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

Removing Added Keys and Entries from the Registry

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Yahoo>pager>View
2. Still in the left panel, locate and delete the following keys:
* YMSGR_buzz
* YMSGR_Launchcast
3. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Policies>Microsoft>Internet Explorer>Control Panel
4. In the right panel, locate and delete the following entries:
* Homepage = "dword:00000001"
5. Close Registry Editor.
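The three removals on this page (svhost32.exe, regsvr.exe and W32/Sohanad.B) all come down to the same handful of registry locations: the Run keys, Winlogon Shell and System, the Policies values that lock out Task Manager, regedit and Folder Options, and the Windows\load value. As an added example that is not part of any of these posts, this Python script audits those locations against a clean state so you can verify a cleanup actually took; the known-good Winlogon contents and the malware file names are taken from the posts, and read_live_snapshot() assumes it runs on the affected Windows machine as the affected user.

```python
"""Audit the registry locations the three posts above show being abused for persistence and lock-out."""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
# Values the malware overwrites, with the clean Windows XP content (what the reg add lines restore).
EXPECTED = {(WINLOGON, "Shell"): "Explorer.exe", (WINLOGON, "System"): ""}
# Values that do not exist on a clean machine (tool lock-out policies and the "load" autorun).
FORBIDDEN = {(POLICIES + r"\System", "DisableTaskMgr"), (POLICIES + r"\System", "DisableRegistryTools"),
             (POLICIES + r"\Explorer", "NoFolderOptions"),
             (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load")}
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# Executable names the posts tie to the malware; the genuine system files are svchost.exe and rundll32.exe.
MALWARE_NAMES = {"svhost32.exe", "svhost.exe", "rundll.exe", "regsvr.exe", "winhelp.exe"}

def basename_of(cmd):
    """Lower-case file name of the program a Run value launches ('"C:\\x y\\a.exe" /q' -> 'a.exe')."""
    path = str(cmd).strip().strip('"').split('"')[0]
    return (path.rsplit("\\", 1)[-1].split() or [""])[0].lower()

def audit(snapshot):
    """snapshot: {key_path: {value_name: data}}. Returns human-readable findings, empty when clean."""
    findings = []
    for (key, name), good in EXPECTED.items():
        actual = snapshot.get(key, {}).get(name)
        if actual is not None and str(actual).strip().lower() != good.lower():
            findings.append(f"{key}\\{name} = {actual!r}, expected {good!r}")
    for key, name in sorted(FORBIDDEN):
        if name in snapshot.get(key, {}):
            findings.append(f"{key}\\{name} is set")
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if basename_of(data) in MALWARE_NAMES:
                findings.append(f"{key}\\{name} launches {basename_of(data)}")
    return findings

def read_live_snapshot():
    """Windows only: read the audited keys with winreg into the shape audit() expects."""
    import winreg  # assumption: run on the affected machine, as the affected user
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key in {k for k, _ in EXPECTED} | {k for k, _ in FORBIDDEN} | set(RUN_KEYS):
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                snap[key] = dict(winreg.EnumValue(h, i)[:2] for i in range(winreg.QueryInfoKey(h)[1]))
        except OSError:
            pass  # key absent, so nothing under it to report
    return snap
```

On the affected machine, print(audit(read_live_snapshot())) lists whatever is still left to clean; an empty list after the reg commands and a reboot is the result you want.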

Resetting Internet Explorer Home Page and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

1. Close all Internet Explorer windows.
2. Open Control Panel. Click Start>Settings>Control Panel.
3. Double-click the Internet Options icon.
4. In the Internet Properties window, click the Programs tab.
5. Click the Reset Web Settings... button.
6. Select Also reset my home page. Click Yes.
7. Click OK.

Always run your favorite anti-virus program. Have a virus-free day.