How to Remove Spyware – Remove Almost All Infections

By now you should know that even the best spyware removal software is good at blocking an infection but seldom removes spyware once it is already running. The main reason is that, once the computer is infected, the spyware loads itself into memory every time Windows starts. Windows will not let you delete an executable that is currently running; the process has to be stopped first, and this is where on-demand scanners often fail. Another reason is that the spyware disables most antivirus and system tools that pose a threat to it, Windows Task Manager being the usual first victim.
Lately I have been using a technique that removes almost all infections of this kind. It has worked reliably for me in the large majority of cases, it can be followed step by step, and it applies to almost any family of adware, spyware or fake antivirus software. In my experience it works better than any spyware removal tool you can find. It works on Windows XP, Vista and Windows 7; the screenshots in this article are from Windows XP, but the steps are the same on the other versions, with the path differences noted below.
How to remove spyware - Method Summary:
- Open Task Manager as soon as you see the desktop.
- Write down the exact name of the spyware process showing in Task Manager and kill it.
- Look for the spyware in C:\Documents and Settings\username\Local Settings\Application Data (on Vista and Windows 7: C:\Users\username\AppData\Local or C:\ProgramData) and delete it.
- Search the registry for the file name and the folder name and delete every entry that references them.
- Create a new administrator account, log in with it, rename the old account's profile folder and reboot.
- Log in with your old username so that a fresh profile folder is created.
- Transfer your files from the old profile folder to the new one.
 
Step 1: Identify spyware in memory and kill it

Turn the computer on and, as soon as you log in and see the desktop, open Task Manager (Ctrl-Shift-Esc opens it directly on every version; on XP Ctrl-Alt-Del also opens it, and on Vista and Windows 7 Ctrl-Alt-Del shows a menu with "Start Task Manager"). You have to do this fast: once the rogue is fully running it usually blocks Task Manager from opening. In my experience, once Task Manager is open the spyware will not close it, but do not close it yourself, because you will probably not be able to open it again until you reboot.

As soon as the spyware shows itself (usually a fake antivirus shield in the notification area near the clock) check the Processes tab for anything suspicious. Tick "Show processes from all users" and sort by memory usage or by name so that new processes stand out as they start. How can you tell a process is suspicious? A few checks help:
- The name is a random string of letters. The process in this example is called "guxprpnshdw.exe", which means nothing.
- It runs from a user-writable folder rather than from C:\Windows or C:\Program Files. On Vista and Windows 7, View -> Select Columns -> "Image Path Name" shows where each process was started from; XP's Task Manager does not have this column, which is why Step 2 goes looking for the file by hand.
- It is not something you installed and has no recognisable Description (a column Vista and Windows 7 show by default).
Now that you have a suspect, get paper and pencil and write down the whole file name, making sure not to miss any letters. Then right-click the process and choose "End Process" to remove it from memory. Once you have done this, hover the mouse over the fake antivirus shield without clicking on it. If the shield disappears, you have killed the fake antivirus. If it does not, continue the search: repeat with the next suspicious-looking process until you find the right one, always writing down the name before ending it. If a process refuses to terminate or comes straight back, something else (a second process or a driver) is protecting it; note both names and continue.

Step 2: Remove spyware from hard drive and registry
Once you have the name of the file, make hidden files visible: in XP open "My Computer" and click Tools -> Folder Options -> View -> "Show hidden files and folders"; in Vista and Windows 7 go to Control Panel -> Folder Options -> View and select the same option. Go to "C:\Documents and Settings\" (or "C:\Users\" in Vista and Windows 7) and look for the folder with your username. If the computer logs in automatically or you are unsure of your username, Ctrl-Alt-Del in Windows XP displays who you are logged in as; in Vista and Windows 7 click Start and the username is shown at the top of the right-hand column of the menu; on any version, typing echo %USERNAME% at a command prompt prints it. Once you have identified your username go to "C:\Documents and Settings\username\Local Settings\Application Data\"; in Vista and Windows 7 the equivalent is "C:\Users\username\AppData\Local\", and "C:\Users\username\AppData\Roaming\" and "C:\ProgramData\" are the other usual hiding places. Once there, look for a folder with a suspicious name. In this example our folder is named "xyfbofkle"; again, the name makes no sense. Inside it you should find a program with the name of the spyware you found in Step 1, in this case "guxprpnshdw.exe". If you find it, write down the name of the folder and delete it (or rename it, if you want to keep a sample for analysis; the autostart entries cannot find a renamed folder either).

Next, open the registry editor: Start -> Run, type "regedit" and press Enter. Before deleting anything, take a backup with File -> Export (export range "All") so that a mistake can be undone. Then use Edit -> Find (Ctrl-F) to search for the spyware's file name, delete the value or key that references it, and press F3 to jump to the next match; repeat until the search reaches the end of the registry. Then repeat the whole operation using the folder name. The entries you are most likely to find are in the Run and RunOnce keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. Delete only the values and keys that actually name the spyware's file or folder, not whole Windows keys that happen to contain one. This removes the spyware from the computer. However, there is one extra step we must take to lessen the possibility of it coming back.

Step 3: Disable your old profile and create new one
To discard anything the malware left in your profile (dropped files, and the per-user Run entries that live in the profile's own registry hive, NTUSER.DAT), we are going to create a fresh profile folder and get rid of the current one. First create a new user account and make sure to give it administrator rights. Reboot the computer (don't just log off or switch users) and log into the newly created account. Then go to "C:\Documents and Settings\" (or "C:\Users\" in Vista and Windows 7) and rename your previous account's folder. I usually add ".old" at the end: if my original account folder is "\administrator\", I rename it to "\administrator.old\" so that Windows no longer recognises it. Now reboot again and log in with your old username; Windows will create a brand new profile folder for it. (If Windows instead reports that you have been logged on with a temporary profile, the old entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList still points at the renamed folder: from the helper account, delete the subkey whose ProfileImagePath names your folder and reboot once more.) Now transfer everything you want to keep from the ".old" folder to the new one. Don't transfer absolutely everything, because you risk carrying what is left of the spyware into the new profile. I usually transfer "My Documents", "Desktop" and "Favorites" and nothing else, and I check that the shortcuts on the Desktop point at real programs rather than at the deleted folder. When finished you can delete the ".old" folder and the helper account you created at the beginning.
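The following script automates Steps 1 and 2 for readers who would rather not hunt through Task Manager and regedit by hand. It is an added example and not part of the original article. It needs an elevated PowerShell (2.0 or later; on XP SP3 that means installing Windows Management Framework). It lists every process whose executable lives in a user-writable folder (Local Settings\Application Data, AppData, ProgramData, the temp folder), adds the two checks Task Manager cannot do for you (Authenticode signature and the company name embedded in the file), shows the Run/RunOnce entries that reference the file or its folder, and, only when run with -Quarantine and only for unsigned files, stops the process and renames the folder instead of deleting it. The parameter names and the ".quarantine" suffix are this example's own choices; "guxprpnshdw" is the article's sample name.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell 2.0 or later. Automates Steps 1 and 2 of the article.
param(
    [string]$Name,        # process name written down from Task Manager, e.g. guxprpnshdw
    [switch]$Quarantine   # without it the script only reports
)

# Folders a fake-AV dropper usually writes to (Local Settings\Application Data
# on XP, AppData\Local on Vista/7, plus roaming AppData, ProgramData and temp).
$userWritable = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('CommonApplicationData'),
    [IO.Path]::GetTempPath()
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Step 1: running processes whose image lives in a user-writable folder.
function Get-SuspiciousProcess {
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # protected processes: skip
        if (-not $path) { continue }
        $inUserDir = $userWritable | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inUserDir) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        New-Object PSObject -Property @{
            Id        = $p.Id
            Name      = $p.ProcessName
            Path      = $path
            Signed    = ($sig.Status -eq 'Valid')
            Publisher = $p.MainModule.FileVersionInfo.CompanyName
        }
    }
}

# Step 2: Run/RunOnce values whose command line mentions the given fragment.
function Get-AutostartEntry([string]$Fragment) {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
            if ($providerNoise -contains $prop.Name) { continue }
            if ("$($prop.Value)" -like "*$Fragment*") {
                New-Object PSObject -Property @{ Key = $key; ValueName = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

$suspects = @(Get-SuspiciousProcess)
if ($Name) { $suspects = @($suspects | Where-Object { $_.Name -ieq $Name }) }
$suspects | Format-Table Id, Name, Signed, Publisher, Path -AutoSize

foreach ($s in $suspects) {
    $dir = Split-Path $s.Path -Parent
    $entries = @(Get-AutostartEntry $s.Name) + @(Get-AutostartEntry (Split-Path $dir -Leaf))
    Write-Host "Autostart entries for $($s.Name) / $dir :"
    $entries | Format-Table Key, ValueName, Command -AutoSize

    # Signed binaries in AppData (browsers, sync clients) are normal; never quarantine them.
    if ($Quarantine -and -not $s.Signed) {
        Stop-Process -Id $s.Id -Force -ErrorAction Stop
        Start-Sleep -Seconds 2
        if (Get-Process -Name $s.Name -ErrorAction SilentlyContinue) {
            Write-Warning "$($s.Name) came back; a watchdog process is respawning it, find that one first"
            continue
        }
        # Rename rather than delete: reversible, keeps a sample, and the Run
        # entries (removed below anyway) would now point nowhere.
        Rename-Item -Path $dir -NewName ("$(Split-Path $dir -Leaf).quarantine")
        foreach ($e in $entries) {
            Remove-ItemProperty -Path $e.Key -Name $e.ValueName -ErrorAction SilentlyContinue
        }
    }
}
```

Run it once without -Quarantine (optionally with -Name guxprpnshdw) to see what it found, then again with -Quarantine. It deliberately touches only Run/RunOnce; the registry search in Step 2 still has to be done for anything that uses a service, a scheduled task or a shell extension instead.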

And you are done, as easy as that: no more spyware. This will not work 100% of the time, because not all spyware behaves the same; some cannot even be terminated from Task Manager, they just will not close. A process that cannot be killed from an administrator account, or that comes back within seconds, is usually protected by a second process or by a kernel driver (a rootkit), and for those the only reliable route is to boot the machine from clean media (a rescue CD or USB stick) and remove the files while the malware is not running. Still, this method works in the large majority of cases and, as I said before, it has worked better for me than even the best spyware removal program on the market. In my experience 90% or more of the malware infections you encounter can be removed this way.

Posted at 3:37 PM |  by Narut0
What is svchost.exe? Is it a Trojan or Virus?

Hasn't this happened to all of us? You discover you have a virus, you go to Task Manager, you cannot identify it, but you see a bunch of strange-looking svchost processes. SVCHOST.EXE is the generic host process for Windows services that are implemented as DLLs. A DLL cannot run by itself; it needs a program to load it, and that is what svchost does. Many Windows services come as DLLs rather than EXEs, including "Windows Firewall", "Automatic Updates", "Plug and Play", "Windows Themes", "Fax Service" and so on; services.exe starts one svchost.exe instance per service group, so several copies in Task Manager are normal. Malware abuses this in three ways: it names its own file svchost.exe and runs it from some other folder, it registers itself as a service DLL so that the real svchost loads it, or it injects code into a running svchost. In all three cases it looks harmless in Task Manager, disguised as a Windows process.

How to tell if SVCHOST.EXE is harmless or not.
Fortunately there is a free utility designed just for identifying all the svchost processes running on your computer. It is called Svchost Viewer and it works on XP, Vista and Windows 7. Svchost Viewer not only lists the services running inside each instance of svchost but also gives you a description of what they are. (The built-in command "tasklist /svc" on XP Professional, Vista and Windows 7 shows the same mapping of process IDs to service names, without the descriptions.) Take a look at the picture below:

What makes an svchost process suspicious?
Simple...
1) Any svchost process not identified by Svchost Viewer, i.e. one that hosts no registered service.
2) Any svchost process hogging the CPU: if you see one making the CPU run at 50%, 90% or 100% for a long time, this might be the sign of a trojan horse sending spam or doing other malicious activities. It can also be Windows Update scanning, which runs inside an svchost instance, so look at which services the instance hosts before deciding.
3) An svchost.exe that runs from anywhere other than C:\Windows\System32 (or SysWOW64 on 64-bit Windows). On Vista and Windows 7, View -> Select Columns -> "Image Path Name" in Task Manager shows the path; the real one is never in a user folder or in C:\Windows itself.
4) A hosted service whose DLL (the ServiceDll value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>\Parameters) lives outside the Windows directory.

How to kill a suspicious svchost process
Svchost Viewer itself can be a pretty effective svchost.exe killer. All you have to do is:
Select the service to be killed >> Service Control >> Stop Selected Service.
Stopping the individual service is better than ending the svchost.exe process in Task Manager: several services share one instance, so killing the process takes all of them down with it. A word of caution: stopping a service will probably not cause permanent damage to your computer, but before doing so make sure nothing important is running, such as an unsaved document or a defragmentation in progress. Some of these services are critical, and stopping one can cause the computer to freeze or restart.
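The script below applies the four checks listed above to every svchost.exe instance at once. It is an added example, not code from the post and not part of Svchost Viewer, and it needs an elevated PowerShell (2.0 or later). For each instance it prints the services hosted inside it (the same mapping Svchost Viewer and "tasklist /svc" show) and flags an image that is not the svchost.exe in System32 or SysWOW64, a parent other than services.exe, an instance hosting no registered service, and any hosted service whose ServiceDll lives outside the Windows directory. Only standard WMI classes and registry keys are used; the function names are this example's own.

```powershell
# Added example, not from the post. Run from an elevated PowerShell 2.0 or later.
$legitImages = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
# Only running services have a ProcessId; stopped ones report 0.
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }

# ServiceDll is REG_EXPAND_SZ; the registry provider expands %SystemRoot% on read.
function Get-ServiceDll([string]$ServiceName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (Test-Path $key) { (Get-ItemProperty $key).ServiceDll } else { $null }
}

function Test-SvchostInstance($Process) {
    $flags = @()

    # Check 3: the image must be the real svchost.exe.
    $image = $Process.ExecutablePath
    if (-not $image) {
        $flags += 'image path unreadable (not elevated?)'
    } elseif (-not ($legitImages -contains $image)) {
        $flags += "runs from $image, not System32\svchost.exe"
    }

    # Real instances are started by services.exe.
    $parent = $byPid[[int]$Process.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $parentName = if ($parent) { $parent.Name } else { '<gone>' }
        $flags += "parent is $parentName, not services.exe"
    }

    # Check 1: it must host at least one registered service ...
    $hosted = @($services | Where-Object { $_.ProcessId -eq $Process.ProcessId })
    if ($hosted.Count -eq 0) { $flags += 'hosts no registered service' }

    # ... and check 4: each hosted service's DLL must live under %SystemRoot%.
    $rows = foreach ($s in $hosted) {
        $dll = Get-ServiceDll $s.Name
        if ($dll -and -not $dll.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
            $flags += "service $($s.Name) loads $dll from outside %SystemRoot%"
        }
        New-Object PSObject -Property @{ Service = $s.Name; DisplayName = $s.DisplayName; ServiceDll = $dll }
    }

    New-Object PSObject -Property @{
        Pid     = $Process.ProcessId
        Image   = $image
        Verdict = $(if ($flags.Count) { 'SUSPICIOUS' } else { 'ok' })
        Flags   = $flags
        Hosted  = @($rows)
    }
}

foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $r = Test-SvchostInstance $p
    Write-Host ("PID {0,-6} {1,-10} {2}" -f $r.Pid, $r.Verdict, $r.Image)
    foreach ($h in $r.Hosted) {
        Write-Host ("    {0,-22} {1,-32} {2}" -f $h.Service, $h.DisplayName, $h.ServiceDll)
    }
    foreach ($f in $r.Flags) { Write-Host "    ! $f" }
}
```

Two things to keep in mind when reading the output: on Windows 10 and later, machines with more than about 3.5 GB of RAM run most services in their own svchost instance, so one service per instance is normal there; and check 2 (CPU usage) is deliberately not automated, because a single high reading means nothing, whereas a flagged ServiceDll path or image path does.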

How to remove an svchost-related virus
If after stopping the suspicious service your virus or spyware goes away, you have identified it. Now it is time to remove it. For a malicious service DLL, note the service name and the ServiceDll path shown by Svchost Viewer, stop the service, delete its key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (or run "sc delete <name>" from an elevated command prompt), remove its name from the group list under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and then delete the DLL. For a fake svchost.exe running from its own folder, the file and folder names are what you search for in the registry and on disk. I have written an article on how to remove practically any virus on your computer; see "How to Remove Spyware – Remove Almost All Infections" on this page.

Posted at 3:36 PM |  by Narut0

Password Reset Vulnerability in Facebook allowed hackers to hack accounts


An independent security researcher, Sow Ching Shiong, has discovered a serious password reset vulnerability in Facebook that allowed attackers to change the passwords of Facebook accounts.

Normally, a user is required to enter the current password before setting a new one. This re-authentication step exists so that someone who gets hold of an unlocked session (an unattended computer, a hijacked session cookie) cannot lock the real owner out without knowing the password.

However, the researcher found that the current password was not required at all if the password change was started from the URL "https://www.facebook.com/hacked", which automatically redirected to the compromised-account recovery page.


On that page an attacker was simply prompted to enter the new password and confirm it, without having to know any other information. In other words, the recovery flow skipped exactly the check that the normal password-change page enforces.

Facebook's security team fixed the vulnerability after being notified by the researcher, and Sow Ching Shiong has been added to Facebook's white hats list (https://www.facebook.com/whitehat).
 

Posted at 1:11 AM |  by Narut0
For those of us following or taking part in the various hacktivist activities happening around the globe, doxing is a regular feature. We wake up in the morning to find the personal lives of businessmen, hackers who have made targets of themselves for one reason or another, government employees, and a host of others spilled out onto the Internet for the entire world to see. On the positive side, doxing can be a tool for security testing, investigation or research. On the negative side it can be a tool for humiliation, harassment and worse.
In Part I of this article we discuss what exactly doxing is and the tools and techniques we might use to carry out such an attack. In Part II we will talk about the steps we can take to at least lessen its impact, should we find ourselves on the receiving end of such efforts.

What is Doxing?
The word doxing is a simple word involving a bit of mangling of the English language in order to communicate a somewhat more complex concept. We arrive at doxing by starting with documents, shortening it to docs, applying a bit of leetness to make it dox, then transforming it into a verb: documents -> docs -> dox -> doxing. But what is it?  Doxing is the process of locating, to the greatest extent possible, all of the information available on an individual, this being generally followed by the exposure of the information discovered to a group or the general public. Those following along might also realize that doxing, information reconnaissance, OSINT, and a number of other similar concepts are all very closely related, so much so that we might successfully argue that they are slight variations on describing the exact same concept.

We commonly see doxing used by hacking groups such as Anonymous, LulzSec, AntiSec, and so on. An excellent example is the large scale doxing of law enforcement-related personnel by Anonymous in December of 2011, an act which was reportedly carried out in revenge for the close attention being given to hacktivist groups by various law enforcement agencies. In this particular attack the information on over 7000 people was exposed, including names, addresses, social security numbers, email contents, passwords to sensitive systems, and a great deal of other information.
On the white hat side of the fence, a somewhat more restrained form of doxing is also used, although generally with a more limited set of techniques and generally without the public exposure of the information. Doxing techniques may be used by penetration testers, security researchers, incident responders, and investigators to collect information on potential targets, track down the origins of tools used in attacks or malware, or locate the originator of an attack. In March of 2012 it became public that the FBI had arrested Hector Monsegur, a.k.a. Sabu, widely supposed to have been the founder and/or leader of LulzSec, the previous year, reportedly helped by information gained from doxing and turned over by another hacking group.
Ultimately, doxing is searching for information on an individual, although usually taken to a much greater length than the typical light cyberstalking or ego surfing many of us engage in on a daily basis.
Why Would Anyone Want To Do This?
The motivations behind doxing, whether originated by the good guys or the bad guys, are generally not positive for the person who is the target of such activity. As we mentioned, doxing is used by those who are considered to be on the dark side, hackers (in the bad sense) and hacktivist groups, and also by others such as stalkers, identity thieves, internet trolls, and so on. Usually people in this group seek out said information to attack or harass their targets in some fashion. The specific motivations here may vary somewhat, but we can quickly come up with specific cases in which the entirety of the available data on an individual might be used including name, address and social security number (the identity theft trifecta), account credentials, telephone numbers, and so on.
Even on the light side, where we might find an investigator, incident responder, law enforcement, or other similar personnel using such techniques, the consequences for the target will likely be at least unpleasant, if not targeted at the same ultimate goals. In actuality, much of the set of techniques we would call doxing is simply referred to as investigation in such communities.
What are the Consequences of Being Doxed?
The consequences of doxed information being exposed can range from slight irritation to serious threat to health, livelihood, or potentially life. We can very quickly see where exposing information on a person’s social activities, sexual preference, medical history, and other such interesting bits of information may be seriously damaging. This type of exposure could easily result in public embarrassment, severe reputational damage, loss of employment, identity theft, and worse.
A fairly serious example of doxing and subsequent attacks can be seen in the actions taken by Anonymous against Aaron Barr, then the CEO of HBGary Federal, a defense contracting company. In February of 2011, Barr announced his infiltration of Anonymous and said he would expose the information he had found in a talk at a security conference that year. As with most cases of poking a wasp nest with a stick, this ended badly. Anonymous doxed Barr and attacked the HBGary Federal servers, later posting tens of thousands of emails from the HBGary Federal systems on the Internet, as well as the body of personal information on Barr himself. They subsequently took over social networking accounts, compromised further servers, and generally caused quite a bit of havoc. Ultimately, this series of attacks resulted in Barr resigning, reputation damage to Barr and HBGary Federal, and some level of investigation by the US House Armed Services Subcommittee on Emerging Threats and Capabilities.
Doxing Techniques
A number of different sources can provide information for doxing efforts. We can, for instance, collect from social networking sites and tools, people-oriented search tools, pay search sites, public records, and any of a number of other places. Some such sources or tools are generic and will show data on nearly any name we care to enter, and others are very specific and pertain to a particular company, city, or the like.
Typically when we start to dox someone, we will have some small amount of information to start with. A name, depending on how common the name is, is a good starting point; a name and an email address are better. If we have an email address on which to search, we may immediately turn up other sources of information, particularly if the target in question uses the email address as a common account name, posts online frequently, etc. Given a name, email address, and a city, we may be able to turn up a home address, employer, professional organizations, local sports teams or hobby groups, and so on. Each additional piece of information we turn up adds to the body of information we have and makes validating the next piece of information along the path much easier. The more information we have to begin with, the easier our job is.
If we are starting with a weak set of information, or the target has a very common name (James Smith would be a problem), we may have to do a bit of inference at the beginning. One of the most likely starting points would be to pin down a physical location to a smaller area. If we know James Smith had a particular IP address at some point, we look this IP up to find which ISP or company this IP belongs to. Based on this, we might narrow down our search parameters to the areas this ISP serves or this company operates in. Of course the danger exists that our inference is entirely wrong, and we have just gone down the wrong path entirely. But we do have to start somewhere.

Social Networking Sites
Social networking sites can provide a virtual gold mine of information for doxing purposes. Anyone who is at all active online will typically have accounts on at least two or three social networking sites. Depending on the site in question, we may find all manner of personal information (some not fit for public consumption) including current and past employers, education, physical location data, and a plethora of other items.

Of benefit to those using such sites to collect information is the myriad of privacy and sharing settings, each being entirely unique to a particular site. Those of us who are security professionals may have a good grip on handling such settings and may be aware of the need to restrict our personal information, putting us in a better position than the common user to properly safeguard our information. In some cases, this may not be good enough to completely protect us. The companies who run these social networking tools regularly update their privacy settings, and many of them allow “friends” to take actions like tagging pictures with names and re-sharing information, thus circumventing our security efforts.
Additionally, friends, family, co-workers, et al may provide another avenue for gathering information, even if the target has a properly secured account and is extremely careful. Given a particularly chatty friend on a social networking site, we may not even need information directly from the target. This is one of the main reasons that doxing efforts often extend outside of the target in question.

Doxing and Anti-Doxing – Part I

For those of us following or taking part in the various hacktivist activities happening around the globe on a regular basis, doxing is a regular feature. We wake up in the morning to find the personal lives of businessmen, hackers who have made targets of themselves for one reason or another, government employees, and a host of others spilled out onto the Internet for the entire world to see. Doxing can be a tool for use in security testing, investigation, or research on the positive side. But it can also be a tool for humiliation, harassment, and worse on the negative side.
In Part I of this article, we will discuss what exactly doxing is and the tools and techniques we might use to carry out such an attack. In Part II we will talk about the steps we can take to at least lessen its impact, should we find ourselves on the receiving end of such efforts.

What is Doxing?
The word doxing is a simple word involving a bit of mangling of the English language in order to communicate a somewhat more complex concept. We arrive at doxing by starting with documents, shortening it to docs, applying a bit of leetness to make it dox, then transforming it into a verb: documents -> docs -> dox -> doxing. But what is it? Doxing is the process of locating, to the greatest extent possible, all of the information available on an individual, this being generally followed by the exposure of the information discovered to a group or the general public. Those following along might also realize that doxing, information reconnaissance, OSINT, and a number of other similar concepts are all very closely related, so much so that we might successfully argue that they are slight variations on describing the exact same concept.

We commonly see doxing used by hacking groups such as Anonymous, LulzSec, AntiSec, and so on. An excellent example is the large scale doxing of law enforcement-related personnel by Anonymous in December of 2011, an act which was reportedly carried out in revenge for the close attention being given to hacktivist groups by various law enforcement agencies. In this particular attack the information on over 7000 people was exposed, including names, addresses, social security numbers, email contents, passwords to sensitive systems, and a great deal of other information.
On the white hat side of the fence, a somewhat more restrained form of doxing is also used, although generally much more limited in the set of techniques available, and generally lacking the public exposure of information. Doxing techniques may be used by penetration testers, security researchers, incident responders, and investigators to collect information on potential targets, track down information regarding the origins of tools used in attacks or malware, or to locate the originator of an attack. In March of 2012, the FBI is said to have used information gained from doxing and turned over by another hacking group to arrest Hector Monsegur, a.k.a. Sabu, who is widely supposed to have been the founder and/or leader of LulzSec.
Ultimately, doxing is searching for information on an individual, although usually taken to a much greater length than the typical light cyberstalking or ego surfing many of us engage in on a daily basis.
Why Would Anyone Want To Do This?
The motivations behind doxing, whether originated by the good guys or the bad guys, are generally not positive for the person who is the target of such activity. As we mentioned, doxing is used by those who are considered to be on the dark side, hackers (in the bad sense) and hacktivist groups, and also by others such as stalkers, identity thieves, internet trolls, and so on. Usually people in this group seek out said information to attack or harass their targets in some fashion. The specific motivations here may vary somewhat, but we can quickly come up with specific cases in which the entirety of the available data on an individual might be used including name, address and social security number (the identity theft trifecta), account credentials, telephone numbers, and so on.
Even on the light side, where we might find an investigator, incident responder, law enforcement, or other similar personnel using such techniques, the consequences for the target will likely be at least unpleasant, if not targeted at the same ultimate goals. In actuality, much of the set of techniques we would call doxing is simply referred to as investigation in such communities.
What are the Consequences of Being Doxed?
The consequences of doxed information being exposed can range from slight irritation to serious threat to health, livelihood, or potentially life. We can very quickly see where exposing information on a person’s social activities, sexual preference, medical history, and other such interesting bits of information may be seriously damaging. This type of exposure could easily result in public embarrassment, severe reputational damage, loss of employment, identity theft, and worse.
A fairly serious example of doxing and subsequent attacks can be seen in the actions taken by Anonymous against Aaron Barr, then the CEO of HBGary Federal, a defense contracting company. In February of 2011, Barr announced his infiltration of Anonymous and said he would expose the information he had found in a talk at a security conference that year. As with most cases of poking a wasp nest with a stick, this ended badly. Anonymous doxed Barr and attacked the HBGary Federal servers, later posting tens of thousands of emails from the HBGary Federal systems on the Internet, as well as the body of personal information on Barr himself. They subsequently took over social networking accounts, compromised servers, and generally caused quite a bit of havoc. Ultimately, this series of attacks resulted in Barr resigning, reputation damage to Barr and HBGary Federal, and some level of investigation by the US House Armed Services Subcommittee on Emerging Threats and Capabilities and the US Congress.
Doxing Techniques
A number of different sources can provide information for doxing efforts. We can, for instance, collect from social networking sites and tools, people-oriented search tools, pay search sites, public records, and any of a number of other places. Some such sources or tools are generic and will show data on nearly any name we care to enter, and others are very specific and pertain to a particular company, city, or the like.
Typically when we start to dox someone, we will have some small amount of information to start with. A name, depending on how common the name is, is a good starting point; a name and an email address are better. If we have an email address on which to search, we may immediately turn up other sources of information, particularly if the target in question uses the email address as a common account name, posts online frequently, etc. Given a name, email address, and a city, we may be able to turn up a home address, employer, professional organizations, local sports teams or hobby groups, and so on. Each additional piece of information we turn up adds to the body of information we have and makes validating the next piece of information along the path much easier. The more information we have to begin with, the easier our job is.
If we are starting with a weak set of information, or the target has a very common name (James Smith would be a problem), we may have to do a bit of inference at the beginning. One of the most likely starting points would be to pin down a physical location to a smaller area. If we know James Smith had a particular IP address at some point, we look this IP up to find which ISP or company this IP belongs to. Based on this, we might narrow down our search parameters to the areas this ISP serves or this company operates in. Of course the danger exists that our inference is entirely wrong, and we have just gone down the wrong path entirely. But we do have to start somewhere.

Social Networking Sites
Social networking sites can provide a virtual gold mine of information for doxing purposes. A person who is at all active online will typically have accounts on at least two or three social networking sites. Depending on the site in question, we may find all manner of personal information (some not fit for public consumption) including current and past employers, education, physical location data, and a plethora of other items.

Of benefit to those using such sites to collect information is the myriad of privacy and sharing settings, each being entirely unique to a particular site. Those of us who are security professionals may have a good grip on handling such settings and may be aware of the need to restrict our personal information, putting us in a better position than the common user to properly safeguard our information. In some cases, this may not be good enough to completely protect us. The companies who run these social networking tools regularly update their privacy settings, and many of them allow “friends” to take actions like tagging pictures with names and re-sharing information, thus circumventing our security efforts.
Additionally, friends, family, co-workers, et al may provide another avenue for gathering information, even if the target has a properly secured account and is extremely careful. Given a particularly chatty friend on a social networking site, we may not even need information directly from the target. This is one of the main reasons that doxing efforts often extend outside of the target in question.

We may also be able to bypass the security measures on a social networking account by simply asking for access to the information through whatever friending mechanism is available for the service in question. Such an approach will often enjoy success if we create an account impersonating someone who the target already knows or has some history with, such as a friend, co-worker, classmate, etc. We can see an excellent example of this in the Robin Sage incident, in which a security researcher impersonating a woman managed to friend over 300 people and gain access to all manner of sensitive information, including classified military information on troop movements.
General Online Content
Although social networking sites provide us with one of the richest sources we may find, they are by no means the only sources available. We can find all types of information by looking for online resumes, blog postings, postings to newsgroups, archives of local newspapers, newsletters from professional organizations, records of births, deaths, and marriages, any of a number of public records and other data. The problem we encounter when digging for such data is finding what we actually want in the massive volume we might need to sift through.
People-oriented Search Tools
Given this enormous body of information available to search, it is helpful to filter some of this through sets of tools that will do some of the work for us. Fortunately, there are a number of services that will conduct searches oriented around individuals and will often give us at least some portion of the information we seek for free. Some of the more common tools include:
• Pipl.com
• Spokeo.com
• Zabasearch.com
• Mylife.com
• Peekyou.com
and many, many others. These sites will commonly turn up names, addresses, birth dates, family members, pictures, documents, employers, and quite a bit of other information. Such sites do not exist out of pure altruism, so they will often display a certain amount of information as a hook and then ask for a payment to access the remainder. We can usually get enough free information from such search engines on which to base further searches or general digging, making these sites worth a visit.
In addition there are a number of pay sites that exist for the purpose of performing “background checks,” allowing us direct access to databases of information collected on individuals. These sites will likely include the same set of information as the people-oriented search engines (in fact they may be the same company), but the better sites will also have access to more difficult to reach records such as criminal proceedings, court documents, mortgage documents, and other similar items that are public or semi-public records. Most of this data is available to the individual in general, should we choose to look for it, but it often requires considerably more legwork and expense to obtain. A few background check sites include:
• Intelius.com
• Ussearch.com
• Peoplefinders.com
Information about Domains and Networks
Considering the connectedness of the average computer-savvy person these days, chances are we will be able to turn up an IP address or domain name connected to them in some fashion. Given a small amount of such information, unless the person has been particularly careful, we will often be able to quickly find a good deal more with a few simple searches.
Whois searches and searches of DNS records can often give us contacts for the domain or IP in question, sometimes even being directly connected to the individual who is our target. While this seems unlikely and entirely too easy, such information is often present. Aggregation tool sites such as Netcraft.com, IPinfoDB.com, and yougetsignal.com can also provide us with additional information such as where the system on the other end of the domain name or IP might be physically located, what software it is running, and any of a number of other useful bits.
Lastly, we would be remiss not to mention the Wayback Machine at web.archive.org. The Wayback Machine archives the content of a huge number of web servers on a regular basis, and looking at changes to a website over time can be extremely instructive. It may be that the system on the other end of a domain name contains no interesting information now, but it might have a month ago, or a year ago, or five years ago. The Wayback Machine can be an extremely helpful tool for many research efforts.
Our Friend Google
Google can be the doxer's best friend. We all know what Google is and how easy it is to type "firstname lastname" into the search field and get a few hits. There are, however, considerably more advanced ways of searching Google that will get us better results.

Google hacking is the use of advanced operators in search engine queries (not necessarily just Google) in order to enable more targeted searches. As we mentioned, this is not specific to Google, and similar search parameters can be used with almost any search engine. Lists of advanced operators can generally be found on the help page for the search engine in question. For Google, the advanced operators can be found here http://support.google.com/websearch/bin/answer.py?hl=en&answer=136861 and for Bing here http://msdn.microsoft.com/en-us/library/ff795620.aspx. For almost any search engine, we can find the advanced operator listing by searching for the engine name and “advanced operators”. While we will find some variation in query construction between different engines, the construction is usually fairly similar.

A large body of work exists for using advanced operators to perform very specific searches, along with a few books. The book Google Hacking for Penetration Testers by Johnny Long (available from Syngress) is an entire volume dedicated to this specific subject. Although it is a bit long in the tooth at this point, it is still a good resource. We can also look to the Google Hacking Database (GHDB) at http://www.hackersforcharity.org/ghdb/ or http://www.exploit-db.com/google-dorks/ for a database of specific searches. These databases contain a wide variety of security-specific searches and are available to the public through a few simple clicks.
Metadata
Metadata is data about data, and we can find such data associated with almost any file, the exceptions to this being vanishingly small. We can see a common example of metadata in the creation and modification timestamps associated with almost all files. Metadata can provide us with another excellent source for our doxing efforts. We can find this data in word processing documents, presentations, image files, videos, and any of a number of similar artifacts. In this metadata, we can often locate various interesting items such as usernames, hostnames, network paths, various dates, hardware information, and a variety of other interesting bits. For files created on hardware containing GPS capabilities, we may also find embedded GPS coordinates for the location where the file was created, databases or temporary files containing a history of physical locations, and the like. Overall, metadata is definitely worth taking a look at if we find files in the course of our search.
There are a number of tools that can provide us with the capability to sift through metadata. For general usage, we can use Metagoofil (although this is now a bit aged and requires some effort to get working properly), FOCA, which is in the same general vein as Metagoofil, ExifTool, which ostensibly handles image formats but actually handles a great number of other formats as well, and several others. Becoming familiar with metadata tools can lead to all sorts of interesting information.
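The flip side of the metadata point above is that the same fields can be inspected and stripped before a file ever leaves our hands. The following is an added example, not code from the article or from any of the tools it names (Metagoofil, FOCA, ExifTool): it reads the core properties of an Office Open XML package (the docProps/core.xml part shared by .docx, .xlsx and .pptx files, which is where the author name, last-modified-by account and timestamps live) and writes a copy with those fields removed. The sample document, the names and the dates are constructed for the example; the functions work on any real package bytes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in Office Open XML packages (.docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the original prefixes when re-serialising

# Core properties that routinely leak a username, a domain account, or a timeline.
SENSITIVE_TAGS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")

# Constructed sample core.xml; the names and dates are made up for this example.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2012-03-01T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2012-03-05T17:42:00Z</dcterms:modified>
</cp:coreProperties>
""".format(**NS)


def _qualified(el):
    """Turn ElementTree's '{uri}local' tag into the familiar 'prefix:local' form."""
    if not el.tag.startswith("{"):
        return el.tag
    uri, local = el.tag[1:].split("}", 1)
    prefix = next((p for p, u in NS.items() if u == uri), uri)
    return f"{prefix}:{local}"


def build_sample_docx():
    """Constructed, minimal docx-like package: just enough structure for the functions below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def part_names(docx_bytes):
    """Names of all parts in the package, in archive order."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def read_core_properties(docx_bytes):
    """Return {'prefix:local': text} for every core property, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {_qualified(el): (el.text or "").strip() for el in root}


def scrub_core_properties(docx_bytes, tags=SENSITIVE_TAGS):
    """Copy the package, dropping the listed core properties. Returns (new_bytes, removed_tags)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in list(root):
                    if _qualified(el) in tags:
                        root.remove(el)  # the element is optional; dropping it is valid
                        removed.append(_qualified(el))
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)  # every other part is copied byte for byte
    return out.getvalue(), removed


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_core_properties(doc))
    clean, removed = scrub_core_properties(doc)
    print("removed:", removed)
    print("after:", read_core_properties(clean))
```

Core properties are only one of several places a package records identity: docProps/app.xml (company name, template path), tracked changes and comments inside the document part, and embedded thumbnails are not touched by this function, which is why a purpose-built tool such as the ones named above is still worth running before publishing anything sensitive.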
Maltego
Any of a variety of other tools might assist us in our reconnaissance efforts whilst doxing. While it would be nearly impossible to develop an exhaustive list, there is at least one that deserves a special mention, namely Maltego. Maltego is “an open source intelligence and forensics application”. Maltego enables us to conduct, in many cases, a certain portion of our doxing in an automated fashion. Maltego, given a starting place, such as an IP address, hostname, name, etc… will attempt to ferret out other related items of information.

Results from Maltego can be hit or miss, depending on the information available to find. It is absolutely fantastic at tasks like combing through data for an organization. We may also discover a larger set of information from Maltego than we can comfortably cope with, if we are not careful to limit its scope.
Keeping Track
Last, but certainly not least, we will want some method for keeping track of the information we find. We could absolutely use a simple text editing tool like Notepad, Gedit, or the like. Such tools are very useful for taking notes as we go along, but ultimately not a good tool in the long run. In the case where our research has been thorough enough to include multiple individuals, a plain text document will quickly become difficult to keep up with and will not lend itself well to searching or correlating information.
As with many larger sets of data, or data we might need to manipulate in various ways, spreadsheets and/or databases are a very handy tool. We will typically want to develop a common template for our doxing efforts, so we do not miss particular items by oversight, e.g.:

• Maiden name
• Facebook account
• Twitter account
• IP addresses
• System names
• Domain names
• Blog URL
• Name
• Address
• DoB
• SSN
• Email addresses
• Phone numbers
• Employer
This, of course, is a very small sample and our template would need to cover considerably more. In an exhaustive doxing effort, we would likely end up with a stack of such collections of data.
There are also a few commercial tools that are purpose-built for just such a use. CaseFile is one such tool, and was created by the makers of Maltego. This provides us with a much more tailored solution, but may be overkill for some smaller efforts.
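To make the "template plus database" advice concrete, here is an added example that is not the article's own template and not CaseFile or any other tool it names. It keeps findings in an SQLite table of (subject, field, value, source) rows, refuses fields that are not in the template so nothing is recorded under an ad hoc name, and answers the two questions a text file cannot: which values turn up under more than one subject, and which template fields are still empty for a given subject. The field list is built from the checklist above (SSN deliberately left out); the sample findings use example.org and RFC 5737 documentation addresses and are constructed for the example.

```python
import sqlite3

# Fields of the collection template, adapted from the article's checklist (SSN deliberately omitted).
TEMPLATE_FIELDS = frozenset({
    "name", "maiden_name", "address", "dob", "email", "phone", "employer",
    "ip_address", "system_name", "domain", "blog_url", "facebook", "twitter",
})


def open_casefile(path=":memory:"):
    """Open (or create) the findings database: one row per (subject, field, value, source)."""
    con = sqlite3.connect(path)
    con.execute("""
        CREATE TABLE IF NOT EXISTS finding (
            subject TEXT NOT NULL,
            field   TEXT NOT NULL,
            value   TEXT NOT NULL,
            source  TEXT NOT NULL,
            UNIQUE (subject, field, value, source))""")
    # Correlation queries group by (field, value); index that pair.
    con.execute("CREATE INDEX IF NOT EXISTS finding_by_value ON finding (field, value)")
    return con


def record(con, subject, field, value, source):
    """Store one finding; refuses fields outside the template so the schema stays uniform."""
    if field not in TEMPLATE_FIELDS:
        raise ValueError(f"{field!r} is not a template field")
    # Values are normalised so 'Example.ORG' and 'example.org' correlate.
    con.execute("INSERT OR IGNORE INTO finding VALUES (?, ?, ?, ?)",
                (subject, field, value.strip().lower(), source))
    con.commit()


def search(con, needle):
    """Every finding whose value contains needle, regardless of subject or field."""
    return con.execute(
        "SELECT subject, field, value, source FROM finding "
        "WHERE value LIKE ? ORDER BY subject, field",
        (f"%{needle.strip().lower()}%",)).fetchall()


def shared_values(con):
    """(field, value, [subjects]) for values recorded under more than one subject."""
    rows = con.execute("""
        SELECT field, value, GROUP_CONCAT(DISTINCT subject)
        FROM finding
        GROUP BY field, value
        HAVING COUNT(DISTINCT subject) > 1""").fetchall()
    return [(field, value, sorted(subjects.split(","))) for field, value, subjects in rows]


def missing_fields(con, subject):
    """Template fields with no finding yet for this subject: the 'did we forget anything' check."""
    have = {f for (f,) in con.execute(
        "SELECT DISTINCT field FROM finding WHERE subject = ?", (subject,))}
    return sorted(TEMPLATE_FIELDS - have)


def build_sample_casefile():
    """Constructed sample data (example.org / RFC 5737 values), not real findings."""
    con = open_casefile()
    for row in [
        ("subject-a", "email", "a.person@example.org", "mailing list archive"),
        ("subject-a", "domain", "Example.ORG", "whois"),
        ("subject-a", "ip_address", "192.0.2.10", "dns A record"),
        ("subject-b", "email", "b.person@example.org", "resume"),
        ("subject-b", "domain", "example.org", "blog footer"),
        ("subject-b", "phone", "+1 555 0100", "resume"),
    ]:
        record(con, *row)
    return con


if __name__ == "__main__":
    con = build_sample_casefile()
    print("shared:", shared_values(con))
    print("missing for subject-a:", missing_fields(con, "subject-a"))
```

Recording the source alongside every value is the part most worth keeping when adapting this: a finding that cannot be traced back to where it came from cannot be re-verified later, and the article's own warning about inference going down the wrong path applies doubly once several subjects share a file.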

Part II
In the next part of this article, we will be discussing the opposite side of the doxing equation, namely anti-doxing. Now that we have covered what doxing is and how it is performed, we will talk about how we can protect ourselves and help to mitigate such an attack when we are on the receiving end.

Posted at 2:23 PM |  by Narut0
Find out who is using your WiFi

Do you suspect your neighbour is using your WiFi network without your consent? Rather than spending hours staring at your router’s administration console to find out who is using your WiFi, you can use Wireless Network Watcher – a free utility that scans for devices currently connected to your network.

Once launched, the utility scans the network you are connected to and displays the devices currently using your WiFi connection along with their corresponding IP address, MAC address, computer name and network adapter name.

That’s cool! But what if your neighbour is not connected at the moment you are running the scan? You will obviously not see his or her computer in the list. If you want to get notified as soon as someone attempts to connect to your WiFi network, you will need to tweak the app a bit.
Go to Options and select the following: Put Icon On Tray, Start As Hidden, Tray Balloon on New Device, Background Scan and Beep on New Device.
We will now set the interval between two scans. To do this, click on Options > Advanced Options or press F9. In the new window, enter the desired time in seconds between scans, for example 900 (equivalent to 15 minutes).
Now each time someone connects to your WiFi network, a balloon notification will appear on your tray icon.
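What the utility does on each background scan is, at its core, a comparison of the devices it sees against the devices it has seen before. The following added example, which is not part of the post and not Wireless Network Watcher's own code, does the same comparison against an explicit allowlist: it parses the output of Windows' `arp -a`, drops the broadcast and multicast rows that are not real hosts, and reports any MAC address that is not one of ours. The ARP output, IP addresses and MAC addresses are constructed for the example.

```python
import re

# Constructed sample of Windows `arp -a` output; every address and MAC is made up.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.23          00-1e-c2-aa-bb-cc     dynamic
  192.168.1.77          3c-5a-b4-de-ad-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Allowlist of the devices we own, keyed by MAC address (constructed values).
KNOWN_DEVICES = {
    "a4:2b:8c:11:22:33": "router",
    "00:1e:c2:aa:bb:cc": "laptop",
}

# One ARP table row: IPv4 address, MAC in either dash or colon form, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.MULTILINE,
)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so allowlist lookups are exact."""
    return mac.replace("-", ":").lower()


def is_broadcast_or_multicast(ip, mac):
    """True for rows that never correspond to a single host."""
    first_octet = int(ip.split(".")[0])
    # 224.0.0.0/4 is IPv4 multicast; a MAC whose first octet has the low bit set is
    # a group address (this also covers the all-ff broadcast address).
    return 224 <= first_octet <= 239 or (int(mac[:2], 16) & 1) == 1


def parse_arp_table(text):
    """Return [(ip, mac, type)] for host entries only."""
    entries = []
    for ip, mac, kind in ARP_LINE.findall(text):
        mac = normalize_mac(mac)
        if is_broadcast_or_multicast(ip, mac):
            continue
        entries.append((ip, mac, kind.lower()))
    return entries


def find_unknown_devices(text, known=KNOWN_DEVICES):
    """Hosts present in the ARP table whose MAC is not on the allowlist."""
    return [(ip, mac) for ip, mac, _ in parse_arp_table(text) if mac not in known]


if __name__ == "__main__":
    for ip, mac in find_unknown_devices(SAMPLE_ARP_OUTPUT):
        print(f"unknown device: {ip} ({mac})")
```

Two limits apply to this and to any ARP-based watcher: the table only lists hosts this machine has exchanged traffic with recently, so an idle device is invisible until the next scan (which is the reason for the periodic background scan configured above), and a MAC address is chosen by the device, so an allowlist detects the careless rather than the determined; the real control is the strong WPA2 passphrase the post turns to next.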

Someone is using my WiFi! Now what?

Ok, calm down – don’t tear your hair out if you find someone is using your WiFi. I’ll show you how you can keep freeloaders from using your WiFi connection.
If someone has been able to connect to your WiFi network, it is most likely because there was no password protection. The simplest solution is to set up a strong password using a secure algorithm such as WPA/WPA2 – avoid using WEP as it is easily crackable.
Don’t worry, you don’t need to know how encryption algorithms such as WEP/WPA work. You just need to select one on your router’s administration console and set a password.
So how do you do all that? Well, it depends on the type of router you have. Most routers’ admin consoles are accessible via the address http://192.168.1.1. You will be prompted for a username and a password. Most router manufacturers set the default credentials to root or admin for both the username and the password. Once you have logged in, look for your Wireless settings and make the appropriate changes.
Congratulations! You can now start breathing again. This should be enough to keep unauthorized users from using your WiFi. If you are still feeling paranoid, you can harden your WiFi security by white-listing your computer’s MAC address in your router’s console. However, this makes it a bit tougher for welcome guests, such as your family or friends, to get online at your house.

Posted at 12:41 PM |  by Narut0
© 2013 FreshGeek. WP Theme-junkie converted by BloggerTheme9