You are on page 1of 20

01010101010101010101010101 01010010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010010101010101010101 01010101010101010101010101 01010101010101010101010101 01010011010101010101010101 01010101010101010101010101 01010101010101010101010101 01010101010101010101010101

Hunting Viruses
antivirus manually

) :P Happy learning

:P

Saving data & scanning virus


boot :D antivirus safe mode windows options update post antivirus F8 safe scan . Linux

mode, safe mode with command prompt, safe mode with networking

antivirus safe mode safe mode cmd networking ff safe mode security essential Update m avira network f Update antivirus boot f S f m (

f m

m drivers m ) safe mode safe mode

mm D S

safe mode with

networking safe mode Microsoft Updat ) removal f www.okviruscleaner.com safe mode

offline update ( offline update

Tracing Viruses
Folder options, Registry msconfig RUN > msconfig m ( ) task manager registry Hidden f f ) folder options f ) ( windows media player registry msconfig os file startup list ( ) editor, ( Task manager msconfig

folder options

task manager task manager

registry Group policy > Remove Task manager apply,ok Run gpedit.msc

group policy registry User

configuration > Administration templates > System > Ctrl+Alt+Del options Disabled

task manager

registry editor group policy D folder options

User configuration > Administration templates > System > task manager

Prevent access to registry editing tools

User configuration > Administration templates virus process

> Windows Components > Windows explorer > Remove the folder options menu item from the tools menu T m end process

process

process registry registry editor

process

Run > regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

sidebar delete f system32 C:\ Windows\ System32\mgy.exe mgy.exe registry ( ) right click

RUN> control folders note.txt note.txt hidden exe love love

folder options

show hidden files, folders and drives hide extensions for known file types extensions note exe love h Hide proctected os os options windows xp delete system file, read-only file E

hide protected operating system files

files .

autorun.inf folder

windows 7 attribute

attrib s h r C:\Windows\System32\mgy.exe

cmd C:\Windows\System32\mgy.exe process shutdown :D ) taskmanager registry editor f kill manager, folder options, control panel, run virus taskmanager RUN> regedit HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System HKCU HKEY_CURRENT_USER m registry editor folder options safe mode registry task anti process linux boot cd

DisableTaskMgr

delete

restart logoff

m restart

registry

setting logoff

restart reg delete

explorer.exe process

end process

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\

System /v DisableTaskMgr /t reg_dword /d 1 /f cmd notepad m

reg

delete

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\

System /v DisableTaskMgr /t reg_dword /d 1 /f .bat batch file m registry

Enable registry reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System /v DisableRegistryTools /f Enable folder options reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer /v NoFolderOptions /f Enable cmd reg delete HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /f Enable RUN reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies \ Explorer /v NoRun /f Enable Control Panel reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer /v NoControlPanel /f

HKEY_CURRENT_USER(HKCU) windows xp ntldr cd m boot mini xp ( xp ntldr, bootmgr ntldr : ) i386 m partition ( ntldr : ) ntldr is missing windows 7 registry computer group policy HKLM

HKCU

HKEY_LOCAL_MACHINE(HKLM) group policy user group policy

windows cd ) Start mini windows xp h h cd

boot windows ntldr bootmgr

boot h linux

linux

dual

Defending Viruses
anti-virus memory stick exe autorun.inf double click xp Double click autorun.inf autorun Computer Configuration> Administrative Templates > Windows 7 autorun 7 autorun ) double click ( autorun autorun

autorun.inf

Components > AutoPlay Policies > Turn Off Autoplay all drives apply,ok

enabled

extension navigation pane

hidden file,

notepad [autorun] open=mgy.exe shellexecute=mgy.exe shell\Explore\command=mgy.exe shell\Open\command=mgy.exe shell=Explore mgy.exe f m f attrib s h r autorun.inf autorun.inf usb h usb disk security m cmd autorun.inf mgy.exe

autorun.inf autorun.inf

autorun windows 7 f

autorun

autorun

autorun autorun usb disk ) autorun.inf autorun.inf autorun.inf cmd autorun.inf exe exe usb disk security

security

autorun

autorun.inf

mkdir \\.\E:\autorun.inf\con\aux\nul attrib +s +h +r \\.\E:\autorun.inf\con\aux\nul cmd drive column F: autorun.inf E: : f f F:, G: \\.\E:\autorun.inf\con\aux\nul

rmdir \\.E:\autorun.inf /s /q attrib s h r Hidden, system, learning cmd commands :D autorun.inf autorun.inf D: m cmd m mm D: D: m D: autorun.inf Icon exe autorun.inf smadav drive lock

f :D

batch

@echo off rem start of code :start cls title USB defender program by backb0neb00t3r(MHU) echo To create autorun.inf on your drive, type 1 echo. echo To remove autoun.inf on your drive, type any key echo. set /p pass= echo Your choice# if %pass% equ 1 ( goto create ) else (

goto remove ) :create cls set /p create= echo To create autorun.inf folder, Type your drive letter ( eg. D:, E: ) # mkdir \\.\%create%\autorun.inf\con\aux\nul created by backb0neb00t3r(MHU) attrib +s +h +r %letter%\autorun.inf pause cls set /p decision= echo if you want to restart program, type start and if exit, type any key# if %decision% equ start ( goto start ) else ( msg * Bye Bye, Have a nice day! exit ) :remove cls set /p remove= echo To remove autorun.inf folder, Type your drive letter ( eg. D:, E: ) # rmdir \\.\%remove%\autorun.inf /s /q pause cls

set /p decision1= echo if you want to restart program, type start and if exit, type any key# if %decision1% equ start ( goto start ) else ( msg * Bye Bye, Have a nice day! exit ) rem end of code

Written by backb0neb00t3r(MHU)

Greetz to all MHUs